Building a Secure & Scalable Web Platform with AWS: A Comprehensive Implementation

Introduction

In today’s digital landscape, having a professional online presence is crucial for showcasing your expertise and attracting new opportunities. For my personal project, EdwinMolina.me, I aimed to build more than just a portfolio website. My goal was to create a secure, scalable, and highly available web platform, leveraging the robust capabilities of Amazon Web Services (AWS) while adhering to industry-leading security best practices. Drawing from frameworks like OWASP, MITRE ATT&CK, and NIST, I developed a solution that prioritizes both performance and security. This post outlines the project's development journey, detailing the infrastructure, security measures, and continuous improvement practices I implemented.

Project Objectives

  • Create a Responsive, Professional Portfolio Website: Build an intuitive and visually appealing user interface to effectively showcase my skills and past projects.
  • Implement Scalable and Highly Available AWS Infrastructure: Design the platform to handle varying traffic loads with minimal latency and maximum uptime.
  • Adhere to Security Best Practices (OWASP, MITRE, NIST) and Implement TLS/SSL Encryption: Safeguard the platform against common vulnerabilities and ensure secure communication.
  • Leverage Serverless Technologies (Lambda, DynamoDB) for Cost Efficiency and Automation: Implement an automated cost monitoring system to stay within budget while maintaining optimal performance.
  • Adopt a Zero Trust Security Model: Ensure that every user and device is continually authenticated, and access is granted based on the principle of least privilege.
  • Implement AWS Multi-Account Organization: Use AWS Organizations to separate workloads and manage security and compliance across multiple accounts in a scalable and secure manner.

Tools & Technologies

  • Front-End Development: HTML, CSS
  • AWS Services: EC2 (Elastic Compute Cloud), Application Load Balancer (ALB), Route 53, Lambda, DynamoDB
  • Security Frameworks & Tools: OWASP Top Ten, MITRE ATT&CK, NIST Cybersecurity Framework (CSF), OWASP ZAP (Zed Attack Proxy), AWS IAM (Identity and Access Management)
  • Monitoring & Logging: AWS CloudTrail, GuardDuty, CloudWatch
  • Infrastructure Automation & IaC (Infrastructure as Code): AWS CloudFormation, Terraform, AWS Organizations
  • Cost Monitoring & Alerts: AWS Cost Explorer, CloudWatch Events, SNS (Simple Notification Service)

Implementation Strategy

Environment Setup

  • Front-End Development: Crafted a clean and responsive front-end using HTML and CSS, optimizing the user interface for both performance and user experience.
  • AWS Infrastructure Setup: Deployed EC2 instances and ALB for scalability, and configured Route 53 for DNS management and failover routing, ensuring high availability.

Security Implementation

  • TLS/SSL Encryption: Implemented HTTPS using AWS Certificate Manager (ACM) to ensure secure data transmission.
  • OWASP, MITRE, and NIST Integration: Adopted the principles of the OWASP Top Ten and MITRE ATT&CK frameworks to address the most common security risks, including XSS and injection attacks. Additionally, the NIST Cybersecurity Framework (CSF) guided the security lifecycle, ensuring that security was proactively integrated into every phase of the platform’s development. This included vulnerability management, secure architecture design, continuous monitoring, and incident response preparedness.
  • Zero Trust Security Model: Built the platform on a Zero Trust approach, ensuring all users, devices, and network traffic were continuously verified before granting access. Access was strictly controlled using AWS IAM for role-based access control (RBAC) and least-privilege access policies.
  • AWS Multi-Account Organization: Used AWS Organizations to create multiple accounts for different workloads, ensuring better isolation, granular security controls, and clear separation of environments (e.g., development, staging, and production).
  • OWASP ZAP Security Assessment: Conducted thorough security testing with OWASP ZAP, identifying potential vulnerabilities and implementing solutions to mitigate risks.

ZAP Vulnerability Assessment & Fixes

  • Medium-Risk Fixes:
    • Content Security Policy (CSP) Header Not Set: Configured Apache to send a strict CSP header, restricting the sources from which scripts and other content may load in order to mitigate XSS attacks.
    • Missing Anti-Clickjacking Header: Added the X-Frame-Options header to mitigate clickjacking threats.
  • Low-Risk Fixes:
    • Server Leaks Version Information: Hid the server version in HTTP headers by adjusting Apache security settings.
    • Strict-Transport-Security (HSTS) Not Set: Enabled HSTS to enforce HTTPS across all connections, mitigating the risk of MITM attacks.
    • X-Content-Type-Options Missing: Added the X-Content-Type-Options header to prevent MIME-type sniffing.
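After changing the Apache configuration, the practical check is to confirm that the live responses actually carry the expected headers. The following audit script is added here as example code, not part of the original project; the header values and both sample header sets are constructed, and the predicates reflect common hardening guidance rather than ZAP's exact rule logic.

```python
import re
# Example code added to this write-up (not the project's own): audits response
# headers against the five ZAP findings above.  Both sample header sets are constructed.
ONE_YEAR = 31536000  # HSTS max-age of one year is a common minimum

def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= ONE_YEAR

# (ZAP alert title, header name, header must be present?, predicate on its value)
CHECKS = [
    ("Content Security Policy (CSP) Header Not Set", "Content-Security-Policy", True,
     lambda v: "default-src" in v and "'unsafe-inline'" not in v),
    ("Missing Anti-Clickjacking Header", "X-Frame-Options", True,
     lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    # No Server header is fine; a version string such as "Apache/2.4.x" is not.
    ("Server Leaks Version Information", "Server", False,
     lambda v: not re.search(r"\d", v)),
    ("Strict-Transport-Security (HSTS) Not Set", "Strict-Transport-Security", True, _hsts_ok),
    ("X-Content-Type-Options Missing", "X-Content-Type-Options", True,
     lambda v: v.strip().lower() == "nosniff"),
]

def audit_headers(headers):
    """Return the ZAP alert titles that would still be raised for these headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for title, name, required, value_ok in CHECKS:
        value = lower.get(name.lower())
        if value is None:
            if required:
                findings.append(title)
        elif not value_ok(value):
            findings.append(title)
    return findings

def parse_raw_headers(raw):
    """Turn `curl -sI https://host/` output into a header dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

# Constructed responses: a default Apache install vs. the hardened configuration.
BEFORE = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
AFTER = {"Server": "Apache", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
         "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Running `audit_headers(parse_raw_headers(...))` on the output of `curl -sI` against the site gives a quick regression check between ZAP scans.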

Cost Monitoring & Automation

  • AWS Cost Explorer: Tracked usage patterns and identified cost anomalies to ensure financial efficiency.
  • CloudWatch Events & Lambda: Automated cost analysis and triggered alerts if usage exceeded defined cost thresholds.
  • SNS Notifications: Sent real-time alerts via email or Slack when cost limits were reached, enabling proactive financial monitoring.
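The scheduled Lambda described in the two items above can be kept small if the threshold logic is separated from the AWS calls. The function below is added example code, not the project's own; the environment variable names, the SNS topic placeholder and the sample Cost Explorer response are constructed.

```python
import os
from datetime import date
# Example code added to this write-up (not the project's own).  Reads month-to-date
# spend from Cost Explorer and publishes to SNS once it reaches a threshold.  The
# env var names, topic ARN placeholder and sample response are all constructed.

def daily_amounts(results_by_time, metric="UnblendedCost"):
    """(start date, USD amount) per day from a get_cost_and_usage response."""
    return [(d["TimePeriod"]["Start"], float(d["Total"][metric]["Amount"]))
            for d in results_by_time]

def evaluate_costs(results_by_time, threshold_usd):
    """Return alert text once spend reaches the threshold, else None."""
    running, crossed_on = 0.0, None
    for start, amount in daily_amounts(results_by_time):
        running += amount
        if crossed_on is None and running >= threshold_usd:
            crossed_on = start  # first day on which the limit was hit
    if crossed_on is None:
        return None
    return (f"AWS spend {running:.2f} USD has reached the {threshold_usd:.2f} USD "
            f"threshold (crossed on {crossed_on}).")

def lambda_handler(event, context):
    """Entry point for the CloudWatch Events schedule."""
    import boto3  # in the Lambda runtime; imported here so the functions above run without it
    today = date.today()
    if today.day == 1:  # Cost Explorer needs End > Start, so nothing to report on the 1st
        return {"alerted": False}
    resp = boto3.client("ce").get_cost_and_usage(
        TimePeriod={"Start": today.replace(day=1).isoformat(),
                    "End": today.isoformat()},
        Granularity="DAILY", Metrics=["UnblendedCost"])
    alert = evaluate_costs(resp["ResultsByTime"],
                           float(os.environ["COST_THRESHOLD_USD"]))  # constructed name
    if alert:
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],  # placeholder
                                    Subject="AWS cost threshold reached",
                                    Message=alert)
    return {"alerted": alert is not None}

# Constructed sample of the ResultsByTime shape returned by Cost Explorer.
SAMPLE_RESULTS = [
    {"TimePeriod": {"Start": "2024-05-01", "End": "2024-05-02"},
     "Total": {"UnblendedCost": {"Amount": "3.10", "Unit": "USD"}}},
    {"TimePeriod": {"Start": "2024-05-02", "End": "2024-05-03"},
     "Total": {"UnblendedCost": {"Amount": "3.25", "Unit": "USD"}}},
    {"TimePeriod": {"Start": "2024-05-03", "End": "2024-05-04"},
     "Total": {"UnblendedCost": {"Amount": "4.40", "Unit": "USD"}}},
]
```

The execution role needs only `ce:GetCostAndUsage` and `sns:Publish` on the one topic, which keeps the function in line with the least-privilege policy described earlier.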

Real-Time Monitoring & Logging

  • CloudTrail and GuardDuty: Tracked user actions and detected potential security threats in real time.
  • CloudWatch Dashboards: Created custom dashboards to monitor application performance and health metrics, allowing for proactive troubleshooting and maintenance.

Conclusion

The development of EdwinMolina.me was an invaluable learning experience that combined key areas of cybersecurity, cloud infrastructure, and automation. By leveraging AWS services such as EC2, ALB, Lambda, and DynamoDB, I built a secure, scalable platform that can handle varying traffic loads with minimal disruption.

Security was a top priority, with a Zero Trust approach enforced through continuous authentication and least-privilege access policies. I also employed AWS Organizations for multi-account management, ensuring the platform remains isolated and secure across different environments.

Incorporating industry-standard frameworks such as OWASP, MITRE ATT&CK, and the NIST Cybersecurity Framework ensured that security was embedded throughout the lifecycle of the platform. Regular vulnerability assessments using OWASP ZAP helped identify and resolve potential threats, while cost monitoring automation ensured financial efficiency. This project not only strengthened my skills in cloud infrastructure management and security best practices but also deepened my knowledge of penetration testing, vulnerability management, and cost optimization strategies. Through EdwinMolina.me, I’ve demonstrated my ability to build and manage secure, scalable web platforms—skills I am eager to bring to a cybersecurity analyst role.