Amazon ECS, AWS Control Tower, Amazon GuardDuty, AWS CloudTrail
Amazon Web Services
The company is a new-generation digital investment platform focused on digital assets such as blockchain and cryptocurrencies. It provides fast, reliable and independent financial instruments to its users. The platform enables its users to track the digital asset markets in real time and manage their investments while ensuring that their information and portfolios are secured.
They have millions of users, and the exchange platform supports more than 80 cryptocurrencies. Users can deposit and withdraw money through bank integrations. Along with support for the domestic fiat currency, they also provide 24/7 customer support for their users.
Since almost day one they have been operating their infrastructure on AWS, but the workload had been built in legacy fashion rather than according to best practices. Moreover, they wanted to expand the services offered to their end users by introducing new offerings such as their own blockchain, a new wallet platform, and self-hosted blockchain nodes.
The company’s aim was to design and create a well-architected organization structure for their AWS workloads and cloud environments, helping them overcome security, scalability, availability and operational challenges and deliver high user satisfaction.
To ensure the security of such assets and the privacy of highly sensitive information, Sufle conducted a security assessment of the current workload to identify security gaps and show the customer where the environment was vulnerable. After reviewing and discussing this detailed report of potential vulnerabilities, it was decided to design a new, secure workload on AWS from scratch.
Given Sufle’s 10+ years of experience designing secure environments on AWS, the customer decided on this collaboration, and the process started with a proof of concept (POC) to test the new infrastructure design. The running services of the green blockchain platform were migrated to a new AWS account and a new hardened, segmented network was implemented.
For the new organization design we leveraged AWS Control Tower to create a standardized organization structure. AWS Control Tower made it possible to quickly establish a multi-account AWS environment with security baselines, dramatically accelerating the account build-out process. Using separate accounts, workloads are isolated from each other, and non-production environments were created for development and testing purposes. Accounts were built out with the Control Tower Account Factory, and the data residency guardrails and Region Deny capability helped maintain the security posture through automation.
In addition, AWS Control Tower’s built-in support for AWS IAM Identity Center (successor to AWS SSO) enabled us to centrally manage users and their privileges by defining different groups for each of their platforms, such as exchange, wallet, nodes and chain. Technical teams who now log in to AWS through IAM Identity Center have single sign-on access to multiple AWS accounts without compromising on security: MFA is mandatory for all user logins, and individuals now use temporary credentials instead of long-lived keys.
Since Infrastructure as Code practices are used to create the different workloads, all environments and workloads follow the same security standards, which are defined at the organization level. Every environment is designed with segmented networks built to these same standards in isolated accounts. Applications that had been exposed publicly and protected only by static IP allow-listing were moved to private subnets and interconnected using AWS Transit Gateway.
Applications were modernized and moved to containers. Amazon ECS provides container orchestration, and its auto-scaling capability lets them scale for millions of users, a user base that is growing every day. Through CI/CD pipelines integrated with Amazon ECS, testing and security checks run automatically whenever a change moves towards the production environment.
Security practices were centralized as well. Using AWS security and audit services such as CloudTrail, GuardDuty and Inspector within AWS Organizations enabled them to apply security and governance at the organizational level. Sufle leveraged Amazon GuardDuty to detect network intrusions, AWS Config to monitor desired configurations and overall infrastructure compliance, and AWS CloudTrail to audit all logs and activities across multiple accounts, all centrally, to ensure continuous security and management of security events.
The company’s plan for next year is global expansion, supported by their new well-architected infrastructure and a secure environment that scales with them and keeps security automated.