AWS Setup
The setup for the project is straightforward and intentionally keeps the number of AWS services in use to a minimum. There is a separate AWS account specifically for housing all of the SDG National Reporting Initiative assets.
- The UN SDG National Reporting Initiative's API is hosted through EC2.
- The PostgreSQL database for the UN SDG National Reporting Initiative is hosted through RDS.
- S3 is used to house uploaded images, configurations used in automated builds, and automated backups.
- SES is used to send data from submitted forms to the proper recipients for review.
There are three security groups for this project:
- This security group is for web server infrastructure hosting the API. The only ports allowed are for receiving web traffic from the outside, PostgreSQL communication from the database, and SSH from Jenkins.
- This security group is for database instances. Only the sdg-nri-web security group is allowed to communicate with this security group. This prevents arbitrary hosts from connecting directly to the database.
- This security group is for Jenkins instances. Only web traffic is allowed.
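The following is an added example, not part of the project's own tooling: it checks ingress rules, in the shape that `aws ec2 describe-security-groups` returns, against the three-group layout described above. The group IDs, the port numbers (80/443 for web traffic, 5432 for PostgreSQL, 22 for SSH) and the sample rules are assumptions constructed for illustration.

```python
WEB_PORTS = {80, 443}  # assumption: "web traffic" means HTTP/HTTPS

def sources(perm):
    """All sources named by one IpPermissions entry: CIDRs and security-group IDs."""
    return ({r["CidrIp"] for r in perm.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            | {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])})

def audit(groups, ids):
    """Return findings where ingress deviates from the described layout.
    ids maps the roles "web", "db" and "jenkins" to security-group IDs."""
    role_of = {gid: role for role, gid in ids.items()}
    # On the web group these ports are reserved for one peer group each
    # (assumed defaults: 5432 = PostgreSQL, 22 = SSH).
    peer_only = {5432: ids["db"], 22: ids["jenkins"]}
    findings = []
    for sg in groups:
        role = role_of.get(sg["GroupId"], "unknown")
        for perm in sg.get("IpPermissions", []):
            srcs = sources(perm)
            if perm.get("IpProtocol") != "tcp":
                findings.append(f"{role}: non-TCP ingress from {sorted(srcs)}")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if role == "db":
                bad = srcs - {ids["web"]}      # only the web group may reach the DB
            elif set(range(lo, hi + 1)) <= WEB_PORTS:
                continue                       # web traffic is allowed from anywhere
            elif role == "web" and lo == hi and lo in peer_only:
                bad = srcs - {peer_only[lo]}   # must come from the one peer group
            else:
                bad = srcs                     # port not part of the layout at all
            if bad:
                findings.append(f"{role}: tcp {lo}-{hi} open to {sorted(bad)}")
    return findings

def rule(port, cidr=None, group=None):
    """Build one constructed IpPermissions entry."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

# Constructed sample; the group IDs are placeholders, not the project's real IDs.
ANY = "0.0.0.0/0"
IDS = {"web": "sg-web", "db": "sg-db", "jenkins": "sg-jenkins"}
SAMPLE = [{"GroupId": gid, "IpPermissions": perms} for gid, perms in {
    "sg-web": [rule(443, cidr=ANY), rule(5432, group="sg-db"), rule(22, cidr=ANY)],
    "sg-db": [rule(5432, group="sg-web"), rule(5432, cidr="203.0.113.0/24")],
    "sg-jenkins": [rule(443, cidr=ANY), rule(22, cidr=ANY)],
}.items()]
```

Calling `audit(SAMPLE, IDS)` reports the three constructed deviations: SSH on the web group open to the internet, a CIDR source on the database group, and SSH on the Jenkins group.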
This project relies upon IAM roles (not IAM users) to manage credentials in accordance with best practices. IAM roles simplify the provisioning of AWS credentials and reduce the potential for leaking secrets.
The sdg-nri-web role is assigned to API instances, and any permissions policies should be attached to that role in the IAM console. Currently, the Jenkins permissions policy is also attached to this role, so if you have access issues when running jobs, check this role first.