Security
RapidFort AWS MarketPlace deployment doesn't require root privileges. An IAM role is required to connect with S3 for the storage of data.
RapidFort requires the following:
- IAM policy that grants Read/Write/List/Delete privileges for an S3 bucket for the storage of RapidFort data
- Networking and security policy that grants inbound access on port 443 and outbound access to the world, in particular to:
  - api.rapidfort.com over port 443
  - email-smtp.us-east-1.amazonaws.com over port 574
- Access to a Writer RDS instance for the storage of RapidFort information
No public resources are deployed as part of RapidFort deployment.
Please refer to the IAM section of the RapidFort On-Premise deployment documentation.
RapidFort AWS MarketPlace deployment doesn't require any encryption key creation.
RapidFort uses Kubernetes secrets to store sensitive data. Please refer to the RapidFort GitHub Helm Chart for the full list of secrets. The chart's secret template defines the following entries:
AWS_ACCESS_KEY_ID: {{ default "" .Values.secret.aws_access_key_id | b64enc | quote }}
AWS_SECRET_ACCESS_KEY: {{ default "" .Values.secret.aws_secret_access_key | b64enc | quote }}
AWS_DEFAULT_REGION: {{ default "us-east-1" .Values.secret.aws_default_region | b64enc | quote }}
RF_ROLE_ARN: {{ default "" .Values.secret.aws_role_arn | b64enc | quote }}
RF_S3_BUCKET: {{ required "\nERROR: s3 bucket not set!\nUpdate secret.s3_bucket inside chart/values.yaml file." .Values.secret.s3_bucket | b64enc | quote }}
RF_STORAGE_TYPE: {{ required "\nERROR: storage type not set!\nUpdate secret.storage_type inside chart/values.yaml file." .Values.secret.storage_type | b64enc | quote }}
RF_GS_CREDS: {{ default "" .Values.secret.gs_cred | b64enc | quote }}
USERNAME_SMTP: {{ default "" .Values.secret.smtp_username | b64enc | quote }}
PASSWORD_SMTP: {{ default "" .Values.secret.smtp_password | b64enc | quote }}
SOURCE_ARN: {{ default "" .Values.secret.smtp_source_arn | b64enc | quote }}
KEYCLOAK_JWT_PUB_KEY: {{ default "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0EwFCzsmzWgn7A8A40hzX1kPHab0WZTmUF8OwHt7fyds6sBiSDPnLIh0BgmXIO2WIrGzARm9dVUeAWI/aUI7qucfgYgW7XSwwz7X/IrX6DExsNZzTLxgIfDJR/WP0fo1vO10BQDAtJxEkX5YvFitBFzg4FLKMZP5inAFM21+jfjD2ufi7NWTyFJR6YCLGFma29XHE75yE76+Xq8eH3DI/8xmrU5hw1Yk5GrABf4KYTijsp+QLQZkEycYvfJEPEMigwnARdp6C3VDp/T8OL1hb2YtrZ4vjZ80azEicQ3ea/R05JK6ikfik2SlC5Rm0Ore0Rh4jB1tI51biVa0smsiwIDAQAB" .Values.secret.keycloak_jwt_pub_key | b64enc | quote }}
KEYCLOAK_CLIENT_ID: {{ default "scanners" .Values.secret.keycloak_client_id | b64enc | quote }}
KEYCLOAK_REALM: {{ default "customers" .Values.secret.keycloak_realm | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID: {{ default "admin-cli" .Values.secret.keycloak_service_account_client_id | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: {{ default "5b97220c-838a-4186-bcdd-8cdb77d0e0f3" .Values.secret.keycloak_service_account_client_secret | b64enc | quote }}
DB_URL: {{ default "mysql+mysqldb://root:[email protected]/standalone" .Values.secret.db_url | b64enc | quote }}
RF_APP_HOST: {{ default "" .Values.secret.rf_app_host | b64enc | quote}}
RF_APP_ADMIN: {{ required "\nERROR: admin user not set!\nUpdate secret.rf_app_admin inside chart/values.yaml file." .Values.secret.rf_app_admin | b64enc | quote}}
RF_APP_ADMIN_PASSWD: {{ required "\nERROR: admin password not set!\nUpdate secret.rf_app_admin_passwd inside chart/values.yaml file." .Values.secret.rf_app_admin_passwd | b64enc | quote}}
DEPLOY_MODE: {{ default "STANDALONE" .Values.secret.deploy_mode | b64enc | quote}}
RF_VERBOSE: {{ default "0" .Values.secret.rf_verbose| toString | b64enc | quote }}
Users are responsible for protecting their secrets using SOPS, Vault, or other sealed secret mechanisms.
RapidFort does not share or log any secrets.
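Before applying the rendered Secret, it is worth confirming that credential-bearing keys do not still hold the value the template above substitutes as a chart default, and that the `required` keys are non-empty. The following checker is an added example, not part of the RapidFort chart; the sample manifest is constructed, and the only real value in it is the chart default quoted from the template above.

```python
import base64
import re

# Credential-bearing key from the chart template, with the built-in default the
# template substitutes when values.yaml leaves it unset. A rendered Secret still
# carrying that default uses a value published in the chart, not one chosen here.
CHART_DEFAULTS = {
    "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET": "5b97220c-838a-4186-bcdd-8cdb77d0e0f3",
}
# Keys the template marks `required`: they must not be empty after rendering.
MUST_BE_SET = {"RF_APP_ADMIN", "RF_APP_ADMIN_PASSWD", "RF_S3_BUCKET", "RF_STORAGE_TYPE"}

# One `KEY: "base64"` line inside the data: block (quotes optional, as kubectl emits).
SECRET_LINE = re.compile(r'^\s+([A-Z0-9_]+):\s*"?([A-Za-z0-9+/=]*)"?\s*$')


def parse_secret_data(manifest: str) -> dict:
    """Decode the data: block of a rendered Kubernetes Secret into {key: value}."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if line.strip() == "data:":
            in_data = True
            continue
        if in_data and line and not line.startswith(" "):
            in_data = False  # next top-level field ends the block
        if in_data and (m := SECRET_LINE.match(line)):
            data[m[1]] = base64.b64decode(m[2]).decode("utf-8", "replace")
    return data


def find_weak_values(manifest: str) -> dict:
    """Map each offending key to 'chart-default' or 'empty'."""
    findings = {}
    for key, value in parse_secret_data(manifest).items():
        if key in CHART_DEFAULTS and value == CHART_DEFAULTS[key]:
            findings[key] = "chart-default"
        elif key in MUST_BE_SET and value == "":
            findings[key] = "empty"
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample of a rendered secret (values made up, except the chart
# default being tested for); a real one comes from `helm template` or kubectl.
SAMPLE_SECRET = f"""\
apiVersion: v1
kind: Secret
data:
  RF_S3_BUCKET: "{_b64('example-rapidfort-bucket')}"
  KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: "{_b64('5b97220c-838a-4186-bcdd-8cdb77d0e0f3')}"
  RF_APP_ADMIN_PASSWD: ""
"""
```

Empty AWS access keys are not flagged because they are expected when the IAM role in RF_ROLE_ARN supplies the S3 credentials.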
Customer sensitive data is stored in the following locations:
- MySQL (RDS)
- S3
Container image data may be cached locally on EKS nodes (Kubernetes deployment) or the EC2 instance (AMI deployment).
RapidFort AWS MarketPlace deployment allows the following Data Encryption Configurations:
- S3
- RDS MySQL
- EBS
Customers can follow AWS documentation to enable Data Encryption for these services without impacting RapidFort applications.
Please look at the AWS Commercial deployment guide and Security Group section for network configuration details.
RapidFort AWS MarketPlace deployment doesn't require the AWS instance metadata service. Customers can choose to disable Instance Metadata Service v1 (IMDSv1) following the AWS guide.