Deploying CipherStash Proxy to AWS ECS

Prerequisites

Step-by-step guide

1. Prepare your Docker image

You can deploy CipherStash Proxy to AWS ECS using the Docker image from the AWS Marketplace or from Docker Hub.

  1. If you want to purchase CipherStash Proxy from the AWS Marketplace, follow the instructions in this how-to guide to pull the Docker image.

  2. If you'd prefer to use the Docker Hub registry, push the cipherstash/cipherstash-proxy image to Amazon ECR (Elastic Container Registry) as follows:

# Pull the public image, then tag and push it into the ECR repository created in your account
docker pull cipherstash/cipherstash-proxy:latest
aws ecr create-repository --repository-name cipherstash-proxy
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com
docker tag cipherstash/cipherstash-proxy:latest <account_id>.dkr.ecr.<region>.amazonaws.com/cipherstash-proxy:<tag>
docker push <account_id>.dkr.ecr.<region>.amazonaws.com/cipherstash-proxy:<tag>

2. Create a task definition

  • Create a JSON file for the ECS task definition that includes the necessary configurations and environment variables:

    {
      "family": "cipherstash-proxy",
      "networkMode": "awsvpc",
      "requiresCompatibilities": ["FARGATE"],
      "cpu": "256",
      "memory": "512",
      "executionRoleArn": "arn:aws:iam::<account_id>:role/ecsTaskExecutionRole",
      "containerDefinitions": [
        {
          "name": "cipherstash-proxy",
          "image": "<account_id>.dkr.ecr.<region>.amazonaws.com/cipherstash-proxy:<tag>",
          "cpu": 256,
          "memory": 512,
          "essential": true,
          "portMappings": [
            {
              "containerPort": 6432,
              "hostPort": 6432
            }
          ],
          "environment": [
            {
              "name": "CS_USERNAME",
              "value": "postgres"
            },
            {
              "name": "CS_PASSWORD",
              "value": "password"
            },
            {
              "name": "CS_WORKSPACE_ID",
              "value": "12345678-1234-1234-1234-123456789012"
            },
            {
              "name": "CS_CLIENT_ACCESS_KEY",
              "value": "12345678-1234-1234-1234-123456789012"
            }
          ],
          "secrets": [
            {
              "name": "CS_DATABASE__NAME",
              "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_name"
            },
            {
              "name": "CS_DATABASE__HOST",
              "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_host"
            },
            {
              "name": "CS_DATABASE__PORT",
              "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_port"
            }
          ]
        }
      ]
    }

    Replace placeholders with actual values and save this as cipherstash-proxy-task-def.json. The networkMode, requiresCompatibilities and task-level cpu and memory fields are required by the FARGATE launch type used in step 3, and the execution role (the default ecsTaskExecutionRole is shown) must be allowed to pull the image from ECR and to read the referenced parameters (ssm:GetParameters), otherwise the task fails to start.

  • Register the task definition using the AWS CLI:

    aws ecs register-task-definition --cli-input-json file://cipherstash-proxy-task-def.json
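Before registering, it is worth checking the file mechanically rather than by eye. The script below is an added example, not CipherStash's own tooling: it lints a task definition for the fields Fargate needs, flags secret-looking values (PASSWORD, SECRET, ACCESS_KEY or TOKEN in the name) that were left in the plain environment block, verifies that each secrets entry points at an SSM or Secrets Manager ARN, lists placeholders that were never replaced, and can move the plaintext values into secrets entries given an ARN for each. The embedded sample is a constructed copy of the definition above; the ARN naming passed to move_env_to_secrets is an assumption supplied by the caller, not a CipherStash convention.

```python
"""Lint an ECS task definition for CipherStash Proxy before registering it (added example)."""
import json
import re
import sys

# Constructed sample: the task definition from this guide, placeholders left in on purpose.
SAMPLE_TASK_DEF = """
{
  "family": "cipherstash-proxy",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::<account_id>:role/ecsTaskExecutionRole",
  "containerDefinitions": [{
    "name": "cipherstash-proxy",
    "image": "<account_id>.dkr.ecr.<region>.amazonaws.com/cipherstash-proxy:<tag>",
    "cpu": 256, "memory": 512, "essential": true,
    "portMappings": [{"containerPort": 6432, "hostPort": 6432}],
    "environment": [
      {"name": "CS_USERNAME", "value": "postgres"},
      {"name": "CS_PASSWORD", "value": "password"},
      {"name": "CS_WORKSPACE_ID", "value": "12345678-1234-1234-1234-123456789012"},
      {"name": "CS_CLIENT_ACCESS_KEY", "value": "12345678-1234-1234-1234-123456789012"}
    ],
    "secrets": [
      {"name": "CS_DATABASE__NAME", "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_name"},
      {"name": "CS_DATABASE__HOST", "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_host"},
      {"name": "CS_DATABASE__PORT", "valueFrom": "arn:aws:ssm:your-region:your-account-id:parameter/database_port"}
    ]
  }]
}
"""

PROXY_PORT = 6432
SECRET_LIKE = re.compile(r"PASSWORD|SECRET|ACCESS_KEY|TOKEN", re.IGNORECASE)
PLACEHOLDER = re.compile(r"<[a-z_]+>|your-(?:region|account-id)")
SECRET_ARN_PREFIXES = ("arn:aws:ssm:", "arn:aws:secretsmanager:")


def load_sample_task_definition():
    return json.loads(SAMPLE_TASK_DEF)


def _strings(value):
    """Yield every string leaf in a JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def lint_task_definition(doc):
    """Return a list of findings; an empty list means the definition passed."""
    findings = []
    if doc.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc for Fargate")
    if "FARGATE" not in doc.get("requiresCompatibilities", []):
        findings.append("requiresCompatibilities must include FARGATE")
    for key in ("cpu", "memory"):
        if key not in doc:
            findings.append(f"task-level {key} is required for Fargate")
    containers = doc.get("containerDefinitions", [])
    if any(c.get("secrets") for c in containers) and not doc.get("executionRoleArn"):
        findings.append("executionRoleArn is required when secrets are used")
    for c in containers:
        for env in c.get("environment", []):  # plaintext values are readable via DescribeTaskDefinition
            if SECRET_LIKE.search(env["name"]):
                findings.append(f"{c['name']}: {env['name']} is a plaintext environment variable; move it to secrets")
        for s in c.get("secrets", []):
            if not s.get("valueFrom", "").startswith(SECRET_ARN_PREFIXES):
                findings.append(f"{c['name']}: {s['name']} valueFrom is not an SSM or Secrets Manager ARN")
        if PROXY_PORT not in {p.get("containerPort") for p in c.get("portMappings", [])}:
            findings.append(f"{c['name']}: containerPort {PROXY_PORT} is not mapped")
    for p in sorted({m.group(0) for s in _strings(doc) for m in PLACEHOLDER.finditer(s)}):
        findings.append(f"unreplaced placeholder {p}")
    return findings


def move_env_to_secrets(doc, arn_for):
    """Return a copy where secret-like environment variables become secrets entries.

    arn_for(name) supplies the SSM or Secrets Manager ARN for each variable (caller's choice).
    """
    new = json.loads(json.dumps(doc))  # deep copy, original untouched
    for c in new.get("containerDefinitions", []):
        keep = []
        for env in c.get("environment", []):
            if SECRET_LIKE.search(env["name"]):
                c.setdefault("secrets", []).append({"name": env["name"], "valueFrom": arn_for(env["name"])})
            else:
                keep.append(env)
        c["environment"] = keep
    return new


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else load_sample_task_definition()
    for finding in lint_task_definition(doc):
        print("FINDING:", finding)
```

Run it as python lint_task_def.py cipherstash-proxy-task-def.json; on the sample it reports the two plaintext credentials and the five placeholders, and after move_env_to_secrets only the placeholder findings remain.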

3. Create an ECS cluster and service

  • Create an ECS cluster (if you don’t already have one), as follows:

    aws ecs create-cluster --cluster-name CipherStashCluster

  • Create a service to run and maintain the desired number of instances of the task definition:

    aws ecs create-service --cluster CipherStashCluster --service-name CipherStashProxyService --task-definition cipherstash-proxy --desired-count 1 --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[subnet-abcdefg],securityGroups=[sg-123456],assignPublicIp=ENABLED}"

4. Check your deployment

  • Check the service and task status:

    aws ecs list-services --cluster CipherStashCluster
    aws ecs describe-services --cluster CipherStashCluster --services CipherStashProxyService
    aws ecs list-tasks --cluster CipherStashCluster --service-name CipherStashProxyService
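The describe-services output is long, and the facts that matter (running count matches desired count, the PRIMARY deployment has finished rolling out, no recent failure events) are easy to miss when reading it by hand. The following script is an added example, not CipherStash tooling: pipe the JSON from the describe-services command above into it and it exits non-zero with the reasons when the service has not converged. The embedded sample output is constructed; the event wording it checks for is the kind ECS emits, not a complete catalogue.

```python
"""Assess `aws ecs describe-services` output for the proxy service (added example)."""
import json
import sys

# Constructed sample of describe-services output for a service that has converged.
SAMPLE_DESCRIBE_SERVICES = """
{
  "services": [
    {
      "serviceArn": "arn:aws:ecs:<region>:<account_id>:service/CipherStashCluster/CipherStashProxyService",
      "serviceName": "CipherStashProxyService",
      "status": "ACTIVE",
      "launchType": "FARGATE",
      "desiredCount": 1,
      "runningCount": 1,
      "pendingCount": 0,
      "taskDefinition": "arn:aws:ecs:<region>:<account_id>:task-definition/cipherstash-proxy:1",
      "deployments": [
        {"status": "PRIMARY", "rolloutState": "COMPLETED",
         "rolloutStateReason": "ECS deployment ecs-svc/1 completed.",
         "desiredCount": 1, "runningCount": 1}
      ],
      "events": [
        {"id": "evt-1", "createdAt": "2024-01-01T00:00:00+00:00",
         "message": "(service CipherStashProxyService) has reached a steady state."}
      ]
    }
  ],
  "failures": []
}
"""

# Substrings of ECS service events that indicate the rollout is not converging.
FAILURE_MARKERS = ("unable to place", "failed", "unhealthy")


def load_sample_describe_services():
    return json.loads(SAMPLE_DESCRIBE_SERVICES)


def assess_service(output, service_name="CipherStashProxyService", recent_events=10):
    """Return (healthy, reasons); healthy is True only when reasons is empty."""
    reasons = []
    for failure in output.get("failures", []):  # ARNs the API could not describe
        reasons.append(f"API failure for {failure.get('arn')}: {failure.get('reason')}")
    matches = [s for s in output.get("services", []) if s.get("serviceName") == service_name]
    if not matches:
        reasons.append(f"service {service_name} not present in output")
        return False, reasons
    svc = matches[0]
    if svc.get("status") != "ACTIVE":
        reasons.append(f"service status is {svc.get('status')}")
    if svc.get("runningCount") != svc.get("desiredCount"):
        reasons.append(f"runningCount {svc.get('runningCount')} != desiredCount {svc.get('desiredCount')}")
    primary = next((d for d in svc.get("deployments", []) if d.get("status") == "PRIMARY"), None)
    if primary is None:
        reasons.append("no PRIMARY deployment")
    elif primary.get("rolloutState") not in (None, "COMPLETED"):  # rolloutState is absent for some controllers
        reasons.append(f"rollout {primary['rolloutState']}: {primary.get('rolloutStateReason', '')}")
    # Events are returned newest first; only the recent ones are relevant to this rollout.
    for event in svc.get("events", [])[:recent_events]:
        message = event.get("message", "")
        if any(marker in message.lower() for marker in FAILURE_MARKERS):
            reasons.append(f"recent event: {message}")
    return not reasons, reasons


if __name__ == "__main__":
    data = load_sample_describe_services() if sys.stdin.isatty() else json.load(sys.stdin)
    ok, why = assess_service(data)
    print("healthy" if ok else "not healthy")
    for reason in why:
        print(" -", reason)
    sys.exit(0 if ok else 1)
```

Usage: aws ecs describe-services --cluster CipherStashCluster --services CipherStashProxyService | python check_service.py. With no input on stdin it evaluates the embedded sample.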

Notes and considerations

  • Security: The example task definition keeps CS_USERNAME, CS_PASSWORD and CS_CLIENT_ACCESS_KEY in the plain environment block, where anyone who can call ecs:DescribeTaskDefinition can read them. Manage sensitive data such as keys and passwords securely, preferably by moving them to the secrets block with AWS Secrets Manager or Parameter Store (SecureString) references, as the database settings already are.
  • Networking: The security group passed to create-service should allow inbound TCP 6432 only from your application's security groups and outbound only to your database and to the endpoints the proxy needs. assignPublicIp=ENABLED is only required when the task has no other route (NAT gateway or VPC endpoints) to pull the image from ECR and reach services outside the VPC.
  • Scaling and management: Monitor the service and adjust scaling as necessary.

With CipherStash Proxy in place, you can now use the entire CipherStash product suite to secure your data:

  • CipherStash Audit: Audit your database queries and data access logs
  • CipherStash Encrypt: Encrypt your data at rest and in transit
  • CipherStash Identify: Identify and mask sensitive data in your database (coming soon!)