Vault Architecture (proposed changes)
Closed this issue · 3 comments
The next iteration of the Vault reference is a major rewrite and will have significant changes. Let this issue detail the suggested approach. Once consensus is reached between @dcallao (HashiCorp) and AWS (@avattathil @gargana), we can move to an alpha sprint.
Architecture
Storage
- Remove Consul dependency (use Vault standalone backend) <- unreleased feature
Node Distribution
Raft relies upon consensus negotiation to organize and replicate information, so the environment must provide 3 unique resilient paths.
Min Availability Zone = 3
Max Availability Zone = 5
Ports
External:
8200/tcp - inbound | Vault API, Vault clients -> servers
Internal:
8201/tcp - inbound/outbound | Used for Vault replication traffic and request forwarding servers <-> servers
Internal:
8200/tcp - raft/gossip traffic | servers <-> servers
Features: (Suggestions to debate)
- vault auth enable ldap
- End-to-End TLS.
- Enable Auditing (Disable Shell Command History)
Proposed Best Practices
- Enable Auto-unseal with KMS backend
- Enable Audit trail to S3 with cloudwatch, lock down S3 bucket
- Set logging to `warn`
- Add SNS subscription for CloudWatch logs
- Enable `aws` auto auth
- Set IAM policies for `aws` auth & KMS auto-unseal
- Set Kubernetes Auth policy for use from an EKS client (https://www.vaultproject.io/docs/auth/kubernetes.html)
Security Best Practices
- Disable Shell Command History
- Customize ulimits
- Turn Off Core Dumps
CIS Ubuntu Linux 16.04 LTS Benchmark - Level 1
- Enable option to select hardened AMI provided by CIS on AWS Marketplace: https://aws.amazon.com/marketplace/pp/B078TPPXV2
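An added example, not part of this issue or the reference architecture: a Vault server configuration that reflects the proposals above (integrated Raft storage in place of Consul, TLS on the 8200 API listener with 8201 as the server-to-server cluster port, AWS KMS auto-unseal, and `warn` log level). File paths, hostnames, the node id, region and KMS key id are placeholders to be replaced per deployment.

```hcl
# Added example config (not from the issue). Integrated Raft storage instead of Consul.
storage "raft" {
  path    = "/opt/vault/data"           # assumed data path
  node_id = "vault-az1-node1"           # placeholder, must be unique per node
  retry_join {
    leader_api_addr     = "https://vault-az2.example.internal:8200"  # placeholder peer
    leader_ca_cert_file = "/opt/vault/tls/ca.pem"                    # placeholder
  }
}

# 8200/tcp API listener with end-to-end TLS; 8201/tcp is the servers <-> servers cluster port
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/opt/vault/tls/server.pem"      # placeholder
  tls_key_file    = "/opt/vault/tls/server-key.pem"  # placeholder
  tls_min_version = "tls12"
}

# Auto-unseal with a KMS backend
seal "awskms" {
  region     = "us-east-1"                              # placeholder
  kms_key_id = "00000000-0000-0000-0000-000000000000"   # placeholder KMS key id
}

api_addr     = "https://vault-az1.example.internal:8200"  # placeholder, this node's address
cluster_addr = "https://vault-az1.example.internal:8201"  # placeholder, this node's cluster address

log_level     = "warn"
disable_mlock = true   # recommended by HashiCorp when using integrated (Raft) storage
```

The auth methods and audit device proposed above are enabled at runtime rather than in this file, for example `vault audit enable file file_path=/var/log/vault/audit.log` (path is a placeholder) alongside `vault auth enable ldap` and `vault auth enable aws`.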
Closing out because of new release.