Security

Root privileges

RapidFort AWS MarketPlace deployment doesn't require root privileges. An IAM role is required to connect to S3 for the storage of data.

Policy of Least Privileges

RapidFort requires the following:
  • IAM policy that grants Read/Write/List/Delete privileges for an S3 bucket for the storage of RapidFort data
  • Networking and security policy that grants inbound access for port 443 and outbound access to the world
    • api.rapidfort.com over port 443
    • email-smtp.us-east-1.amazonaws.com over port 574
  • Access to a Writer RDS instance for the storage of RapidFort information
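The S3 part of this list, written out as an IAM policy document. This is an added example, not RapidFort's own policy: the bucket name is a placeholder, and the mapping of "Read/Write/List/Delete" to the concrete `s3:` actions is an assumption. The block also includes a small checker that flags a policy which exceeds that single-bucket scope, with an over-broad policy constructed for contrast.

```python
"""Least-privilege S3 policy for the RapidFort data bucket (added example).

Builds a policy document granting only read/write/list/delete on one
bucket, plus a checker that reports statements outside that scope.
The action mapping and bucket name are assumptions, not RapidFort's own.
"""
import json

# Assumed mapping of the page's Read/Write/List/Delete to concrete S3 actions.
S3_ACTIONS = {
    "read": ["s3:GetObject"],
    "write": ["s3:PutObject"],
    "list": ["s3:ListBucket"],
    "delete": ["s3:DeleteObject"],
}


def least_privilege_s3_policy(bucket: str) -> dict:
    """Return a policy document scoped to a single bucket.

    ListBucket is a bucket-level action, so it is granted on the bucket ARN;
    the object-level actions are granted on the objects under it only.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = S3_ACTIONS["read"] + S3_ACTIONS["write"] + S3_ACTIONS["delete"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListRapidFortBucket", "Effect": "Allow",
             "Action": S3_ACTIONS["list"], "Resource": bucket_arn},
            {"Sid": "RapidFortObjects", "Effect": "Allow",
             "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict, bucket: str) -> list:
    """Flag Allow statements whose actions or resources exceed the bucket scope."""
    allowed = {a for acts in S3_ACTIONS.values() for a in acts}
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for action in _as_list(st.get("Action", [])):
            # Wildcards such as "s3:*" or "s3:Get*" are never in the allowed set.
            if action not in allowed:
                findings.append(f"{sid}: action {action!r} outside read/write/list/delete")
        for res in _as_list(st.get("Resource", [])):
            if res not in (bucket_arn, f"{bucket_arn}/*"):
                findings.append(f"{sid}: resource {res!r} not scoped to bucket {bucket!r}")
    return findings


# Constructed over-broad policy for contrast: wildcard action on every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooMuch", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    bucket = "rapidfort-data-example"  # placeholder bucket name
    scoped = least_privilege_s3_policy(bucket)
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", policy_findings(scoped, bucket))
    print("over-broad policy findings:", policy_findings(OVERBROAD_POLICY, bucket))
```

Attach the scoped document to the IAM role the deployment uses for S3; the checker is useful in a pre-deployment review to catch a policy that drifted to `s3:*` or `Resource: "*"`.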

Public Resources

No public resources are deployed as part of RapidFort deployment.

IAM Roles

Please refer to the IAM section of the RapidFort On-Premise deployment guide.

Encryption Keys

RapidFort AWS MarketPlace deployment doesn't require any encryption key creation.

Storage of Secrets

RapidFort uses Kubernetes secrets to store sensitive data. Please refer to the RapidFort GitHub Helm Chart for the full list of secrets. The secret template renders the following keys:

AWS_ACCESS_KEY_ID: {{ default "" .Values.secret.aws_access_key_id | b64enc | quote }}
AWS_SECRET_ACCESS_KEY: {{ default "" .Values.secret.aws_secret_access_key | b64enc | quote }}
AWS_DEFAULT_REGION: {{ default "us-east-1" .Values.secret.aws_default_region | b64enc | quote }}
RF_ROLE_ARN: {{ default "" .Values.secret.aws_role_arn | b64enc | quote }}
RF_S3_BUCKET: {{ required "\nERROR: s3 bucket not set!\nUpdate secret.s3_bucket inside chart/values.yaml file." .Values.secret.s3_bucket | b64enc | quote }}
RF_STORAGE_TYPE: {{ required "\nERROR: storage type not set!\nUpdate secret.storage_type inside chart/values.yaml file." .Values.secret.storage_type | b64enc | quote }}
RF_GS_CREDS: {{ default "" .Values.secret.gs_cred | b64enc | quote }}
USERNAME_SMTP: {{ default "" .Values.secret.smtp_username | b64enc | quote }}
PASSWORD_SMTP: {{ default "" .Values.secret.smtp_password | b64enc | quote }}
SOURCE_ARN: {{ default "" .Values.secret.smtp_source_arn | b64enc | quote }}
KEYCLOAK_JWT_PUB_KEY: {{ default "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0EwFCzsmzWgn7A8A40hzX1kPHab0WZTmUF8OwHt7fyds6sBiSDPnLIh0BgmXIO2WIrGzARm9dVUeAWI/aUI7qucfgYgW7XSwwz7X/IrX6DExsNZzTLxgIfDJR/WP0fo1vO10BQDAtJxEkX5YvFitBFzg4FLKMZP5inAFM21+jfjD2ufi7NWTyFJR6YCLGFma29XHE75yE76+Xq8eH3DI/8xmrU5hw1Yk5GrABf4KYTijsp+QLQZkEycYvfJEPEMigwnARdp6C3VDp/T8OL1hb2YtrZ4vjZ80azEicQ3ea/R05JK6ikfik2SlC5Rm0Ore0Rh4jB1tI51biVa0smsiwIDAQAB" .Values.secret.keycloak_jwt_pub_key | b64enc | quote }}
KEYCLOAK_CLIENT_ID: {{ default "scanners" .Values.secret.keycloak_client_id | b64enc | quote }}
KEYCLOAK_REALM: {{ default "customers" .Values.secret.keycloak_realm | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID: {{ default "admin-cli" .Values.secret.keycloak_service_account_client_id | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: {{ default "5b97220c-838a-4186-bcdd-8cdb77d0e0f3" .Values.secret.keycloak_service_account_client_secret | b64enc | quote }}
DB_URL: {{ default "mysql+mysqldb://root:[email protected]/standalone" .Values.secret.db_url | b64enc | quote }}
RF_APP_HOST: {{ default "" .Values.secret.rf_app_host | b64enc | quote }}
RF_APP_ADMIN: {{ required "\nERROR: admin user not set!\nUpdate secret.rf_app_admin inside chart/values.yaml file." .Values.secret.rf_app_admin | b64enc | quote }}
RF_APP_ADMIN_PASSWD: {{ required "\nERROR: admin password not set!\nUpdate secret.rf_app_admin_passwd inside chart/values.yaml file." .Values.secret.rf_app_admin_passwd | b64enc | quote }}
DEPLOY_MODE: {{ default "STANDALONE" .Values.secret.deploy_mode | b64enc | quote }}
RF_VERBOSE: {{ default "0" .Values.secret.rf_verbose | toString | b64enc | quote }}

Users are responsible for protecting their secrets using SOPS, Vault, or another sealed-secret mechanism. Note that the template ships non-empty defaults for some keys (for example KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET); set your own values in chart/values.yaml rather than deploying with those defaults in place.
RapidFort does not share or log any secrets.
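A pre-deployment check over the rendered Secret, as an added example (not part of the chart or the original page). Every value in the template above is base64-encoded, so the check decodes the `data` map, flags required keys that are still empty, flags a key that still carries the chart default visible in the template, and requires either static AWS keys or RF_ROLE_ARN to be set. The sample `data` map is constructed; which keys count as required, and the keys/role-ARN alternative, are assumptions.

```python
"""Audit a rendered RapidFort Kubernetes Secret (added example, not chart code).

Input is the `data` map of the rendered Secret (base64 values, as kubectl
shows them). Output is a list of human-readable findings.
"""
import base64

# Default the template falls back to when values.yaml leaves the key unset.
# The value is the one visible in the chart template on this page.
CHART_DEFAULTS = {
    "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET": "5b97220c-838a-4186-bcdd-8cdb77d0e0f3",
}

# Assumption: these keys must be non-empty for an AWS deployment.
REQUIRED_NONEMPTY = ["RF_S3_BUCKET", "RF_STORAGE_TYPE", "RF_APP_ADMIN",
                     "RF_APP_ADMIN_PASSWD", "DB_URL"]

# Assumption: S3 access comes from either static keys or an assumed role,
# so at least one of these groups must be fully populated.
CREDENTIAL_ALTERNATIVES = [
    ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"],
    ["RF_ROLE_ARN"],
]


def decode_secret_data(data: dict) -> dict:
    """base64-decode every value of a Secret's `data` map (empty stays empty)."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}


def audit_secret(data: dict) -> list:
    """Return findings for empty required keys, chart defaults, missing creds."""
    decoded = decode_secret_data(data)
    findings = []
    for key in REQUIRED_NONEMPTY:
        if not decoded.get(key):
            findings.append(f"{key} is empty")
    for key, default in CHART_DEFAULTS.items():
        if decoded.get(key) == default:
            findings.append(f"{key} still uses the chart default")
    if not any(all(decoded.get(k) for k in group) for group in CREDENTIAL_ALTERNATIVES):
        findings.append("no S3 credential configured: set AWS_ACCESS_KEY_ID/"
                        "AWS_SECRET_ACCESS_KEY or RF_ROLE_ARN")
    return findings


def _b64(text: str) -> str:
    """Encode the way Helm's b64enc does, for building sample data."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample: a deployment that left three things unfinished.
SAMPLE_DATA = {
    "RF_S3_BUCKET": _b64("example-bucket"),
    "RF_STORAGE_TYPE": _b64("s3"),
    "RF_APP_ADMIN": _b64("admin@example.com"),
    "RF_APP_ADMIN_PASSWD": _b64(""),
    "DB_URL": _b64("mysql+mysqldb://rf:EXAMPLE-PASSWORD@db.example.internal/rapidfort"),
    "AWS_ACCESS_KEY_ID": _b64(""),
    "AWS_SECRET_ACCESS_KEY": _b64(""),
    "RF_ROLE_ARN": _b64(""),
    "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET": _b64("5b97220c-838a-4186-bcdd-8cdb77d0e0f3"),
}

if __name__ == "__main__":
    for finding in audit_secret(SAMPLE_DATA):
        print("-", finding)
```

In practice the `data` map comes from the rendered chart (`helm template`) or from the live object (`kubectl get secret -o json`); running the audit before `helm install` is the point, since the chart's `required` guards only cover a few of the keys.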

Storage of Customer Sensitive Data

Customer sensitive data is stored in the following locations:
  • MySQL (RDS)
  • S3

Container image data may be cached locally on EKS nodes (Kubernetes deployment) or the EC2 instance (AMI deployment).

Data Encryption Configuration

RapidFort AWS MarketPlace deployment allows the following Data Encryption Configurations:
  1. S3
  2. RDS MySQL
  3. EBS

Customers can follow AWS documentation to enable Data Encryption for these services without impacting RapidFort applications.

Network Configuration

Please refer to the AWS Commercial deployment guide and its Security Group section for network configuration details.

Instance MetaData Service v1

RapidFort AWS MarketPlace deployment doesn't require the AWS Instance Metadata Service. Customers can therefore choose to disable Instance MetaData Service v1 by following the AWS guide.
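An audit for the point above, added here as an example rather than taken from the page or from RapidFort: given the `Reservations` structure that `aws ec2 describe-instances` returns, list the instances that still answer IMDSv1, i.e. whose metadata endpoint is enabled with `HttpTokens` not set to `required`. An instance with the endpoint disabled altogether is treated as fine, since the deployment does not use the metadata service. The sample response and instance ids are constructed.

```python
"""Find EC2 instances still exposing IMDSv1 (added example).

Input has the shape of `aws ec2 describe-instances` output; the sample
below is constructed. Returns the ids of instances that need attention.
"""


def imdsv1_exposed(metadata_options: dict) -> bool:
    """True when the instance would answer unauthenticated IMDSv1 requests.

    HttpTokens "required" enforces IMDSv2 (session-token) requests only.
    HttpEndpoint "disabled" switches the metadata service off entirely, which
    is also acceptable here because RapidFort does not use it.
    """
    if metadata_options.get("HttpEndpoint") == "disabled":
        return False
    return metadata_options.get("HttpTokens") != "required"


def find_imdsv1_instances(reservations: list) -> list:
    """Return InstanceIds whose metadata options still allow IMDSv1."""
    exposed = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if imdsv1_exposed(inst.get("MetadataOptions", {})):
                exposed.append(inst["InstanceId"])
    return exposed


# Constructed sample: one exposed, one enforcing IMDSv2, one with IMDS off.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example0001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0example0002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0example0003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}
]

if __name__ == "__main__":
    for instance_id in find_imdsv1_instances(SAMPLE_RESERVATIONS):
        # Remediation is the AWS CLI call from the AWS guide:
        #   aws ec2 modify-instance-metadata-options --instance-id <id> \
        #       --http-tokens required --http-endpoint enabled
        print(f"{instance_id}: IMDSv1 still enabled, set HttpTokens=required")
```

Feed it the real output with `aws ec2 describe-instances --output json` and read the `Reservations` key; the same `MetadataOptions` check applies to launch templates, where fixing the template prevents new nodes from regressing.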