Bank Iowa

BACKGROUND

As one of the leading independent agricultural banks and the 2nd largest family-owned bank in Iowa, this financial institution has catered to families, businesses, and farmers in several communities across almost 30 locations. Its diverse portfolio of financial products and services has helped its customers over the years. Bank Iowa has adapted to the changing dynamics of the economy and emerged as one of the leading financial institutions in the Midwest without losing its focus on community.

BUSINESS CHALLENGE

The customer, Bank Iowa Corporation, owns the website www.bankiowa.bank. The web application is deployed on an EC2 instance behind an ELB with Auto Scaling enabled to handle increased load. The database is deployed in a Multi-AZ configuration in a private subnet. The client was concerned that cloud infrastructure is often an easy target for attackers: once deployed, many operating systems and applications/services are not patched regularly.

Probing every open port is practically the first step attackers take when preparing an attack. For any instance or application to work, a few ports must stay open, and each of them is a potential entry point, so every open port must be secured. A web server exposes several things that can be attacked, and the httpd and sshd services are just two of them. Keeping the OS free of known vulnerabilities requires regular patching, so we focused on automating the patching process to save time and effort that can be spent on more productive tasks.

Proposed Solution:

We planned to leverage the following features of Systems Manager to secure the infrastructure:

  • Maintenance Windows
  • Patch Manager
  • Session Manager
  • Parameter Store
  • Run Command

By employing the AWS Systems Manager service to automate the patch management solution, we reduced the time taken to apply patches and removed the risk of missing critical patch updates.

AWS Session Manager allows one to establish an interactive shell connection to an EC2 instance without using SSH keys. It also reduces the risk of an SSH key or password being compromised.
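As an added illustration of the least-privilege side of this (example code written for this page, not the customer's or the project's template), the CloudFormation snippet below defines an IAM managed policy that lets operators start Session Manager sessions only on instances carrying the opt-in tag used elsewhere in this case study (Automatic Patches = True), and only resume or terminate the sessions they started themselves. The policy name SessionManagerOperator and the region/account substitution are assumptions; the instance side still needs the SSM Agent and an instance role that includes AmazonSSMManagedInstanceCore.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example operator policy for Session Manager (added example, not the project's template)

Resources:
  SessionManagerOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SessionManagerOperator   # hypothetical name
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Sessions may only be opened on instances that carry the opt-in tag
          # from the case study; any other instance is out of scope.
          - Sid: StartSessionOnTaggedInstances
            Effect: Allow
            Action: ssm:StartSession
            Resource: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
            Condition:
              StringEquals:
                "ssm:resourceTag/Automatic Patches": "True"
          # The default shell document is allowed explicitly; no custom documents.
          - Sid: UseDefaultShellDocument
            Effect: Allow
            Action: ssm:StartSession
            Resource: "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
          # Sessions are named <username>-<id>, so this limits resume/terminate
          # to the caller's own sessions.
          - Sid: ManageOwnSessions
            Effect: Allow
            Action:
              - ssm:TerminateSession
              - ssm:ResumeSession
            Resource: "arn:aws:ssm:*:*:session/${aws:username}-*"
          # Read-only calls the console and CLI need to list instances/sessions.
          - Sid: ReadOnlyDiscovery
            Effect: Allow
            Action:
              - ssm:DescribeSessions
              - ssm:GetConnectionStatus
              - ssm:DescribeInstanceProperties
              - ec2:DescribeInstances
            Resource: "*"
```

With a policy like this attached to the operators' IAM principals, inbound port 22 can be removed from the instance security group altogether: the shell is carried over the channel the SSM Agent opens outbound, no SSH key or password exists to be stolen, and every StartSession call is attributed to the IAM identity in CloudTrail (session content can additionally be logged to S3 or CloudWatch Logs).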

How the solution was deployed to meet the challenge:

In this project, we set up automatic server patching for EC2 instances, shell access through Session Manager, and Parameter Store to hold the application configuration. We saved the application configuration in Parameter Store and used Run Command to install/update it on the EC2 instances.

AWS CloudFormation templates are used to deploy the automatic server patching setup. We used five AWS Systems Manager features, which allowed us to configure automated patching and the other capabilities listed below.

  1. Maintenance Window:

    We created one maintenance window and assigned two tasks and one target to it. The first task creates an AMI of each EC2 instance before patching, as a backup, and the second task patches the EC2 instances.

  2. Patch Manager:

    We configured Custom Patch baselines for different OS (Ubuntu, Centos, AmazonAMI2, and Windows). All baselines are attached to a single patch group.

  3. Session Manager:

    We have configured and enabled Session Manager for SSH tunneling with EC2 instances.

  4. Parameter Store:

    We saved application configuration in Parameter Store to centralize the storage of configuration data.

  5. Run Command:

    We used Run Command to install/update the application configuration on the EC2 instances.

 

Resource Configuration Details:

  1. SSM Agent installed in EC2 instances.

  2. Enable Systems Manager from Quick Setup to register the instances.

  3. EC2 Instance Configuration to access from Systems Manager Services:
    1. Created one IAM role (AmazonEC2RoleforSSMIAM) with the managed policies attached and attached the role to the EC2 instances.

    2. Tag the EC2 instance with (Automatic Patches = True).

  4. Created and attached an IAM role (PatchAutomationServiceRole) for Systems Manager to access other AWS resources (e.g. S3, SNS, CloudWatch).

  5. Register Patch Baseline with Patch groups.

  6. Maintenance window Tasks.
    1. The first task creates an AMI of each EC2 instance as a backup before the patches are installed.

    2. The second task executes the patch Run Command.

    3. Add targets to the maintenance window and select them by tag (Automatic Patches = True).

  7. All patch related log files are stored in S3 bucket along with instance id.

  8. We saved the CloudWatch Agent configuration in Parameter Store and used Run Command to install/update it on the EC2 instances. Below are the steps.
    1. Attach the CloudWatchAgentAdminPolicy to the instance IAM role.

    2. Download and install the CloudWatch Agent on the instance.

    3. Create the configuration for the CloudWatch service and store it in Parameter Store.

    4. Start the CloudWatch Agent and verify all metrics after 5 minutes.

    5. Configure Run Command using the document AmazonCloudWatch-ManageAgent: add the Parameter Store configuration name, select the target instances, then run. This configures and starts the CloudWatch Agent on the EC2 instances. Make sure the SSM Agent is set up properly on these instances.
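The patching pieces listed in points 4 to 7 above, and in the maintenance window and Patch Manager items of the previous section, fit together in one CloudFormation template. The example below is added for this page and is not the project's own template: it defines the service role (named as on the page), one patch baseline (Amazon Linux 2 shown; the page attaches one baseline per OS to the same patch group), a weekly maintenance window, a tag-based target using the page's Automatic Patches = True tag, and the two ordered tasks: an AWS-CreateImage automation that snapshots each target first, then AWS-RunPatchBaseline with its output sent to S3. The bucket name, patch group name, schedule and concurrency values are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example patching stack (added example, not the project's template)
Resources:
  # Role Systems Manager assumes to run the window tasks; name taken from the case study.
  # The inline policy adds what AWS-CreateImage needs beyond the managed window role.
  PatchAutomationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: PatchAutomationServiceRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole
      Policies:
        - PolicyName: CreateBackupImage
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [ec2:CreateImage, ec2:CreateTags, ec2:DescribeImages, ec2:DescribeInstances]
                Resource: "*"

  # One baseline per OS (Amazon Linux 2 shown); all baselines share the one patch group.
  # Security patches are auto-approved 7 days after release, giving upstream time to
  # withdraw a bad patch before it reaches production.
  AmazonLinux2Baseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: al2-security-baseline
      OperatingSystem: AMAZON_LINUX_2
      PatchGroups: [bank-webservers]   # hypothetical patch group name
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 7
            ComplianceLevel: CRITICAL
            PatchFilterGroup:
              PatchFilters:
                - { Key: CLASSIFICATION, Values: [Security] }
                - { Key: SEVERITY, Values: [Critical, Important] }

  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: weekly-os-patching
      Schedule: cron(0 2 ? * SUN *)   # 02:00 UTC every Sunday (assumed)
      Duration: 3                     # hours the window stays open
      Cutoff: 1                       # stop starting new tasks 1 hour before the end
      AllowUnassociatedTargets: false

  # Instances opt in with the tag from the case study; nothing untagged is touched.
  PatchWindowTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - { Key: "tag:Automatic Patches", Values: ["True"] }

  # Task 1 (lower priority number runs first): AMI of each target as the rollback point.
  # MaxErrors 0 means a failed backup stops the window before any patch is applied.
  BackupAmiTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: AUTOMATION
      TaskArn: AWS-CreateImage
      Priority: 1
      MaxConcurrency: "2"
      MaxErrors: "0"
      ServiceRoleArn: !GetAtt PatchAutomationServiceRole.Arn
      Targets:
        - { Key: WindowTargetIds, Values: [!Ref PatchWindowTarget] }
      TaskInvocationParameters:
        MaintenanceWindowAutomationParameters:
          Parameters:
            InstanceId: ["{{RESOURCE_ID}}"]   # resolves to each targeted instance id
            NoReboot: ["true"]                # image the live web server without a reboot

  # Task 2: install approved patches; Run Command output is stored in S3 per instance id.
  PatchInstallTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 2
      MaxConcurrency: "25%"   # keep most of the Auto Scaling group serving traffic
      MaxErrors: "1"
      ServiceRoleArn: !GetAtt PatchAutomationServiceRole.Arn
      Targets:
        - { Key: WindowTargetIds, Values: [!Ref PatchWindowTarget] }
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation: [Install]
          OutputS3BucketName: example-patch-logs-bucket   # placeholder, must already exist
          OutputS3KeyPrefix: patch-logs
```

Two points a practitioner should check before relying on this: the Run Command output is written to S3 by the instance, so the instance role (AmazonEC2RoleforSSMIAM on this page) needs s3:PutObject on the log bucket, not the service role; and AWS-RunPatchBaseline reports compliance per baseline, so a Windows or Ubuntu instance in the same patch group needs its own baseline of the matching OperatingSystem or it will fall back to the AWS default baseline.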


AWS Configuration deployment automation:

We used infrastructure as code (IaC) to provision, deploy, and manage the automatic server patch configuration in this account. We created a YAML CloudFormation template to define the AWS Systems Manager level configuration.
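The Parameter Store and CloudWatch Agent steps from the resource configuration list can be expressed in the same YAML CloudFormation style. The example below is added for this page and is not the project's template: it stores a constructed CloudWatch Agent configuration as a Parameter Store parameter and applies it to the tagged instances with the AmazonCloudWatch-ManageAgent document. Run Command itself has no CloudFormation resource, so the two State Manager associations stand in for the Run Command invocations the page describes; the parameter name, log group name and collected metrics are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example CloudWatch Agent rollout via Parameter Store (added example, not the project's template)
Resources:
  # The agent configuration, kept centrally. The AmazonCloudWatch- prefix matters:
  # the managed CloudWatchAgentServerPolicy only grants ssm:GetParameter on
  # parameters named AmazonCloudWatch-*, so instances can read this one without
  # any custom policy.
  CloudWatchAgentConfig:
    Type: AWS::SSM::Parameter
    Properties:
      Name: AmazonCloudWatch-webserver-config   # hypothetical parameter name
      Type: String
      Description: CloudWatch Agent configuration for the patched web servers
      Value: |
        {
          "agent": { "metrics_collection_interval": 60 },
          "metrics": {
            "append_dimensions": { "InstanceId": "${aws:InstanceId}" },
            "metrics_collected": {
              "mem":  { "measurement": ["mem_used_percent"] },
              "disk": { "measurement": ["used_percent"], "resources": ["/"] }
            }
          },
          "logs": {
            "logs_collected": {
              "files": {
                "collect_list": [
                  {
                    "file_path": "/var/log/secure",
                    "log_group_name": "webserver-auth",
                    "log_stream_name": "{instance_id}"
                  }
                ]
              }
            }
          }
        }

  # Page step 2: install the agent package on every opted-in instance.
  InstallCloudWatchAgent:
    Type: AWS::SSM::Association
    Properties:
      Name: AWS-ConfigureAWSPackage
      AssociationName: install-cloudwatch-agent
      Targets:
        - { Key: "tag:Automatic Patches", Values: ["True"] }
      Parameters:
        action: [Install]
        name: [AmazonCloudWatchAgent]

  # Page step 5: point the installed agent at the Parameter Store config and restart it.
  # Re-applying this association after the parameter changes pushes the new config.
  ConfigureCloudWatchAgent:
    Type: AWS::SSM::Association
    Properties:
      Name: AmazonCloudWatch-ManageAgent
      AssociationName: configure-cloudwatch-agent
      Targets:
        - { Key: "tag:Automatic Patches", Values: ["True"] }
      Parameters:
        action: [configure]
        mode: [ec2]
        optionalConfigurationSource: [ssm]
        optionalConfigurationLocation: [!Ref CloudWatchAgentConfig]
        optionalRestart: ["yes"]
```

On the IAM side this is a place to trim: CloudWatchAgentAdminPolicy (the policy named in the steps above) also allows ssm:PutParameter on AmazonCloudWatch-* parameters, which is only needed on the machine where the configuration is authored. Instances that merely consume the configuration, as here, need only CloudWatchAgentServerPolicy, so a compromised web server cannot rewrite the fleet-wide agent configuration.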

Third party applications or solutions used:

We did not use any 3rd party solutions for server patching.

AWS Services used as part of the solution:

  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Auto Scaling
  • Amazon CloudWatch
  • Elastic Load Balancing
  • Amazon Virtual Private Cloud (VPC)
  • AWS Systems Manager
  • Amazon RDS (Aurora MySQL)
  • Amazon Simple Storage Service (S3)
  • Amazon CloudFront

Date the project entered production:

3rd Feb 2020

Outcome(s)/results:

  • No unauthorized access to the web server from the outside world. IAM users make an interactive shell connection to the EC2 instance through Session Manager and execute commands.
  • Automated archiving of instance patched log files.
  • Timely application of OS patches without human intervention.

Architecture Diagrams of the specific customer deployment

  • Architecture Diagram (image not reproduced here)
  • AWS Autoscaling Snapshot (image not reproduced here)
  • AWS ELB Snapshot (image not reproduced here)
  • Amazon RDS private subnet Snapshot (image not reproduced here)