Application Information
Name: FaceWoof
Facebook for our Canine friends. Share selfies, bios, and stories. Humorous view of our fur-families.
Scale/Sizing Details
# Users: 10,000,000
# Daily Sessions: ________________
# Page Views: __________________
Data Size: Billions of Photos
Other: …
15,000,000 dogs (1.5/user)
<corporate and application details relevant to security go here>
Application Interfaces

| Name | Usage | Private/Public Network Access | Used by Public? / Staff? / Management? |
|---|---|---|---|
| Consumer Website | users access | Public | X |
| Consumer Mobile | Mobile applications | Public | X |
| Customer Support | CS interface | Pub/Pvt | X |
| Operations | OPs support | Private | X |
| Reporting | Management interface | Private | X X |
| … | … | … | |

Usernames, passwords, auths Security Team Security RDS, Encryption, IT Loss of control and trust
Credit Card Numbers (PCI) E-Commerce Team Essential PCI environment Compliance
PII for customers CIO Essential RDS, Encryption, IT Loss of trust
Social data Privacy Team Essential RDS Loss of trust
Infrastructure OPs Critical AWS Security
Source code Engineering Software GIT Security
Corporate systems HR Essential EC2, S3, RDS, IT, 3rd party Compliance, Security
3rd party systems OPs, Mgmt Critical … Security
… … … … …
AWS Information
Accounts

| Account Name | Alias | AWS Acct # | Production? | Owner |
|---|---|---|---|---|
| Production | facewoofproduction | 576555855592 | X | OPs |
| Corporate | Facewoofcorporate | 576555856493 | | HR |
| Development/QA | facewoofdevelopment | 576555856828 | | Engineering |
| … | … | … | … | … |

IAM Groups

| Group Name | Policies Assigned | Follows PoLP? |
|---|---|---|
| DataAccess | … | No? |
| LoggerGenerator | … | Yes |
| LogReporter | … | Yes |
| … | … | |

IAM Roles
Only describe category of users here…
Role Name Assigned Entity/Resource Groups Assigned Policies Assigned Follows PoLP?
DevAccess Corporate Entities <access Dev VPC> …
StagingAccess Corporate Entities <access Staging VPC> …
ProdAccess Corporate Entities <access Prod VPC> …
Staging Systems
… … … …
VPCs

| Name | Region | Description | Public Internet / IPSec Tunnel / Direct Connect / Use Bastion Hosts? |
|---|---|---|---|
| Production | us-east-1 | Production resources | X |
| Staging | us-east-1 | Staging applications | |
| Corporate | us-east-1 | Corporate systems and resources | X X |
| Development | us-east-1 | Development systems and tools | X X |
| … | … | … | |

Security Zones

| Name of Zone | Purpose | Security | VPCs Used |
|---|---|---|---|
| Public | Resources directly accessible from internet. | Open to internet. | ProductionPub |
| DMZ | Demilitarized zone. | Access by resources in Public zone only. | ProductionDMZ |
| Internal | Internal | Access to resources in DMZ zone only. | ProductionInternal |
| … | … | … | … |

Periphery Systems
DNS Security
Public DNS
Use Route 53? Yes
Description: We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!
Private DNS
Use Route 53? Yes
Description: We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!
For each type of DNS, describe how you are building and securing your DNS system. Are you using Route 53? If not, what are you using? What policies are you employing to keep it safe and secure?
Description:
We will be very timely in our security plans for our network time service. We will use only the most chlorinated
time pools.
List your centralized time servers that all other systems will take their time from. List the trusted external time sources you
will use to get actual system time. Describe your security plan and what policies you are employing to keep it safe and
secure.
Other Periphery Systems
Periphery System Security Description
List all other periphery systems that must be secure. What process are you using to maintain security? What policies are you
employing?
Describe process and best practices used for DoS and DDoS prevention and the process you perform if one is detected and in progress.
Security Testing

| Type of Testing | Testing Process |
|---|---|
| External Vulnerability: | |
| External Penetration: | |
| AWS Process: (how will we submit testing requests to AWS?) | |

Describe the process for testing each of the different types of security for your application.
EC2 and OS Hardening

| Hardening Requirement | Process Used and Method of Validation |
|---|---|
| Disable root keys on EC2 instances | Chef script automatically removes root keys once primary contact has been established. |
| Key rotation for all access keys | We rotate our keys every 90 days and have a policy for follow up by each team to make sure it’s been done correctly and timely. |

For each type of hardening, describe what process you use to implement the hardening and any validation you use to make
sure the process is complete. Add additional OS hardening requirements based on your needs.
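
One way to validate the 90-day access key rotation row above, as an added example that is not part of the original worksheet: a Python check over an IAM credential report. The report rows are constructed sample data in the credential report's column layout, the function name is hypothetical, and flagging any active root access key goes beyond what the worksheet states.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation interval stated in the worksheet

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check reads); user names and dates are made up.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,2023-01-10T08:00:00+00:00,false,N/A
deploy-svc,true,2024-05-20T12:00:00+00:00,false,N/A
log-reporter,true,2024-01-02T09:30:00+00:00,true,2024-06-01T09:30:00+00:00
cs-agent,false,2022-11-11T11:11:11+00:00,false,N/A
"""


def audit_access_keys(report_csv, now, max_age=MAX_KEY_AGE):
    """Return (user, key_slot, reason) findings for active access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active", "false").lower() != "true":
                continue  # inactive keys cannot authenticate; skip
            if row["user"] == "<root_account>":
                # Assumption beyond the worksheet: any active root key is a finding.
                findings.append((row["user"], slot, "root access key active"))
                continue
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            try:
                age = now - datetime.fromisoformat(rotated)
            except ValueError:
                # Active key with no parseable rotation date: fail closed.
                findings.append((row["user"], slot, "rotation date missing"))
                continue
            if age > max_age:
                findings.append((row["user"], slot, f"key is {age.days} days old"))
    return findings


if __name__ == "__main__":
    for finding in audit_access_keys(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(*finding, sep="\t")
```
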
Security Groups

| SG Name | VPC | Usage | Access Allowed | Access Denied | Follows PoLP? |
|---|---|---|---|---|---|
| DeploySvcs | Production | Used to deploy software to EC2 instances in this VPC. | … | … | Y |
| … | … | … | … | … | ? |

Custom AMIs

| AMI Name | EC2 Usage | Private/Public | Security Patches? | Bootstrap Process | Security Test |
|---|---|---|---|---|---|
| FaceWoofStandard | All Instances | Private | Up to date | Chef script | Yes |

Data in Transit
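
| Data Type/Name | SSL/TLS? | Accidental Disclosure Security | Data Integrity Security | Peer Identity Security |
|---|---|---|---|---|
| Dog photos | No | n/a | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks. |
| Credentials | Yes | Inter-service encryption. | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks. |
| PII | Yes | Inter-service encryption. | … | Inter-service certificate validation is necessary to prevent man-in-the-middle attacks. |
| … | … | … | … | … |
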
Logging

| Log Name | Format | Source | Retention | Transport/Storage/Analysis Security |
|---|---|---|---|---|
| Login attempts | … | Login Service | 90 days | … |
| Bastion Logins | … | … | 365 days | … |
| … | … | … | … | … |

AWS Security Connection

| Security Concern | Plan/Policy/Process |
|---|---|
| How do you interact with AWS for security purposes? | We have premium support plans for all production accounts. We have a registered security contact email group and a primary AWS support contact email group. These groups page the primary oncalls as appropriate. |
| What is the established process to respond to abuse warnings from AWS? | Abuse requests from AWS arrive on abuse@facewoof.blah. They are logged as tickets and forwarded to the appropriate oncall for action. |
| … | … |
