“Securing Connectivity for Arçelik’s Homewhiz IoT: A Strategic Approach”

About the Customer

Arçelik is a major company operating in Turkey and internationally, specializing in the production of white goods and electronic appliances. Arçelik has developed a smart home application called “Homewhiz” for its IoT projects, allowing users to remotely manage smart devices. This application runs entirely on AWS and operates with a serverless backend (API Gateway + CloudFront + Lambda).

Customer Challenge

In a system that handles traffic at a very high scale, managing and securing the traffic is crucial. Additionally, Lambda functions require Virtual Private Cloud (VPC) access, and once connected to the VPC they need to reach RDS databases. Access to the RDS databases must be restricted to specific ports and CIDR ranges. Furthermore, the Lambda service is by nature a public service that sends traffic to subnets only through public IPs, which makes it challenging to ensure secure and restricted data transfer to private databases.

Partner Solution

As the entrusted partner in this collaborative venture, “Yönetim.Academy” approached Arçelik’s Homewhiz IoT project with a strategic and comprehensive solution, employing Terraform to orchestrate the intricate architecture. The challenges presented by the high-scale traffic management and the need for secure Lambda function and RDS database interactions were met with a meticulous design aimed at not just solving the problems at hand but also answering the critical question of “why” each step was taken.

The first strategic move involved the creation of dedicated subnets exclusively for Lambda functions. Why? This approach ensures a clear segregation of resources, optimizing the network layout for Lambda operations. By providing unique subnets for Lambda functions, the partner solution addressed the necessity for controlled and efficient access tailored specifically to the requirements of these serverless components.

Having carved out these specialized subnets, the next crucial decision was to configure the network access control lists associated with these Lambda subnets to permit only HTTPS (port 443). Why HTTPS and why restrict to a specific port? HTTPS, as a secure communication protocol, aligns with best practices for data in transit. Restricting access to a specific port enhances security by minimizing the attack surface, adhering to the principle of least privilege. And just like many other public AWS services, Lambda uses HTTPS on port 443 for communication.

With Lambdas having gained access to the designated subnets, the next “why” revolved around ensuring their interactions with the RDS databases were secure and controlled. Elastic network interfaces and security groups were introduced to create a tightly controlled environment. Why? Elastic network interfaces act as a bridge, limiting the Lambdas’ reach to the specific actions required for database access. Security groups configured to allow only database interactions were the cornerstone of creating a finely tuned access control mechanism.

Subsequently, the RDS security groups were updated to only allow traffic from these restricted subnet CIDRs. Why limit access to specific CIDRs? This step narrows down the entry points for communication, fortifying the system’s defenses against potential unauthorized access and external threats. It’s a strategic move toward creating a secure communication channel between the public Lambda functions and the private RDS databases.
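The steps above expressed as Terraform, as an added illustration rather than Yönetim.Academy's or Arçelik's own code: the VPC id, subnet ids, CIDR ranges and the PostgreSQL port 5432 are constructed assumptions.

```hcl
# Added example; identifiers below are constructed placeholders, not Homewhiz values.
locals {
  vpc_id              = "vpc-0123456789abcdef0"        # placeholder
  lambda_subnet_ids   = ["subnet-0aaa", "subnet-0bbb"] # placeholders
  lambda_subnet_cidrs = ["10.0.10.0/24", "10.0.11.0/24"]
}
# NACL on the dedicated Lambda subnets: outbound HTTPS (443) only.
resource "aws_network_acl" "lambda" {
  vpc_id     = local.vpc_id
  subnet_ids = local.lambda_subnet_ids
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  # NACLs are stateless: HTTPS replies return on ephemeral ports, so this rule is needed.
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
# Security group attached to the Lambda ENIs: egress to the database port only.
resource "aws_security_group" "lambda" {
  name   = "homewhiz-lambda"
  vpc_id = local.vpc_id
  egress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.rds.id]
  }
}
# RDS security group: ingress only from the Lambda subnet CIDRs on the database port.
resource "aws_security_group" "rds" {
  name   = "homewhiz-rds"
  vpc_id = local.vpc_id
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = local.lambda_subnet_cidrs
  }
}
```

Because NACLs also filter traffic between subnets, the same NACL must additionally permit the database port in both directions if the RDS instances live in subnets other than the Lambda ones; `terraform plan` shows the resulting rule set before anything is applied.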

This orchestration of network interfaces, security groups, and subnet configurations exemplifies a strategic alignment with the principle of least privilege. Each decision in the partner solution was rooted in a careful consideration of security best practices and the specific needs of the Homewhiz IoT project.

Results and Benefits

The partner solution delivered tangible results and compelling benefits, each directly tied to the strategic decisions made to address the challenges presented:

The emphasis on HTTPS, specific port access, and controlled network configurations ensures not only efficient but also highly secure traffic management within the system.

The creation of dedicated subnets optimized for Lambda functions answers the “why” by providing a segregated and controlled environment tailored to the specific needs of these serverless components.

Elastic network interfaces, security groups, and subnet configurations not only secure the database access but also answer the “why” by aligning with the principle of least privilege, minimizing potential attack vectors.

The strategic decisions regarding network interfaces and security groups exemplify a secure and controlled approach to connecting public services (Lambda) to private services (RDS). The “why” behind these decisions is rooted in creating a robust and least-privileged access model.

The use of Terraform serves not just as a tool for infrastructure as code but as a strategic decision to enhance consistency, repeatability, and ease of maintenance in the system’s deployment and management.

The overall security posture benefits from a thoughtful orchestration of access controls, meeting the project’s specific needs while aligning with industry best practices.

The partner solution adheres to security best practices, emphasizing the “why” at each step. This strategic alignment ensures that the implemented measures not only address immediate challenges but also contribute to the long-term security and reliability of the system.

In essence, the partner solution crafted by “Yönetim.Academy” is more than a set of technical configurations; it is a strategic response to the challenges posed by Arçelik’s Homewhiz IoT project. Each decision is underpinned by a clear understanding of security principles, industry best practices, and the unique requirements of the project. The result is a resilient, secure, and strategically aligned infrastructure ready to support the demands of a high-scale IoT application.