Securing Web Applications in AWS with Soha
Security is the top priority for Amazon Web Services (AWS) and our customers. AWS handles security with the shared responsibility model. When you are running workloads on AWS, we handle everything from the physical security of our data centers all the way up to the hypervisor. Customers are responsible for building secure applications on AWS, as well as configuring AWS features like security groups or AWS Identity and Access Management (IAM) policies.
Soha Systems is an APN Technology Partner who provides enterprise-grade application security solutions on the customer side of the shared responsibility model. Customers can use Soha to restrict access to applications running in AWS by wrapping them with a secure login in a fully managed package. Soha’s solution complements AWS security features by allowing customers to deploy a line of defense between their applications and the Internet. You can create an Amazon Virtual Private Cloud (VPC) for applications, lock it down so that it allows no inbound access, and use Soha to allow your users to access applications within the Amazon VPC securely.
In this blog post, I will walk you through the steps for setting up this easy-to-use security solution.
Stand up a VPC containing an application that you'd like to protect. For this example, I have built an AWS CloudFormation template that creates a VPC with a public subnet and a private subnet. The public subnet contains a Network Address Translation (NAT) instance and the private subnet contains a web instance. Outbound traffic from the private subnet leaves through the NAT instance; no inbound access from the Internet is allowed to either instance. Download the template and create a CloudFormation stack from it in your AWS account. Make a note of the VPC ID and private subnet ID shown in the stack's outputs; you will need both later to configure Soha to reach the web application. Before moving on, it is worth confirming in the VPC console that the web instance's security group has no inbound rule from 0.0.0.0/0 and that the private subnet's route table has no route to an Internet gateway, since the whole point of the design is that nothing reaches the application from outside the VPC.
Soha uses an Amazon Elastic Compute Cloud (Amazon EC2) instance called a Cloudlet, running inside your VPC, to provide access to your applications. The Cloudlet brokers connectivity in and out of the VPC. Because it runs in the locked-down VPC and needs only outbound connectivity to reach the Soha cloud, no inbound ports to your applications have to be opened at all; in effect, the attack surface moves from your application to the Soha cloud.
Here is a diagram of what the completed example will look like. The CloudFormation template creates the VPC, subnets, security groups, and the web and NAT instances. Soha creates the Cloudlet and the Cloudlet's security group.
Configure the Application in Soha
Now that you’ve launched a CloudFormation stack from the example template, log in to Soha and follow these steps to configure the application.
First, give the application a name and specify its address. The CloudFormation template creates a web instance with the private IP address 10.0.1.100, so use that as the application's internal address and set the protocol to HTTP. For this example, use the Soha domain for the application and pick a unique name. When the form is filled out, click Next.
Now configure and launch a Cloudlet into your VPC. Give your Cloudlet a name and pick Amazon AWS EC2/VPC as the Cloudlet package type. Click Next.
Deploy the Cloudlet by clicking the Download and deploy now button. This opens the CloudFormation console and starts launching Soha's Cloudlet template. You will need to provide the VPC ID and private subnet ID from the example application stack's outputs.
Once the Cloudlet stack is deployed, it takes a few minutes for Soha to discover the Cloudlet and configure it for your application. The Soha console is updated when the application is ready, and you will also receive an email. Click the link in the Soha console or in the email that says the application is ready. You will be prompted to sign in with your Soha credentials and will then be redirected to the application. Congratulations, you have secured access to the demo application with Soha!
To learn more about Soha, visit their AWS Partner Directory listing here.