diff --git a/content/well-architected-framework/data/docs-nav-data.json b/content/well-architected-framework/data/docs-nav-data.json index eb7534bb6c..5117e6ea03 100644 --- a/content/well-architected-framework/data/docs-nav-data.json +++ b/content/well-architected-framework/data/docs-nav-data.json @@ -393,6 +393,35 @@ } ] }, + { + "title": "Secure infrastructure", + "routes": [ + { + "title": "Implement zero trust security", + "path": "secure-systems/infrastructure/zero-trust-security" + }, + { + "title": "Identity is the new perimeter", + "path": "secure-systems/infrastructure/identity-new-perimeter" + }, + { + "title": "Build a culture of security automation", + "path": "secure-systems/infrastructure/build-culture-security" + }, + { + "title": "Manage network ingress and egress", + "path": "secure-systems/infrastructure/manage-network-ingress-egress" + }, + { + "title": "Secure human access to infrastructure", + "path": "secure-systems/infrastructure/secure-access" + }, + { + "title": "Prevent lateral movement", + "path": "secure-systems/infrastructure/prevent-lateral-movement" + } + ] + }, { "title": "Secure secrets", "routes": [ @@ -431,17 +460,9 @@ } ] }, - { - "title": "Prevent lateral movement", - "path": "secure-systems/prevent-lateral-movement" - }, { "title": "Validate software integrity", "path": "secure-systems/validate-software-integrity" - }, - { - "title": "Implement zero trust security", - "path": "secure-systems/zero-trust-security" } ] }, diff --git a/content/well-architected-framework/docs/docs/secure-systems/infrastructure/build-culture-security.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/build-culture-security.mdx new file mode 100644 index 0000000000..d27bdcc02c --- /dev/null +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/build-culture-security.mdx @@ -0,0 +1,129 @@ +--- +page_title: Build a culture of security automation +description: Learn how to build security into your organization's culture. +--- + +# Build a culture of security automation + +Security is no longer a separate function in modern +infrastructure. Organizations must incorporate security in all phases of +infrastructure deployment and software development lifecycles (SDLC). + +Waiting for security teams to review and approve changes manually can lead to delays, increased risk of human error, and inconsistent security practices. Waiting for audits and compliance checks to verify your security program does not allow you to respond to emerging threats, leaving your organization vulnerable. + +When you build a culture of security automation, you integrate security practices and +tools into your organization's culture, processes, and workflows. When you +approach security as a necessary part of your organization's culture, you can +mitigate security risks more effectively and efficiently. + +When you build a culture of security automation, you create the following benefits +in your organization: + +**Developer Experience:** + +- Developers get immediate feedback on security issues through their workflows. +- Security becomes part of the development workflow, not an external gatekeeper. +- Learning happens in context when teams discover security issues. + +**Operations Teams:** + +- Infrastructure security through familiar code-based workflows. +- Security policies enforced and deployed automatically, reducing manual oversight burden. +- Compliance becomes a byproduct of standard operations rather than a special process. + +**Security Teams:** + +- Shift from being gatekeepers to being enablers and consultants. +- Focus on defining policies and standards rather than manual reviews. +- Gain visibility into security posture across the entire organization. + +## What is security automation? + +Security automation involves using tools and processes to automate security +tasks, such as scanning for vulnerabilities, managing secrets, applying +security patches, and monitoring for threats. You can automate these +tasks as code, instead of performing the tasks manually. By automating tasks +like policy provisioning, or scanning for secrets, your security posture improves. + + + +Another important aspect of security automation and building a culture around +security is understanding that various compliance standards do not inhibit +innovation. It can be easy to blame compliance requirements for slowing down +development and infrastructure innovation. However, when you teach teams that +security and compliance give you the necessary guardrails to innovate, you can +build a culture that embraces security. + +## Deploy security as code with Terraform + +You can adopt security as code practices using Terraform to automate +the deployment of security [policies as +code](/well-architected-framework/secure-systems/compliance-and-governance/policy-as-code) +in your infrastructure. You can manage policies for HashiCorp Vault, Boundary, +and Sentinel, as well as policies for public cloud providers and orchestration +platforms like Kubernetes, and Nomad. + +You can also use Terraform to manage common infrastructure components such as +user accounts, firewall configurations, and network settings. + +- **Security policies become testable code:** Teams can unit test, peer review, and version control security configurations just like application code. +- **Prevents configuration drift:** Automated detection when infrastructure deviates from secure baselines, encouraging teams to maintain security standards. +- **Enables security guardrails:** Terraform can enforce organization-wide security policies that prevent non-compliant infrastructure deployment. +- **Democratizes security knowledge:** Security configurations are documented in code, making security requirements visible and understandable to all team members. +- **Creates security feedback loops:** Failed deployments due to security violations become learning opportunities rather than blame events. + +This shifts security from being a "blocker" to being an integral part of how you +design and deploy infrastructure. + +## Shift security left with HCP Vault Radar + +Security teams can help shift security left with HCP Vault Radar. Shifting security +left means software and IaC developers integrate security tools into their +development process. HCP Vault Radar [scans for +secrets](/well-architected-framework/secure-systems/secrets/manage-leaked-secrets) +in source code during development, or once they commit their code to a version +control system (VCS) such as GitHub. + +- **Continuous education:** Integrating scanning into the software development + lifecycle helps developers understand how secrets leak. +- **Immediate feedback:** Real-time alerts when developers commit secrets help + improve secure coding practices. +- **Integration with development workflows:** Security scanning becomes part of + the development process, not a separate security audit. +- **Cross-team visibility:** Security teams can see patterns and provide + targeted training based on actual findings. + + +HashiCorp resources: + +- [Correlate HCP Vault Radar findings with HCP Vault](/hcp/tutorials/hcp-vault-radar-operations) +- [Boundary credential brokering with Vault](/boundary/tutorials/credential-management/hcp-vault-cred-brokering-quickstart) +- [Enforce policies in HCP Terraform using Sentinel](/terraform/tutorials/policy/policy-quickstart) + +External resources: + +- [NIST cyberssecurity framework](https://www.nist.gov/cyberframework) +- [Navigating behavioral change in security awareness and culture](https://www.ibm.com/think/insights/security-awareness-culture) +- [Why Culture Is the First Line of Defense in the Age of Agentic AI](https://www.cio.com/article/4043094/why-culture-is-the-first-line-of-defense-in-the-age-of-agentic-ai.html) + +## Next steps + +In this section of how to Secure infrastructure, you learned why it is important to +build a culture where security is integrated into every aspect of your +organization's operations. Build a culture of security automation is part of the [Secure systems +pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organizations security program. + +- Integrate Terraform and Vault into common industry +workflows, such as +[GitOps](/well-architected-framework/define-and-automate-processes/process-automation/gitops) +to further automate security practices. +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) **(this document)** +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) diff --git a/content/well-architected-framework/docs/docs/secure-systems/infrastructure/identity-new-perimeter.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/identity-new-perimeter.mdx new file mode 100644 index 0000000000..e24c34e121 --- /dev/null +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/identity-new-perimeter.mdx @@ -0,0 +1,116 @@ +--- +page_title: How to secure cloud infrastructure with identity-based access control +description: Identity is the new perimeter. Learn zero trust security, dynamic credentials, MFA, and least privilege access for cloud infrastructure. +--- + +# Identity-based security for modern infrastructure + +Modern infrastructure encompasses a mix of on-premises, cloud, and +software-as-a-service (SaaS) workloads. Securing modern infrastructure requires +a shift in focus to securing access to resources using identities, as the network +perimeter is no longer a reliable security boundary. + +Identity has become the new perimeter for securing modern infrastructure. +Instead of relying on network security tools to secure access to resources, +organizations must focus on securing user and machine identities. In addition to +shifting focus to identities, organizations must also ensure all services: + +- **Follow the principle of least privilege:** Grant the minimum access necessary to perform their tasks. +- **Use strong authentication and authorization mechanisms:** Implement robust sign-in workflows, including multi-factor authentication (MFA), to access resources. +- **Use ephemeral credentials:** Use ephemeral, short-lived credentials to reduce the risk of credential theft. +- **Classify data:** Implement a data classification scheme for all services. +- **Isolate workloads and resources:** Limit the effect of potential security breaches. +- **Continuously monitor and audit access:** Detect and respond to potential threats. + + + +## Benefits of identity-based security + +Every user, machine, or service has an identity. Leveraging the identities of your users through an identity provider (IdP) allows you to manage access to resources more effectively. You can also leverage trusted platforms, such as your cloud provider or self-managed infrastructure-as-a-service (IaaS) platforms, to verify a workload's identity. +By adopting identity as the new perimeter, organizations can build a secure infrastructure to handle the challenges of modern workloads. + +By adopting identity as the new perimeter, organizations can build a more secure +infrastructure that is better equipped to handle the challenges of modern +workloads. + +Shifting security focus to identities provides several benefits: + +- **Improved security**: By focusing on securing identities, organizations can + better protect against threats such as phishing, credential theft, and + insider threats. +- **Greater flexibility**: Identity-based security allows organizations to + securely manage access to resources across a mix of on-premises, cloud, and + SaaS workloads. +- **Enhanced user experience**: Identity-based security can provide a more + seamless user experience, reducing the need for users to remember multiple + passwords or navigate complex network security tools. +- **Better compliance**: Identity-based security can help organizations meet + regulatory requirements by providing better visibility and control over + access to sensitive data and resources. + + + +## Implement zero trust with Vault and Boundary + +HashiCorp Vault allows you to adopt ephemeral, dynamic credentials - replacing +long-lived credentials with short-lived ones to reduce the risk of credential +theft. Vault dynamic credentials support multiple cloud providers like Amazon Web +Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), as well as +databases like MySQL, PostgreSQL, and MongoDB. + +HashiCorp Boundary provides identity-aware access without requiring +network-level trust. Instead of opening firewall ports or managing VPN +connections, Boundary verifies user identity and grants just-in-time access to +specific resources based on their authenticated identity and assigned +permissions. + +You can further enhance your security posture by integrating Vault and Boundary +to allow identity-based access to target resources without exposing or sharing +the target's credentials. Users authenticate to Boundary through a trusted +identity provider, and Boundary retrieves dynamic credentials from Vault to +access the target resource. + +HashiCorp Terraform enables you to manage identity [policies as +code](/well-architected-framework/secure-systems/compliance-and-governance/policy-as-code), +ensuring consistent security configurations across all environments and making +your identity perimeter auditable and version-controlled. + +HashiCorp resources: + +- Follow the principles of [least + privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege) +- Implement [strong authentication and authorization + mechanisms](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows) +- Use [ephemeral, short-lived + credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials) +- Implement a [data classification + scheme](/well-architected-framework/secure-systems/data/classify-data) +- [Generate dynamic secrets in Vault](/vault/tutorials/db-credentials) +- [OIDC authentication to Boundary using Okta](/boundary/tutorials/identity-management/oidc-okta) +- [OIDC authentication to Vault using Okta](/vault/tutorials/auth-methods/vault-oidc-okta) +- [Connect to Kubernetes using Boundary and Vault](/boundary/tutorials/kubernetes-connect) + +External resources: + +- [What is identity and access management (IAM)?](https://www.ibm.com/think/topics/identity-access-management) +- [Zero trust architecture](https://www.nist.gov/publications/zero-trust-architecture) +- [The real AI risk isn’t AGI — it’s unregulated machine identity](https://www.cio.com/article/4075672/the-real-ai-risk-isnt-agi-its-unregulated-machine-identity.html) + +## Next steps + +In this section of how to Secure infrastructure, you learned why it is important to +shift to using identity as the new security perimeter. Focusing security +programs around identity allows you create a more comprehensive security +strategy. How to secure cloud infrastructure with identity-based access control is part of the [Secure systems +pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organization's security program. + +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) **(this document)** +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) diff --git a/content/well-architected-framework/docs/docs/secure-systems/infrastructure/manage-network-ingress-egress.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/manage-network-ingress-egress.mdx new file mode 100644 index 0000000000..e3ad5061e0 --- /dev/null +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/manage-network-ingress-egress.mdx @@ -0,0 +1,168 @@ +--- +page_title: Secure network traffic with ingress and egress +description: Secure network ingress and egress using Consul service mesh, Boundary, and Terraform-managed firewall rules. +--- + +# Secure network traffic with ingress and egress + +Network ingress and egress controls determine what traffic can enter and leave your infrastructure. As you transition to a security culture centered around identity, managing traffic to and from your infrastructure, both cloud and self-managed, becomes an essential component of security. + +Traditional infrastructure relies on network-based controls to manage traffic +coming into (ingress) and out of (egress) your local network or data center. +Small networks often used a flat network and were only able to manage traffic +at the network perimeter. Larger networks or organizations with a more mature +security program create virtual networks (VLANs) to separate network +traffic. VLANs allow you to create internal network perimeters and +deploy network access controls (NACL) to manage traffic. Security teams also +have the option to configure operating system firewalls to help manage traffic. +Managing local operating system firewalls is often difficult to manage at scale +and places additional overhead on each system to process traffic. + +Modern infrastructure still relies on VLANs for network isolation; however, +advances in networking services provide even greater control. Most modern +infrastructure as a service (IaaS) providers allow you to filter both ingress +and egress traffic at the network interface (NIC) level, before it reaches +the operating system. Managing traffic at the NIC level is also known as +micro-segmentation and is a key component as you build towards a zero trust +network architecture. + +## Why network ingress and egress security matters + +Managing network ingress has been a standard security practice for decades. +Managing egress traffic, however, is often overlooked. Managing egress traffic +ensures that systems that do not require outbound network access are not able to +initiate connections to external systems. This helps prevent data exfiltration +and limits the ability of attackers to communicate with command and control +servers. + +While managing network ingress and egress is important, it can be resource +intensive to manage at scale. As you build a culture of security centered around +identity, you begin to shift away from network-based controls, and focus on +identity-based security. + +## Use service mesh for traffic control with Consul + +HashiCorp Consul allows you to connect infrastructure and services using a +service mesh. Consul protects communication using mutual TLS (mTLS) to ensure that only +authorized services can communicate with each other. + +- **Automatic mTLS encryption** for all service communication, eliminating the need for network-level encryption. +- **Service intentions** that act as application-aware firewall rules, allowing you to define which services can communicate based on identity rather than IP addresses. +- **Transparent proxy integration** that automatically routes and secures traffic without application code changes. +- **L7 traffic management** including traffic splitting, timeouts, and retries that reduce the need for complex network configurations. + + + +By using Consul, you shift from managing network ports and IP-based ACL rules to +managing identities and communication policies. + +Consul service intentions allow you to manage which services communicate with each +other. For example, you can write an intention that blocks traffic for a specific +infrastructure component, or service: + +```hcl +Kind = "service-intentions" +Name = "backend" +Sources = [ + { + Name = "frontend" + Action = "deny" + } +] +``` + +## Secure network access with Boundary + +HashiCorp Boundary allows you to limit network ingress by providing secure, +identity-based access to infrastructure without opening network ports or +managing VPN connections. Boundary verifies user identity and grants just-in-time +access to specific resources based on their authenticated identity and assigned +permissions. + +- **Credential-less access** that removes the need to distribute SSH keys or manage VPN certificates. +- **Just-in-time network access** that creates temporary, session-based connections rather than permanent network paths. +- **Multi-hop architecture** that allows secure access to private networks without exposing internal network topology. +- **Session recording and monitoring** that provides complete audit trails without network packet inspection. +- **Integration with identity providers** that tie network access decisions to your existing user directory. + + + +## Deploy firewall rules with Terraform + +For infrastructure not well integrated with a service mesh, you can use +HashiCorp Terraform to manage network policies. Terraform enables you to manage +network ingress and egress rules as code, ensuring consistent security +configurations across all environments, making your network policies +auditable and version-controlled. + +- **Standardizing security group configurations** across multiple cloud providers and environments. +- **Implementing least-privilege network policies** through code review and approval processes. +- **Automating security group updates** based on application deployment patterns. +- **Providing drift detection** to identify when network configurations have been manually modified. +- **Enabling policy-as-code** where network security rules are tested and versioned like application code. + +In this example Terraform configuration, you create an AWS security group with +no defined network egress. Using Terraform to create the security group removes +the default egress rule that normally allows all outbound traffic. + +```hcl +# By omitting egress rules, this security group blocks all outbound traffic +# (removes AWS default "allow all" egress rule) + +resource "aws_security_group" "no_egress_sg" { + name = "no-egress-security-group" + description = "Security group that blocks all outbound traffic" + vpc_id = aws_vpc.main.id + + # Ingress rules + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["192.168.1.0/24"] # Allow SSH from specific CIDR + description = "Allow SSH inbound" + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["10.0.0.0/24"] # Allow HTTP from specific CIDR + description = "Allow HTTP inbound" + } + + tags = { + Name = "no-egress-security-group" + } +} + ``` + +HashiCorp resources: + +- [Get started with Consul](/consul/tutorials/get-started-vms) +- [Control traffic communication between services with intentions](/consul/tutorials/secure-services/secure-services-intentions) +- [Identity management workflows for Boundary](/boundary/tutorials/identity-management) +- [Create an AWS EC2 instance and security group with Terraform](/terraform/tutorials/configuration-language/resource) + +External resources: + +- [What is a service mesh](https://www.ibm.com/think/topics/service-mesh) + +## Next steps + +In this section of how to Secure infrastructure, you learned why it is important to +secure network ingress and egress traffic. Unmanaged traffic creates risks for +your company's security programs, leading to leaked secrets, or unauthorized +access to data. Secure network traffic with ingress and egress is +part of the [Secure systems pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organization's security program. + +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) **(this document)** +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) diff --git a/content/well-architected-framework/docs/docs/secure-systems/prevent-lateral-movement.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/prevent-lateral-movement.mdx similarity index 60% rename from content/well-architected-framework/docs/docs/secure-systems/prevent-lateral-movement.mdx rename to content/well-architected-framework/docs/docs/secure-systems/infrastructure/prevent-lateral-movement.mdx index ebe6d39962..9b75319140 100644 --- a/content/well-architected-framework/docs/docs/secure-systems/prevent-lateral-movement.mdx +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/prevent-lateral-movement.mdx @@ -5,23 +5,27 @@ description: Implement service mesh and zero trust security to prevent lateral m # Prevent lateral movement -This guide describes one of the foundational approaches to safeguard and protect against -“bad actors” following the well documented [MITRE ATT&CK -framework](https://attack.mitre.org/docs/attack_matrix_poster_2024_april.pdf) -(lateral movement). +Providing access to infrastructure resources is inevitable. With the proper +guardrails, as discussed in [secure human access to +infrastructure](/well-architected-framework/docs/secure-systems/infrastructure/secure-access/), +you can reduce the risk of unauthorized access. However, if an attacker gains +access to one resource, they may attempt to move laterally through your +environment to compromise additional resources. -## Lateral movement techniques +## What is lateral movement? Lateral movement is the act of moving through the environment from a compromised -resource into an uncompromised one by exploiting the assumption that the former -is secure. The following diagram shows the lateral movement techniques attackers -commonly use to compromise systems through unauthorized means. +resource into an uncompromised resource by exploiting the assumption that the compromised +resource is secure. - +The [MITRE ATT&CK framework](https://attack.mitre.org/docs/attack_matrix_poster_2024_april.pdf) +provides an overview of lateral movement techniques that you can use to secure +your infrastructure. -![Anatomy of a cyber attack](/img/well-architected-framework/anatomy-cyber-attack-1.png) +The following diagram shows the lateral movement techniques attackers +commonly use to compromise systems through unauthorized means. - +![Anatomy of a cyber attack](/img/well-architected-framework/anatomy-cyber-attack-1.png) Common techniques include: @@ -37,14 +41,10 @@ Common techniques include: With various techniques available to anyone, you need to protect your organization with a solution that stops lateral movement through bi-directional -or mutual transport layer security or (mTLS). +or mutual transport layer security (mTLS). -External resources: - -- [What is the MITRE ATT&CK framework?](https://www.ibm.com/think/topics/mitre-attack) - ## Secure cloud native applications In the traditional datacenter approach to network security, network @@ -54,26 +54,15 @@ VLANs. Following this model, however, might allow a compromised system in one VLAN to access services in other VLANs without proper authentication and authorization. -In modern applications that use a cloud native approach, dynamic (or ephemeral) -services come up and down often. These services need to establish secure -connections and not rely on long-lived secrets or manual authentication processes. - -External resources: - -- [Authentication vs authorization: understanding the difference](https://www.cncf.io/blog/2024/07/23/authentication-vs-authorization-understanding-the-difference/) -- [OWASP Cloud-Native Application Security Top 10](https://owasp.org/www-project-cloud-native-application-security-top-10/) +Modern infrastructure and applications that use a cloud native approach, dynamic +(or ephemeral) services come up and down often. These services need to establish +secure connections and not rely on long-lived secrets or manual authentication +processes. -## Implement a service mesh +## Prevent lateral movement with Consul service mesh - - -![Service Mesh 101](/img/well-architected-framework/service-mesh-1.png) - - - -With the rise of cloud native practices, organizations need to ensure they have -secure, resilient, and performant applications while reducing complexity at -scale. +HashiCorp Consul enables you to secure communication between systems by +leveraging mTLS between systems in the service mesh. A service mesh is an infrastructure layer that manages communication between services for distributed applications. Rather than @@ -82,6 +71,8 @@ abstracts these concerns into a separate layer. This allows services to communicate through the mesh infrastructure without needing to understand the underlying network. +![Service Mesh 101](/img/well-architected-framework/service-mesh-1.png) + The benefits of a service mesh include enhanced observability, security, and reliability. It provides load balancing, traffic routing, and failure handling without requiring code changes. Security is strengthened through @@ -91,26 +82,10 @@ mesh handles operational concerns like retries, timeouts, circuit breaking, and canary deployments, ultimately reducing complexity and improving the maintainability of large-scale distributed systems. - - -HashiCorp's service mesh solution, Consul, enables practitioners to achieve this -today by leveraging mTLS between services in the mesh. - -HashiCorp resources: - -- [What is Consul?](/consul/docs/intro) -- [Consul service mesh](/consul/docs/use-case/service-mesh) -- [Consul service mesh in production with Nomad](/nomad/tutorials/integrate-consul/service-mesh-production-checklist) - -External resources: - -- [NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture](https://csrc.nist.gov/pubs/sp/800/204/a/final) -- [OWASP Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html) - -## Enable secrets management +## Centralize secrets management with Vault Running a service mesh introduces its own set of challenges. Organizations need -to secure, and manage the service mesh configuration and supporting resources. +to secure and manage the service mesh configuration and supporting resources. An example of some of these resources in a mesh are: - Server TLS credentials @@ -122,11 +97,11 @@ An example of some of these resources in a mesh are: - Gossip encryption key - Snapshot agent configuration -If you're using a service mesh today you should consider the level of effort to +If you're using a service mesh today, you should consider the level of effort to store the secrets associated with the service mesh. -Centralization of secrets across your environments are essential to stop a -lateral attack among other vulnerabilities. Identity is the new perimeter and +Centralization of secrets across your environments is essential to stop a +lateral attack, among other vulnerabilities. Identity is the new perimeter, and identity is a secret. Managing multiple secrets may lead to secret sprawl. @@ -137,17 +112,44 @@ identity is a secret. Managing multiple secrets may lead to secret sprawl. HashiCorp Vault can help practitioners simplify these workloads and centralize these secrets. Vault's secrets engines give teams solutions for various -use cases trying to manage secrets. +use cases, trying to manage secrets. HashiCorp resources: +- [What is Consul?](/consul/docs/intro) +- [Consul service mesh](/consul/docs/use-case/service-mesh) +- [Consul service mesh in production with Nomad](/nomad/tutorials/integrate-consul/service-mesh-production-checklist) - [What is "secret sprawl" and why is it harmful?](https://www.hashicorp.com/resources/what-is-secret-sprawl-why-is-it-harmful) - [Vault for secrets management with Consul](/consul/docs/integrate/vault/k8s) - [Identify, prevent, and manage leaked secrets](/well-architected-framework/secure-systems/secrets/manage-leaked-secrets) External resources: +- [What is the MITRE ATT&CK framework?](https://www.ibm.com/think/topics/mitre-attack) +- [Authentication vs authorization: understanding the difference](https://www.cncf.io/blog/2024/07/23/authentication-vs-authorization-understanding-the-difference/) +- [OWASP Cloud-Native Application Security Top 10](https://owasp.org/www-project-cloud-native-application-security-top-10/) +- [NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture](https://csrc.nist.gov/pubs/sp/800/204/a/final) +- [OWASP Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html) - [NIST SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management](https://csrc.nist.gov/pubs/sp/800/63/b/4/2pd) -- [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html) \ No newline at end of file +- [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html) + +## Next steps + +In this section of how to Secure infrastructure, you learned why it is important to +secure infrastructure against lateral movement attacks. Unmanaged traffic creates risks for +your company's security programs, leading to leaked secrets, or unauthorized +access to data. Prevent lateral movement is +part of the [Secure systems pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organization's security program. + +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) **(this document)** diff --git a/content/well-architected-framework/docs/docs/secure-systems/infrastructure/secure-access.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/secure-access.mdx new file mode 100644 index 0000000000..11fc852fda --- /dev/null +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/secure-access.mdx @@ -0,0 +1,209 @@ +--- +page_title: Secure human access to infrastructure +description: Learn how to secure human access to infrastructure with modern identity management, ephemeral credentials, and zero-trust security. +--- + +# Secure human access to infrastructure + +The move to cloud-native and ephemeral resources has changed how +people think about securing access to infrastructure. Regardless of your +deployment methodology, your teams still need to access infrastructure for +troubleshooting and incident response. + +In traditional infrastructure deployments, you might have used bastion hosts or VPNs +to provide secure access to infrastructure. However, these methods can introduce +additional attack surfaces and may not align with modern security best +practices. Managing access to infrastructure typically relied on long-lived, +static credentials. Long-lived credentials increase the risk of compromise, +leading to unauthorized access. + +## Why secure human access to infrastructure? + +Securing human access to infrastructure is critical to protect against +unauthorized access and potential threats. Organizations must implement a strong +identity and access management program, including: + +- [**Define access + requirements:**](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements) + to ensure only authorized users can access infrastructure. +- [**Ensure access follows the principle of least + privilege:**](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege) + to ensure users have only the minimum access necessary to perform their job functions. +- [**Centralize authentication and + authorization:**](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management) + to protect against unauthorized access and simplify identity management. +- [**Use strong authentication + methods:**](/well-architected-framework/secure-systems/identity-access-management/implement-strong-sign-in-workflows) + to protect against credential theft and unauthorized access. +- [**Switch to ephemeral, dynamic + credentials:**](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials) + to reduce the risk of credential compromise. +- [**Audit and manage account + access:**](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle) + to ensure access is reviewed and revoked when no longer needed. + +Implementing an effective identity and access management program sets the +foundation to secure human access to infrastructure. + +## Deploy access controls with Terraform + +HashiCorp Terraform helps you adapt to how you manage and audit infrastructure +access. Instead of platform engineers accessing infrastructure directly, they +use Terraform to define and manage infrastructure as code. + +- **Eliminates direct console access** - Teams interact with infrastructure through code review and approval processes rather than direct cloud console access +- **Enforces change management** - All infrastructure modifications must go through version control, peer review, and approval workflows +- **Provides complete audit trails** - Every infrastructure change is documented in Git history with author, timestamp, and approval records +- **Enables policy enforcement** - Terraform Cloud/Enterprise can enforce organization-wide security policies that prevent non-compliant infrastructure deployment +- **Supports least-privilege access** - Teams only need access to version control and CI/CD systems, not direct infrastructure APIs + +For example, rather than an engineer logging into the Azure portal to deploy a +virtual machine, platform engineers write or update a Terraform configuration, +commit the configuration to version control. + +```hcl +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~>3.0" + } + } +} + +provider "azurerm" { + features {} +} + +resource "azurerm_virtual_machine" "example" { + name = "example-vm" + location = "East US" + resource_group_name = "existing-rg" + network_interface_ids = [ + azurerm_network_interface.example.id, + ] + vm_size = "Standard_B1s" + + storage_image_reference { + publisher = "Canonical" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" + version = "latest" + } + + storage_os_disk { + name = "example-osdisk" + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "Standard_LRS" + } + + os_profile { + computer_name = "hostname" + admin_username = "testadmin" + admin_password = "Password1234!" + } + + os_profile_linux_config { + disable_password_authentication = false + } +} + +resource "azurerm_network_interface" "example" { + name = "example-nic" + location = "East US" + resource_group_name = "existing-rg" + + ip_configuration { + name = "testconfiguration1" + subnet_id = "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/existing-rg/providers/Microsoft.Network/virtualNetworks/existing-vnet/subnets/existing-subnet" + private_ip_address_allocation = "Dynamic" + } +} +``` + +Once the team approves the changes, and ensures the changes align with their +organizational security and compliance policies, the platform engineer runs Terraform +to apply the changes to the infrastructure, or uses a GitOps workflow to deploy +the configuration once you approve and merge the changes. Using Terraform provides a +clear audit trail of who made changes to the infrastructure and when, without +the need for direct access to the infrastructure or platform itself. + +For larger platform teams, you can also use HCP Waypoint to enable developer +self-service for common provisioning tasks. Waypoint provides a self-service +workflow for application and infrastructure deployments. Waypont abstracts the +infrastructure complexity away from developers, allowing them to deploy +applications without needing direct access to the underlying infrastructure. + +- **Reduces developer infrastructure access needs** - Developers deploy applications through Waypoint's interface rather than requiring cloud console access +- **Enforces deployment standards** - Platform teams define secure deployment patterns that developers automatically follow +- **Integrates with existing CI/CD** - Works with Git workflows to enable deployment without manual infrastructure interaction +- **Provides deployment visibility** - Teams can track application deployments without needing infrastructure monitoring access + +Using Waypoint further reduces the number of people who need direct +infrastructure access, supporting the principle of least privilege while also +improving developer productivity. + +## Secure remote access with Boundary + +HashiCorp Boundary is a modern access management solution that provides secure access to +infrastructure without the need for bastion hosts or VPNs. + +- **Eliminates SSH key distribution** - No need to manage, rotate, or secure SSH private keys across teams +- **Session-based access** - Creates temporary, auditable connections that automatically expire +- **Multi-hop architecture** - Securely access private resources without exposing network topology or requiring VPN infrastructure +- **Integration with identity providers** - Leverages existing Active Directory, LDAP, or cloud identity services for authentication +- **Dynamic target discovery** - Automatically discovers and provides access to infrastructure resources based on user permissions + + + +Boundary supports dynamic, ephemeral credentials to +reduce the risk of credential compromise by integrating with HashiCorp Vault. +Boundary also provides detailed session recording and auditing capabilities to +monitor access to infrastructure. + +## Use dynamic credential management with Vault + +HashiCorp Vault has several features that help secure access to your +infrastructure. As discussed with Boundary, Vault can generate dynamic, +ephemeral credentials for accessing infrastructure, reducing the risk of +credential compromise. Vault can also act as a centralized identity provider, if +you do not have an existing identity provider, to manage authentication and +authorization for accessing infrastructure. + +- **Just-in-time credential generation** - Creates database passwords, cloud access keys, and SSH certificates on demand +- **Automatic credential revocation** - Credentials expire automatically, reducing the window of compromise +- **Centralized secret rotation** - Automatically rotates static credentials (API keys, database passwords) without service disruption +- **Audit and compliance** - Complete logging of who accessed what secrets and when +- **Boundary + Vault integration** - Boundary retrieves database passwords from Vault at session start, eliminating shared credentials +- **Terraform + Vault integration** - Terraform retrieves cloud credentials from Vault for deployments, no long-lived service account keys +- **SSH certificate authority** - Vault issues short-lived SSH certificates instead of managing static SSH keys + +HashiCorp resources: + +- [Get started with Boundary](/boundary/tutorials/get-started-hcp) +- [Boundary credential management with Vault](/boundary/tutorials/credential-management) +- [Build a GitOps pipeline to deploy a three-tier application](/terraform/tutorials/hashicorp/gitops) + +External resources: + +- [NIST digital identity guidelines](https://pages.nist.gov/800-63-3/) + +## Next steps + +In this section of how to Secure infrastructure, you learned why it is important to +secure access to your infrastructure. Ensuring security +programs use a comprehensive approach to infrastructure access helps your +organization reduce security threats. Secure human access to infrastructure is +part of the [Secure systems pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organizations security program. + +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) **(this document)** +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) diff --git a/content/well-architected-framework/docs/docs/secure-systems/infrastructure/zero-trust-security.mdx b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/zero-trust-security.mdx new file mode 100644 index 0000000000..f875b76142 --- /dev/null +++ b/content/well-architected-framework/docs/docs/secure-systems/infrastructure/zero-trust-security.mdx @@ -0,0 +1,129 @@ +--- +page_title: Implement zero trust security and networking +description: Learn how a zero trust security model enhances security by eliminating implicit trust and continuously verifying access requests. +--- + +# Implement zero trust security and networking + +In traditional infrastructure, security focused on securing the network perimeter +using firewalls, VPNs, and other network security tools. + +Securing modern infrastructure requires a new approach to security. While most +of the security principles and tools are still utilized, how you implement a +strong security program has changed. + +In the secure infrastructure series, you will learn about the importance of +shifting your security focus to identities, instead of the traditional network +perimeter. You will also see the importance of incorporating security into your +organization's culture, enabling security automation to improve efficiency and +reduce human error. You will then review how you should manage ingress and +egress (north-south) traffic and prevent lateral +movement to stop unauthorized access and data exfiltration. + +In the secure infrastructure section, you will learn how to adapt your security +program to support modern infrastructure using identities and automation to +establish a zero trust architecture. + +## What is a zero trust network architecture? + +Zero trust security is a security model that eliminates the concept of trusted +networks and requires verification for every user, device, and application +attempting to access resources. Unlike traditional perimeter-based security, +which assumes everything inside the network is safe, zero-trust security +operates on the principle of "never trust, always verify." + +In the following video, HashiCorp co-founder Armon Dadgar discusses the zero +trust security model and how it can protect your organization. + + + +Throughout this series, you will see how HashiCorp tools work together, so you +can create a strong security model following zero trust principles across your +infrastructure. + +1. **Terraform manages infrastructure changes:** + + - Engineers modify infrastructure through code review. + - [CI/CD](/well-architected-framework/define-and-automate-processes/automate/cicd) + systems use Vault-generated cloud credentials. + - No human has direct cloud console access. + +1. **Vault manages secrets and identities:** + + - Manages static and dynamic secrets. + - Creates a trusted identity platform to authenticate and authorize users and + devices. + - Issues just-in-time credentials for infrastructure access. + - Manages certificates for both PKI and certificate-based authentication. + +1. **Boundary and Vault provide access to infrastructure:** + + - Support teams access infrastructure through Boundary. + - Vault provides just-in-time credentials for each session. + - All access is temporary, audited, and automatically expires. + +1. **Consul enables network security:** + + - API gateways and ingress controllers manage north-south traffic with identity-based policies. + - Service mesh provides automatic mTLS encryption and service-to-service authorization. + - Service intentions define which services can communicate, providing + micro-segmentation that blocks unauthorized lateral movement. + +1. **Waypoint allows developer self-service:** + + - Developers deploy through standardized workflows without infrastructure access. + - Platform teams define secure deployment patterns that developers automatically follow. + - Reduces the number of people requiring direct infrastructure permissions. + +Combining these tools creates a strong foundation for a zero-trust model where +access to infrastructure is both secure and auditable without sacrificing +operational efficiency. + + + +Other services to complete your zero trust architecture include: + +- **Identity providers** - Centralized [identity and access management + systems](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements) + (Okta, Azure AD, Ping Identity) that integrate with Vault to provide SSO and + MFA capabilities. +- **SIEM solutions** - Security Information and Event Management (SIEM) + solutions (Splunk, ELK Stack, Grafana) that collect and analyze logs + from Vault, Boundary, Consul, and other systems to provide real-time + monitoring and alerting. +- **Endpoint security solutions** - Tools that ensure devices accessing the + network meets security standards, such as antivirus software, firewalls, and + endpoint detection and response (EDR) solutions. + +HashiCorp resources: + +- [Get started with Vault](/vault/tutorials/get-started) +- [Get started with Boundary](/boundary/tutorials/get-started-hcp) +- [Get started with Consul](/consul/tutorials/get-started-kubernetes) +- [Get started with Waypoint](/waypoint/tutorials/hcp-waypoint) + +External resources: + +- [The Evolution of Zero Trust and the Frameworks that Guide It](https://www.ibm.com/think/insights/the-evolution-of-zero-trust-and-the-frameworks-that-guide-it) +- [NIST Zero Trust Architecture](https://www.nist.gov/publications/zero-trust-architecture) + +## Next steps + +In this section of how to Secure infrastructure, you learned about the tools and +workflows needed to implement a zero trust security model. Integrating +HashiCorp tools into your infrastructure and network architecture enables auditable +infrastructure changes, secure access to infrastructure following the principle +of least privilege, and properly managed secrets. Implement zero trust security +and networking is part of the [Secure systems +pillar](/well-architected-framework/secure-systems). + +Following these documents in order ensures a logical progression through the key +concepts and best practices, helping you build a strong foundation for your +organization's security program. + +- [Implement zero trust security and networking](/well-architected-framework/secure-systems/infrastructure/zero-trust-security) **(this document)** +- [How to secure cloud infrastructure with identity-based access control](/well-architected-framework/secure-systems/infrastructure/identity-new-perimeter) +- [Build a culture of security automation](/well-architected-framework/secure-systems/infrastructure/build-culture-security) +- [Secure network traffic with ingress and egress](/well-architected-framework/secure-systems/infrastructure/manage-network-ingress-egress) +- [Secure human access to infrastructure](/well-architected-framework/secure-systems/infrastructure/secure-access) +- [Prevent lateral movement](/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement) diff --git a/content/well-architected-framework/docs/templates/prompts.md b/content/well-architected-framework/docs/templates/prompts.md new file mode 100644 index 0000000000..1f57fa10c3 --- /dev/null +++ b/content/well-architected-framework/docs/templates/prompts.md @@ -0,0 +1,20 @@ +Before proceeding, add style-guide directory to chat context. + +1. Are there any spelling errors in this document? + +1. Are there any US english grammar errors in this document? + +1. Check this file for any confusing statements + +1. Using the information from the style-guide directory, are there any problems + with not following the recommendations?? + +1. Is this technically accurate? + +1. Can i better describe how hashicorp tools help? + +1. looking at all docs in the directory, are there any inconsistencies + in technical explanation of concepts that could be better aligned, + inconsistent formatting for links, lists, etc? + +1. Are there any sentances that start with `this`? \ No newline at end of file diff --git a/content/well-architected-framework/redirects.jsonc b/content/well-architected-framework/redirects.jsonc index 7c2bfd473a..d66d205b4b 100644 --- a/content/well-architected-framework/redirects.jsonc +++ b/content/well-architected-framework/redirects.jsonc @@ -202,5 +202,15 @@ "source": "/well-architected-framework/nomad/production-reference-architecture-vm-with-consul", "destination": "/nomad/tutorials/enterprise/production-reference-architecture-vm-with-consul", "permanent": true + }, + { + "source": "/well-architected-framework/secure-systems/prevent-lateral-movement", + "destination": "/well-architected-framework/secure-systems/infrastructure/prevent-lateral-movement", + "permanent": true + }, + { + "source": "/well-architected-framework/secure-systems/zero-trust-security", + "destination": "/well-architected-framework/secure-systems/infrastructure/zero-trust-security", + "permanent": true } ]