Infrastructure Security

EC2 hardening, network security, and the target ECS architecture.

Steadybase currently runs on AWS EC2 with plans to migrate to ECS Fargate. This page covers the current infrastructure security posture and the target architecture.

Current Architecture

┌─────────────────────────────────────────┐
│  AWS EC2 (t4g.medium, us-west-2)       │
│  Instance: i-063afb7f24a64376a         │
│  Elastic IP: 34.210.217.25            │
│                                         │
│  ┌──────────────────────────────────┐   │
│  │  Nginx (reverse proxy)          │   │
│  │  - TLS 1.2+ (Let's Encrypt)    │   │
│  │  - Security headers (Helmet)    │   │
│  │  - Path blocking (.git, .env)   │   │
│  └──────────────┬───────────────────┘   │
│                 │                        │
│  ┌──────────────▼───────────────────┐   │
│  │  PM2 (process manager)          │   │
│  │  - Auto-restart on crash        │   │
│  │  - Log rotation                 │   │
│  │  - Cluster mode                 │   │
│  └──────────────┬───────────────────┘   │
│                 │                        │
│  ┌──────────────▼───────────────────┐   │
│  │  Express Server (:3000)         │   │
│  │  - Auth middleware              │   │
│  │  - Rate limiting                │   │
│  │  - CORS                         │   │
│  └──────────────────────────────────┘   │
└─────────────────────────────────────────┘

         ▼ (mTLS)
┌─────────────────────────────────────────┐
│  Temporal Cloud (us-west-2)             │
│  Namespace: quickstart-steadybase       │
└─────────────────────────────────────────┘

What's Hardened

| Control | Status | Details |
| --- | --- | --- |
| TLS 1.2+ | Implemented | nginx with Let's Encrypt, auto-renewal |
| Security headers | Implemented | Helmet: X-Frame-Options, X-Content-Type-Options, HSTS |
| Sensitive path blocking | Implemented | nginx blocks .git, .env, node_modules |
| File permissions | Implemented | 600 on .env and sensitive config files |
| Process management | Implemented | PM2 with auto-restart, log rotation |
| Temporal mTLS | Implemented | Client certificate authentication |

Known Gaps

:::warning
These gaps are documented transparently and prioritized in our roadmap.
:::

Critical

| Gap | Risk | Remediation |
| --- | --- | --- |
| Port 3000 open externally | Direct API access bypassing nginx proxy | Add iptables rule: `iptables -A INPUT -p tcp --dport 3000 ! -i lo -j DROP` (the `! -i lo` match exempts loopback, so only localhost is allowed and nginx can still reach Express) |
| SELinux in permissive mode | Reduced OS-level isolation | Switch to enforcing mode with appropriate policies |
| No automated backups | Data loss risk | Daily encrypted backups to S3 |

High Priority

| Gap | Risk | Remediation |
| --- | --- | --- |
| No firewall rules | Open network surface | Configure iptables/security groups |
| CloudWatch inactive | No centralized monitoring | Enable CloudWatch agent |
| No health checks | Silent failures | Add health check endpoints + monitoring |

Target Architecture (ECS Fargate)

The planned migration to ECS Fargate improves security through:

  • Container isolation — Each service runs in its own container
  • No SSH access — Fargate tasks have no shell access
  • IAM roles — Fine-grained permissions per service
  • ALB — Application Load Balancer replaces direct nginx
  • Secrets Manager — Secrets injected at runtime, not stored on disk
  • VPC — Private subnets for application containers

See ECS Migration for the full target architecture.

Network Security Recommendations

For immediate hardening of the current EC2 architecture:

  1. Close port 3000 — Restrict to localhost only via iptables
  2. Security groups — Allow only 80, 443 from public; SSH from known IPs only
  3. Enable SELinux — Switch from permissive to enforcing
  4. Configure fail2ban — Protect SSH from brute-force attempts
  5. Enable CloudWatch — Centralized logging and alerting
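
A way to check recommendations 1 and 2 against the actual security group, as an added example that is not Steadybase's own tooling: it audits JSON in the shape returned by `aws ec2 describe-security-groups` and flags any world-open ingress rule beyond TCP 80/443, including port ranges and all-protocol rules that cover port 3000 or SSH. The group ID, CIDRs and function names are constructed for illustration.

```python
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_TCP_PORTS = {80, 443}  # the page's rule: only 80 and 443 from public

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# the group ID and CIDRs are placeholders, not Steadybase's real configuration.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]},
  {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
]}]}
""")

def world_open(perm):
    """Return the world-open CIDRs (IPv4 and IPv6) attached to one ingress rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in PUBLIC_CIDRS]

def audit(groups):
    """Return (group_id, port_range, cidr) for each public rule beyond TCP 80/443."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto == "-1":                 # "-1" means all protocols, all ports
                lo, hi = 0, 65535
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                      # ICMP etc. carry no port range
            # A TCP range passes only if every port in it is on the public allowlist.
            if proto == "tcp" and all(p in PUBLIC_OK_TCP_PORTS for p in range(lo, hi + 1)):
                continue
            findings += [(sg["GroupId"], f"{lo}-{hi}", c) for c in world_open(perm)]
    return findings

if __name__ == "__main__":
    for gid, ports, cidr in audit(SAMPLE):
        print(f"{gid}: ports {ports} open to {cidr}")
```

On the constructed sample this reports SSH and port 3000 as open to 0.0.0.0/0 and passes the 80/443 rules and the private 10.0.0.0/16 range.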
