Secure AWS architecture with data localization

About the Customer

The customer is a financial services company that promotes cashless solutions and back-office operational efficiencies for the corporate market. Its strengths include a wide variety of alliance partners, expertise in the card business, and a customer base of approximately 37 million people built up over the years.

Customer aims to build a technology-led neo-lending conglomerate that enables India’s credit growth story.

Executive Summary

The customer is a FinTech service provider dealing in cross-border financial products aimed at individual finance management and freedom. They wished to set up an AWS architecture aligned with RBI guidelines for their FinTech application, using best-of-breed AWS cloud services to gain agility and reliability with minimum overhead. Comprinno was engaged to build the infrastructure on AWS for the client's custom applications.

Challenges

The customer wanted to adopt AWS security best practices for its cloud infrastructure. Being a FinTech company, they had to comply with RBI regulations. The System Audit Report for Data Localization (SAR) & Storage of Payment System Data is a compliance mandate driven by RBI to ensure appropriate security measures and data localization controls for the storage of payment-related data.

Solution

Comprinno implemented the following security best practices to ensure data localization.

Data Localization:

- A VPC was created in the Asia Pacific (Mumbai) Region. Compute resources and databases launched into this VPC were restricted to the Asia Pacific (Mumbai) Region.
- The global condition key aws:RequestedRegion was used in an IAM policy attached to users and roles, in conjunction with other IAM access control permissions.
- The database and the storage for EKS nodes were encrypted using customer managed keys (CMK).
- Versioning, logging and encryption at rest were enabled for the S3 bucket holding sensitive data.
- A service control policy was created and applied to all child accounts. It enables all AWS services only in the Mumbai region and all global AWS services in the North Virginia region.
- AWS CloudTrail was used to monitor and record account activity across the AWS infrastructure, enabling governance, compliance and audit of the AWS accounts.
- Amazon GuardDuty was enabled to detect signs of account compromise, such as access to AWS resources from an unusual geolocation.
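The region restriction described above can be expressed as a deny-list service control policy and checked against sample requests before it is attached. The following is an added example, not Comprinno's or the customer's actual policy: the statement names, the `GLOBAL_ACTIONS` list and the small evaluator are assumptions, and the evaluator models only the `aws:RequestedRegion` conditions used here.

```python
from fnmatch import fnmatchcase

# Assumed set of global services served from us-east-1; not taken from the case study.
GLOBAL_ACTIONS = ["iam:*", "organizations:*", "route53:*", "cloudfront:*", "sts:*", "support:*"]

# Deny-list SCP: it grants nothing, so an Allow policy such as FullAWSAccess must stay attached.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Nothing at all outside Mumbai (ap-south-1) and N. Virginia (us-east-1).
            "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-south-1", "us-east-1"]}},
        },
        {   # In N. Virginia, only the global services remain usable.
            "Sid": "DenyRegionalServicesInUsEast1", "Effect": "Deny",
            "NotAction": GLOBAL_ACTIONS, "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, region):
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        listed = region in _as_list(keys["aws:RequestedRegion"])
        if listed != (operator == "StringEquals"):
            return False
    return True

def denying_sid(policy, action, region):
    """Return the Sid of the first Deny statement that hits the request, else None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        patterns = st.get("Action") or st["NotAction"]
        # Action: in scope when matched; NotAction: in scope when NOT matched.
        in_scope = _action_matches(patterns, action) == ("Action" in st)
        if in_scope and _condition_holds(st.get("Condition", {}), region):
            return st["Sid"]
    return None
```

Running `denying_sid` over a list of the actions and regions the workloads actually use shows which calls the policy would block, and why, before it is applied to the child accounts.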

 

Security Best Practices: 

AWS Organizations was set up with different accounts for development, staging and production. AWS Single Sign-On (SSO) was used to centrally manage single sign-on access and user permissions across all the AWS accounts in the organization.

AWS WAF was configured for the Application Load Balancer as an additional level of security against common web exploits and bots that may affect availability, compromise security or consume excessive resources.

An Amazon VPC was created with 3 public and 9 private subnets. Containerized microservice applications were deployed on an Amazon Elastic Kubernetes Service (EKS) cluster across multiple private subnets. The cluster had an Application Load Balancer at the front end.

AWS PrivateLink was used to access S3 from the application, securing data in transit to AWS services outside the VPC.

AWS Key Management Service (KMS) was used for encrypting data as per the AES-256 standard. AWS Secrets Manager was used to rotate, manage and retrieve the database credentials and API keys.

AWS Config was used to assess, audit and evaluate the configurations of AWS resources, to determine overall compliance against the guidelines.

AWS Security Hub was used for security threat detection and monitoring.

All AWS service logs were generated and stored in Amazon S3. Amazon S3 buckets associated with AWS CloudTrail logs were configured to use the Object Lock feature in Compliance mode, in order to prevent tampering with stored logs and meet regulatory compliance. Server-side encryption was enabled for all S3 buckets.

All AWS service metrics and application logs were aggregated into a common Amazon CloudWatch dashboard. Relevant alarms were configured in Amazon CloudWatch Alarms for the infrastructure components.

DevSecOps: 

The following solution for the CI/CD pipeline was proposed and implemented.

Automatic deployment was triggered whenever code was committed to the GitHub repository. AWS CodeBuild was used to build the Docker image, and the image was then pushed to Amazon ECR (Elastic Container Registry).

A notification alert was set up using Amazon SNS to notify developers about a failed pipeline.

Benefits

- Robust security landscape
- Implemented DevSecOps
- Successfully cleared data localization audit
