modernisation-platform icon indicating copy to clipboard operation
modernisation-platform copied to clipboard

Published 20 hours ago verified publisher icon ministryofjustice

Enable AWS shield advanced, DDoS monitoring and Auto-DDoS mitigation for Xhibit portal.

Open davidkelliott opened this issue 2 years ago • 3 comments

User Story

As a Modernisation Platform Engineer I want to provide AWS Shield Advanced capabilities to the Xhibit Portal service So that DDoS monitoring and automatic DDoS mitigation are in place for this customer

User Type(s)

Modernisation Platform Customer (Xhibit Portal team) Xhibit Portal user

Value

Customers do not have the permissions required to enable/disable AWS Shield Advanced for themselves. A Modernisation Platform Team member can do so for them. At present Xhibit Portal has AWS Shield Advanced in place, but in monitoring mode. This has been in place for a sufficient amount of time for us to make an informed switch to actively protect the application.

Questions / Assumptions / Hypothesis

Hypothesis

If we move Shield Advanced from monitoring to protecting Then we will safely protect the Xhibit Portal application

Proposal

Definition of done

  • [x] AWS shield advanced enabled
  • [ ] DDoS Monitoring complete
  • [ ] Auto ddos mitigation in place
  • [ ] tests are green
  • [ ] UR test OR added to continual research plan

Reference

How to write good user stories Enabling Shield Advanced

davidkelliott avatar Apr 14 '22 15:04 davidkelliott

Shield advanced now enabled

davidkelliott avatar Jun 09 '22 16:06 davidkelliott

https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/enabling-shield-advanced.html#enabling-aws-shield-advanced

dms1981 avatar Aug 09 '22 10:08 dms1981

This will need to happen in conversation with the Xhibit Portal team to get an understanding of how their service has been utilised since launch - eg, any expected traffic spikes that stand out from baseline.

dms1981 avatar Aug 09 '22 10:08 dms1981

I've taken this one out of sprint as it looks like the AWS managed ACLs for Shield were either overwritten or not fully applied with a count action. We'll need a recommended period of 30 days for the ACLs to get a baseline on what traffic should flow through. For the time being though I've attached the AWS managed ACL to both public load balancers, with a low count threshold, and an enforcement action of count so if they're triggered they won't be disruptive. https://github.com/ministryofjustice/modernisation-platform/issues/1690

dms1981 avatar Aug 19 '22 09:08 dms1981

NB - this should probably wait for sprint 32 to be actioned if we want the full 30 days to elapse.

dms1981 avatar Aug 19 '22 09:08 dms1981

Checked and saw no events - switched action for Shield-Count rule to `block

dms1981 avatar Sep 15 '22 13:09 dms1981