hanimao/threat-composer

Table of Contents

  1. Project Overview
  2. Architecture Diagram
  3. Getting Started
  4. Docker Set Up
  5. Terraform Infrastructure
  6. Local setup
  7. Security Improvements

Project Overview

This project deploys the Amazon Threat Composer Tool, an open-source application for identifying potential threats and security issues, onto AWS ECS (Fargate) using Terraform. Threat Composer simplifies and organises the threat modeling process, making it easier to manage security threats early in the design and adoption phase. This ECS project demonstrates how to deploy a pre-built threat modeling application to AWS using modern DevOps practices. I containerised the app with Docker, deployed it to AWS using ECS, an ALB, Route 53 and IAM roles, and provisioned the resources with Terraform. I also built a CI/CD pipeline (GitHub Actions) for automated deployments, ensuring scalability and efficiency. The setup enables users to simulate real-world threat scenarios and model security vulnerabilities effectively using AWS capabilities.

As you work through these sections, the Threat Composer generates a comprehensive Threat Model Document.

Architecture Diagram

architecture diagram

threat composer

Getting Started

Prerequisites

Make sure you have the following installed and configured:

  1. Terraform
  2. Docker
  3. GitHub and GitHub Actions
  4. An AWS account and the AWS CLI

Configure AWS CLI

Run `aws configure` and enter the credentials of an IAM identity that has only the permissions the deployment needs:

```bash
$ aws configure
AWS Access Key ID [None]: accesskey
AWS Secret Access Key [None]: secretkey
Default region name [None]: your region
Default output format [None]:
```

Docker Set Up

The size of the Docker image tm-app was reduced to 245.56 MB, down from over 1 GB, through a multi-stage build: build-time tooling stays in the builder stage and only the production artefacts are copied into the final image. A smaller image is faster to pull on ECS and carries fewer packages that need patching.

Docker image

Build the Docker image:

```bash
docker build -t threat-app .
```

Run the container:

```bash
docker run -p 3000:3000 threat-app
```

Terraform Infrastructure

The AWS infrastructure is organised into reusable Terraform modules. This approach follows the DRY (Don't Repeat Yourself) principle and keeps the code scalable and maintainable. Terraform provisions the infrastructure, with the state backend hosted on AWS S3, enabling reliable tracking and versioning of infrastructure changes.

Terraform directory

```
.
├── application/
│   ├── config/
│   ├── images/
│   ├── public/
│   ├── src/
│   ├── Dockerfile
│   ├── package.json
│   └── project.json
├── terraform/
│   ├── modules/
│   ├── main.tf
│   ├── provider.tf
│   └── variables.tf
├── .gitignore
└── README.md
```
| AWS resource | Purpose |
|---|---|
| ECS Cluster | Manages orchestration to run the Docker container. |
| ECS Task Definition | Specifies the Docker image that ECS will pull and run, and allocates CPU, memory and network configuration such as the VPC and subnets. |
| ECS Service | Manages the lifecycle of tasks, ensuring they run and scale as needed. |
| ECR Repository | Stores the Docker image. The CI/CD pipeline automates the Docker build: it creates the image from the Dockerfile and pushes it to the ECR repository `threat-app`. |
| Application Load Balancer (ALB) | Distributes incoming traffic to the ECS tasks and routes HTTP and HTTPS traffic to the application across multiple AZs. |
| Route 53 | Serves as the domain name system (DNS) for the application, routing traffic from the custom domain to the ALB. A hosted zone was created for the domain hanimao.com, and a DNS record points the subdomain tm.hanimao.com to the ALB. |
| AWS Certificate Manager (ACM) | Provisions and manages the TLS certificate that enables HTTPS, so all data between the user and the application is encrypted in transit. The certificate was created and validated via DNS validation (using Route 53) to secure HTTPS access to tm.hanimao.com. |
| IAM Roles | Manage security and permissions for the ECS services. The execution role (`ecs_task_execution_role`) gives ECS tasks permission to pull the image from ECR; the service role (`ecs_service_role`) grants ECS the ability to manage the lifecycle of the task and interact with other infrastructure services. |
| GitHub Actions | Automates the CI/CD pipeline. It builds the Docker image, pushes it to ECR, and triggers a new Terraform deployment when changes are merged to the main branch. |
| Security Groups | Act as virtual firewalls controlling traffic to and from resources. The ECS security group restricts inbound/outbound traffic to the ECS tasks so that only traffic from the ALB is allowed; the ALB security group allows inbound HTTP (port 80) and HTTPS (port 443), enabling external users to reach the application over the internet. |
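The security-group pairing and the execution role in the table are the two controls that keep the tasks reachable only through the ALB and keep the task permissions narrow. The Terraform below is an added example, not the repository's own modules; it assumes a `vpc_id` variable, that the container listens on port 3000 (the port used by `docker run` above), and that the app pulls its image from ECR and writes logs to CloudWatch, so outbound traffic from the tasks is limited to HTTPS.

```hcl
# Added example (not the repository's own Terraform): the ALB/ECS security
# group pair and the ECS task execution role described in the table.
# Assumed inputs: var.vpc_id and var.container_port (3000, as in docker run).

variable "vpc_id" {
  type = string
}

variable "container_port" {
  type    = number
  default = 3000
}

# Internet-facing ALB: the only resource that accepts traffic from 0.0.0.0/0.
resource "aws_security_group" "alb" {
  name        = "threat-app-alb-sg"
  description = "Allow HTTP/HTTPS from the internet to the ALB"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTP (the listener should redirect this to HTTPS)"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ECS tasks: inbound only from the ALB security group, on the container port.
# Referencing the ALB SG rather than a CIDR means the rule follows the ALB
# even when its addresses change, and nothing else in the VPC can reach the
# tasks directly.
resource "aws_security_group" "ecs" {
  name        = "threat-app-ecs-sg"
  description = "Allow traffic to ECS tasks only from the ALB"
  vpc_id      = var.vpc_id

  ingress {
    description     = "App port from ALB only"
    from_port       = var.container_port
    to_port         = var.container_port
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Tasks need outbound HTTPS to pull the image from ECR and ship logs.
  # DNS to the VPC resolver is allowed implicitly by security groups.
  egress {
    description = "HTTPS egress (ECR, CloudWatch Logs)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Execution role: used by the ECS agent to pull the image and write logs.
# Trust is limited to the ECS tasks service principal.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

# AWS-managed policy covering ECR authorization, image pulls and CloudWatch
# Logs writes; nothing beyond what the agent needs.
resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
```

A quick check after `terraform apply` is to confirm that the ECS security group has no ingress rule with a CIDR source at all, only the ALB security group reference; if the application itself later needs AWS permissions (for example to read a bucket), give those to a separate task role rather than widening the execution role.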

Local setup

```bash
yarn install
yarn build
yarn global add serve
serve -s build
```

Security Improvements

  1. Implement OIDC for GitHub Actions instead of storing long-lived AWS credentials as repository secrets.
  2. Add a CloudWatch dashboard for the ECS service and ALB.
  3. Run Checkov to scan the infrastructure-as-code (IaC) files for misconfigurations.
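The first improvement, replacing stored AWS keys with OIDC, can itself be expressed in Terraform. The block below is an added example, not code from this repository: it registers GitHub's OIDC provider, creates a role that only workflows from the `hanimao/threat-composer` repository on the `main` branch can assume, and scopes that role to pushing images into the `threat-app` ECR repository. It assumes the `hashicorp/tls` provider is available (used to fetch the provider thumbprint) and the AWS provider 5.x.

```hcl
# Added example (not the repository's own Terraform): GitHub Actions OIDC
# federation so the pipeline pushes to ECR without long-lived AWS keys.
# Assumptions: repo hanimao/threat-composer deploys from branch main, the
# ECR repository "threat-app" already exists, and the tls provider is
# configured alongside aws.

variable "github_repo" {
  type    = string
  default = "hanimao/threat-composer"
}

variable "github_branch" {
  type    = string
  default = "main"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Fetch GitHub's current signing certificate so the thumbprint is not
# hard-coded and goes stale.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: only tokens minted for this repo AND this branch may assume
# the role. Without the "sub" condition any GitHub repository could.
data "aws_iam_policy_document" "github_assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repo}:ref:refs/heads/${var.github_branch}"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name                 = "github-actions-threat-app"
  assume_role_policy   = data.aws_iam_policy_document.github_assume.json
  max_session_duration = 3600
}

# Least privilege for the pipeline: push to one ECR repository only.
# GetAuthorizationToken cannot be resource-scoped, so it stays on "*".
data "aws_iam_policy_document" "ecr_push" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
    resources = [
      "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/threat-app",
    ]
  }
}

resource "aws_iam_role_policy" "github_actions_ecr" {
  name   = "ecr-push-threat-app"
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.ecr_push.json
}

output "github_actions_role_arn" {
  value = aws_iam_role.github_actions.arn
}
```

On the workflow side the job needs `permissions: id-token: write` and passes the output ARN as `role-to-assume` to `aws-actions/configure-aws-credentials`; the static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets can then be deleted. Note that the `sub` claim differs for pull-request and tag-triggered runs, so a workflow that also runs Terraform from other refs needs a matching condition rather than a wildcard over the whole repository.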

About

This ECS project deploys the Amazon Threat Composer tool, which identifies potential threats. It is deployed onto AWS ECS (Fargate) using infrastructure as code (Terraform).
