AWS Environment

Root privileges

RapidFort AWS MarketPlace deployment doesn't require root privileges. An IAM role is required to connect with S3 to store data.

Policy of Least Privilege

RapidFort requires the following:

  • IAM policy that grants Read/Write/List/Delete privileges for an S3 bucket for the storage of RapidFort data
  • Networking and security policy that grants inbound access on port 443 and outbound access to the world:
    • over port 443
    • over port 574
  • Access to a Writer RDS instance for the storage of RapidFort information
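The following is an added example, not RapidFort's own code or policy: it builds an IAM policy that grants exactly the Read/Write/List/Delete rights on one S3 bucket listed above, and lints an arbitrary policy document and security-group rule set against that scope (inbound 443 only; outbound 443 and 574 only). The bucket name and the (protocol, from_port, to_port) rule shape are assumptions made for illustration.

```python
import json

# Added example (not RapidFort's code). The bucket name below and the
# (protocol, from_port, to_port) tuple shape for security-group rules are
# assumptions chosen for illustration.

# The four S3 capabilities the deployment needs: Read/Write/List/Delete.
S3_ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject",
                      "s3:DeleteObject", "s3:ListBucket"}


def least_privilege_s3_policy(bucket: str) -> dict:
    """Read/Write/List/Delete on exactly one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListBucket applies to the bucket ARN itself ...
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            # ... while object operations apply to the keys under it.
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(v):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]


def check_policy_scope(policy: dict, bucket: str) -> list:
    """Return findings for Allow statements that exceed the single-bucket scope."""
    findings = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in S3_ALLOWED_ACTIONS:
                findings.append(
                    f"statement {i}: action {action} outside Read/Write/List/Delete")
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed_resources:
                findings.append(
                    f"statement {i}: resource {res} is not the RapidFort bucket")
    return findings


def check_security_group(ingress: list, egress: list) -> list:
    """Rules are (protocol, from_port, to_port) tuples (constructed shape).
    Expected: inbound only tcp/443, outbound only tcp/443 and tcp/574."""
    findings = []
    for proto, lo, hi in ingress:
        if not (proto == "tcp" and lo == hi == 443):
            findings.append(f"ingress {proto} {lo}-{hi} is broader than port 443")
    for proto, lo, hi in egress:
        if not (proto == "tcp" and lo == hi and lo in (443, 574)):
            findings.append(f"egress {proto} {lo}-{hi} is broader than ports 443/574")
    return findings


if __name__ == "__main__":
    policy = least_privilege_s3_policy("rapidfort-data-example")  # constructed name
    print(json.dumps(policy, indent=2))
    print("policy findings:", check_policy_scope(policy, "rapidfort-data-example"))
    print("sg findings:", check_security_group(
        [("tcp", 443, 443)], [("tcp", 443, 443), ("tcp", 574, 574)]))
```

Run `check_policy_scope` over the JSON of the role's attached policy (for example the output of `aws iam get-policy-version`) and `check_security_group` over the security group's rules to confirm that the deployed role and group have not drifted beyond what the page requires; an empty findings list means the scope matches.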

Public Resources

No public resources are deployed as part of RapidFort deployment.

IAM Roles

Refer to the IAM section of the RapidFort On-Premise deployment documentation.

Encryption Keys

RapidFort AWS Marketplace deployment doesn't require encryption key creation.

Storage of Secrets

RapidFort uses Kubernetes secrets to store sensitive data. Refer to the RapidFort GitHub Helm chart for the full list of secrets; the secret template is reproduced below.

AWS_ACCESS_KEY_ID: {{ default "" .Values.secret.aws_access_key_id | b64enc | quote }}
AWS_SECRET_ACCESS_KEY: {{ default "" .Values.secret.aws_secret_access_key | b64enc | quote }}
AWS_DEFAULT_REGION: {{ default "us-east-1" .Values.secret.aws_default_region | b64enc | quote }}
RF_ROLE_ARN: {{ default "" .Values.secret.aws_role_arn | b64enc | quote }}
RF_S3_BUCKET: {{ required "\nERROR: s3 bucket not set!\nUpdate secret.s3_bucket inside chart/values.yaml file." .Values.secret.s3_bucket | b64enc | quote }}
RF_STORAGE_TYPE: {{ required "\nERROR: storage type not set!\nUpdate secret.storage_type inside chart/values.yaml file." .Values.secret.storage_type | b64enc | quote }}
RF_GS_CREDS: {{ default "" .Values.secret.gs_cred | b64enc | quote }}
USERNAME_SMTP: {{ default "" .Values.secret.smtp_username | b64enc | quote }}
PASSWORD_SMTP: {{ default "" .Values.secret.smtp_password | b64enc | quote }}
SOURCE_ARN: {{ default "" .Values.secret.smtp_source_arn | b64enc | quote }}
KEYCLOAK_JWT_PUB_KEY: {{ default "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0EwFCzsmzWgn7A8A40hzX1kPHab0WZTmUF8OwHt7fyds6sBiSDPnLIh0BgmXIO2WIrGzARm9dVUeAWI/aUI7qucfgYgW7XSwwz7X/IrX6DExsNZzTLxgIfDJR/WP0fo1vO10BQDAtJxEkX5YvFitBFzg4FLKMZP5inAFM21+jfjD2ufi7NWTyFJR6YCLGFma29XHE75yE76+Xq8eH3DI/8xmrU5hw1Yk5GrABf4KYTijsp+QLQZkEycYvfJEPEMigwnARdp6C3VDp/T8OL1hb2YtrZ4vjZ80azEicQ3ea/R05JK6ikfik2SlC5Rm0Ore0Rh4jB1tI51biVa0smsiwIDAQAB" .Values.secret.keycloak_jwt_pub_key | b64enc | quote }}
KEYCLOAK_CLIENT_ID: {{ default "scanners" .Values.secret.keycloak_client_id | b64enc | quote }}
KEYCLOAK_REALM: {{ default "customers" .Values.secret.keycloak_realm | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID: {{ default "admin-cli" .Values.secret.keycloak_service_account_client_id | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: {{ default "5b97220c-838a-4186-bcdd-8cdb77d0e0f3" .Values.secret.keycloak_service_account_client_secret | b64enc | quote }}
DB_URL: {{ default "mysql+mysqldb://root:RF-123579@mysql/standalone" .Values.secret.db_url | b64enc | quote }}
RF_APP_HOST: {{ default "" .Values.secret.rf_app_host | b64enc | quote }}
RF_APP_ADMIN: {{ required "\nERROR: admin user not set!\nUpdate secret.rf_app_admin inside chart/values.yaml file." .Values.secret.rf_app_admin | b64enc | quote }}
RF_APP_ADMIN_PASSWD: {{ required "\nERROR: admin password not set!\nUpdate secret.rf_app_admin_passwd inside chart/values.yaml file." .Values.secret.rf_app_admin_passwd | b64enc | quote }}
DEPLOY_MODE: {{ default "STANDALONE" .Values.secret.deploy_mode | b64enc | quote }}
RF_VERBOSE: {{ default "0" .Values.secret.rf_verbose | toString | b64enc | quote }}

Users are responsible for protecting their secrets using SOPS, Vault, or other sealed secret mechanisms. RapidFort does not share or log any secrets.
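Since the chart template above ships literal defaults for DB_URL and KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET, a practical check before (or after) installing is to confirm those defaults were overridden in values.yaml. The following added example, which is not RapidFort's code, imitates the template's `default` / `required` / `b64enc` pipeline for the credential-bearing keys and audits a rendered secret for values still equal to the chart defaults. It covers only those keys, not the full Helm engine; the values.yaml contents in it are constructed.

```python
import base64

# Added example, not RapidFort's code. Imitates only the default/required/b64enc
# pipeline of the chart template for a subset of keys; the values below are
# constructed. A real rendered secret can be audited the same way by passing
# the "data" map from `kubectl get secret <name> -o json` to audit_secret().

# (secret key, values.secret field, default) copied from the template;
# default None marks a key the template wraps in `required`.
TEMPLATE = [
    ("AWS_ACCESS_KEY_ID", "aws_access_key_id", ""),
    ("AWS_SECRET_ACCESS_KEY", "aws_secret_access_key", ""),
    ("RF_ROLE_ARN", "aws_role_arn", ""),
    ("RF_S3_BUCKET", "s3_bucket", None),
    ("RF_STORAGE_TYPE", "storage_type", None),
    ("KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET", "keycloak_service_account_client_secret",
     "5b97220c-838a-4186-bcdd-8cdb77d0e0f3"),
    ("DB_URL", "db_url", "mysql+mysqldb://root:RF-123579@mysql/standalone"),
    ("RF_APP_ADMIN", "rf_app_admin", None),
    ("RF_APP_ADMIN_PASSWD", "rf_app_admin_passwd", None),
]

# Keys whose chart default is itself a credential and must be overridden.
CREDENTIAL_DEFAULT_KEYS = ["DB_URL", "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET"]


def b64enc(s: str) -> str:
    """Helm's b64enc: standard base64 of the string."""
    return base64.b64encode(s.encode()).decode()


def render_secret(values: dict) -> dict:
    """Produce the secret's base64 data map: `default` falls back, `required` fails."""
    secret = values.get("secret", {})
    data = {}
    for key, field, default in TEMPLATE:
        val = secret.get(field)
        if val in (None, ""):  # Helm's `default` treats an empty value as unset
            if default is None:
                raise ValueError(
                    f"ERROR: {field} not set! Update secret.{field} inside chart/values.yaml file.")
            val = default
        data[key] = b64enc(str(val))
    return data


def decode_secret(data: dict) -> dict:
    """Reverse b64enc for every key of a secret's data map."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def audit_secret(data: dict) -> list:
    """Findings for a rendered secret that still carries chart-default credentials."""
    defaults = {key: default for key, _, default in TEMPLATE}
    decoded = decode_secret(data)
    findings = []
    for key in CREDENTIAL_DEFAULT_KEYS:
        if decoded.get(key) == defaults[key]:
            findings.append(f"{key} still uses the chart default credential")
    # Assumption for this example: S3 access needs either a role ARN or static keys.
    if not decoded.get("RF_ROLE_ARN") and not decoded.get("AWS_ACCESS_KEY_ID"):
        findings.append("neither RF_ROLE_ARN nor AWS_ACCESS_KEY_ID is set")
    return findings


if __name__ == "__main__":
    values = {"secret": {  # constructed values.yaml content
        "s3_bucket": "rapidfort-data-example", "storage_type": "s3",
        "rf_app_admin": "admin@example.com", "rf_app_admin_passwd": "change-me",
        "aws_role_arn": "arn:aws:iam::123456789012:role/rapidfort-example",
    }}
    for finding in audit_secret(render_secret(values)):
        print("FINDING:", finding)
```

The same `audit_secret` works on a live cluster: feed it the `data` map of the deployed secret and it reports whether the root MySQL URL or the Keycloak service-account secret from the chart is still in use.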

Storage of Customer Sensitive Data

Customer sensitive data is stored in the following locations:

  • MySQL (RDS)
  • S3

Container image data may be cached locally on EKS nodes (Kubernetes deployment) or the EC2 instance (AMI deployment).

Data Encryption Configuration

RapidFort AWS MarketPlace deployment supports data encryption for the following services:

  1. S3
  2. RDS MySQL
  3. EBS

Customers can follow AWS documentation to enable Data Encryption for these services without impacting RapidFort applications.

Network Configuration

Refer to the Server - Installing RapidFort SASM on-premises (AWS Commercial Cloud and AWS GovCloud) section for network configuration details.

Instance MetaData Service v1

RapidFort AWS deployment doesn't require the AWS Instance Metadata Service. Customers can choose to disable Instance MetaData Service v1 by following the AWS guide.
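The following added example, not RapidFort's or AWS's code, serves both the Data Encryption Configuration section and the IMDSv1 note: it evaluates the response shapes of the AWS APIs that describe S3 default encryption, RDS storage encryption, EBS volume encryption and EC2 instance metadata options, and reports anything not in the hardened state (encryption missing, or `HttpTokens` not `required`, which is the setting that disables IMDSv1). The responses embedded in it are constructed samples in the shape returned by boto3's `get_bucket_encryption`, `describe_db_instances`, `describe_volumes` and `describe_instances`; the resource identifiers are made up.

```python
# Added example (not RapidFort's or AWS's code). The four SAMPLE_* responses are
# constructed in the shape boto3 returns for get_bucket_encryption,
# describe_db_instances, describe_volumes and describe_instances; identifiers
# are made up. Fetching real responses from an account is left to the reader.

SAMPLE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "example-key-id"}}]}}

SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "rapidfort-db-example", "StorageEncrypted": True}]}

SAMPLE_EBS = {"Volumes": [
    {"VolumeId": "vol-0example0001", "Encrypted": True},
    {"VolumeId": "vol-0example0002", "Encrypted": False}]}

SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0example0002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}]}]}


def s3_default_encryption(resp) -> bool:
    """True when the bucket has a default SSE rule. boto3 raises
    ServerSideEncryptionConfigurationNotFoundError for a bucket without one;
    pass None in that case."""
    if not resp:
        return False
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in r for r in rules)


def unencrypted_rds(resp: dict) -> list:
    """Identifiers of RDS instances whose storage is not encrypted at rest."""
    return [db["DBInstanceIdentifier"] for db in resp.get("DBInstances", [])
            if not db.get("StorageEncrypted")]


def unencrypted_volumes(resp: dict) -> list:
    """IDs of EBS volumes that are not encrypted."""
    return [v["VolumeId"] for v in resp.get("Volumes", []) if not v.get("Encrypted")]


def imdsv1_enabled_instances(resp: dict) -> list:
    """IDs of instances still answering IMDSv1 requests.
    HttpTokens 'optional' keeps v1 available; 'required' forces IMDSv2."""
    ids = []
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
            if endpoint_on and opts.get("HttpTokens") != "required":
                ids.append(inst["InstanceId"])
    return ids


def audit(s3_resp, rds_resp, ebs_resp, ec2_resp) -> list:
    """Collect all findings across the four services."""
    findings = []
    if not s3_default_encryption(s3_resp):
        findings.append("S3 bucket has no default encryption rule")
    findings += [f"RDS {i} not encrypted" for i in unencrypted_rds(rds_resp)]
    findings += [f"EBS {v} not encrypted" for v in unencrypted_volumes(ebs_resp)]
    findings += [f"EC2 {i} still allows IMDSv1" for i in imdsv1_enabled_instances(ec2_resp)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_S3, SAMPLE_RDS, SAMPLE_EBS, SAMPLE_EC2):
        print("FINDING:", finding)
```

For any instance the audit lists, `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled` switches it to IMDSv2-only; the encryption findings are resolved through the AWS documentation the page refers to, which the text says does not affect the RapidFort application.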