006 Security Worksheet - Facewoof
Application Information
Name: FaceWoof
Facebook for our canine friends. Share selfies, bios, and stories. Humorous view of our fur-families.
<corporate and application details relevant to security go here>
Scale/Sizing Details
# Users: __10,000,000__
# Daily Sessions: _________________
# Page Views: ___________________
Data Size: __Billions of Photos__
Other: … 15,000,000 dogs (1.5/user)
Application Interfaces
Name | Usage | Private/Public Network Access | Used by Public? | Used by Staff? | Used by Management?
Consumer Website | users access | Public | X | |
Consumer Mobile | Mobile applications | Public | X | |
Customer Support | CS interface | Pub/Pvt | | X |
Operations | OPs support | Private | | X |
Reporting | Management interface | Private | | X | X
… | … | …
IAM Groups
Group Name | Policies Assigned | Follows PoLP?
DataAccess | … | No?
LoggerGenerator | … | Yes
LogReporter | … | Yes
… | …
IAM Roles
Only describe category of users here…
Role Name | Assigned Entity/Resource | Groups Assigned | Policies Assigned | Follows PoLP?
DevAccess | Corporate Entities | <access Dev VPC> | …
StagingAccess | Corporate Entities | <access Staging VPC> | …
ProdAccess | Corporate Entities, Staging Systems | <access Prod VPC> | …
… | … | … | …
VPCs
Name | Region | Description | Public Internet | IPSec Tunnel | Direct Connect | Use Bastion Hosts?
Production | us-east-1 | Production resources | X
Staging | us-east-1 | Staging applications
Corporate | us-east-1 | Corporate systems and resources | X X
Development | us-east-1 | Development systems and tools | X X
… | … | …
Security Zones
Name of Zone | Purpose | Security | VPCs Used
Public | Resources directly accessible from internet. | Open to internet. | ProductionPub
DMZ | Demilitarized zone. | Access by resources in Public zone only. | ProductionDMZ
Internal | Internal | Access to resources in DMZ zone only. | ProductionInternal
… | … | … | …
Periphery Systems
DNS Security
Public DNS
Use Route 53? __Yes__
Description:
We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!
Private DNS
Use Route 53? __Yes__
Description:
We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!
For each type of DNS, describe how you are building and securing your DNS system. Are you using Route 53? If not, what are
you using? What policies are you employing to keep it safe and secure?
Description:
We will be very timely in our security plans for our network time service. We will use only the most chlorinated
time pools.
List your centralized time servers that all other systems will take their time from. List the trusted external time sources you
will use to get actual system time. Describe your security plan and what policies you are employing to keep it safe and
secure.
Other Periphery Systems
Periphery System | Security Description
List all other periphery systems that must be secure. What process are you using to maintain security? What policies are you
employing?
Describe the process and best practices used for DoS and DDoS prevention, and the process you perform if one is detected and in progress.
Security Testing
Type of Testing | Testing Process
External Vulnerability: |
External Penetration: |
AWS Process: (how will we submit testing requests to AWS?) |
Describe the process for testing each of the different types of security for your application.
EC2 and OS Hardening
Hardening Requirement | Process Used and Method of Validation
Disable root keys on EC2 instances | Chef script automatically removes root keys once primary contact has been established.
Key rotation for all access keys | We rotate our keys every 90 days and have a policy for follow up by each team to make sure it’s been done correctly and timely.
For each type of hardening, describe what process you use to implement the hardening and any validation you use to make
sure the process is complete. Add additional OS hardening requirements based on your needs.
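One way to validate the 90-day access-key rotation entry above, as an added example that is not part of the original worksheet: a check over an IAM credential report CSV. The sample report is constructed and holds only a subset of the report's columns, and the function name is hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation interval stated in the worksheet

# Constructed sample: a subset of the columns in an IAM credential report.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
deploy-svc,true,2024-01-10T09:00:00+00:00,false,N/A
log-reporter,true,2024-05-20T12:30:00+00:00,true,2023-11-02T08:15:00+00:00
data-access,false,2023-06-01T00:00:00+00:00,false,N/A
broken-row,true,N/A,false,N/A
"""


def stale_access_keys(report_csv, now, max_age=MAX_KEY_AGE):
    """Return (user, key_slot, age_in_days) for every active key past max_age.

    An active key with no parseable rotation date is reported with age None,
    so a malformed row fails the check instead of passing silently.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            active = row.get(f"access_key_{slot}_active") or ""
            if active.lower() != "true":
                continue  # inactive keys cannot be used, so their age is ignored
            raw = row.get(f"access_key_{slot}_last_rotated") or ""
            try:
                rotated = datetime.fromisoformat(raw)
            except ValueError:
                findings.append((row["user"], slot, None))
                continue
            age = now - rotated
            if age > max_age:
                findings.append((row["user"], slot, age.days))
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date, repeatable run
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, as_of):
        detail = "no rotation date" if age is None else f"{age} days old"
        print(f"FAIL {user} access_key_{slot}: {detail}")
```
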
Security Groups
SG Name | VPC | Usage | Access Allowed | Access Denied | Follows PoLP?
DeploySvcs | Production | Used to deploy software to EC2 instances in this VPC. | … | … | Y
… | … | … | … | … | ?
Custom AMIs
AMI Name | EC2 Usage | Private/Public | Security Patches? | Bootstrap Process | Security Test
FaceWoofStandard | All Instances | Private | Up to date | Chef script | Yes
Data in Transit
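Data Type/Name | SSL/TLS? | Accidental Disclosure Security | Data Integrity Security | Peer Identity Security
Dog photos | No | n/a | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks.
Credentials | Yes | Inter-service encryption. | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks.
PII | Yes | Inter-service encryption. | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks.
… | … | … | … | …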
Logging
Log Name | Format | Source | Retention | Transport/Storage/Analysis Security
Login attempts | … | Login Service | 90 days | …
Bastion Logins | … | … | 365 days | …
… | … | … | … | …
AWS Security Connection
Security Concern | Plan/Policy/Process
How do you interact with AWS for security purposes? | We have premium support plans for all production accounts. We have a registered security contact email group and a primary AWS support contact email group. These groups page the primary on-calls as appropriate.
What is the established process to respond to abuse warnings from AWS? | Abuse requests from AWS arrive on abuse@facewoof.blah. They are logged as tickets and forwarded to the appropriate on-call for action.
… | …