Project 6: Secure Enterprise App Deployment
CyberPreacher Edition
Project Scenario
A rapidly growing fintech company is transitioning from a legacy on-premises system to the cloud in order to modernize its infrastructure and scale operations. During an internal security review, the following issues were discovered:
- User accounts had excessive permissions, increasing the risk of insider threats.
- Secrets and API credentials were stored as plain text in configuration files.
- No multi-factor authentication (MFA) was enforced, leaving critical admin accounts vulnerable.
- There was no centralized logging, making it difficult to trace incidents or access patterns.
- The company exceeded monthly cloud spending due to lack of cost monitoring.
Your task: As part of the cloud engineering team, you will be responsible for deploying a secure enterprise application in AWS that resolves these risks by enforcing strict IAM practices, encrypting secrets, integrating monitoring, and setting up budget alerts.
Lab Objectives
- Exercise 1: Create a dedicated environment and IAM users.
- Exercise 2: Deploy and secure the enterprise application.
- Exercise 3: Enforce MFA and conditional access using IAM policies.
- Exercise 4: Store application secrets in AWS Secrets Manager.
Exercise 1: Environment and IAM Access Controls
Estimated Timing: 15 minutes
Task 1: Create a Project-specific Resource Group (Tag-based)
- Log in to the AWS Management Console.
- Navigate to the Resource Groups drop-down (top navigation bar).
- Click Tag Editor > Manage Tags and create a tag:
  - Key: Project
  - Value: CPApp
- Apply this tag to every resource created in this project so they can be managed and cleaned up together.
Task 2: Create an IAM User and Assign Admin Role
- Go to IAM > Users > Add Users
- Fill in:
  - User name: jane.admin
  - Access type: Select Programmatic access and AWS Management Console access
  - Console password: Auto-generated or custom
- In Permissions, select Attach policies directly
- Search for and attach AdministratorAccess
- Click Next and create the user
- Save the temporary credentials for first login
Exercise 2: Deploy and Secure the Enterprise Application
Estimated Timing: 20 minutes
- In the AWS Console, navigate to Elastic Beanstalk > Create a new application
- Fill in:
  - Application name: EnterpriseApp
  - Platform: Choose Python/Node.js/Java based on your app
  - Environment: Web Server Environment
- Upload your app code or sample project
- Click Create environment
Once deployed:
- Go to IAM > Roles
- Assign permissions to the Elastic Beanstalk instance profile:
  - Policies: AmazonSSMFullAccess, AmazonS3ReadOnlyAccess
Exercise 3: Enable MFA and IAM Policy Conditions
Estimated Timing: 15 minutes
- In IAM > Users, select jane.admin
- On the Security credentials tab, choose Assign MFA device
- Select Virtual MFA device (use Google Authenticator or similar)
- Follow prompts to scan QR code and confirm codes
Add a Conditional Access Policy
- In IAM > Policies, click Create Policy
- Go to JSON tab and paste:
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
          }
        }
      }
    }
- Attach this policy to all privileged users. It enforces MFA for all operations.
Exercise 4: Secure Secrets with AWS Secrets Manager
Estimated Timing: 10 minutes
- Go to Secrets Manager > Store a new secret
- Select:
  - Secret type: Other type of secrets
  - Key/Value pair:
    - Key: AppClientSecret
    - Value: Paste your application secret
- Click Next and name the secret EnterpriseAppSecret
- Store it in region US East (N. Virginia)
- In your app, retrieve the secret securely via AWS SDK or using instance roles
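As an added example (not part of the original lab), here is the last step done in Python with boto3: the application resolves AppClientSecret from the EnterpriseAppSecret secret at runtime, using the credentials the instance profile role provides, instead of reading a plaintext value from a configuration file. The injectable client argument, FakeSecretsClient and the example secret value are assumptions made so that the parsing logic can run offline.

```python
import json

# Names from the lab; "us-east-1" is the API identifier for US East (N. Virginia).
SECRET_NAME = "EnterpriseAppSecret"
REGION = "us-east-1"


def default_client(region: str = REGION):
    """Real Secrets Manager client. With secretsmanager:GetSecretValue granted to the
    instance profile role, boto3 obtains temporary credentials from the instance
    metadata service, so the application ships no access keys at all."""
    import boto3  # imported lazily so the parsing code runs offline without boto3
    return boto3.client("secretsmanager", region_name=region)


def parse_secret_response(response: dict) -> dict:
    """Turn a GetSecretValue response into a dict of key/value pairs. Secrets
    created as 'Key/Value pair' in the console arrive as a JSON document in
    SecretString; binary secrets arrive as bytes in SecretBinary."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")  # boto3 hands back bytes
    else:
        raise ValueError("GetSecretValue response carries no secret payload")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        data = None
    # A plaintext (non key/value) secret is exposed under a single key.
    return data if isinstance(data, dict) else {"value": raw}


def get_app_client_secret(client=None, secret_name: str = SECRET_NAME) -> str:
    """Fetch AppClientSecret at runtime instead of reading it from a config file.
    `client` is injectable (an assumption) so the logic can run without AWS access."""
    client = client or default_client()
    response = client.get_secret_value(SecretId=secret_name)
    return parse_secret_response(response)["AppClientSecret"]


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client, for offline use only."""
    def get_secret_value(self, SecretId: str) -> dict:
        assert SecretId == SECRET_NAME
        return {"SecretString": json.dumps({"AppClientSecret": "example-not-a-real-secret"})}
```

On the Elastic Beanstalk instance, calling get_app_client_secret() with no arguments uses the real client and the instance role; nothing secret is written to disk or to environment variables.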
Summary of Key Security Practices
- IAM: Principle of least privilege enforced through roles and policies
- MFA: Mandatory for privileged users
- Secrets: Stored securely in Secrets Manager, not hardcoded
- Monitoring: Log ingestion via CloudWatch
- Cost Control: Budget alerts active to prevent overspending
Side Task: Once done, take a screenshot of the completed task and upload it on LinkedIn, including the hashtags #cloudprojectwithcyberpreacher #CPwCP, while sharing your experiences around the project.
Note: Be sure to delete every resource created during this project to keep costs under control.