Root privileges
RapidFort AWS MarketPlace deployment doesn't require root privileges. An IAM role is required to connect with S3 to store data.
Policy of Least Privilege
RapidFort requires the following:
- An IAM policy that grants Read/Write/List/Delete privileges on the S3 bucket used to store RapidFort data
- A networking and security policy that grants inbound access on port 443 and outbound access to the internet, including:
  - api.rapidfort.com over port 443
  - email-smtp.us-east-1.amazonaws.com over port 574
- Access to a writer RDS instance for the storage of RapidFort information
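The S3 requirement above names capabilities (Read/Write/List/Delete), not API actions. The following added example, which is not part of the RapidFort documentation or Helm chart, maps those capabilities onto the S3 actions that implement them, builds a policy scoped to a single bucket, and includes a small checker that flags wildcard actions, actions outside the required set, and resources other than the RapidFort bucket. The bucket name is a constructed placeholder, and the capability-to-action mapping is this example's assumption.

```python
"""Least-privilege S3 policy for the RapidFort data bucket, plus a scope checker.

Added example; not RapidFort's own policy. The bucket name is a placeholder.
"""
import json

BUCKET = "rapidfort-data-bucket-PLACEHOLDER"  # constructed placeholder, replace with the real bucket

# Assumed mapping of the page's four capabilities onto S3 API actions.
REQUIRED_ACTIONS = {
    "Read": ["s3:GetObject"],
    "Write": ["s3:PutObject"],
    "List": ["s3:ListBucket"],
    "Delete": ["s3:DeleteObject"],
}


def build_policy(bucket):
    """Return an IAM policy document scoped to exactly one bucket.

    ListBucket applies to the bucket ARN; object actions apply to objects under it.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListRapidFortBucket",
                "Effect": "Allow",
                "Action": REQUIRED_ACTIONS["List"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "ObjectAccessRapidFortBucket",
                "Effect": "Allow",
                "Action": REQUIRED_ACTIONS["Read"]
                + REQUIRED_ACTIONS["Write"]
                + REQUIRED_ACTIONS["Delete"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def policy_findings(policy, bucket):
    """Return a list of findings; an empty list means every Allow statement
    is limited to the required actions and to the named bucket."""
    findings = []
    allowed = {a for acts in REQUIRED_ACTIONS.values() for a in acts}
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts either a string or a list for both fields; normalise to lists.
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in allowed:
                findings.append(f"{sid}: action {action} is not in the required set")
        for resource in resources:
            if resource not in (bucket_arn, f"{bucket_arn}/*"):
                findings.append(f"{sid}: resource {resource} is not the RapidFort bucket")
    return findings


if __name__ == "__main__":
    policy = build_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, BUCKET))
```

Run the checker against the policy actually attached to the RapidFort role after deployment; any finding means the role can do more than the page says it needs.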
Public Resources
No public resources are deployed as part of RapidFort deployment.
IAM Roles
Refer to the IAM section of the RapidFort On-Premise deployment documentation.
Encryption Keys
RapidFort AWS MarketPlace deployment doesn't require encryption key creation.
Storage of Secrets
RapidFort uses Kubernetes secrets to store sensitive data. Refer to the RapidFort GitHub Helm chart for the full list of secrets:
AWS_ACCESS_KEY_ID: {{ default "" .Values.secret.aws_access_key_id | b64enc | quote }}
AWS_SECRET_ACCESS_KEY: {{ default "" .Values.secret.aws_secret_access_key | b64enc | quote }}
AWS_DEFAULT_REGION: {{ default "us-east-1" .Values.secret.aws_default_region | b64enc | quote }}
RF_ROLE_ARN: {{ default "" .Values.secret.aws_role_arn | b64enc | quote }}
RF_S3_BUCKET: {{ required "\nERROR: s3 bucket not set!\nUpdate secret.s3_bucket inside chart/values.yaml file." .Values.secret.s3_bucket | b64enc | quote }}
RF_STORAGE_TYPE: {{ required "\nERROR: storage type not set!\nUpdate secret.storage_type inside chart/values.yaml file." .Values.secret.storage_type | b64enc | quote }}
RF_GS_CREDS: {{ default "" .Values.secret.gs_cred | b64enc | quote }}
USERNAME_SMTP: {{ default "" .Values.secret.smtp_username | b64enc | quote }}
PASSWORD_SMTP: {{ default "" .Values.secret.smtp_password | b64enc | quote }}
SOURCE_ARN: {{ default "" .Values.secret.smtp_source_arn | b64enc | quote }}
KEYCLOAK_JWT_PUB_KEY: {{ default "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0EwFCzsmzWgn7A8A40hzX1kPHab0WZTmUF8OwHt7fyds6sBiSDPnLIh0BgmXIO2WIrGzARm9dVUeAWI/aUI7qucfgYgW7XSwwz7X/IrX6DExsNZzTLxgIfDJR/WP0fo1vO10BQDAtJxEkX5YvFitBFzg4FLKMZP5inAFM21+jfjD2ufi7NWTyFJR6YCLGFma29XHE75yE76+Xq8eH3DI/8xmrU5hw1Yk5GrABf4KYTijsp+QLQZkEycYvfJEPEMigwnARdp6C3VDp/T8OL1hb2YtrZ4vjZ80azEicQ3ea/R05JK6ikfik2SlC5Rm0Ore0Rh4jB1tI51biVa0smsiwIDAQAB" .Values.secret.keycloak_jwt_pub_key | b64enc | quote }}
KEYCLOAK_CLIENT_ID: {{ default "scanners" .Values.secret.keycloak_client_id | b64enc | quote }}
KEYCLOAK_REALM: {{ default "customers" .Values.secret.keycloak_realm | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID: {{ default "admin-cli" .Values.secret.keycloak_service_account_client_id | b64enc | quote }}
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET: {{ default "5b97220c-838a-4186-bcdd-8cdb77d0e0f3" .Values.secret.keycloak_service_account_client_secret | b64enc | quote }}
DB_URL: {{ default "mysql+mysqldb://root:RF-123579@mysql/standalone" .Values.secret.db_url | b64enc | quote }}
RF_APP_HOST: {{ default "" .Values.secret.rf_app_host | b64enc | quote }}
RF_APP_ADMIN: {{ required "\nERROR: admin user not set!\nUpdate secret.rf_app_admin inside chart/values.yaml file." .Values.secret.rf_app_admin | b64enc | quote }}
RF_APP_ADMIN_PASSWD: {{ required "\nERROR: admin password not set!\nUpdate secret.rf_app_admin_passwd inside chart/values.yaml file." .Values.secret.rf_app_admin_passwd | b64enc | quote }}
DEPLOY_MODE: {{ default "STANDALONE" .Values.secret.deploy_mode | b64enc | quote }}
RF_VERBOSE: {{ default "0" .Values.secret.rf_verbose | toString | b64enc | quote }}
Users are responsible for protecting their secrets using SOPS, Vault, or another sealed-secret mechanism; the `b64enc` step in the template only base64-encodes values, it does not encrypt them. RapidFort does not share or log any secrets.
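Because the rendered Secret is only base64-encoded, anyone with read access to it can recover the values, and values that were never overridden keep the chart defaults shown above. The following added example, which is not part of the RapidFort chart, decodes the `data:` block of a rendered Secret and reports which of the credential-bearing defaults from the template (`DB_URL` and `KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET`) are still unchanged, so the check can be run before the manifest is applied. The rendered data is constructed for the example.

```python
"""Decode a rendered RapidFort Secret and flag values still equal to chart defaults.

Added example; not part of the RapidFort Helm chart. The rendered data below is constructed.
"""
import base64

# Defaults taken from the chart template above that embed credentials; a deployment
# should never reach a cluster with these values still in place.
CREDENTIAL_DEFAULTS = {
    "DB_URL": "mysql+mysqldb://root:RF-123579@mysql/standalone",
    "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET": "5b97220c-838a-4186-bcdd-8cdb77d0e0f3",
}


def b64enc(value):
    """Same transformation as Helm's `b64enc`: plain base64, no encryption."""
    return base64.b64encode(value.encode()).decode()


def decode_secret_data(data):
    """Reverse `b64enc` for every entry of a Secret's `data:` mapping."""
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def unchanged_credential_defaults(data):
    """Return the keys whose decoded value still equals a credential-bearing chart default."""
    decoded = decode_secret_data(data)
    return sorted(key for key, default in CREDENTIAL_DEFAULTS.items() if decoded.get(key) == default)


# Constructed `data:` block of a rendered Secret: the Keycloak secret was overridden,
# the database URL was not.
RENDERED_DATA = {
    "DB_URL": b64enc("mysql+mysqldb://root:RF-123579@mysql/standalone"),
    "KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET": b64enc("example-overridden-secret"),
    "RF_S3_BUCKET": b64enc("rapidfort-data-bucket-PLACEHOLDER"),
    "DEPLOY_MODE": b64enc("STANDALONE"),
}


if __name__ == "__main__":
    for key in unchanged_credential_defaults(RENDERED_DATA):
        print(f"{key}: still set to the chart default, override it in values.yaml")
```

In a real pipeline the `data:` mapping would come from `helm template` output; the check belongs before `kubectl apply`, alongside whatever sealed-secret tooling encrypts the manifest at rest.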
Storage of Customer Sensitive Data
Customer sensitive data is stored in the following locations:
- MySQL (RDS)
- S3
Container image data may be cached locally on EKS nodes (Kubernetes deployment) or the EC2 instance (AMI deployment).
Data Encryption Configuration
RapidFort AWS MarketPlace deployment allows data encryption to be configured for the following services:
- S3
- RDS MySQL
- EBS
Customers can follow the AWS documentation to enable data encryption for these services without impacting RapidFort applications.
Network Configuration
Refer to the Server - Installing RapidFort SASM on-premises (AWS Commercial Cloud and AWS GovCloud) section for network configuration details.
Instance Metadata Service v1
RapidFort AWS deployment doesn't require the AWS Instance Metadata Service. Customers can choose to disable Instance Metadata Service v1 by following the AWS guide.