Question

I just need the answer of (6 Documentation).

1 Introduction

For the final project you'll be designing and securing an AWS web application and its accompanying infrastructure. To accomplish this, you'll be borrowing heavily from the concepts in this class up to (and including) Module 11 - Application Container Security. Some tips: cite everything! The more citations you pull in, the better. Feel free to reference any of the course material, but also plenty of outside sources (you may find many pieces of OWASP's documentation useful). Second, be sure to read the assignment in its entirety before starting and let us (Joe & Ross) know if you have any questions before beginning.

2 Network Technical Specification
Length: 1-2 pages

The network should have 3 subnets within a single VPC: 1 public-facing and 2 private-facing subnets. You do NOT have to talk about the routing configuration (assume it has been completed for you), but please say which Security Groups and Access Lists you would put in place to ensure external users can view the website on the standard HTTP port but cannot access any other ports on the web server. Also, how would you configure the Access Lists and Security Groups such that the web server can speak to the database, but cannot access any other unnecessary internal resources? The web server, which will reside in your public subnet, should have an Elastic IP address and should scale (elastically) to meet any amount of user demand. AWS provides a service that accomplishes exactly this. Please tell us what that feature is and exactly how you would configure it. Also, we use the term server loosely. You can use an EC2 instance if you'd like, but there are some very useful alternatives you might want to investigate.

3 DevSecOps & Security Technical Specification
Length: 2-3 pages

Throughout the course we've talked a lot about DevSec pipelines and the workflows they implement. Suppose the application we're building here is being developed within AWS and the source code is being stored in Code Commit. Please design a workflow using AWS service offerings that, upon a developer committing code to the repo, kicks off a job that does the following: performs static code analysis (using the SAST of your choice), deploys the application code to a server/container and performs a dynamic analysis (using the DAST of your choice), if both checks pass deploys the code to the actual production web server instance(s), and reports the results of the testing and deployment to the development team. Depending on which SAST/DAST tools you select, describe where you would host them (if necessary) and tell us why it could be desirable to run both static and dynamic analysis of your web application. NOTE: the SAST and DAST tools should not be pre-existing AWS services. Please refer to the tools we covered in Modules 5 and 6 or other relevant scanning tools.

4 Application Technical Specification
Length: 2-3 pages

At a high level you'll be running a web server that connects to a database and also serves a publicly available list of API methods. First, which web server would you use and why? Next, which database would you use and why? Assume the dataset is large, but not huge. The data contains natural relationships that should support fast search. The data also has a pre-existing, well-defined schema that will not change over time. Think carefully about what these data specs mean when choosing a DB engine (relational, key-store, document-based, etc.). With respect to the DB server, how would you run it: inside of an EC2 instance, in a container, in a pre-existing Amazon service? Please give specific details that support your decision. How would you make the web and database server fault-tolerant? We'd also like to hear how you intend to keep these services online while performing routine scanning and maintenance on them. Which tools would you use to scan your chosen web server and database server? Why did you choose these tools and how would you configure them to minimize (or eliminate) downtime? Recall the website also offers a set of REST APIs to its users. Namely, it will offer a /GET method that allows someone to GET a JSON list of users and their, say, financial transactions. A /DELETE method is also supported that allows a user to delete their bank account in the event they decide to close it down. Finally, there is a /POST method that allows a user to add an authorized party to their account so the newly added members can view historical transaction data. What technology would you use to implement such an API? There is clearly no security baked into this API, so please discuss the risks of just publishing the API as it is written here. What steps would you take to secure the API against malicious access?

5 Data Security Technical Specification
Length: 1-2 pages

For this application you can assume data is being stored in S3, your database (whichever platform you chose), and also being archived in Glacier. Due to the financial nature of your data, you must restrict access to the data, log all accesses, have data be highly available in the event of a failure, and prevent data from being lost if breached/stolen. For each of these 4 security goals, discuss in detail how you would implement them.

6 Documentation

Once the written part of your project is complete, please use a free online tool of your choosing (draw.io, creately.com, Gliffy) and diagram the architecture you designed. I understand certain icons might be missing, and that's fine, but please do your best. We'd like you to build two architecture diagrams. The first should diagram the infrastructure. For instance, you may want to show how the network was designed, where your load balancers are, how your subnets are laid out, where your databases reside, etc. Here is a good example of what you might want to shoot for: https://cloudacademy.com/blog/wp-content/uploads/2014/07/CMSin-VPC.jpg. Your second diagram should depict the DevOps/dataflow aspect of the project. We'd like you to show how the code goes from the repo, to the test environment, gets deployed and analyzed with SAST/DAST, then gets pushed to production. You can find a reference architecture diagram here: https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2017/05/29/architecture.jpeg
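As an added illustration of the Security Group requirement in section 2 (this is example code written for this page, not part of the question or of any answer), the check below audits two security groups for exactly the two properties asked for: the web tier exposes only TCP/80 to the internet, and the database tier is reachable only on its database port and only from the web tier's security group. The group IDs, the database port and the sample rule sets are assumptions constructed for the example; the rule dictionaries follow the shape boto3 returns from describe_security_groups, but no AWS call is made.

```python
# Added example: audit security-group ingress rules against the section 2 requirement.
# Input is constructed in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"].
WEB_SG, DB_SG = "sg-web", "sg-db"   # assumed group IDs of the web and database tiers
DB_PORT = 5432                       # assumed database port (PostgreSQL)

def port_range(rule):
    # Protocol -1 means "all traffic", i.e. every port.
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))

def audit(groups):
    """Return violations as strings; an empty list means the rules are compliant."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    # Rule 1: the web tier may expose only TCP/80 to the internet (IPv4 or IPv6).
    for rule in by_id[WEB_SG]["IpPermissions"]:
        lo, hi = port_range(rule)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        public = any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
        if public and ((lo, hi), rule.get("IpProtocol")) != ((80, 80), "tcp"):
            findings.append(f"{WEB_SG}: ports {lo}-{hi} open to the internet")
    # Rule 2: the database tier accepts only DB_PORT, and only from the web SG.
    for rule in by_id[DB_SG]["IpPermissions"]:
        lo, hi = port_range(rule)
        if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
            findings.append(f"{DB_SG}: CIDR ingress on {lo}-{hi}; reference {WEB_SG} instead")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != WEB_SG or (lo, hi) != (DB_PORT, DB_PORT):
                findings.append(f"{DB_SG}: ports {lo}-{hi} allowed from {pair['GroupId']}")
    return findings

def rule(proto, port, cidr=None, sg=None):  # builds a constructed sample rule in the boto3 shape
    r = {"IpProtocol": proto, "IpRanges": [], "UserIdGroupPairs": []}
    if port is not None:
        r.update(FromPort=port, ToPort=port)
    if cidr:
        r["IpRanges"].append({"CidrIp": cidr})
    if sg:
        r["UserIdGroupPairs"].append({"GroupId": sg})
    return r

# Constructed samples: a compliant pair, and one with SSH public and the DB open by CIDR / all ports.
COMPLIANT = [{"GroupId": WEB_SG, "IpPermissions": [rule("tcp", 80, cidr="0.0.0.0/0")]},
             {"GroupId": DB_SG, "IpPermissions": [rule("tcp", DB_PORT, sg=WEB_SG)]}]
OVERLY_OPEN = [{"GroupId": WEB_SG, "IpPermissions": [rule("tcp", 80, cidr="0.0.0.0/0"),
                                                      rule("tcp", 22, cidr="0.0.0.0/0")]},
               {"GroupId": DB_SG, "IpPermissions": [rule("tcp", DB_PORT, cidr="10.0.0.0/16"),
                                                    rule("-1", None, sg=WEB_SG)]}]
```

Running audit(OVERLY_OPEN) reports the public SSH port, the CIDR-based database rule and the all-ports rule from the web group, while audit(COMPLIANT) returns no findings; the same function can be pointed at real describe_security_groups output.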
