digihunch / orthweb Goto Github PK

1. S3

• access must come via S3 endpoint (using aws:sourceVpce condition)
• require HTTPS encryption in transit, using aws:SecureTransport
• require server-side encryption, using header
• update routing table if necessary

2. KMS

• create vpc endpoint for KMS
• tighten the key policy to restrict access via endpoint, using aws:sourceVpce

3. Secret manager access

• ensure access via VPC endpoint, using aws:sourceVpce

For those VPC endpoints, no need to use endpoint policy for now.

1. set replicase=3 for orthanc containers. [x]
2. rewire port mapping in docker compose (ref). [x]
3. reconfigure envoy proxy configuration to distribute traffic [x]
4. bring envoy proxy version to latest --> outstanding

• replica
• healthcheck
• network
• resource limit
• ec2 instance size

Document network route, for example:

• access to S3 (PHI) goes through private endpoint
• access to system manager (management traffic) goes through public network

Hello,

Disclaimer - I'm new to terraform. When I run terraform plan everything looks good except at the very end I see this error below.

Changes to Outputs:

• s3_bucket = (known after apply)
  ╷
  │ Error: Invalid index
  │
  │ on modules/network/main.tf line 39, in resource "aws_subnet" "publicsubnet2":
  │ 39: availability_zone = data.aws_availability_zones.available.names[2]
  │ ├────────────────
  │ │ data.aws_availability_zones.available.names is list of string with 2 elements
  │
  │ The given key does not identify an element in this collection value: the given index is greater than or equal to the length of the collection.
  ╵
  ╷
  │ Error: Invalid index
  │
  │ on modules/network/main.tf line 55, in resource "aws_subnet" "privatesubnet2":
  │ 55: availability_zone = data.aws_availability_zones.available.names[2]
  │ ├────────────────
  │ │ data.aws_availability_zones.available.names is list of string with 2 elements
  │
  │ The given key does not identify an element in this collection value: the given index is greater than or equal to the length of the collection.
  ╵

The instructions didn't mention to do any updates to the data.tf file, but I did try and update that anyway with some values for aws_availability_zones and aws_region, however, when I then tried terraform plan again it complained that data should not be tampered with and is actually supposed to be filled in by the terraform process.

Any idea clue or suggestions regarding this error?

Thank you.

╷
│ Error: Secrets Manager Secret "arn:aws:secretsmanager:us-east-1:434082930953:secret:DatabaseCreds96ea1f2a0c7f35c6-HunT6u" Version "AWSCURRENT" not found
│
│ with data.aws_secretsmanager_secret_version.creds,
│ on secret.tf line 30, in data "aws_secretsmanager_secret_version" "creds":
│ 30: data "aws_secretsmanager_secret_version" "creds" {
│
╵

because markdown is getting too long.

1. VPC flow log to s3 bucket -> done
2. s3 access log to s3 bucket -> done
3. database log to cloud watch -> done
4. IMDS v2 support (s3 permission) -> done
   5. semantic version release

currently there's no vpc endpoint for ssm

Consider using dcmtk instead of dcm4che

currently password is used to authenticate
need to add IAM role authentication on top of it for maximum security

1. introduce an Elastic IP and use its DNS name for HTTPS and DICOM TLS traffic
2. re-configure certificate for elastic IP. Similar to any public IP, an elastic IP also comes with a DNS name ec2-a-b-c-d.compute-1.amazonaws.com
3. introduce a second EC2 instance in the 2nd public subnet. Use public IP of the instances for SSH only.
4. test the process to re-attach elastic IP.
5. update chart.

Currently, Orthweb configures RSA key pair for user to SSH to instance. This step is a little involving:

1. To SSH in, user has to create a key pair. That turns out to be a distractive step in user's experience.
2. A separate public IP has to be prepared for each instance, making a total of 3 elastic IPs.
3. Bastion host as a potential alternative would consume extra computing $$$
4. port 22 has to remain open on the internet.

Currently CloudShell does not connect to instances in VPC. System Manager might be a better fit.

currently password is generated on the client side, and pushed to secrets manager. this is not up to best practices because:

1. the transmission of password over network
2. password is stored in plaintext in terraform state

reference:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html

Currently Orthweb generates DB secret and stores it to Secret Manager in AWS.

Secret Manager is more expensive than Secure string in System Manager Parameter store

• If continue using Secret Manager, it should be rotated and update to Docker compose
• If secret is intended to be static, use Parameter store instead.

"When I attempt to download either a ZIP folder ("Download ZIP") or DICOM directory ("Download DICOMDIR"), the download briefly starts but then fails with a Network error. "