Vault Architecture (proposed changes)

Question

Vault Architecture (proposed changes)

Closed this issue 4 years ago · 3 comments

The next iteration of the Vault reference is a major rewrite and will have significant changes. Lets issues detail the suggested approach. Once concourses is reached between @dcallao (HashiCorp) and AWS (@avattathil @gargana) We can move to an alpha sprint

Answer 1 · 2020-02-12T21:32:46.000Z

Architecture

Storage

Remove consul dependency (Use Vault standalone backed) <- Unreleased feature

Node Distribution

Raft relies upon consensus negotiation to organize and replicate information and so the environment must provide 3 unique resilient path

)

Min Availability Zone = 3
Max Availability Zone = 5

Ports

External: 8200/tcp - inbound | Vault API Vault clients -> servers
Internal: 8201/tcp - inbound/outbound | Used for Vault replication traffic and request forwarding servers <-> servers
Internal: 8200/tcp - raft/gossip traffic | servers <-> servers

Features: (Suggestions to debate)

vault auth enable ldap
End-to-End TLS.
Enable Auditing (Disable Shell Command History)

Answer 2 · 2020-02-14T00:06:39.000Z

Proposed Best Practices

Enable Auto-unseal with KMS backend
Enable Audit trail to S3 with cloudwatch, lock down S3 bucket
Set logging to warn
Add SNS subscription for cloudwatch logs
Enable aws auto auth
Set IAM policies for aws auth & KMS auto-unseal
Set Kubernetes Auth policy for us from and EKS client (https://www.vaultproject.io/docs/auth/kubernetes.html)

Security Best Practices

Disable Shell Command History
Customize ulimits
Turn Off Core Dumps

CIS Ubuntu Linux 16.04 LTS Benchmark - Level 1

Enable option to select hardened AMI provided by CIS on AWS Marketplace: https://aws.amazon.com/marketplace/pp/B078TPPXV2

Answer 3 · 2020-06-15T22:19:38.000Z

Closing out because of new release.