← Week 3: Testing & Deployment

Day 17: Security Hardening

Phase 7 · Oct 9, 2026

← Week 3: Testing & Deployment

Agenda (2–3 hours)

  • Review (60 min): Security review checklist — IAM, network, container, secrets, TLS
  • Implement (60 min): Move all secrets to Secrets Manager; enable VPC flow logs; add container read-only root filesystem
  • Test (60 min): Run aws iam get-role-policy for each task role; verify no *:* policies; verify TLS mutual authentication rejects unknown clients
← Week 3: Testing & Deployment

IAM Least Privilege Audit

# Check effective permissions for each task role
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::ACCOUNT:role/api-task-role \
  --action-names dynamodb:GetItem dynamodb:PutItem dynamodb:Query \
                 sqs:SendMessage \
  --resource-arns arn:aws:dynamodb:us-east-1:ACCOUNT:table/task-queue \
                  arn:aws:sqs:us-east-1:ACCOUNT:task-queue

# Expected: all ALLOWED
# If any dynamodb:DeleteTable or dynamodb:Scan — remove them
← Week 3: Testing & Deployment

Secrets Management

Never store TLS certificates or config secrets in task definition environment variables.

// At startup: fetch TLS cert from Secrets Manager
let secret = secretsmanager.get_secret_value()
    .secret_id("task-svc/tls/cert")
    .send().await?;

let cert_pem = secret.secret_string().unwrap();
let identity = Identity::from_pem(cert_pem, private_key_pem);

Rotation: set a rotation Lambda on the Secrets Manager secret; ECS tasks pick up the new cert on the next startup (rolling deploy).

← Week 3: Testing & Deployment

Container Security

{
  "containerDefinitions": [{
    "readonlyRootFilesystem": true,
    "user": "1000",
    "linuxParameters": {
      "capabilities": {
        "drop": ["ALL"]
      }
    },
    "mountPoints": [{
      "sourceVolume": "tmp",
      "containerPath": "/tmp",
      "readOnly": false
    }]
  }]
}

Read-only root filesystem + drop ALL capabilities + non-root user = minimal blast radius if the container is compromised.

← Week 3: Testing & Deployment

Key Takeaways

  • Simulate IAM policies before deploying — aws iam simulate-principal-policy catches over-permissioned roles
  • Secrets Manager over environment variables: secrets are rotatable, auditable, and not visible in describe-task
  • readonlyRootFilesystem: true prevents runtime writes to the container image — a common malware persistence technique
  • VPC flow logs capture all network traffic for post-incident investigation without modifying application code

Tomorrow: CI/CD pipeline — automated build, test, and deploy.