I have Magento 2 as a PaaS service and they are running Fastly as the WAF. I need someone to help me with the activities below.
• Securely configure Fastly.
• Lock down Fastly and only allow ports 443 and 80
• Block DDoS Attacks
• Block bots
• Method to flush the cache frequently without impacting the site
• Restrict the Magento admin portal at Fastly to a whitelisted set of IPs
• Log all activities
• Export the Logs to LogRhythm
• Install the SSL certificate along with the root certificates
• Block all access and only allow users based on their role
• Figure out how we can use IDM (not high priority, but ideally within 6 weeks along with all other open items)
Load balancers (Imperva)
• Accept traffic only from Fastly
• All traffic from the web servers to users should go out through the LB, not directly from the web servers
• Log all LB activities
• Export the logs to LogRhythm
Web servers (Nginx)
• Lock down the server configuration.
• Log all activities
• Ensure the application cannot write anything to the NGINX server shell
• Lock down access
• Only the application ID has access to the SQL database
• No user should be able to run any queries
• Enable auditing
• Log every activity
• Export logs to LogRhythm, or install LogRhythm agents on the NGINX, Apache and MySQL servers
Magento 2 E-Comm Platform
• Get admin access to Bitbucket
• Configure secure code scanning (RIPSTECH)
• Only authorized users are allowed in the CI/CD pipeline, based on RBAC (role-based access control)
• Lock down Bitbucket
• Run a code scan on the existing code in Bitbucket
Magento 2 App
• Disable unnecessary extensions
• Create IP whitelisting for the admin portal
• Harden the user ID and password requirements
• Harden admin access with MFA, CAPTCHA, and complex passwords with a minimum of 10 characters
• Enable all possible logging for admin actions
• All logs are shipped either to an S3-type bucket for LogRhythm to read, or to a location on the web server from which LR can read.
• Method to vet third-party extensions, and how their JS can be scanned and installed using Bitbucket
• A process ensuring that all third-party advertising agencies follow the Five Below Change and Release Management process and pass the secure code scanning practices before deploying code to prod
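As an added example (not part of this request, and not code from Fastly's Magento module), here is a custom VCL fragment of the kind that implements the admin IP whitelisting asked for both under Fastly and under the Magento 2 app: it stops requests to the Magento admin URL at the Fastly edge unless they come from an ACL of allowed addresses. The admin path and the allowed range are assumed placeholders; the real admin front name is set in the Magento application and must be substituted.

```vcl
# Added example: restrict the Magento admin front name to an IP allowlist at the Fastly edge.
# The range below is a constructed placeholder (RFC 5737 documentation space); replace it
# with the office / VPN egress addresses that should be able to reach the admin portal.
acl admin_allowlist {
  "203.0.113.0"/24;
}

sub vcl_recv {
  # ADMIN_FRONTNAME is a placeholder for the admin URL path configured in Magento
  # (the path segment after the host that opens the admin login).
  # client.ip is the connecting address; Fastly is the outermost hop here, so it is the user.
  if (req.url.path ~ "^/ADMIN_FRONTNAME(/|$)" && client.ip !~ admin_allowlist) {
    # Reject at the edge, so neither the Imperva LB nor the origin sees the request.
    error 403 "Forbidden";
  }
}
```

When this is loaded through Fastly's VCL snippets feature as a snippet of type "recv", the `sub vcl_recv` wrapper is omitted because the snippet body is placed inside that subroutine for you.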
Security and Network Operations Center Run Book
• Create a possible run book for Level 1 and Level 2 based on security, system, and engineering issues
Recently, two CNAMEs redirecting to two URLs have been configured.
Presently I have super user access to Magento Cloud, but not to the application.
I will also need day-to-day support for any other activities related to this task.