Elevating Security Standards and Enhancing Bank Protection and Compliance

The challenge

The client needed to strengthen the security posture of their AWS accounts and demonstrate compliance with standards such as CIS, PCI-DSS and NIST. A key concern was preventing unauthorized access. The client's multiple AWS accounts had no centralized network and no Single Sign-On (SSO), which complicated access control. Developers also had direct access to production environments, which led to unauthorized architectural changes and, in turn, to RBI compliance violations.

The solution

Searce defined an operating process, recommended the automation needed to remove the ambiguity in security compliance described above, and implemented it. The high-level points of the implementation are as follows:

  • Automated deployments with security built in:
    • All monolithic and container-based deployments were automated with Ansible.
    • Deployments for the Tier 1 application were automated through GitLab.
    • Infrastructure as Code (IaC) was adopted using Terragrunt wherever applicable.
    • AWS CodePipeline pipelines were built using AWS native services.
    • Deployment logs are pushed to AWS Security Hub for dashboarding and reporting.
    • Server patching was automated.
    • Backup automation is in place, with AWS Backup used for RDS and other EBS-based resources.
  • Security reconfiguration:
    • AWS Config was reconfigured in all accounts to cover every compliance requirement and to accommodate the new PCI-DSS guidelines.
    • Access policies were reconfigured so that each AWS account is reachable only from its respective VDIs.
    • Policies were reconfigured so that no resources can be provisioned outside the Mumbai (ap-south-1) region.
    • Custom IAM policies were written and applied to user groups, granting restricted rights per resource.
    • Custom S3 bucket policies were implemented so that data is not visible to everyone.
    • VPC endpoints for DynamoDB and S3 were implemented, keeping that traffic off the public internet and strengthening data security.
    • SSO was implemented on the servers, with the use of SSH keys restricted.
    • Only the specific URLs needed for server updates and third-party application connectivity were whitelisted for outbound access.
    • Use of AWS Secrets Manager and KMS was enforced so that no credentials are hard-coded in application code or on the servers.
    • SSH access to servers and the use of AWS access keys were restricted so that changes cannot be made directly through the AWS APIs outside the approved process.
    • Custom IAM roles were implemented on the servers, scoping access to AWS resources according to the architecture.
  • Refining alerts and process:
    • Developers can no longer access or change any configuration in the production environment, but they can still view performance insights for their respective resources.
    • Alerts were reconfigured for all resources: a Warning alert triggers at 70% resource utilization and a Critical alert at 80%.
    • Alerts are delivered through a webhook rather than email, removing the risk that a member of the email distribution list unsubscribes and misses alerts.
    • An alert SOP was created for each alert type and published to the respective AU command center and to the Searce Command Center.
    • Any change in the production environment must be backed by a Change Request (CR); if no CR exists, the change is denied immediately. In a genuine emergency the change may be made with the CTO's approval over email, and a CR tagged as an Emergency Change Request (Emergency CR) must be recorded the following day stating the reason for the emergency.
    • All deployments must go through the automation, with no manual intervention. If a deployment fails, it is rolled back and the full SDLC is followed again.
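The two account-level guardrails listed under security reconfiguration (provisioning only in the Mumbai region, and API access only from the VDIs) are the kind of rule usually enforced as an AWS Organizations service control policy (SCP). The block below is an added example, not the policy Searce or the client deployed: it builds such an SCP and includes a small local evaluator so the two exemptions every practitioner needs (region-less global services, and calls made by AWS services on the principal's behalf) can be checked before the policy is attached. The VDI CIDR 203.0.113.0/24 and the list of exempted global services are assumptions for illustration; AWS's own SCP example documentation carries the maintained list of region-less services.

```python
"""Organizations SCP pinning an account to ap-south-1 and to the VDI egress range,
plus a minimal evaluator for the condition operators the policy uses.

Added example, not the client's or Searce's policy. The VDI CIDR (RFC 5737
documentation range) and the global-service exemptions are assumptions.
"""
import fnmatch
import ipaddress
import json

VDI_CIDR = "203.0.113.0/24"      # assumed VDI egress range (constructed value)
ALLOWED_REGION = "ap-south-1"    # Mumbai

# Explicit-deny SCP. NotAction keeps global (region-less) services usable, since
# their requests carry a region of us-east-1 and would otherwise be denied.
# aws:ViaAWSService=false stops the source-IP check from blocking calls that an
# AWS service (e.g. CloudFormation) makes on the principal's behalf.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideMumbai",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "support:*",
                "cloudfront:*", "route53:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGION}},
        },
        {
            "Sid": "DenyOutsideVDI",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": VDI_CIDR},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}


def _listify(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    """True if the statement's Action/NotAction element covers `action`."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _listify(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _listify(stmt["NotAction"]))


def _condition_holds(cond, ctx):
    """All operators must hold (AND). Negated operators match a missing key,
    as IAM does; Bool does not."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if op == "StringNotEquals":
                if have in _listify(want):
                    return False
            elif op == "NotIpAddress":
                nets = [ipaddress.ip_network(w) for w in _listify(want)]
                if have is not None and any(ipaddress.ip_address(have) in n for n in nets):
                    return False
            elif op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def scp_allows(action, region, source_ip, via_service=False, policy=SCP):
    """True if no Deny statement matches. SCPs only filter; IAM still applies."""
    ctx = {
        "aws:RequestedRegion": region,
        "aws:SourceIp": source_ip,
        "aws:ViaAWSService": "true" if via_service else "false",
    }
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _action_matches(stmt, action) and _condition_holds(stmt["Condition"], ctx):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    print(scp_allows("ec2:RunInstances", "ap-south-1", "203.0.113.10"))       # from VDI, Mumbai
    print(scp_allows("ec2:RunInstances", "us-east-1", "203.0.113.10"))        # wrong region
    print(scp_allows("iam:CreateRole", "us-east-1", "203.0.113.10"))          # global service, exempt
    print(scp_allows("ec2:RunInstances", "ap-south-1", None, via_service=True))  # service call
```

Two caveats apply when attaching a policy like this: SCPs never restrict the management account, and the evaluator above only models the three operators the policy uses, so it is a pre-deployment sanity check rather than a substitute for the IAM policy simulator.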

The impact

  • Boosted Customer Trust: Robust security and automation bolstered customer confidence, leading to increased client retention and new AWS account acquisition.
  • Achieved Regulatory Compliance: CIS, PCI-DSS and NIST requirements were met, significantly improving RBI adherence.
  • Mitigated Risk: Stronger threat detection and incident response capabilities sharply reduced the risk of data breaches and unauthorized access, limiting potential financial and reputational damage.
  • Increased Operational Efficiency: Automated deployments, Infrastructure as Code (IaC) and SSO integration streamlined access across AWS accounts, cutting overhead and boosting overall efficiency.