- always put in the effort to minimally scope account, policy, role, or token privileges [1]
- create a limited user in your Dockerfile and switch to it with the USER instruction [2]; Docker only treats `#` as a comment at the start of a line, so the comments go on their own lines rather than after `USER`:

```dockerfile
RUN groupadd -r appuser -g 433 && \
    useradd -u 431 -r -g appuser -s /sbin/nologin -c "Docker image user" appuser
USER root
# commands that need root
RUN somecommand.sh
RUN anothercommand.sh
# switch back to the limited user
USER appuser
```
- install a VPN or HTTPS proxy on a .nano instance and only allow access to the console from that VPC
- only allow traffic to the ALB from CloudFront or Cloudflare
  - from Cloudflare: a simple Lambda can scrape the published ranges at https://www.cloudflare.com/ips/
  - from CloudFront: https://aws.amazon.com/blogs/networking-and-content-delivery/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/
- use the same IPs in NACLs as a 2nd layer - "security is like an onion"
- Cryptolyzer: https://cryptolyzer.readthedocs.io/en/latest/
- create security group for cluster service that only allows traffic to the service from the ALB security group
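The two security-group items above (the Lambda that keeps the ALB allow-list in step with Cloudflare's published ranges, and the service security group that only admits traffic from the ALB's security group) can share one small script. This is an added example, not code from the original notes. It assumes Cloudflare's plain-text endpoints at `/ips-v4` and `/ips-v6` and the `IpPermissions` dict shape accepted by boto3's `authorize_security_group_ingress` / `revoke_security_group_ingress`; the boto3 calls themselves are left to the caller so the logic runs offline. The sample CIDRs are constructed documentation ranges, not Cloudflare's real list, and the `sg-PLACEHOLDER` group id is a placeholder.

```python
"""Keep an ALB security group's allow-list in sync with Cloudflare's published
IP ranges, and express the ALB-only rule for the cluster service.
Added example, not code from the original notes. The only external assumption
is the IpPermissions dict shape accepted by boto3's
ec2.authorize_security_group_ingress / revoke_security_group_ingress."""
import ipaddress
import urllib.request

# Cloudflare publishes its ranges as plain text, one CIDR per line.
CLOUDFLARE_IP_URLS = (
    "https://www.cloudflare.com/ips-v4",
    "https://www.cloudflare.com/ips-v6",
)


def parse_ip_list(text: str) -> list[str]:
    """Parse a plain-text CIDR list. Every entry is validated, so a corrupted
    or truncated fetch raises instead of silently shrinking the allow-list."""
    cidrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidrs.add(str(ipaddress.ip_network(line, strict=False)))
    return sorted(cidrs)


def fetch_cloudflare_cidrs(timeout: float = 10.0) -> list[str]:
    """Download and merge the v4 and v6 lists (needs network access)."""
    text = ""
    for url in CLOUDFLARE_IP_URLS:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            text += resp.read().decode("utf-8") + "\n"
    return parse_ip_list(text)


def plan_ingress_changes(desired, current, min_expected=10):
    """Return (to_add, to_remove) so the group converges on `desired`.
    A suspiciously short `desired` list aborts the run: applying it would
    revoke almost every rule and lock the CDN out of the ALB."""
    desired_set, current_set = set(desired), set(current)
    if len(desired_set) < min_expected:
        raise RuntimeError(
            f"only {len(desired_set)} CIDRs in fetched list; refusing to apply")
    return sorted(desired_set - current_set), sorted(current_set - desired_set)


def cidr_permissions(cidrs, port=443):
    """IpPermissions for a set of CIDRs on one TCP port (CDN edge -> ALB)."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    v4 = [{"CidrIp": c} for c in cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in cidrs if ":" in c]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return [perm]


def alb_only_permission(alb_sg_id, port):
    """IpPermissions for the service's group: the source is the ALB's security
    group, not a CIDR, so only traffic forwarded by the ALB reaches the tasks."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": alb_sg_id}],
    }]


# Constructed sample data (documentation ranges, NOT Cloudflare's real list).
SAMPLE_FETCHED = "203.0.113.0/24\n198.51.100.0/24\n\n2001:db8::/32\n"
SAMPLE_CURRENT = ["198.51.100.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    desired = parse_ip_list(SAMPLE_FETCHED)
    add, remove = plan_ingress_changes(desired, SAMPLE_CURRENT, min_expected=1)
    print("authorize:", cidr_permissions(add))
    print("revoke:", cidr_permissions(remove))
    print("service SG:", alb_only_permission("sg-PLACEHOLDER", 8080))
```

In a real Lambda, `fetch_cloudflare_cidrs()` replaces the sample text and the two permission lists go to `authorize_security_group_ingress` and `revoke_security_group_ingress`; the `min_expected` guard is the part worth keeping, because an empty or partial fetch applied blindly would revoke the rules the ALB depends on.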
- httpstat: https://github.com/reorx/httpstat
- enable tag immutability to prevent image tags from being overwritten
- security for internal senders: https://badshah.io/aws-ses-and-email-spoofing/
- use any of the free code scanning SAST tools; see sast-scan.yml for an example of a ready-to-go GitHub Action
- use CODEOWNERS to prevent sensitive files or actions being overwritten/changed without approval
- GitHub Actions [3]:
  - don't use structured data (i.e. JSON, XML, YAML) in secrets
  - use an intermediate environment variable for untrusted input
    - accept the input into a variable, then use THAT variable in your sensitive function