Workload example: Containerised web service - AWS Prescriptive Guidance

Workload example: Containerised web service

This workload is an example of Theme 2: Manage immutable infrastructure through secure pipelines.

The web service runs on Amazon ECS and uses a database in Amazon RDS. The application team defines these resources in an AWS CloudFormation template. Containers are created with EC2 Image Builder and stored in Amazon ECR. The application team deploys changes to the system through AWS CodePipeline. This pipeline is restricted to the application team. When the application team makes a pull request for the code repository, the two-person rule is used.

For this workload, the application team takes the following actions to address the Essential Eight strategies.

Application control

Patch applications

  • The application team enables scanning for Amazon ECR container images in Amazon Inspector and configures alerts for deprecated or vulnerable libraries.

  • The application team automates their responses to Amazon Inspector findings. New findings initiate their deployment pipeline through an Amazon EventBridge trigger, and CodePipeline is the target.

  • The application team enables AWS Config to track AWS resources for asset discovery.

Restrict administrative privileges

  • The application team is already restricting access to production deployments through an approval rule on their deployment pipeline.

  • The application team relies on the centralised cloud team's identity federation for rotation of credentials and centralised logging.

  • The application team creates a CloudTrail trail and CloudWatch filters.

  • The application team sets up Amazon SNS alerts for CodePipeline deployments and CloudFormation stack deletions.

Patch operating systems

  • The application team enables scanning for Amazon ECR container images in Amazon Inspector and configures alerts for OS patch updates.

  • The application team automates their response to Amazon Inspector findings. New findings initiate their deployment pipeline through an EventBridge trigger, and CodePipeline is the target.

  • The application team subscribes to Amazon RDS event notifications so that they are informed about updates. They make a risk-based decision with their business owner about whether to apply these updates manually or let Amazon RDS apply them automatically.

  • The application team configures the Amazon RDS instance to be a multi-Availability Zone cluster in order to reduce the impact of maintenance events.
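The Inspector-to-CodePipeline trigger described under both Patch applications and Patch operating systems, as an added example that is not code from this guide: the EventBridge rule resource the application team could place in their CloudFormation template, and a small offline matcher so the event pattern can be checked against constructed Amazon Inspector finding events before deployment. The severity and status filters, the pipeline and role ARNs, and the `sample_finding` helper are assumptions.

```python
"""Added example, not code from the AWS guide: the EventBridge rule that lets
new Amazon Inspector ECR findings start the team's CodePipeline, plus a small
matcher so the event pattern can be checked offline against sample findings."""

# Field names follow Amazon Inspector's EventBridge finding events. Filtering on
# ACTIVE status and HIGH/CRITICAL severity is an assumption added here so the
# pipeline does not redeploy on closed or informational findings.
FINDING_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "status": ["ACTIVE"],
        "severity": ["CRITICAL", "HIGH"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}

def rule_resource(pipeline_arn: str, role_arn: str) -> dict:
    """CloudFormation AWS::Events::Rule resource; the role needs
    codepipeline:StartPipelineExecution on the pipeline (ARNs are placeholders)."""
    return {
        "Type": "AWS::Events::Rule",
        "Properties": {
            "State": "ENABLED",
            "EventPattern": FINDING_PATTERN,
            "Targets": [{"Id": "RebuildPipeline", "Arn": pipeline_arn, "RoleArn": role_arn}],
        },
    }

def matches(pattern, event) -> bool:
    """Subset of EventBridge semantics: a leaf list matches if the event value is one
    of its entries; an event list (e.g. `resources`) matches if any element does."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return event in pattern
    return isinstance(event, dict) and all(
        key in event and matches(sub, event[key]) for key, sub in pattern.items())

def should_start_pipeline(event: dict) -> bool:
    return matches(FINDING_PATTERN, event)

def sample_finding(severity="CRITICAL", status="ACTIVE", rtype="AWS_ECR_CONTAINER_IMAGE"):
    """Constructed finding event for testing only; the image ARN is a placeholder."""
    return {"source": "aws.inspector2", "detail-type": "Inspector2 Finding",
            "detail": {"severity": severity, "status": status, "type": "PACKAGE_VULNERABILITY",
                       "resources": [{"type": rtype, "id": "arn:aws:ecr:REGION:ACCOUNT:repository/web"}]}}

if __name__ == "__main__":
    print(rule_resource("arn:aws:codepipeline:REGION:ACCOUNT:web-release", "arn:aws:iam::ACCOUNT:role/PLACEHOLDER"))
    print(should_start_pipeline(sample_finding()), should_start_pipeline(sample_finding(rtype="AWS_EC2_INSTANCE")))
```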

Multi-factor authentication

  • The application team relies on the centralised identity federation solution described in the Core architecture section. This solution enforces MFA, logs authentications, and alerts on or automatically responds to suspicious MFA events.

Regular backups

  • The application team configures AWS Backup to automate backup of the data in their Amazon RDS cluster.

  • The application team stores CloudFormation templates in a code repository.

  • The application team develops an automated pipeline to create a copy of their workload in another Region and run automated tests (AWS blog post). After the automated tests run, the pipeline destroys the stack. This pipeline automatically runs once a month and validates the effectiveness of the recovery procedures.