In our last blog, we shared how the Flux7 IT consulting services team developed and built an AWS-based Tableau infrastructure for a leading biopharmaceutical organization focused on curing cancer. (ICYMI, you can find it here.) As promised in that article, today we’re sharing a look at the security best practices we put in place in that AWS infrastructure to protect the company’s intellectual property and patients’ personal data. In addition, we’ll share a unique backup solution we created for our customer’s Tableau application.
AWS Security Hub, Tableau Backup Solution Keep BioPharma Research Secure.
At Flux7, we build security in, ensuring security best practices are woven into the fabric of customer installations. For this customer, we did so through two main initiatives: AWS Security Hub with AWS Config rules, and best-practice security controls including CIS hardening.
AWS Security Hub & AWS Config
AWS Security Hub provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. With Security Hub, we sought to provide this pharma customer with a single place that aggregates, organizes, and prioritizes their security alerts from multiple AWS services. AWS Security Hub compliance checks use the configuration items recorded by AWS Config, Amazon’s service that continuously audits AWS resource configurations.
To give Security Hub that data, we started by setting up a repository of AWS CloudFormation templates that enable AWS Config in each AWS account. AWS Config rules were deployed on all four of the firm’s accounts, giving them a recorded history of resource configuration events for forensics and alerting.
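As an added illustration of the kind of template described above (this is example code, not Flux7’s repository), the following CloudFormation template enables an AWS Config recorder and delivery channel, attaches two AWS managed Config rules, and turns on Security Hub in the account. The bucket name is a parameter and is assumed to exist already with a bucket policy that allows Config to write to it; the rule names and the managed policy choice are assumptions for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not Flux7's template): enable AWS Config recording, a
  delivery channel, two managed Config rules and AWS Security Hub.

Parameters:
  ConfigBucketName:
    Type: String
    Description: Existing S3 bucket that receives Config snapshots and history

Resources:
  # Service role that AWS Config assumes to read resource configuration
  # and deliver snapshots to the bucket.
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
      Policies:
        - PolicyName: config-delivery
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub arn:aws:s3:::${ConfigBucketName}/AWSLogs/${AWS::AccountId}/*
                Condition:
                  StringEquals:
                    s3:x-amz-acl: bucket-owner-full-control
              - Effect: Allow
                Action: s3:GetBucketAcl
                Resource: !Sub arn:aws:s3:::${ConfigBucketName}

  # Record every supported resource type, including global ones such as IAM,
  # so that Security Hub's CIS checks have configuration items to evaluate.
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      S3BucketName: !Ref ConfigBucketName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours

  # Managed rules can only be created once a recorder exists, hence DependsOn.
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: encrypted-volumes   # assumed name
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES

  CloudTrailEnabledRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: cloudtrail-enabled  # assumed name
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED

  # Security Hub aggregates the findings produced by the Config rules above.
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    DependsOn: ConfigRecorder
```

Deploying this same stack to each of the four accounts (for example through CloudFormation StackSets) is what gives every account its own configuration history; the Config rules report non-compliant resources, and Security Hub collects those findings into one view.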
CIS Hardening and Other Best Practice Security
We hardened the Tableau accounts to CIS benchmarks, thereby meeting AWS security best practices. In addition, the Flux7 AWS consulting team added:
Instance recovery alarms to all bare instances so that an instance with a hardware malfunction is recovered automatically.
To work with the legacy on-premises firewall systems, we assigned fixed IP addresses to the instances so the on-premises firewall can rely on a constant IP list.
All outbound traffic is routed through AWS Direct Connect (an AWS service that establishes a dedicated network connection from the client premises to AWS) so that the existing on-premises security rules still apply.
Logs are shipped to a separate audit account, which provides both a central location for log analysis and log integrity in the event of an incident. Amazon CloudWatch Logs organizes these audit logs under a pre-defined log path, so the customer can follow the same pattern when posting additional logs to CloudWatch Logs. Last, we pre-defined error conditions for the customer, so that an alarm fires whenever an uploaded log entry matches one of these conditions and the team can take action.
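Two of the controls listed above, the instance recovery alarm and the alarm on a pre-defined error condition in the uploaded logs, can be expressed in a single CloudFormation template. The template below is an added example, not Flux7’s code; the log group name, the filter pattern, the alarm thresholds and the SNS topic are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: automatic EC2 recovery for a Tableau host plus a
  CloudWatch Logs metric filter and alarm on a pre-defined error condition.

Parameters:
  TableauInstanceId:
    Type: AWS::EC2::Instance::Id
  AlertTopicArn:
    Type: String
    Description: SNS topic that receives alarm notifications (assumed to exist)
  AuditLogGroupName:
    Type: String
    Default: /tableau/server/audit    # assumed log path; use your own convention

Resources:
  # When the system status check fails for two consecutive minutes, EC2
  # recovers the instance onto healthy hardware and the team is notified.
  InstanceRecoveryAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Recover the Tableau instance on hardware failure
      Namespace: AWS/EC2
      MetricName: StatusCheckFailed_System
      Dimensions:
        - Name: InstanceId
          Value: !Ref TableauInstanceId
      Statistic: Minimum
      Period: 60
      EvaluationPeriods: 2
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Sub arn:aws:automate:${AWS::Region}:ec2:recover
        - !Ref AlertTopicArn

  # Count every log event matching the error condition. "?ERROR ?FATAL"
  # matches lines containing either term (example pattern, adjust to taste).
  ErrorMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref AuditLogGroupName
      FilterPattern: '?ERROR ?FATAL'
      MetricTransformations:
        - MetricName: TableauLogErrors
          MetricNamespace: Tableau/Audit
          MetricValue: '1'
          DefaultValue: 0

  # Alarm as soon as one matching entry arrives in a five-minute window.
  # TreatMissingData keeps a quiet log group from flapping to INSUFFICIENT_DATA.
  LogErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Error condition seen in uploaded Tableau logs
      Namespace: Tableau/Audit
      MetricName: TableauLogErrors
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopicArn
```

The recovery alarm uses the built-in `arn:aws:automate:<region>:ec2:recover` action, which is what lets an instance with a failed underlying host come back on new hardware without anyone logging in. The metric filter and alarm pair is the pattern the customer can copy for each additional error condition they want to watch.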
In addition to the security best practices put into place for this customer, we created a best practice Tableau backup solution as well.
Tableau Backup on AWS
For our state-of-the-art backup solution, we created an AWS CloudFormation template that deploys an AWS Systems Manager (SSM) Automation document. That document runs the commands that back up Tableau Server and its logs, uploads both archives to Amazon S3, and then removes the local copies from the instance.
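The following template is an added example of that design, not Flux7’s template: it declares an SSM Automation document whose single step runs `tsm maintenance backup` and `tsm maintenance ziplogs` on the Tableau instance, copies the resulting archives to S3 with server-side encryption, and deletes them locally. It assumes the instance profile allows `s3:PutObject` on the bucket, that the `aws` CLI is installed on the host, and that the user SSM runs commands as is authorized to run `tsm`; the bucket and key layout are assumptions for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: SSM Automation document that backs up Tableau Server and
  its logs, uploads both archives to S3 and cleans up the instance.

Resources:
  TableauBackupDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      DocumentFormat: YAML
      Content:
        schemaVersion: '0.3'
        description: Back up Tableau Server and its logs to S3, then clean up.
        parameters:
          InstanceId:
            type: String
            description: Tableau Server instance to back up
          BucketName:
            type: String
            description: Destination S3 bucket (assumed to exist)
        mainSteps:
          - name: BackupTableauAndLogs
            action: aws:runCommand
            timeoutSeconds: 7200
            inputs:
              DocumentName: AWS-RunShellScript
              InstanceIds:
                - '{{ InstanceId }}'
              Parameters:
                commands:
                  # Stop on the first failing command so a partial backup is not uploaded.
                  - set -e
                  - STAMP=$(date +%Y%m%d-%H%M)
                  # TSM writes backups and log archives to these configured paths.
                  - BACKUP_DIR=$(tsm configuration get -k basefilepath.backuprestore)
                  - LOG_DIR=$(tsm configuration get -k basefilepath.log_archive)
                  # Full server backup (repository and extracts) and all logs.
                  - tsm maintenance backup -f "tableau-${STAMP}.tsbak"
                  - tsm maintenance ziplogs -a -f "tableau-logs-${STAMP}.zip"
                  # Upload both archives with SSE, under a per-instance prefix.
                  - aws s3 cp "${BACKUP_DIR}/tableau-${STAMP}.tsbak" "s3://{{ BucketName }}/{{ InstanceId }}/backups/" --sse AES256
                  - aws s3 cp "${LOG_DIR}/tableau-logs-${STAMP}.zip" "s3://{{ BucketName }}/{{ InstanceId }}/logs/" --sse AES256
                  # Remove local copies so the instance does not fill up.
                  - rm -f "${BACKUP_DIR}/tableau-${STAMP}.tsbak" "${LOG_DIR}/tableau-logs-${STAMP}.zip"

Outputs:
  DocumentName:
    Value: !Ref TableauBackupDocument
```

Once the stack is deployed, a backup is one call: `aws ssm start-automation-execution --document-name <DocumentName> --parameters InstanceId=<id>,BucketName=<bucket>`, and the same call can be placed on a schedule with an EventBridge rule or a State Manager association. Because `set -e` stops the step at the first failure, a failed `tsm` backup leaves nothing half-uploaded and the Automation execution itself reports the failure.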
Written by Flux7 Labs
Flux7, an NTT DATA Company, is the only Sherpa on the DevOps journey that assesses, designs, and teaches while implementing a holistic solution for its enterprise customers, thus giving its clients the skills needed to manage and expand on the technology moving forward. Not a reseller or an MSP, Flux7 recommendations are 100% focused on customer requirements and creating the most efficient infrastructure possible that automates operations, streamlines and enhances development, and supports specific business goals.