Infrastructure Security
Cloud Infrastructure
Zenoo leverages cloud service providers like AWS to host its platform, using robust security features like encryption, identity and access management, and network security controls.
Frontend
Domain records are created in the hosted zone managed within our AWS account by Route 53. These records point to the corresponding load balancers' domain names rather than to explicit static IPs.
Requests are served over SSL/TLS connections, and the security settings such as the SSL certificate, security policies and firewall integration are managed by CloudFront.
Frontend files such as HTML, JavaScript, CSS and other assets are stored in S3. They are encrypted with the built-in option "Server-side encryption with Amazon S3 managed keys (SSE-S3)". Public access is blocked: the bucket policy grants access only to the relevant CloudFront origin access identity.
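As an added illustration of the bucket policy described above (example code, not Zenoo's own; the bucket name and origin access identity id are placeholders), the following builds a policy that grants read access only to a CloudFront OAI and audits an arbitrary policy document for principals or actions that exceed that. The encryption check inspects a configuration in the shape returned by S3's `get_bucket_encryption`, where SSE-S3 is reported as `AES256`.

```python
"""Build and audit the bucket policy for a CloudFront-fronted S3 site (added example).

All names below are placeholders, not real resources.
"""

BUCKET = "example-frontend-bucket"   # placeholder bucket name
OAI_ID = "EXAMPLEOAIID12"            # placeholder CloudFront origin access identity id
OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def frontend_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Policy that lets only the CloudFront OAI read objects; no public principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + oai_id},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal) -> list:
    """Flatten the Principal element ('*', {'AWS': ...}, {'Service': ...}) to plain strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for values in principal.values():
            out.extend(_as_list(values))
        return out
    return _as_list(principal)


def audit_bucket_policy(policy: dict) -> list:
    """Return findings for Allow statements that reach beyond a CloudFront OAI read."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt.get("Principal")):
            if p == "*":
                findings.append(f"{sid}: public principal '*'")
            elif not p.startswith(OAI_PRINCIPAL_PREFIX):
                findings.append(f"{sid}: non-CloudFront principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "s3:getobject":
                findings.append(f"{sid}: action {action} exceeds read-only access")
    return findings


def default_encryption_is_sse_s3(encryption_config: dict) -> bool:
    """True if the default encryption rule (get_bucket_encryption shape) is SSE-S3 (AES256)."""
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "AES256"
        for r in rules
    )


if __name__ == "__main__":
    good = frontend_bucket_policy(BUCKET, OAI_ID)
    print("OAI-only policy findings:", audit_bucket_policy(good))
    # Constructed counter-example: a policy that opens the bucket to everyone.
    leaky = {"Statement": [{"Sid": "Public", "Effect": "Allow", "Principal": "*",
                            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::x/*"}]}
    print("public policy findings:", audit_bucket_policy(leaky))
```

The audit deliberately treats any principal other than a CloudFront OAI as a finding, so a policy that later gains an extra role or account ARN is flagged even though it is not public.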
Backend
Services are deployed as containers to Elastic Container Service (ECS) by GitHub Actions workflows, using user roles dedicated to the CI/CD processes. These roles are managed by Identity and Access Management (IAM).
Sensitive service parameters (aka application configuration) are managed as secure strings by Systems Manager Parameter Store.
Services are built as container images and stored in our private Elastic Container Registry (ECR) repositories, with access controlled by specific roles managed in AWS IAM. Images are encrypted with AES-256 and scanned for vulnerability findings on push. Most of our repositories have tag immutability enabled to prevent accidental overwrites.
Kafka clusters are managed by MSK and are accessible only within the same VPC. Client services authenticate through IAM (role-based authentication). Data in transit is encrypted between clients and brokers, and within the cluster, via transport layer security (TLS). Data at rest is encrypted with a customer-managed key (CMK) provisioned by our infrastructure code using Key Management Service (KMS).
Redis clusters are managed by ElastiCache and are accessible only within the same VPC. Encryption is enabled both at rest and in transit. An authentication key is assigned to each user (Redis application client), and permissions are managed by IAM.
Encryption for DynamoDB tables is enabled both at rest and in transit. Each record has its own time-to-live (TTL) duration, defined by the hub backend instance.
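To make the MSK client requirements above concrete (IAM authentication, TLS in transit), here is an added example, not Zenoo's code, that parses a Kafka client properties file and reports settings that fall short of SASL_SSL with the AWS_MSK_IAM mechanism. The broker hostnames are placeholders; the property names and the `9098` IAM listener port are the ones MSK documents for IAM-authenticated clients.

```python
"""Check a Kafka client properties file for MSK IAM auth over TLS (added example)."""

# Settings MSK requires for IAM-authenticated clients.
REQUIRED = {
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "AWS_MSK_IAM",
    "sasl.jaas.config": "software.amazon.msk.auth.iam.IAMLoginModule required;",
    "sasl.client.callback.handler.class":
        "software.amazon.msk.auth.iam.IAMClientCallbackHandler",
}
MSK_IAM_PORT = 9098  # MSK broker port for IAM-authenticated (SASL_SSL) clients

# Constructed sample configs; broker hostnames are placeholders.
SECURE_PROPS = """\
bootstrap.servers=b-1.example.kafka.eu-west-1.amazonaws.com:9098
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
"""

WEAK_PROPS = """\
# plaintext listener, no authentication
bootstrap.servers=b-1.example.kafka.eu-west-1.amazonaws.com:9092
security.protocol=PLAINTEXT
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_kafka_client(props: dict) -> list:
    """Return findings for a client config that is not IAM-over-TLS against MSK."""
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if actual != expected:
            findings.append(f"{key}: expected '{expected}', got '{actual}'")
    # Kafka's default security.protocol is PLAINTEXT, so a missing key is unencrypted.
    if props.get("security.protocol", "PLAINTEXT") in ("PLAINTEXT", "SASL_PLAINTEXT"):
        findings.append("client traffic to brokers is unencrypted")
    for server in props.get("bootstrap.servers", "").split(","):
        server = server.strip()
        _, _, port = server.rpartition(":")
        if port.isdigit() and int(port) != MSK_IAM_PORT:
            findings.append(f"{server}: port {port} is not the MSK IAM listener port {MSK_IAM_PORT}")
    return findings


if __name__ == "__main__":
    print("secure:", audit_kafka_client(parse_properties(SECURE_PROPS)))
    print("weak:", audit_kafka_client(parse_properties(WEAK_PROPS)))
```

Running the audit in CI against the client configuration each service ships with catches a regression to a plaintext or password-based listener before the container reaches ECS.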
Network Security
Firewalls, Virtual Private Clouds (VPCs) and network segmentation are used to control network traffic and isolate sensitive data.
Each environment has its own VPC with private and public subnets defined. Services are placed in private or public subnets depending on their purpose and sensitivity. For example, data layer services such as MSK and ElastiCache are provisioned within the private subnets.
Application Load Balancers (ALB) have redirection rules to make sure each request reaches the relevant service. They enforce secure requests by redirecting HTTP to HTTPS, and they are integrated with Web Application Firewall (WAF).
Intrusion Detection and Prevention
Zenoo employs IDS/IPS systems, including AWS Security Hub, GuardDuty and WAF, to monitor, alert and respond to unauthorised access or suspicious activity in real time.
The Web Application Firewall (WAF) rule sets we use for both frontend and backend contain an IP reputation list, rate limiting, request body size restriction and known bad inputs.
SSL certificates are managed by AWS Certificate Manager (ACM). Public keys use RSA 2048, and signatures use SHA-256 with RSA.
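The ALB HTTP-to-HTTPS redirect and the WAF rule categories listed above can be expressed as the request structures the `elbv2` and `wafv2` APIs accept. The following is an added example, not Zenoo's configuration: it builds the port-80 listener redirect action and a CloudFront-scoped web ACL with the two AWS managed rule groups (IP reputation list, known bad inputs), a per-IP rate rule and a body size constraint, then audits a web ACL for the common misconfigurations of a managed group left in Count mode or a missing rule. The rate ceiling and 8 KB body cap are assumed thresholds.

```python
"""ALB HTTPS redirect action, WAF web ACL definition and audit (added example)."""
import copy

REQUIRED_MANAGED_GROUPS = {
    "AWSManagedRulesAmazonIpReputationList",  # IP reputation list
    "AWSManagedRulesKnownBadInputsRuleSet",   # known bad inputs
}
MAX_RATE_LIMIT = 2000   # assumed ceiling: requests per IP per 5-minute window
MAX_BODY_BYTES = 8192   # assumed request body cap


def http_redirect_listener_action() -> dict:
    """Default action for the port-80 listener: 301 to HTTPS, keeping host, path and query."""
    return {
        "Type": "redirect",
        "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443",
            "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}",
            "StatusCode": "HTTP_301",
        },
    }


def _visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def _managed_rule(priority: int, group: str) -> dict:
    return {
        "Name": group, "Priority": priority,
        "OverrideAction": {"None": {}},  # keep the group's block actions; Count would only log
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
        "VisibilityConfig": _visibility(group),
    }


def frontend_web_acl(rate_limit: int = 1000, max_body: int = MAX_BODY_BYTES) -> dict:
    """Web ACL in the shape wafv2 create_web_acl expects (scope CLOUDFRONT for the frontend)."""
    return {
        "Name": "frontend-web-acl", "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            _managed_rule(0, "AWSManagedRulesAmazonIpReputationList"),
            _managed_rule(1, "AWSManagedRulesKnownBadInputsRuleSet"),
            {"Name": "RateLimitPerIP", "Priority": 2, "Action": {"Block": {}},
             "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
             "VisibilityConfig": _visibility("RateLimitPerIP")},
            {"Name": "BodySizeLimit", "Priority": 3, "Action": {"Block": {}},
             "Statement": {"SizeConstraintStatement": {
                 "FieldToMatch": {"Body": {}}, "ComparisonOperator": "GT", "Size": max_body,
                 "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
             "VisibilityConfig": _visibility("BodySizeLimit")},
        ],
        "VisibilityConfig": _visibility("frontend-web-acl"),
    }


def audit_web_acl(acl: dict) -> list:
    """Return findings where the ACL fails to cover the rule categories, or covers them without blocking."""
    findings, seen_groups = [], set()
    has_rate = has_size = False
    for rule in acl.get("Rules", []):
        stmt = rule.get("Statement", {})
        if "ManagedRuleGroupStatement" in stmt:
            seen_groups.add(stmt["ManagedRuleGroupStatement"].get("Name"))
            if "None" not in rule.get("OverrideAction", {}):
                findings.append(f"{rule['Name']}: managed group overridden to Count, it will not block")
        elif "RateBasedStatement" in stmt:
            has_rate = True
            limit = stmt["RateBasedStatement"].get("Limit", 0)
            if limit > MAX_RATE_LIMIT or "Block" not in rule.get("Action", {}):
                findings.append(f"{rule['Name']}: rate limit {limit} too high or not blocking")
        elif "SizeConstraintStatement" in stmt:
            size_stmt = stmt["SizeConstraintStatement"]
            if size_stmt.get("FieldToMatch", {}).get("Body") is not None and size_stmt.get("ComparisonOperator") == "GT":
                has_size = True
                if size_stmt.get("Size", 0) > MAX_BODY_BYTES:
                    findings.append(f"{rule['Name']}: body cap {size_stmt['Size']} exceeds {MAX_BODY_BYTES}")
    for group in sorted(REQUIRED_MANAGED_GROUPS - seen_groups):
        findings.append(f"missing managed rule group {group}")
    if not has_rate:
        findings.append("no rate-based rule")
    if not has_size:
        findings.append("no request body size limit")
    return findings


if __name__ == "__main__":
    print("baseline:", audit_web_acl(frontend_web_acl()))
    weakened = copy.deepcopy(frontend_web_acl())
    weakened["Rules"][1]["OverrideAction"] = {"Count": {}}  # constructed misconfiguration
    print("count-mode:", audit_web_acl(weakened))
```

The audit is the useful half: a managed rule group switched to Count during tuning still emits CloudWatch metrics, so dashboards look healthy while nothing is blocked, and a periodic check against `get_web_acl` output is what surfaces that.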
Updated 3 months ago