Security Rules System

This document describes the new Security Rules system that has been integrated into the CloudForge Community (CFC) core API. The system provides configurable security profiles that can be applied to Jenkins deployments on both EC2 and Fargate runtimes.

Overview

The Security Rules system follows the same pattern as the existing RuntimeRules and TopologyRules, providing a consistent and extensible approach to security configuration. It integrates seamlessly with the SystemContext and RuleKit infrastructure.

Components

1. SecurityProfile Enum

Located at: com.cloudforgeci.api.interfaces.SecurityProfile

public enum SecurityProfile { 
    DEV, 
    STAGING, 
    PRODUCTION 
}

2. SecurityConfiguration Interface

Located at: com.cloudforgeci.api.interfaces.SecurityConfiguration

Extends the base IConfiguration interface and provides the kind() method to return the security profile type.

3. Security Configuration Implementations

DevSecurityConfiguration

Location: com.cloudforgeci.api.core.security.DevSecurityConfiguration
Purpose: Development environment with minimal security restrictions
Features:
- SSH access from anywhere (0.0.0.0/0)
- Jenkins port accessible from anywhere
- HTTP/HTTPS accessible from anywhere
- NFS access from Jenkins instances

StagingSecurityConfiguration

Location: com.cloudforgeci.api.core.security.StagingSecurityConfiguration
Purpose: Testing environment with moderate security restrictions
Features:
- SSH access restricted to VPC CIDR
- Jenkins port only accessible from ALB security group
- HTTP/HTTPS accessible from anywhere (needed for external testing)
- NFS access restricted to Jenkins instances

ProductionSecurityConfiguration

Location: com.cloudforgeci.api.core.security.ProductionSecurityConfiguration
Purpose: Production environment with hardened security for compliance
Features:
- SSH access restricted to bastion/VPN CIDR (10.0.1.0/24)
- Jenkins port only accessible from ALB security group
- HTTPS only (HTTP redirects to HTTPS)
- NFS access restricted to Jenkins instances
- ALB access logging enabled with S3 bucket (6-year retention, lifecycle management)
- WAF protection enabled
- Cognito OIDC authentication auto-provisioned (when domain + SSL configured)
- Compliance validation for PCI-DSS, HIPAA, SOC 2, GDPR

4. SecurityRules Class

Located at: com.cloudforgeci.api.core.rules.SecurityRules

Manages the installation and wiring of security configurations based on the selected security profile.

5. SystemContext Integration

The SystemContext has been updated to include:

SecurityProfile security field
Slot<CfnWebACL> wafWebAcl slot for future WAF integration
Updated start() method to accept SecurityProfile parameter
Updated debugPath() method to include security information

Usage Examples

Basic Usage (Default DEV Security)

// Uses SecurityProfile.DEV by default
JenkinsFactory.createEc2(scope, "MyJenkins", cfc);
JenkinsFactory.createFargate(scope, "MyJenkins", cfc);

Explicit Security Profile Selection

// Development environment
JenkinsFactory.createEc2(scope, "DevJenkins", cfc, SecurityProfile.DEV);

// Staging environment
JenkinsFactory.createEc2(scope, "StagingJenkins", cfc, SecurityProfile.STAGING);

// Production environment
JenkinsFactory.createEc2(scope, "ProdJenkins", cfc, SecurityProfile.PRODUCTION);

Complete Example

public class MyJenkinsDeployment {
    public static void deploy(Construct scope, String id, DeploymentContext cfc) {
        // Development deployment
        JenkinsFactory.createEc2(scope, id + "Dev", cfc, SecurityProfile.DEV);
        
        // Staging deployment
        JenkinsFactory.createFargate(scope, id + "Staging", cfc, SecurityProfile.STAGING);
        
        // Production deployment
        JenkinsFactory.createEc2(scope, id + "Production", cfc, SecurityProfile.PRODUCTION);
    }
}

Security Profiles Comparison

Feature	DEV	STAGING	PRODUCTION
SSH Access	Anywhere (0.0.0.0/0)	VPC CIDR	Bastion/VPN CIDR (10.0.1.0/24)
Jenkins Port	Anywhere	ALB Security Group	ALB Security Group
HTTP Access	Anywhere	Anywhere	Redirects to HTTPS
HTTPS Access	Anywhere	Anywhere	Anywhere
NFS Access	Jenkins Instances	Jenkins Instances	Jenkins Instances
WAF Protection	None	None	Placeholder for future

Integration Points

The Security Rules system integrates with the following components:

ALB (Application Load Balancer): Security group rules for HTTP/HTTPS access
Domain/Subdomain: DNS configuration for external access
ACM Certificate: SSL/TLS certificate management
EFS: Network File System security group rules
VPC: Virtual Private Cloud configuration
Multi-AZ: Multi-Availability Zone deployment
Auto Scaling Group: EC2 instance scaling
Jenkins: Application-specific security configurations
S3: Object storage security (future enhancement)
Lambda: Serverless function security (future enhancement)
ECR: Container registry security (future enhancement)
EKS: Kubernetes cluster security (future enhancement)
CloudWatch: Monitoring and logging security
WAF: Web Application Firewall - ✅ Fully implemented (required for PCI-DSS)
Backup: Data backup security (future enhancement)
CloudFront: CDN security (future enhancement)

Future Enhancements

Recently Completed ✅

~~WAF Integration~~ - ✅ COMPLETED: Full AWS WAF v2 implementation, required for PCI-DSS compliance
~~Compliance Frameworks~~ - ✅ COMPLETED: SOC2, HIPAA, PCI-DSS, GDPR fully implemented with multi-framework support
~~IAM Integration~~ - ✅ COMPLETED: Fine-grained IAM policies based on security profiles (see IAM_RULES.md)
~~Security Monitoring~~ - ✅ COMPLETED: CloudWatch alarms, GuardDuty integration, certificate expiration monitoring

Planned Enhancements

Additional Security Profiles: Industry-specific security profiles (Financial Services, Healthcare, Government)
Advanced Encryption: Customer-managed KMS keys for all encryption at rest
S3 Security Rules: Comprehensive S3 bucket security configurations
Lambda Security Rules: Serverless function security and VPC integration
ECR Security Rules: Container registry security scanning and access control
EKS Security Rules: Kubernetes cluster security and pod security policies
CloudFront Security: CDN security configurations and origin access identity

Testing

The system includes comprehensive validation rules that ensure:

Required security groups are present
Security group rules are properly configured
Network access is appropriately restricted based on the security profile
Integration with existing runtime and topology configurations

Migration Guide

Existing deployments using the old SystemContext.start() method will need to be updated to include the SecurityProfile parameter:

Before:

SystemContext.start(scope, TopologyType.JENKINS_SERVICE, RuntimeType.EC2, cfc);

After:

SystemContext.start(scope, TopologyType.JENKINS_SERVICE, RuntimeType.EC2, SecurityProfile.DEV, cfc);

The JenkinsFactory methods have been updated to maintain backward compatibility while providing the new security functionality.

Overview​

Components​

1. SecurityProfile Enum​

2. SecurityConfiguration Interface​

3. Security Configuration Implementations​

DevSecurityConfiguration​

StagingSecurityConfiguration​

ProductionSecurityConfiguration​

4. SecurityRules Class​

5. SystemContext Integration​

Usage Examples​

Basic Usage (Default DEV Security)​

Explicit Security Profile Selection​

Complete Example​

Security Profiles Comparison​

Integration Points​

Future Enhancements​

Recently Completed ✅​

Planned Enhancements​

Testing​

Migration Guide​