
Logical ID Strategy Options With General Network Security & International Privacy Regulations In Mind #343

Open
daryllynnhq opened this issue Aug 9, 2023 · 4 comments

Comments

@daryllynnhq

Hi, just from a general network security standpoint, and with local U.S. and international privacy regulations that online businesses and marketers have to stay aware of kept in mind, even though I'm mostly sure that you are not a lawyer or anything like that, what is your recommendation on which Logical ID Strategy option on the Former2 website to choose from, with both strong security, but also not "getting lost" in my own project, kept in mind? I noticed that it talked about hashes for a suffix for one or two of the options, so I don't want to get myself confused somewhere in the middle of setting up my infrastructure. I want to have the best security that I can get, or can afford, depending on how much profit I have made or kept at any one point in time, but I also want it to be balanced with being as convenient as possible, and as easy as possible to maintain. These governmental privacy regulation departments can be some really mean characters, and I have heard that they really mean business, and they want to see businesses make every effort to comply with the requirements, especially with the European GDPR, which can be enforced upon a U.S. business, even though it isn't in Europe, because the European Union has a treaty with the U.S., and because the U.S. business is online and still handling personal information and data of European citizens, despite the business being headquartered somewhere else, in a different country/continent. Thank you in advance for any help, and also thank you for your time. I really appreciate any help, but if you can't advise on it, or not completely, I completely understand. No hard feelings.

@iann0036
Owner

iann0036 commented Aug 9, 2023

IANAL, however I can provide my own views on this.

Any logical ID strategy should not void your privacy obligations, so long as they are consistent and don't conflict with any specified requirements. You should strive to ensure your infrastructure is understandable to yourself and others who are part of your organization, and hence I'd avoid the hash option for readability purposes - it would make it less readable/understandable and therefore introduce a greater risk of misconfiguration.

That said, the best strategy would be to override logical ID naming with terms that make sense within your business context, such as system names, component names, business unit names, etc. (Former2 obviously doesn't have that information).

A side note that Former2 is a best-effort tool and you should review all outputs it creates to ensure they are valid and sane, including testing in a non-production environment. Also refer to the security section to ensure you understand how your AWS credentials are handled.

@daryllynnhq
Author

daryllynnhq commented Aug 9, 2023 via email

@daryllynnhq
Author

I have another question. I don't expect you to explain all of the steps of anything in detail though. But do I change the logical IDs Before or After using the Former2 tool? I have already been studying about and implementing setting up the AWS CDK on my local machine. Thank you for your time, and thank you in advance for your help. And again, I really, sincerely appreciate your help that you have given so far. Take care.

@iann0036
Owner

Hi @daryllynnhq,

You can adjust the Logical ID strategy as you please, but Former2 won't give you any guidance on that.
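Added example, not code from Former2 or from either participant above: the maintainer's suggestion to replace generated logical IDs with business-context names, and the follow-up question about when to do it, both come down to renaming resources in a template you already have while keeping every reference to them consistent. The script below does that for a CloudFormation JSON template: it validates the mapping (alphanumeric names, no collisions, no unknown sources), then rewrites `Ref`, both forms of `Fn::GetAtt`, `${Name}` / `${Name.Attr}` inside `Fn::Sub`, and `DependsOn`. The template, the generated-looking names with hash-like suffixes, and the replacement names are all constructed for the example.

```python
import json
import re

# Logical IDs must be alphanumeric and unique within a template.
LOGICAL_ID_RE = re.compile(r"^[A-Za-z0-9]+$")
# ${Name} / ${Name.Attr} inside Fn::Sub; ${!literal} and ${AWS::Region} do not
# match because of the leading character class and the colons.
SUB_VAR_RE = re.compile(r"\$\{([A-Za-z0-9]+)(\.[A-Za-z0-9.]+)?\}")

# Constructed sample with generator-style names and hash-like suffixes.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "S3Bucket00billingexports00a1B2c": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "billing-exports-example"},
        },
        "IAMRole00reportreader00Z9y8X": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Statement": []}},
        },
        "S3BucketPolicy00billingexports00Q7w6E": {
            "Type": "AWS::S3::BucketPolicy",
            "DependsOn": ["S3Bucket00billingexports00a1B2c"],
            "Properties": {
                "Bucket": {"Ref": "S3Bucket00billingexports00a1B2c"},
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Principal": {"AWS": {"Fn::GetAtt": ["IAMRole00reportreader00Z9y8X", "Arn"]}},
                    "Action": "s3:GetObject",
                    "Resource": {"Fn::Sub": "${S3Bucket00billingexports00a1B2c.Arn}/*"},
                }]},
            },
        },
    },
    "Outputs": {"BucketArn": {"Value": {"Fn::GetAtt": "S3Bucket00billingexports00a1B2c.Arn"}}},
}

# Hypothetical business-context names replacing the generated ones.
EXAMPLE_MAPPING = {
    "S3Bucket00billingexports00a1B2c": "BillingExportsBucket",
    "IAMRole00reportreader00Z9y8X": "ReportReaderRole",
    "S3BucketPolicy00billingexports00Q7w6E": "BillingExportsBucketPolicy",
}

def validate_mapping(template, mapping):
    """Reject unknown sources, invalid characters and name collisions."""
    resources = template.get("Resources", {})
    if not set(mapping) <= set(resources):
        raise ValueError("mapping names an ID that is not a resource")
    if not all(LOGICAL_ID_RE.match(n) for n in mapping.values()):
        raise ValueError("logical IDs must be alphanumeric")
    final = [mapping.get(old, old) for old in resources]
    if len(set(final)) != len(final):
        raise ValueError("renaming would produce duplicate logical IDs")

def _sub_string(text, mapping, local_vars):
    def repl(m):
        name, attr = m.group(1), m.group(2) or ""
        if name in local_vars:  # explicit Fn::Sub variables shadow resource names
            return m.group(0)
        return "${" + mapping.get(name, name) + attr + "}"
    return SUB_VAR_RE.sub(repl, text)

def _rename_node(node, mapping):
    """Recursively rebuild the tree, rewriting Ref, Fn::GetAtt (list and dotted forms) and Fn::Sub."""
    if isinstance(node, list):
        return [_rename_node(item, mapping) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, val), = node.items()
        if key == "Ref" and isinstance(val, str):
            return {"Ref": mapping.get(val, val)}
        if key == "Fn::GetAtt" and isinstance(val, list) and val:
            return {"Fn::GetAtt": [mapping.get(val[0], val[0]), *val[1:]]}
        if key == "Fn::GetAtt" and isinstance(val, str):
            res, dot, attr = val.partition(".")
            return {"Fn::GetAtt": mapping.get(res, res) + dot + attr}
        if key == "Fn::Sub" and isinstance(val, str):
            return {"Fn::Sub": _sub_string(val, mapping, {})}
        if key == "Fn::Sub" and isinstance(val, list) and len(val) == 2:
            local_vars = _rename_node(val[1], mapping)
            return {"Fn::Sub": [_sub_string(val[0], mapping, local_vars), local_vars]}
    return {k: _rename_node(v, mapping) for k, v in node.items()}

def rename_logical_ids(template, mapping):
    """Return a new template with resources renamed and every reference updated; input is untouched."""
    validate_mapping(template, mapping)
    out = _rename_node(template, mapping)  # rebuilds every dict/list, so this is a copy
    renamed = {}
    for old, body in out["Resources"].items():
        deps = body.get("DependsOn")  # bare name or list of names, not an intrinsic
        if isinstance(deps, str):
            body["DependsOn"] = mapping.get(deps, deps)
        elif isinstance(deps, list):
            body["DependsOn"] = [mapping.get(d, d) for d in deps]
        renamed[mapping.get(old, old)] = body
    out["Resources"] = renamed
    return out

if __name__ == "__main__":
    print(json.dumps(rename_logical_ids(SAMPLE_TEMPLATE, EXAMPLE_MAPPING), indent=2))
```

Run it on a saved template by loading the JSON and passing your own mapping; after renaming, diff the result against the original and grep for the old names, since a stale reference in a place this script does not know about (a custom resource property that embeds a logical ID in a plain string, for example) would surface as a deployment failure or, worse, a policy pointing at the wrong resource.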
