The Project
Our team of cloud experts have been already involved in the design and implementation of the Deutsche Payment infrastructure in AWS. Using Terraform (Infrastructure as Code) was set to be our baseline. Preparing the AWS cloud environment for further automation and PCI/DSS re-certification of the customers service landscape was our mission. To do so the creation of hardened Amazon Machine Images (AMI) as well as providing a mechanism for verified code check-ins became necessary.
The Problem
By using AWS’ auto-scaling and self-healing infrastructure to host applications, the foundations are prepared for golden AMI usage. The target machines must follow Center for Internet Security (CIS) guidelines and have to contain the verified software for fast start-up times.
The Solution
A multi-stage build process was implemented by using AWS CodeCommit, CodeBuild and CodePipeline. The first stages check that commits are signed by a permitted author, only then the build continues. By using HashiCorps packer and modern Amazon Linux 2, CIS rules are applied to the AMI before baking in the actual software and encrypting the volume. As an additional management tool, AWS Inspector is added to permanently monitor running instances on compliance.
Our Contribution
kreuzwerker designed the process together with the Deutsche Payment and described the infrastructure in Terraform. We also provided tools to update running applications in-place with new AMI as well as housekeeping functionality.
The Benefit
By setting up an automated build process, the resulting environment is always benefitting from updated and AWS managed security patches and threat knowledge, while putting the applications under full compliance monitoring using AWS Inspector.
The Upshot
Hardening the used infrastructure from the very beginning and permanently monitoring it on compliance using the full AWS feature set enables the Deutsche Payment to further develop their offerings, while running it fully scalable and secure on fully managed AWS IaaS.