Submitted originally by: katie.shakman
We were asked about the details of the Domino AMI hardening process.
Here is a summary of the main points Domino follows when selecting and configuring Domino AMIs. In addition to the host preparation process, it is important to note that access to the Domino environment is always gated through the Domino Router and Domino Frontend, with all user code sandboxed within Domino Run containers. The as-built configuration of Domino hosts roughly adheres to the CIS benchmark for Ubuntu LTS.
Domino Amazon Machine Image Selection and Configuration
Domino uses upstream Ubuntu LTS cloud images as a base. Domino regularly sources the latest available AMI ID from Ubuntu Cloud Images to build Domino hosts that adhere to common security best practices:
- Enforce the Ubuntu LTS security channel at least every 24 hours.
- Expose only services relevant to Domino Core and Supporting services.
- Enforce non-privileged accounts to run exposed services.
- Enforce file and process limits.
- Enforce kernel parameters for the ephemeral port range, network forwarding and cache timeouts.
- Centrally log all Domino Core and Supporting service activity.
- Generate secure secrets for all services and accounts.
- Generate mutual certificates using secure parameters.
- Segregate local storage for the Domino application and system services via separate EBS volumes.
- Restrict access to instance metadata.
- Disable password authentication.
- Disable remote root login.
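As an added example, not Domino's tooling or any part of its build process, the following POSIX shell audit checks several of the items above (security channel enforcement, pinned kernel parameters, password authentication disabled, remote root login disabled) against an Ubuntu-style root tree. The Ubuntu file paths it reads are assumed, the two sample trees it writes are constructed rather than captured from a host, and the sysctl checks only confirm that a parameter is pinned because the page does not state the values Domino uses.

```shell
# Added audit example, not Domino's own tooling. File paths are the Ubuntu
# defaults (an assumption about the hosts); the sample trees written by
# write_sample_root are constructed, not captured from a real machine.

# Effective value of an sshd_config keyword, lower-cased. sshd honours the
# FIRST occurrence of a keyword, matches keywords case-insensitively and
# ignores comment lines, so a hardening line appended below a permissive one
# silently loses; the audit reads the file the same way.
sshd_value() {
    # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Pass only when the keyword is explicitly set to the expected value. A
# missing keyword fails closed: the compiled-in defaults (PasswordAuthentication
# yes, PermitRootLogin prohibit-password) do not satisfy the checklist.
check_sshd() { [ "$(sshd_value "$1" "$2")" = "$3" ]; }

# Value of "key = value" in a sysctl.d-style file, outer whitespace trimmed
# (inner whitespace kept: ip_local_port_range is a pair of numbers).
sysctl_value() {
    # $1 = sysctl file, $2 = key
    awk -F'=' -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit }
    ' "$1"
}

# The LTS security channel counts as enforced when unattended-upgrades runs
# daily (APT::Periodic::Unattended-Upgrade "1") and its allowed origins list
# the -security pocket on an uncommented line.
check_security_channel() {
    # $1 = 20auto-upgrades, $2 = 50unattended-upgrades
    grep -Eq '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1" &&
        grep -Eq '^[[:space:]]*"[^"]*-security";' "$2"
}

# Audit a root tree (use "/" on a live host): prints one line per item and
# returns the number of failures.
audit_root() {
    root=$1; fails=0
    for spec in "PasswordAuthentication no" "PermitRootLogin no"; do
        key=${spec% *}; want=${spec#* }
        if check_sshd "$root/etc/ssh/sshd_config" "$key" "$want"; then
            echo "PASS sshd $key $want"
        else
            echo "FAIL sshd $key must be $want"; fails=$((fails + 1))
        fi
    done
    if check_security_channel "$root/etc/apt/apt.conf.d/20auto-upgrades" \
                              "$root/etc/apt/apt.conf.d/50unattended-upgrades"; then
        echo "PASS apt security channel"
    else
        echo "FAIL apt security channel not enforced"; fails=$((fails + 1))
    fi
    # Presence only: the page says these are enforced, not which values.
    for key in net.ipv4.ip_local_port_range net.ipv4.ip_forward; do
        if [ -n "$(sysctl_value "$root/etc/sysctl.d/99-hardening.conf" "$key")" ]; then
            echo "PASS sysctl $key pinned"
        else
            echo "FAIL sysctl $key not pinned"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample trees so the audit runs offline.
# $1 = target dir, $2 = "hardened" or "weak"
write_sample_root() {
    mkdir -p "$1/etc/ssh" "$1/etc/apt/apt.conf.d" "$1/etc/sysctl.d"
    if [ "$2" = hardened ]; then
        printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' \
            > "$1/etc/ssh/sshd_config"
        printf '%s\n' 'APT::Periodic::Unattended-Upgrade "1";' \
            > "$1/etc/apt/apt.conf.d/20auto-upgrades"
        printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
            '        "${distro_id}:${distro_codename}-security";' '};' \
            > "$1/etc/apt/apt.conf.d/50unattended-upgrades"
        printf '%s\n' 'net.ipv4.ip_local_port_range = 32768 60999' \
            'net.ipv4.ip_forward = 1' > "$1/etc/sysctl.d/99-hardening.conf"
    else
        # The permissive "yes" comes first, so the later "no" never applies.
        printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
            '# PermitRootLogin no' > "$1/etc/ssh/sshd_config"
        printf '%s\n' 'APT::Periodic::Unattended-Upgrade "0";' \
            > "$1/etc/apt/apt.conf.d/20auto-upgrades"
        printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
            '//      "${distro_id}:${distro_codename}-security";' '};' \
            > "$1/etc/apt/apt.conf.d/50unattended-upgrades"
        : > "$1/etc/sysctl.d/99-hardening.conf"
    fi
}

# Stand-alone run over both constructed profiles.
demo=$(mktemp -d)
for profile in hardened weak; do
    write_sample_root "$demo/$profile" "$profile"
    echo "== $profile sample =="
    n=0; audit_root "$demo/$profile" || n=$?
    echo "$n check(s) failed"
done
rm -rf "$demo"
```

On a live host run `audit_root /`. The first-match rule in `sshd_value` is the detail most ad-hoc greps get wrong; when you have shell access, `sshd -T` prints the effective configuration and is the authoritative check.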