Skip to content

chick-fil-a/bovine

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

133 Commits

backend

backend

 
 

docs

docs

 
 

frontend

frontend

 
 

test

test

 
 

tools

tools

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

TODO

TODO

 
 

pylintrc

pylintrc

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

Alt text

BOVI(n)E - Building Operational Visibility Into (n) Environments

As Enterprises adopt AWS public cloud, one common strategy to use is the multi-account strategy. This strategy can help security teams isolate workloads and provide a strong security boundary around sensitive applications. The biggest problem with the multi-account strategy is visibility and governance. BOVI(n)E helps provide a 10,000 foot view of all your AWS accounts and audit security standards around them.

BOVI(n)E is a fully serverless single page application leveraging AngularJS, AWS API Gateway, AWS Lambda, and AWS DynamoDB.

User Guide

Quickstart Guide

Runtime

The application backend is run on AWS Lambda, and front end is an Angular app. Authentication is handled through AWS Cognito, and the REST API is exposed through AWS APIGateway.

Deployment

Prerequisites

Prior to calling the deployment scripts, the following items must already be deployed on AWS:

  • A role in security account that has a trust relation with an assumable role in the target accounts. This role needs readonly rights in the target account.
  • Cognito user pool setup
  • Custom domain setup in Amazon Certificate Manager, API Gateway, and Route 53 (or other DNS provider)
  • DynamoDB table called AWS-Accounts-Table with accountNum as the primary key

You must also have proper serverless config files built:

  • ex: config.prod.json

Deployment at the top level

Deployment of the API backend application is done with a simple serverless command.

  • To do the initial deploy of the application
$ serverless deploy --profile <aws credentials profile> --stage <deployment stage (dev/prod)>
  • After deploying API Gateway, you need to add binary content support:
    • In the AWS Console under API Gateway, click the newly deployed BOVI(n)E API endpoint -> settings. Under "Binary Media Types" add the following content-types: image/png, image/x-icon

Angular application

Deployment of the static content is an AWS S3 sync of the frontend directory. A simple bash script can be found in the tools directory. This will sync to the appropriate S3 bucket for the stage.

$ sh deploy-content.sh <aws credential profile> <stage>

What's next?

  • Better documentation
  • Unit tests -- we are working on them but welcome contributions
  • Frontend framework update (Angular 4? React? Please share if you have thoughts)
  • Compliance rule engine

Additional Info

You can find additional information on Chick-fil-A's journey around this problem here: https://www.youtube.com/watch?v=_0BCJLIxowQ

We welcome ideas around how to improve this project.

About

Building Operational Visibility Into (n) Environments

Topics

aws security security-audit serverless aws-security security-automation security-tools security-compliance

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

70 stars

Watchers

8 watching

Forks

9 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 5

Languages