From 7f6b3af0876da6208c1e9b9a0fd7d5d4f261df48 Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Mon, 30 Dec 2019 10:56:43 -0500 Subject: [PATCH 1/7] Inital infra documentation --- docs/00-engineering/dev-environments.md | 31 ------------------- .../infrastructure/infrastructure.md | 29 +++++++++++++++++ 2 files changed, 29 insertions(+), 31 deletions(-) delete mode 100644 docs/00-engineering/dev-environments.md create mode 100644 docs/00-engineering/infrastructure/infrastructure.md diff --git a/docs/00-engineering/dev-environments.md b/docs/00-engineering/dev-environments.md deleted file mode 100644 index 9b3a4b5ace..0000000000 --- a/docs/00-engineering/dev-environments.md +++ /dev/null @@ -1,31 +0,0 @@ -# Development and Hosting Environments - -## Intro - -The development process differs slightly from project to project, but what follows is our most typical approach. - -## Live (aka Production aka Prod) - -Content gets added/migrated here. - -Git tags that have been QA'd are deployed here. - -## QA (aka Staging) - -Some QA tests, acceptance tests, stakeholder review and training. - -## Dev (aka Integration) - -Dev is usually kept on the master git branch, or (occasionally) a branch created specifically for integration. - -Code deployed to dev should ideally contain deploy hooks (reverting Drupal features, for example). - -We occasionally demo prototypes or functionality on Dev sites. - -## Sandbox (aka Local) - -On our local machines. - -Generally kept on a branch relevant to whatever work we are doing. Consult the git workflow specific to each project for more info. - -We often demo prototypes or ongoing work on our sandboxes, via google hangout. diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md new file mode 100644 index 0000000000..d0c422198d --- /dev/null +++ b/docs/00-engineering/infrastructure/infrastructure.md 
@@ -0,0 +1,29 @@ +# Infrastructure Best Practices + +Bixal utilized infrastructure as code (IaC) for services that support it. IaC provides reproducibility and allows for ephemeral environments. Different technologies exists to accomplish this task from [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/) + +To document all the best practices of each different technology you encounter is out of the scope of this document. The goal of this page is to cover the major security concerns and serve as an introduction how to build and maintain infrastructure. + +## FedRAMP + +## Network Architecture + +Projects should always take network architecture into account when designing servers and infrastructure. All CSP's have the ability to create public, and private subnet's. By utilizing this architecture services can remain private and more protected, and services such as bastion hosts may be used to harden access to private services. For more information on this type of architecture you can review AWS's [reference documentation](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html). While this documentation is AWS specific, the concepts apply across CSP's. + +## IAM and Role Based Access + +All cloud service providers, which have a fedRAMP authorization have have strong identity and role based management. It is imperative that teams follow a policy of least privilege and never simply grant full access to a service. These controls, along with use of multi factor authentication are of the highest priority when dealing access to environments. Credentials should **NEVER** be shared all of the following services will allow for unique identifiers and credentials to be created for users and services. + +## Amazon Web Services + +### Managing Credentials + +### Gov Cloud vs Public Regions + +The primary differences between Gov Cloud and a General Public regions is staffing, and availability of services and FedRAMP authorizations. 
Gov Cloud has FedRAMP high along with some related DoD impact level certifications. It achieves this by staffing only US Citizens and a reduction in overall services where they cannot be compliant to the standard. + +What this means as an architecture perspective is the following: + +* Does our application need FedRAMP (or DoD impact level) high? +* Does our application utilize services not available in Gov Cloud? +* Does our application need to be served, or interconnected to global audience? (E.g - a USAID project which is us funded by USAID but may have a global audience). \ No newline at end of file From 195a67373a5dfa33fc653ecfc75513ff36c5076d Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Mon, 30 Dec 2019 11:22:01 -0500 Subject: [PATCH 2/7] init aws and general documentation --- docs/00-engineering/infrastructure/infrastructure.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index d0c422198d..32a5ea890d 100644 --- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md @@ -16,6 +16,8 @@ All cloud service providers, which have a fedRAMP authorization have have strong ## Amazon Web Services +Currently Bixal utilizes AWS with it's current hosting support. + ### Managing Credentials ### Gov Cloud vs Public Regions @@ -26,4 +28,4 @@ What this means as an architecture perspective is the following: * Does our application need FedRAMP (or DoD impact level) high? * Does our application utilize services not available in Gov Cloud? -* Does our application need to be served, or interconnected to global audience? (E.g - a USAID project which is us funded by USAID but may have a global audience). \ No newline at end of file +* Does our application need to be served, or interconnected to global audience? (E.g - a USAID project which is us funded by USAID but may have a global audience). 
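Review bot: In the new-file hunk for `infrastructure.md` (patch 1), the `## FedRAMP` and `### Managing Credentials` headings are added with no body, so the rendered page shows bare headings; either give them content in this patch or leave them out until there is something to say. In the same hunk, the IAM paragraph runs two sentences together and the referent is unclear: "Credentials should **NEVER** be shared all of the following services will allow for unique identifiers and credentials to be created for users and services." Only AWS is listed below, so suggest "Credentials should **NEVER** be shared. Every provider listed below supports creating a unique identity and credentials per user and per service." Minor grammar in the same lines: "Bixal utilized" should be "utilizes", "technologies exists" should be "exist", "have have" is doubled, and "CSP's" / "subnet's" are plurals, not possessives ("CSPs", "subnets").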
From ef400b9d12b9694fcd2a436cf2cb604f2d1f093c Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Mon, 30 Dec 2019 11:30:20 -0500 Subject: [PATCH 3/7] finishing the list of technologies for IAC --- docs/00-engineering/infrastructure/infrastructure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index 32a5ea890d..7e0e6f0489 100644 --- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md @@ -1,6 +1,6 @@ # Infrastructure Best Practices -Bixal utilized infrastructure as code (IaC) for services that support it. IaC provides reproducibility and allows for ephemeral environments. Different technologies exists to accomplish this task from [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/) +Bixal utilized infrastructure as code (IaC) for services that support it. IaC provides reproducibility and allows for ephemeral environments. Different technologies exists to accomplish this task from [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Packer](https://packer.io), or [Vagrant](https://www.vagrantup.com/) are common technologies that we've run across. To document all the best practices of each different technology you encounter is out of the scope of this document. The goal of this page is to cover the major security concerns and serve as an introduction how to build and maintain infrastructure. From d75b9364d018af1d03b9ed5e553d992e057f8177 Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Tue, 31 Dec 2019 11:37:07 -0500 Subject: [PATCH 4/7] aws configuration information --- .../infrastructure/infrastructure.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index 7e0e6f0489..5beb0ec785 100644 
--- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md 
@@ -20,6 +20,37 @@ Currently Bixal utilizes AWS with it's current hosting support. ### Managing Credentials +Generally access is given to a role by using AWS Security Token Service. You will have a user which has been given a policy to [assume](https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/) a role. In order to be able to assume a role, you must have [multi-factor authentication](https://aws.amazon.com/iam/features/mfa/) set up. This only works with the Virtual device MFA, not with Yubikey U2F! +Once you have a user account, with MFA and password setup you can create an [access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). Once you have an access key you can install the [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). To configure the cli create a ~/.aws/credentials file. This file should look something like this: + +```text +[default] +aws_access_key_id = MYACCESSKEY +aws_secret_access_key = MYSECRETACCESSKEY +[projectname] +role_arn = arn:aws:iam::9999999999:role/developer-role +source_profile = default +mfa_serial = arn:aws:iam::123456789:mfa/my-username +region = us-east-1 +``` + +You can then assume this role with the following useage: + +```sh +$ aws --profile projectname sts get-caller-identity +Enter MFA code for arn:aws:iam::123456789:mfa/my-username: +``` + +You will get a response that similar to the following: + +```json +{ + "UserId": "MYACCESSKEY:default-botocore-session-654321654321", + "Account": "789456123", + "Arn": "arn:aws:sts::789456123:assumed-role/developer-role/default-botocore-session-654321654321" +} +``` + ### Gov Cloud vs Public Regions The primary differences between Gov Cloud and a General Public regions is staffing, and availability of services and FedRAMP authorizations. Gov Cloud has FedRAMP high along with some related DoD impact level certifications. 
It achieves this by staffing only US Citizens and a reduction in overall services where they cannot be compliant to the standard. From b357d781aec777d8063cd9c3377a2b60e6690cc3 Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Tue, 31 Dec 2019 11:37:27 -0500 Subject: [PATCH 5/7] aws configuration information --- docs/00-engineering/infrastructure/infrastructure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index 5beb0ec785..dd572836de 100644 --- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md @@ -34,7 +34,7 @@ mfa_serial = arn:aws:iam::123456789:mfa/my-username region = us-east-1 ``` -You can then assume this role with the following useage: +You can then assume this role with the following usage: ```sh $ aws --profile projectname sts get-caller-identity From eae51b5310390d40977bc8ef08a4510e7d4d9f9b Mon Sep 17 00:00:00 2001 From: Rich Allen Date: Tue, 31 Dec 2019 11:56:01 -0500 Subject: [PATCH 6/7] FedRAMP information --- .../infrastructure/infrastructure.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index dd572836de..8d69803a78 100644 --- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md 
@@ -6,6 +6,21 @@ To document all the best practices of each different technology you encounter is ## FedRAMP +### What is FedRAMP + +FedRAMP is an program authorized by the OMB to streamline the 'Authority to Operate' process and simplify setting up technology systems and fulfilling [FISMA](https://www.dhs.gov/cisa/federal-information-security-modernization-act) requirements. It's very verbose with some 800+ controls related to the security and procedures around ownership of technology at the federal level. To sum up what it addresses: + +* Who has access to the system? +* What roles are there? +* What PII is contained within the system? +* What are the impacts if the system is not available? +* What is the plan if the system needs to be recovered from physical or technology disasters. +* How is the system backed up? +* Who is securing and updating technology in the system? + +FedRAMP lets us use a platform like Acquia, and not have to be responsible for the physical hardware and only be responsible +for the application and user management. + ## Network Architecture Projects should always take network architecture into account when designing servers and infrastructure. All CSP's have the ability to create public, and private subnet's. By utilizing this architecture services can remain private and more protected, and services such as bastion hosts may be used to harden access to private services. For more information on this type of architecture you can review AWS's [reference documentation](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html). While this documentation is AWS specific, the concepts apply across CSP's. From b9e9025dc4f4da9bc8135529258174eebc1b0df9 Mon Sep 17 00:00:00 2001 
From: Tyler Thompson Date: Thu, 9 Jan 2020 10:01:24 -0500 Subject: [PATCH 7/7] edited and provided an example of what needs to be changed for aws cli mfa --- .../infrastructure/infrastructure.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/docs/00-engineering/infrastructure/infrastructure.md b/docs/00-engineering/infrastructure/infrastructure.md index 8d69803a78..f205f24582 100644 --- a/docs/00-engineering/infrastructure/infrastructure.md +++ b/docs/00-engineering/infrastructure/infrastructure.md @@ -1,6 +1,6 @@ # Infrastructure Best Practices -Bixal utilized infrastructure as code (IaC) for services that support it. IaC provides reproducibility and allows for ephemeral environments. Different technologies exists to accomplish this task from [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Packer](https://packer.io), or [Vagrant](https://www.vagrantup.com/) are common technologies that we've run across. +Bixal utilizes infrastructure as code (IaC) for services that support it. IaC provides reproducibility and allows for ephemeral environments. Different technologies exists to accomplish this task from [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Chef](https://www.chef.io/), [Puppet](https://puppet.com/), or [SaltStack](https://www.saltstack.com/) are common technologies that we've run across. To document all the best practices of each different technology you encounter is out of the scope of this document. The goal of this page is to cover the major security concerns and serve as an introduction how to build and maintain infrastructure. 
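Review bot: The rewritten IaC sentence in this hunk still carries two predicates and does not parse: "Different technologies exists to accomplish this task from [Terraform]..., [Ansible]..., [Chef]..., [Puppet]..., or [SaltStack]... are common technologies that we've run across." Suggest "Several technologies exist for this; Terraform, Ansible, Chef, Puppet and SaltStack are the ones we have run across most often." Note also that this hunk silently drops Packer and Vagrant, which patch 3 added; if the intent is to keep the list to configuration-management and provisioning tools, say so in the commit message, since the subject line only mentions the AWS CLI MFA example. The unchanged context line "serve as an introduction how to build" is missing "to".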
@@ -23,20 +23,21 @@ for the application and user management. ## Network Architecture -Projects should always take network architecture into account when designing servers and infrastructure. All CSP's have the ability to create public, and private subnet's. By utilizing this architecture services can remain private and more protected, and services such as bastion hosts may be used to harden access to private services. For more information on this type of architecture you can review AWS's [reference documentation](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html). While this documentation is AWS specific, the concepts apply across CSP's. +Projects should always take network architecture into account when designing servers and infrastructure. All Cloud Service Providers (CSP's) have the ability to create public, and private subnet's. By utilizing this architecture services can remain private and more protected, and services such as bastion hosts may be used to harden access to private services. For more information on this type of architecture you can review AWS's [reference documentation](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html). While this documentation is AWS specific, the concepts apply across CSP's. ## IAM and Role Based Access -All cloud service providers, which have a fedRAMP authorization have have strong identity and role based management. It is imperative that teams follow a policy of least privilege and never simply grant full access to a service. These controls, along with use of multi factor authentication are of the highest priority when dealing access to environments. Credentials should **NEVER** be shared all of the following services will allow for unique identifiers and credentials to be created for users and services. +All CSP's, which have a fedRAMP authorization have have strong identity and role based management. 
It is imperative that teams follow a policy of least privilege and never simply grant full access to a service. These controls, along with use of multi factor authentication are of the highest priority when dealing access to environments. Credentials should **NEVER** be shared all of the following services will allow for unique identifiers and credentials to be created for users and services. ## Amazon Web Services -Currently Bixal utilizes AWS with it's current hosting support. +Currently Bixal utilizes AWS with it's cloud hosting provider. ### Managing Credentials Generally access is given to a role by using AWS Security Token Service. You will have a user which has been given a policy to [assume](https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/) a role. In order to be able to assume a role, you must have [multi-factor authentication](https://aws.amazon.com/iam/features/mfa/) set up. This only works with the Virtual device MFA, not with Yubikey U2F! -Once you have a user account, with MFA and password setup you can create an [access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). Once you have an access key you can install the [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). To configure the cli create a ~/.aws/credentials file. This file should look something like this: + +Once you have a user account, with MFA and password setup you can create an [access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). Once you have an access key you can install the [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html). To configure the aws cli with a main sign on and cross account role with mfa, create a ~/.aws/credentials file. This file should look something like this: ```text [default] 
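Review bot: The hosting sentence in this hunk is still wrong after the edit: "Currently Bixal utilizes AWS with it's cloud hosting provider." uses "it's" (it is) for "its", and "with its cloud hosting provider" does not say that AWS is the provider; suggest "Bixal currently uses AWS as its cloud hosting provider." The IAM paragraph was only reflowed here, so the doubled "have have" and the run-on "Credentials should **NEVER** be shared all of the following services..." survive into the new line; worth fixing while the line is being touched. In the Managing Credentials paragraph, "To configure the aws cli with a main sign on and cross account role with mfa" is hard to follow; suggest "To configure the AWS CLI with a base IAM user profile and a cross-account role that requires MFA".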
@@ -45,9 +46,20 @@ aws_secret_access_key = MYSECRETACCESSKEY [projectname] role_arn = arn:aws:iam::9999999999:role/developer-role source_profile = default -mfa_serial = arn:aws:iam::123456789:mfa/my-username +mfa_serial = arn:aws:iam::111111111:mfa/my-username region = us-east-1 ``` +Here is what you will need to `` from the example: +```text +[default] +aws_access_key_id = +aws_secret_access_key = +[] +role_arn = arn:aws:iam:::role/ +source_profile = default +mfa_serial = arn:aws:iam:::mfa/ +region = +``` You can then assume this role with the following usage:
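Review bot: The template block in this hunk has lost its placeholders, so it is not usable as written: "Here is what you will need to `` from the example:" has an empty inline code span where the verb (presumably "change") should be, and the lines "[]", "role_arn = arn:aws:iam:::role/", "mfa_serial = arn:aws:iam:::mfa/" and "region =" are missing the values the reader is meant to substitute, most likely because angle-bracket placeholders were swallowed by the Markdown renderer. Use backtick-safe placeholders such as `PROJECT_NAME`, `ACCOUNT_ID`, `ROLE_NAME` and `IAM_USERNAME` instead. Both fences also need a blank line before and after them (the closing ``` of the first block runs straight into "Here is what..."). The account IDs in the example are inconsistent and the wrong length: `arn:aws:iam::9999999999:role/developer-role` has 10 digits and the new `mfa_serial = arn:aws:iam::111111111:mfa/my-username` has 9, while AWS account IDs are always 12 digits; use one 12-digit placeholder (e.g. 123456789012) throughout so readers can pattern-match their own ARNs. Finally, since the `[default]` section stores a long-lived secret access key in plaintext, the text around this block should tell readers to keep `~/.aws/credentials` readable only by their user and never commit it to a repository.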
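Review bot: In the FedRAMP hunk of patch 6 (the new "### What is FedRAMP" section), the bullet "What is the plan if the system needs to be recovered from physical or technology disasters." ends with a period while every other bullet is a question; make it a question mark. "FedRAMP is an program" should be "a program", and "It's very verbose with some 800+ controls" is vague for a best-practices page: either name the control baseline the count refers to or drop the number. The closing paragraph has a hard line break mid-sentence ("not have to be responsible" / "for the application and user management") that should be joined, and it would help to state the division of responsibility explicitly, i.e. that using an authorized platform shifts the physical and platform controls to the provider while application and user-management controls stay with the project team, which is what the sentence is trying to say.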