Below are the key design considerations for TREEHOOSE:
- All the core infrastructure is deployed using IaC (Infrastructure as Code).
- The solution is based on Serverless Architecture for ease of operability and scalability.
- AWS CloudTrail is enabled in all AWS accounts and the logs are centralised for auditing.
- AWS Config is enabled in all AWS accounts and the config records are centralised for auditing.
- Amazon CloudWatch is used for log aggregation and metrics for each TRE project/AWS account.
- AWS KMS is used for encryption at rest.
- Encryption in transit is enabled for all AWS services where applicable and for all API calls.
- All AWS IAM policies follow the principle of least privilege.
- AWS Accounts provide well-defined billing and security boundaries. Hence each research project should be hosted in a separate AWS account.

These are some additional decisions that the end user of TREEHOOSE should make based on their functional and non-functional requirements:
- Centralise and enable AWS Security services like:
- Enable AWS Web Application Firewall for Web Applications.
- Enable additional Control Tower Guardrails.
- Optimize how you use AppStream.