# CPM, UH tasks backlog
## CPM
1. **Cost Reduction**
- [x] Apply the EFS Infrequent Access (IA) storage class for cost reduction
- [x] Consideration of reserved instances for RDS (databases)
- [x] Not practical in this setup (databases are stopped/started when needed)
2. **Improve management of users and user rights with IAM**
(time estimation 1-2 Weeks)
[Prepared Table in Excel](https://jitsolutionspl-my.sharepoint.com/:x:/g/personal/oskar_wasiewski_jit_team/EQkfe09IJB9FhzD6gfS_tfABhokPPipA_JWhwJkgcLAFvw?email=marcel.thiel%40jit.team&e=0cx2T5)
Tasks planned to be covered by the end of the week
- [x] Create tables with different instances/policies
(time estimation <= 1 MD)
- [x] Distinguishing the user group (developer, non-admin, admin, business, read-only-user)
- [x] Distinguish user group privileges (example: privilege for database access for developer)
- [x] Create or use AWS access policies for each user group (for example, create or reuse an existing IAM policy for IAM database access and attach it to the user group)
- [x] Enforce MFA (second factor) for AWS users
- [x] Create AWS account for Marcel Thiel
- [x] Assign appropriate privileges to Marcel's AWS user
- [x] Discuss with Edmund which of the prepared policies to apply
- [ ] Transfer current users' authority
- [ ] Identify current user rights granted outside AWS IAM control (a user works on EC2 instances but appears as inactive in IAM!)
- [ ] Reduce current AWS user rights to only what is needed; currently every user has admin (full access) rights
- [ ] Remove the user rights identified in the first step and manage user rights through the IAM panel
- [ ] Remove SSH keys from EC2 instances after successful user rights transfer (security risk)
3. **Implement a better system for managing SSH users with the help of IAM**
(time estimation <= 1 MD)
- [x] Familiarize with the current system
- [x] Recognize available solutions
- [x] Test and create a demo meeting
- [x] Check whether the SSM solution supports user isolation
- [x] It doesn't
- [ ] Prepare documentation on provided solution
- [x] Attach policies with access to instances to specified users
- [x] Identify which users should have access to a specific instance and with what permissions on that instance (delete, stop, create, etc.).
4. **Number of environments (prod, dev, staging)**
(time estimation <= 2-5 MD)
- [x] Identify the number of environments
- [x] How we can economize/optimise their use
- [x] Can we activate/deactivate them
5. **Database MySQL upgrade**
(time estimation <= 3-6 MD)
- [x] Upgrade Amazon Aurora MySQL 1 databases; the current version will reach end of life on February 28, 2023 :exclamation:
- Done for instances dev and analysis-2: MySQL 5.7 (AWS Aurora version 2).
- [x] Update analysis-1 database
- Done for all RDS
## Uniquely Health
1. **Access to dashboard**
(time estimation <= 1 MD)
- [x] Contact Maciej, on how to access Dashboard (meeting planned for 02.09.2022)
Tasks planned to be covered by the end of the week
- [x] Create 2 new Clinician user accounts.
- [x] Document the process of adding new users in Confluence.
https://uniquelyhealth.atlassian.net/wiki/spaces/UQH/pages/12943361/Adding+new+users+to+Dashboard
2. **Improve management of users and user rights with IAM**
(time estimation 1-2 Weeks)
- [x] Similar to the one from CPM :arrow_up:
- [x] The same common Excel table
3. **Secure connection to the database**
(time estimation 1-3 MD)
- [ ] Ensure that database is not publicly accessible
- [x] Enable GuardDuty (analyse cost)
4. **Number of environments (prod, dev, staging) / Cost saving**
(time estimation 1-2 weeks)
- [x] Identify the number of existing environments
- [x] [Documentation up-to-date](https://uniquelyhealth.atlassian.net/wiki/spaces/UQH/pages/4128975/Environments+and+databases)
- [x] Three environments (Development, Production, Staging) on two Kubernetes clusters
- [x] [Infrastructure graph](https://uniquelyhealth.atlassian.net/wiki/spaces/UQH/pages/16777217/Kubernetes+Cluster+on+AWS+EKS)
- [x] How we can economize/optimise their use
- [x] Can we activate/deactivate them?
- [x] Contact Maciej about access to EKS cluster (meeting planned for 02.09.2022)
- [x] Enable access to the billing section with Edmund
- [x] Consideration of different worker instance type (reserved, on-demand, spot)
- [x] Kubernetes instance number autoscaler (decrease/increase the number of instances based on load): https://karpenter.sh/; implemented on the dev cluster
Cost saving summary
| | Option | Cost reduction / month | Enabled (Yes/No; if No, reason) |
|----|---|---|---|
| 1. | Switching all instances to t3.small | 13,392$ per instance | Partially; dev instances are turned off as a result of switching off the Testing cluster. The Prod EKS cluster did not run after changing the instance size to t3.small ("Too many pods"): the nginx controller did not come up and the application was not available for public use |
| 2. | Switch off Testing cluster | 56$ | Yes |
| 3. | Turn off Development Database | 24$ | Yes; currently the database is stopped manually, need to import and enable the script from CPM |
| 4. | Savings from Kubecost solution | 11,56$ | No; reserved instances do not meet our needs at the moment, maybe in the future |
5. **Kubernetes cluster upgrade**
(time estimation <= 1-2 MD)
- [x] Currently the production environment is deployed on cluster version 1.21 and the testing environment on version 1.20. AWS has added support for 1.23
6. **GDPR**
(time estimation <= 1 MD)
- [x] Sent the current version of the GDPR document (specifying what is in place and what can be implemented)
- [x] Completion of the rest of the GDPR document
- [ ] Estimate the cost of GuardDuty
- [x] Contact Maciej about how data is stored on AWS (meeting planned for 02.09.2022)
- [x] Contact Maciej about database structure, what kind of data is stored and what are correlations between data (meeting planned for 02.09.2022)
- [x] Scan the current AWS infrastructure with a third-party solution to analyse it for GDPR compliance
- [x] Analyse recommendations from the GDPR scan
- [ ] Apply recommendations from GDPR scan
- [ ] Apply AWS best practices regarding GDPR compliance
7. **Import and enable RDS-switch script from CPM AWS**
- [x] Transfer the Lambda script from the CPM AWS account to the UH AWS account
- [x] Enable the script to turn off the RDS database based on the number of database connections
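As an added illustration of the RDS-switch idea (this is not the CPM/UH Lambda itself), the function below stops a dev RDS instance once CloudWatch shows no DatabaseConnections over the whole lookback window. The instance id, lookback and period are assumed values; the decision function refuses to stop when datapoints are missing, so a metric gap is not read as "idle".

```python
from datetime import datetime, timedelta, timezone

DB_INSTANCE_ID = "dev-database"   # assumed identifier; the backlog names none
LOOKBACK_MINUTES = 60             # assumed idle window before stopping
PERIOD_SECONDS = 300              # one CloudWatch datapoint per 5 minutes


def is_idle(datapoints, lookback_minutes=LOOKBACK_MINUTES, period=PERIOD_SECONDS):
    """Return True only if the window is fully covered and every datapoint is 0.

    datapoints: the "Datapoints" list from CloudWatch GetMetricStatistics for
    AWS/RDS DatabaseConnections, each carrying a "Maximum" value. A window with
    missing datapoints is not treated as idle: a metric gap (instance already
    stopping, monitoring outage) must not be mistaken for "no connections".
    """
    expected = lookback_minutes * 60 // period
    if len(datapoints) < expected:
        return False
    return all(dp["Maximum"] == 0 for dp in datapoints)


def lambda_handler(event, context):
    # boto3 is imported here so is_idle() stays importable and testable offline.
    import boto3
    cw = boto3.client("cloudwatch")
    rds = boto3.client("rds")
    now = datetime.now(timezone.utc)
    stats = cw.get_metric_statistics(
        Namespace="AWS/RDS",
        MetricName="DatabaseConnections",
        Dimensions=[{"Name": "DBInstanceIdentifier", "Value": DB_INSTANCE_ID}],
        StartTime=now - timedelta(minutes=LOOKBACK_MINUTES),
        EndTime=now,
        Period=PERIOD_SECONDS,
        Statistics=["Maximum"],
    )
    status = rds.describe_db_instances(DBInstanceIdentifier=DB_INSTANCE_ID)[
        "DBInstances"][0]["DBInstanceStatus"]
    # Only an "available" instance can be stopped; a stopped one is left alone.
    # For an Aurora cluster use stop_db_cluster(DBClusterIdentifier=...) instead.
    if status == "available" and is_idle(stats["Datapoints"]):
        rds.stop_db_instance(DBInstanceIdentifier=DB_INSTANCE_ID)
        return {"action": "stopped", "instance": DB_INSTANCE_ID}
    return {"action": "none", "instance": DB_INSTANCE_ID, "status": status}
```

Schedule the handler with an EventBridge rule (e.g. every 15 minutes) and grant its role only cloudwatch:GetMetricStatistics, rds:DescribeDBInstances and rds:StopDBInstance on the target instance.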
8. **Tracking where users log in from**
- [ ] Cookies; separate login for dashboard and infrastructure!
- [x] Who logs in with these credentials
- [x] AWS CloudTrail
- [ ] Set up a process for when abnormal activity is noticed
- [ ] Set up GuardDuty
- [ ] GuardDuty notices abnormal activity
- [ ] Notify by email
9. **Investigate whether we need network segmentation**