Security Checklist#

The following provides some general guidelines with respect to securing your ESS deployment. The checklist is not meant to be an exhaustive list.

Limit Network Exposure#

Limit external access to specific networks/ports.

Separate internal and external traffic. For example, by running inside a VPC, you can ensure that all communication within the VPC is securely separated from external traffic.

Use an Trusted Application Allow List to grant trust to specific applications only.

Use an Identity Provider Allow List to specify trusted Identity Providers.

If setting up a VPN endpoint, avoid manually adding public Internet routes/authorizations to the VPN endpoint .

Use Encryption#

Use TLS for network encryption.

  • Encrypt in-transit inbound traffic to ESS.

  • For external facing services, use TLS certificates from an official Certificate Authority (CA). Do not use self-signed certificates.

Encrypt data at rest, including audit logs.

See Encryption.

Manage and Safeguard Sensitive Data/Credentials#

Use secrets manager.

Secure highly-sensitive (i.e., passwords, tokens, etc.) environment variables:

  • Do not set these environment variables on the containers as they are stored and passed in plain text.

    Use utilities such as Hashicorp Vault, or AWS Key Management Service (KMS), and Systems Manager (SSM) Parameter Store.


    Fully compromising a node or container in the Kubernetes cluster still allows access via the AWS APIs to SSM and KMS, so it is not stripped of all attack vectors on these secrets. However, this approach is significantly better than having secrets available in plain text. Further securing of these containers is up to the enterprise IT teams installing the system.

If you are using AWS ECR for your repository images, leverage IAM roles for your worker node instances to grant access to the repositories without using separate Docker credentials/secret.

Run ESS microservices in Kubernetes or in managed services, leveraging security features to grant access.