# Secure AWS Deployment
**Author:** Ahmed Umar Rehman

**Project Type:** Cloud Security Implementation (AWS)

**Scope:** Secure deployment using IAM, S3, VPC, EC2, CloudTrail, and CloudWatch
---
## Table of Contents
1. [Introduction](#1-introduction)
2. [Project Objectives](#2-project-objectives)
3. [AWS Services Used](#3-aws-services-used)
4. [Architecture](#4-architecture)
   - [4.1 Overview](#41-overview)
   - [4.2 Architecture Components](#42-architecture-components)
   - [4.3 Logical Flow](#43-logical-flow)
5. [Implementation Steps](#5-implementation-steps)
   - [Step 1: IAM Setup](#step-1-iam-setup)
   - [Step 2: Secure S3 Storage](#step-2-secure-s3-storage)
   - [Step 3: VPC Setup](#step-3-vpc-setup)
   - [Step 4: EC2 Launch and Access Control](#step-4-ec2-launch-and-access-control)
   - [Step 5: CloudTrail Logging](#step-5-cloudtrail-logging)
6. [Security Best Practices Implemented](#6-security-best-practices-implemented)
7. [Conclusion](#7-conclusion)
---
## 1. Introduction
Cloud computing enables organizations to deploy scalable infrastructure quickly, but insecure configurations can expose environments to unauthorized access, data leakage, and operational risk.
This project demonstrates a **secure AWS deployment** based on foundational cloud security controls, including:
- strong identity and access management,
- secure object storage,
- private network segmentation,
- hardened compute access,
- and activity monitoring/auditing.
The environment is designed using practical AWS services and follows common security principles such as **least privilege**, **defense in depth**, and **continuous monitoring**.
---
## 2. Project Objectives
The project objectives are to:
- Implement secure **Identity and Access Management (IAM)** policies.
- Enable **Multi-Factor Authentication (MFA)** for stronger account protection.
- Deploy secure **Amazon S3** storage with baseline protections.
- Create a **Virtual Private Cloud (VPC)** for network isolation.
- Launch a secure **EC2** instance inside the VPC.
- Enable **CloudTrail** logging for traceability and auditing.
---
## 3. AWS Services Used
| Service | Purpose |
|---|---|
| IAM | Identity and access management |
| Amazon S3 | Secure cloud storage |
| Amazon VPC | Network isolation |
| Amazon EC2 | Virtual server deployment |
| AWS CloudTrail | Activity logging and auditing |
| AWS CloudWatch | Monitoring and alerts |
---
## 4. Architecture
### 4.1 Overview
The architecture combines multiple AWS services to provide:
- controlled authentication and authorization,
- secure and recoverable data storage,
- isolated networking,
- controlled server access,
- and centralized visibility into account activity.
### 4.2 Architecture Components
#### IAM (Identity and Access Management)
- Created a dedicated IAM user (instead of using root access for daily operations).
- Enabled MFA to add a second authentication factor.
- Applied permissions for service access based on project needs.
#### Amazon S3 (Secure Storage)
- Created an S3 bucket for project logs/resources.
- Enabled **Block Public Access** to prevent unintended exposure.
- Enabled **Versioning** to improve data resilience and rollback capability.
- Applied secure storage settings to support confidentiality and recoverability.
#### Amazon VPC (Private Networking)
- Created VPC: `SecureProjectVPC`
- CIDR block: `10.0.0.0/16`
- Configured networking components:
  - public/private subnets,
  - route tables,
  - internet gateway,
  - NAT gateway.
This allows controlled ingress/egress while isolating internal resources.
#### Amazon EC2 (Compute)
- Launched EC2 instance: `SecureServer`
- AMI: Amazon Linux
- Instance type: `t2.micro`
- Storage: `8 GB`
- Key pair: `secure-key`
A restrictive security group allows only SSH (port 22) from the authorized source IP.
#### CloudTrail and CloudWatch (Visibility & Monitoring)
- Enabled CloudTrail with trail name: `SecureProjectTrail`
- Logged account-level API activity such as:
  - user sign-ins,
  - resource creation,
  - configuration updates,
  - security-relevant events.
CloudWatch supports monitoring and alerting workflows for operational visibility.
### 4.3 Logical Flow
```mermaid
flowchart LR
    U["Authorized IAM User + MFA"] --> AWS["AWS Account"]
    AWS --> S3["S3 Bucket<br/>Block Public Access + Versioning"]
    AWS --> VPC["VPC 10.0.0.0/16<br/>Public/Private Subnets"]
    VPC --> EC2["EC2 SecureServer<br/>SSH: Port 22 from trusted IP"]
    AWS --> CT["CloudTrail<br/>API Activity Logs"]
    CT --> CW["CloudWatch<br/>Monitoring / Alerts"]
```
---
## 5. Implementation Steps
### Step 1: IAM Setup
#### 5.1 Create IAM User
- Created IAM user: `AhmedUmarRehman`
- Avoided routine use of the root account to reduce account-level risk.
#### 5.2 Enable MFA
- Enabled Multi-Factor Authentication for the IAM user.
- Added stronger login protection against credential compromise.
---
### Step 2: Secure S3 Storage
#### 5.3 Create S3 Bucket
- Created bucket: `secure-deployment-bucket-ahmed`
- Region: `US East (N. Virginia)`
#### 5.4 Block Public Access
- Enabled full public access blocking at bucket level.
- Reduced risk of accidental public exposure of stored objects.
#### 5.5 Enable Versioning
- Enabled bucket versioning.
- Improved recovery from accidental deletion or overwrite.
---
### Step 3: VPC Setup
#### 5.6 Create VPC
- Created VPC: `SecureProjectVPC`
- CIDR: `10.0.0.0/16`
#### 5.7 Configure Subnets and Routing
Configured foundational networking:
- public subnets,
- private subnets,
- route tables,
- internet gateway,
- NAT gateway.
This enables controlled communication while preserving internal isolation.
---
### Step 4: EC2 Launch and Access Control
#### 5.8 Launch EC2 Instance
| Parameter | Value |
|---|---|
| Instance Name | SecureServer |
| Instance Type | t2.micro |
| AMI | Amazon Linux |
| Key Pair | secure-key |
| Storage | 8 GB |
#### 5.9 Configure Security Group
- Restricted inbound access to **SSH (port 22)** only.
- Allowed SSH only from the authorized user IP address.
- Minimized exposed attack surface for the server.
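As an added example (not part of the original project), the following Python script checks the two configuration points from Step 2 and Step 4 against the baseline described above: the security group may permit only TCP/22 from a single trusted /32, and the bucket must have all four Block Public Access settings and versioning turned on. The sample dicts are constructed in the shape boto3 returns, and `TRUSTED_IP` is a placeholder; in a real account they would come from `describe_security_groups`, `get_public_access_block` and `get_bucket_versioning`.

```python
import ipaddress

# Constructed sample data in the shape boto3 returns from
# ec2.describe_security_groups, s3.get_public_access_block and
# s3.get_bucket_versioning; not captured from a real account.
TRUSTED_IP = "203.0.113.10"  # placeholder for the authorized admin address

SECURITY_GROUP = {
    "GroupName": "SecureServer-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": f"{TRUSTED_IP}/32"}], "Ipv6Ranges": []},
    ],
}
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
VERSIONING = {"Status": "Enabled"}


def audit_security_group(sg):
    """Report any ingress wider than TCP/22 from a single trusted /32 address."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto != "tcp" or (lo, hi) != (22, 22):
            findings.append(f"non-SSH ingress allowed: {proto} {lo}-{hi}")
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"], strict=False)
            if net.num_addresses != 1:  # anything broader than one host, e.g. 0.0.0.0/0
                findings.append(f"ingress open to {net}, expected a single /32")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 ingress from {r['CidrIpv6']} is not in the baseline")
        if perm.get("UserIdGroupPairs"):
            findings.append("ingress from other security groups is not in the baseline")
    return findings


def audit_s3(pab, versioning):
    """Require all four Block Public Access flags and versioning, as in Step 2."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    findings = [f"{flag} is off" for flag in flags if not pab.get(flag)]
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_security_group(SECURITY_GROUP) + audit_s3(PUBLIC_ACCESS_BLOCK, VERSIONING):
        print("FINDING:", finding)
```

An empty findings list means the live configuration still matches the baseline; any finding is a drift from Steps 2 or 4 worth investigating.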
---
### Step 5: CloudTrail Logging
#### 5.10 Create CloudTrail
- Created CloudTrail trail: `SecureProjectTrail`
- Enabled API-level activity logging across the environment.
Tracked events include:
- user logins,
- resource provisioning,
- configuration changes,
- security-relevant actions.
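As an added example rather than the project's own tooling, this Python snippet runs a few detection rules over CloudTrail records of the kind the trail above collects: root account usage, console logins without MFA, and API calls that change one of the controls this deployment relies on. The records and usernames are constructed samples in CloudTrail's record format, and the `CONTROL_CHANGES` list is an assumption about which calls matter for this baseline.

```python
import json

# Constructed sample CloudTrail records (not captured from a real account).
# Field names follow the CloudTrail record format: eventName, eventSource,
# userIdentity and, for console logins, additionalEventData.MFAUsed.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
  "userIdentity": {"type": "IAMUser", "userName": "AhmedUmarRehman"}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
  "userIdentity": {"type": "Root"}},
 {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "AhmedUmarRehman"}},
 {"eventTime": "2024-01-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucketPublicAccessBlock",
  "requestParameters": {"bucketName": "secure-deployment-bucket-ahmed"},
  "userIdentity": {"type": "IAMUser", "userName": "AhmedUmarRehman"}}
]}
""")

# Assumed list of API calls that change a control this deployment relies on
# (S3 public access, security-group ingress, the trail itself, MFA devices).
CONTROL_CHANGES = {
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock", "PutBucketAcl",
    "PutBucketPolicy", "AuthorizeSecurityGroupIngress", "StopLogging", "DeleteTrail",
    "DeactivateMFADevice", "DeleteVirtualMFADevice",
}


def triage(record):
    """Return alert strings for one record; an empty list means nothing notable."""
    alerts = []
    ident = record.get("userIdentity", {})
    who = ident.get("userName") or ident.get("type", "unknown")
    name = record.get("eventName")
    if ident.get("type") == "Root":  # root should not be used for daily operations
        alerts.append(f"root account used for {name}")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append(f"console login without MFA by {who}")
    if name in CONTROL_CHANGES:
        alerts.append(f"{who} called {name} on {record.get('eventSource')}")
    return alerts


def scan(trail):
    """Run triage over every record in a CloudTrail log file dict."""
    return [alert for record in trail["Records"] for alert in triage(record)]
```

On the sample data only the MFA-backed IAM user login passes silently; the other three records each produce at least one alert, which is the kind of signal a CloudWatch alarm on this trail would be built around.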
---
## 6. Security Best Practices Implemented
The deployment includes the following security controls:
- IAM user usage instead of root for daily administration.
- MFA enabled for stronger authentication.
- S3 public access blocked.
- S3 versioning enabled.
- VPC-based network isolation.
- Security-group-based restricted server access.
- CloudTrail-enabled auditing and accountability.
- CloudWatch-backed operational visibility.
---
## 7. Conclusion
This project successfully demonstrates a practical and secure AWS deployment using core cloud security services and controls.
By combining secure identity practices, protected storage, isolated networking, controlled compute access, and continuous monitoring, the environment establishes a strong baseline security posture suitable for foundational cloud workloads.
It also reinforces a key principle of cloud operations: **security should be designed into the architecture from the start, not added later.**