Timothy Wong | October 13, 2020
Migrations
Healthcare
Medmo Inc. migrated swiftly from its legacy infrastructure because of security issues with end-of-life (EOL) components. Medmo Inc. provides services in the healthcare sector and needed to maintain HIPAA compliance on AWS while moving off its existing infrastructure.
Triumph Tech used DevOps and DevSecOps practices to deploy a HIPAA-compliant AWS architecture and to migrate from the existing legacy environment.
Triumph Tech chose AWS to provide the resources required to fix the problem.
We used CloudFormation to deploy all of our resources. This included:
We automated security scans using Trivy within CodeBuild. Scan results were sent to AWS Security Hub.
Medmo, Inc. was already an AWS customer, so the TCO analysis was performed by collecting data from the AWS Billing Console.
Automated solutions are the optimal ways to reduce time to market. Automated security scanning makes maintaining compliance more affordable. CloudFormation offers repeatable deployments of customer environments.
The environment is cloud-native: the entire stack runs on Amazon Web Services in the US-East-2 region.
If any step within the pipeline fails, notifications are sent to the DevOps Slack channel; SNS topics and Slack’s AWS Chatbot integration achieve this.
Container health is handled at the orchestration level. We set up health checks that monitor specific ports and endpoints within our containers and expect an HTTP 200 or another predetermined response code.
Unhealthy targets are those that are not passing ELB health checks.
If a critical vulnerability is found during the scan within CodeBuild, a non-zero exit code is produced and no artifact is published to ECR. Results are formatted and piped to Security Hub so the application team can patch the environment.
For warnings and informational findings, results are published to Security Hub and the artifacts are published to ECR.
We consult with clients on best practices in terms of log / metric collection. Application logs are integrated with CloudWatch.
Security-related logs are integrated with Security Hub.
Enabling the client to manage and to maintain the DevOps pipeline after handover is of the utmost importance. Our goals are to minimize the maintenance of the automation and for all members of the Development team to simply push code, follow a development process, and know that their applications are being tested and rapidly deployed.
To discover access requirements, we look at the organizational units within the client’s business that need access to the DevOps infrastructure. We identify developers, systems engineers, security engineers, and stakeholders, and we follow previously defined best practices for each of these groups.
IAM groups are created for each of these organizational units and least-privilege access is granted to each: a group is only granted the permissions its members actually need.
Our developer policy looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "arn:aws:ec2:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:Describe*",
        "iam:ListInstanceProfiles",
        "mgh:CreateProgressUpdateStream",
        "mgh:ImportMigrationTask",
        "mgh:NotifyMigrationTaskState",
        "mgh:PutResourceAttributes",
        "mgh:AssociateDiscoveredResource",
        "mgh:ListDiscoveredResources",
        "mgh:AssociateCreatedArtifact",
        "discovery:ListConfigurations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:ModifyInstanceAttribute",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:CreateImage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "ForAllValues:StringLike": {
          "ec2:ResourceTag/appenv": [
            "rmmigrate-dta"
          ]
        }
      },
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RunInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
No process deployed to AWS infrastructure uses static AWS credentials. All instances that call other AWS services use roles. Static AWS credentials are used only for third-party integrations that cannot make use of assumed roles.
Each APN partner and user of the platform logs into AWS with a unique IAM user or a federated login. No root access is permitted; we have a CloudWatch alarm set up that triggers an SNS notification via email any time the root user logs in.
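As an added illustration of the root-login alarm described above (example code, not Triumph Tech's), assuming CloudTrail is delivered to a CloudWatch Logs group: the metric filter that feeds such an alarm is the CIS AWS Foundations root-usage pattern, and the Python below applies the same test to constructed CloudTrail records, including a service-invoked root event that must not raise the alarm.

```python
# Added example (not Triumph Tech's code): apply the CIS root-usage metric filter test to CloudTrail records.
import json

# Constructed CloudTrail records (not from a real account); account ID and IPs are placeholders.
CLOUDTRAIL_EVENTS = [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "sourceIPAddress": "198.51.100.7", "eventTime": "2020-10-13T14:02:11Z"},
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev-jane", "accountId": "123456789012"},
     "sourceIPAddress": "198.51.100.8", "eventTime": "2020-10-13T14:03:40Z"},
    # Root identity used on the account's behalf by an AWS service: the filter excludes this.
    {"eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "invokedBy": "ecs.amazonaws.com"},
     "sourceIPAddress": "ecs.amazonaws.com", "eventTime": "2020-10-13T14:04:02Z"},
]

def is_root_usage(event: dict) -> bool:
    """Python equivalent of the CIS metric filter pattern
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")

def root_usage_findings(events) -> list:
    """One alert record per matching event: the detail an on-call engineer needs from the SNS email."""
    return [{"account": e["userIdentity"]["accountId"], "event": e["eventName"],
             "source_ip": e.get("sourceIPAddress"), "time": e["eventTime"]}
            for e in events if is_root_usage(e)]

def alarm_message(findings) -> str:
    """Shape the result like a CloudWatch alarm state change carrying the matched records."""
    return json.dumps({"AlarmName": "RootAccountUsage", "NewStateValue": "ALARM" if findings else "OK", "Findings": findings})
```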
The following Security Group example meets the requirements of:
Components which require encryption in order to maintain HIPAA compliance on AWS:
Trivy vulnerability scans run before an artifact is published to ECR. If a critical vulnerability is found, the container image artifact is neither published nor deployed until it is patched. This ensures HIPAA compliance on AWS.
AWS API Integration
The AWS CLI is used for all programmatic access.
The deployment process is fully automated. When we merge a change from the development branch into the master branch in GitHub, CodePipeline is triggered. CodePipeline first runs CodeBuild, which builds an application artifact using Docker. The Docker image is pushed to ECR, and deployment to production is then approved.
Vulnerability scans are fully automated using Trivy, which is integrated with CodeBuild. Vulnerability scan results are published to Security Hub.
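The CodeBuild gate described earlier (the non-zero exit on a critical finding, with results handed to Security Hub) and the Trivy automation above, as one added example that is not Triumph Tech's or Trivy's code: it parses Trivy's `--format json` output, returns the exit code that stops the ECR push, and shapes findings as ASFF documents for `aws securityhub batch-import-findings`; the account ID, region and image URI passed in are placeholders.

```python
# Added example (not Triumph Tech's or Trivy's code): Trivy JSON -> CodeBuild gate + ASFF for Security Hub.
import hashlib
import json
from datetime import datetime, timezone

# Constructed Trivy output (not a real scan); vulnerability IDs are placeholders.
TRIVY_OUTPUT = json.dumps({"Results": [{
    "Target": "app:latest (alpine 3.12.0)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1g-r0",
         "FixedVersion": "1.1.1h-r0", "Severity": "CRITICAL", "Title": "placeholder critical finding"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "musl", "InstalledVersion": "1.1.24-r9",
         "FixedVersion": "", "Severity": "MEDIUM", "Title": "placeholder medium finding"},
    ]}]})

# Trivy severities -> ASFF Severity.Label values (UNKNOWN has no ASFF equivalent).
ASFF_LABEL = {"CRITICAL": "CRITICAL", "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW", "UNKNOWN": "INFORMATIONAL"}

def iter_vulns(trivy_json: str):
    """Yield (target, vuln) pairs from either Trivy JSON layout: a bare list or {"Results": [...]}."""
    data = json.loads(trivy_json)
    for result in (data["Results"] if isinstance(data, dict) else data):
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln

def gate_exit_code(trivy_json: str, fail_on=("CRITICAL",)) -> int:
    """1 if any finding has a blocking severity (build fails, nothing is pushed to ECR), else 0."""
    return int(any(v["Severity"] in fail_on for _, v in iter_vulns(trivy_json)))

def to_asff(trivy_json: str, account_id: str, region: str, image_uri: str) -> list:
    """Map each finding to ASFF; Id is stable per image+CVE+package so re-imports update rather than duplicate."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    findings = []
    for target, v in iter_vulns(trivy_json):
        fid = hashlib.sha256(f"{image_uri}|{v['VulnerabilityID']}|{v['PkgName']}".encode()).hexdigest()
        findings.append({
            "SchemaVersion": "2018-10-08", "Id": fid,
            "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
            "GeneratorId": "trivy", "AwsAccountId": account_id,
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "CreatedAt": now, "UpdatedAt": now,
            "Severity": {"Label": ASFF_LABEL.get(v["Severity"], "INFORMATIONAL")},
            "Title": f"{v['VulnerabilityID']} in {v['PkgName']} {v['InstalledVersion']}"[:256],
            "Description": f"{v.get('Title', '')} ({target}); fixed in {v.get('FixedVersion') or 'no fix yet'}"[:1024],
            "Resources": [{"Type": "Container", "Id": image_uri}],
        })
    return findings
```

Trivy can do both steps natively (`--exit-code 1 --severity CRITICAL` for the gate, `--format template --template "@contrib/asff.tpl"` for the ASFF output); the block spells out the mapping those flags perform.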
All AWS components are deployed using CloudFormation.
Data is backed up every 12 hours, so even in extreme conditions only one day’s worth of data may be lost rather than all of it.
We use Elastic Container Service (ECS) Auto Scaling to respond to changes in demand.
We deployed the workload into a development environment to run a test. We ran a load test over a period of 30 minutes, recorded the number of tasks that were deployed by the service, and estimated the cost based on CPU / memory allocation in AWS Fargate. We took the outcome and reduced it by 50% to account for off-peak hours.
The cost for Fargate containers during peak hours is $498.75, which accounts for a total of 35 containers.
Looking to implement HIPAA Compliance on AWS? Contact one of our DevOps Professionals today.