This repository has been archived by the owner on Aug 12, 2022. It is now read-only.

Security spike #8

Closed
malak-coforma opened this issue Jul 31, 2022 · 5 comments
Comments

@malak-coforma (Contributor)

malak-coforma commented Jul 31, 2022

Description

Requirements

  • Document decision on how we want to secure the endpoints

Next Steps

Tech Notes

For the individual endpoints, how do we want to do this? Keys? What about a JWT token (i.e. showing we can support a front end?) as well as an API key (to allow it to integrate with another service).

A strong argument in favor of JWT tokens: design has created some wireframes of what a front end could look like based on the user roles shared with us in the challenge documentation. It would be great to be positioned to support a front end in this way, as I think it could be a compelling way to potentially frame our decisions in our final write up.

Extra: Tech Challenge Instructions

Assumptions

The following assumptions should be considered when designing and implementing the Challenge submission:

  1. It is not required that the solution is exclusively based on AWS services. Open-source tools, libraries and technologies can be used.
  2. The scripts, tooling and instructions to instantiate any service to be hosted within the AWS region must be part of the Challenge submission.
  3. For the scope of this challenge, the vendor can configure the AWS environment to have inbound access from and outbound access to the Internet.
  4. For the scope of this challenge, Internet-available repositories can be accessed and used (e.g. operating systems, packages, libraries, containers, etc.).
  5. Consider the highest security standards as if receiving, sending and hosting Personal Identifiable Information and Protected Health Information, even for this Challenge. All system interfaces should be secured appropriately. Note: No PII or PHI shall be included in the submission.
  6. CMS will not purchase or accept a purchased license for any product or service (e.g., domain names, HTTPS certificates, etc.) other than those provided to CMS by AWS. CMS will not accept licenses where using the product or service for this evaluation falls outside acceptable use.
  7. No services that obligate future expenditures (such as reserved instances) are permitted.
  8. For maintainability, the vendor must use Java as a programming language, AWS CloudFormation or Terraform for deploying infrastructure, and OpenAPI for documenting interface contracts.

AWS Installation Requirements

  1. The Quoter's provided solution will be installed and operated in a single AWS provisioned account.
  2. System infrastructure deployment should be done via AWS CloudFormation or Terraform.
  3. Installation, testing, and uninstall scripts from the Quoter will be run from an EC2 T-series instance running Amazon Linux 2.
  4. The Quoter shall provide an IAM policy file that can be applied to the EC2 instance for running all install/test/uninstall scripts.
  5. All resources should be tagged to indicate the Quoter associated with the resource.
  6. The solution must create and deploy to its own Virtual Private Cloud (VPC).
  7. Solutions must choose from FedRAMP approved Cloud services.

@malak-coforma (Contributor, Author)

Login page already 50%. Authenticating before Swagger documentation. Taking offline for discussion.

@malak-coforma (Contributor, Author)

From @TheDanMiller:

That's sort of what I was getting at with the dummy token. Even better if it gets returned from the API. Less risk of something getting lost in documentation.

Another thought: could make an assumption about the documentation being gated behind VPN access so we can focus on standing up systems this week?

@malak-coforma (Contributor, Author)

Basically done, @caoabunga is being picky about it. We can mark this as done, but create a tech debt/bonus feature card:

  • would like to use basic auth headers instead of auth tokens

@malak-coforma (Contributor, Author)

This was moved to the "done" column, not sure why the issue didn't close out. Manually closing out now.

@malak-coforma (Contributor, Author)

Oh, follow up ticket is #38 btw.
