Difference between revisions of "Securing OpenEMR - AWS"

From OpenEMR Project Wiki
(Created page with "[under review]")
 
(→‎Background: I dispute "get very quick feedback")
 
(10 intermediate revisions by one other user not shown)
Line 1: Line 1:
[under review]
== Background ==
*  Please feel free to ask security questions on [https://chat.open-emr.org via our chat system]  
*  BY FAR THE MOST IMPORTANT THING YOU CAN DO is [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user enable 2FA for your AWS account]
 
== Account ==
* Setting up 2FA
** AWS provides excellent instructions for [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user setting up 2FA here.]
** This will require you to enter a code from an app on your phone after inputting your password. Apps such as [https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8 Duo] or [https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8 Google Authenticator] are recommended for generating the code.
* Billing Estimates
* Other Account Tasks
 
== Secure Your Domain (Optional - Route53) ==
* This is a guide for securing your domain if you registered it via AWS's Route53. If you did not, some of the concepts still apply and you are encouraged to implement where ever your domain is registered.
* There are 3 important records for securing a domain: SPF, DKIM, and DMARC.
^^^
* The most important is SPF. To implement SPF:
** xyz, xyz xyz
* Implement DKIM:
** xyz
* Implement DMARC:
** xyz
 
== Configure Logging (CloudTrail) ==
 
 
== Configure Your Network (VPC) ==
* Flow Logs
** Flow Logs allow you to perform a variety of security and monitoring tasks. Turning them on is simple: [screenshot]
* Security Group rules
** Security Group rules restrict inbound internet access to your system.
** You should have Port 443 open to the broader internet. If you can restrict it to a specific list of IP Addresses, say a few clinics, even better.
** Port 22 should only be open to the specific IP address of the admin who needs to SSH in.
** [screenshots]
 
== Monitor Cyber Attacks (GuardDuty) ==
* xyz
 
 
== Create a Load Balancer (EC2) ==
* Application Load Balancer
 
 
== Set up a Firewall (WAF) ==
* xyz

Latest revision as of 07:27, 15 April 2022

Background

Account

  • Setting up 2FA
    • AWS provides excellent instructions for setting up 2FA here.
    • This will require you to enter a code from an app on your phone after inputting your password. Apps such as Duo or Google Authenticator are recommended for generating the code.
  • Billing Estimates
  • Other Account Tasks

Secure Your Domain (Optional - Route53)

  • This is a guide for securing your domain if you registered it via AWS's Route53. If you did not, some of the concepts still apply and you are encouraged to implement where ever your domain is registered.
  • There are 3 important records for securing a domain: SPF, DKIM, and DMARC.

^^^

  • The most important is SPF. To implement SPF:
    • xyz, xyz xyz
  • Implement DKIM:
    • xyz
  • Implement DMARC:
    • xyz

Configure Logging (CloudTrail)

Configure Your Network (VPC)

  • Flow Logs
    • Flow Logs allow you to perform a variety of security and monitoring tasks. Turning them on is simple: [screenshot]
  • Security Group rules
    • Security Group rules restrict inbound internet access to your system.
    • You should have Port 443 open to the broader internet. If you can restrict it to a specific list of IP Addresses, say a few clinics, even better.
    • Port 22 should only be open to the specific IP address of the admin who needs to SSH in.
    • [screenshots]

Monitor Cyber Attacks (GuardDuty)

  • xyz


Create a Load Balancer (EC2)

  • Application Load Balancer


Set up a Firewall (WAF)

  • xyz