An Auditor’s Checklist for Securing Laravel Backends on AWS
AWS IAM: Principle of Least Privilege for Laravel Applications
A fundamental tenet of secure cloud deployments is adhering to the principle of least privilege. For Laravel applications hosted on AWS, this translates to meticulously configuring Identity and Access Management (IAM) roles and policies. Avoid using overly permissive policies like AdministratorAccess. Instead, create granular policies that grant only the necessary permissions for your application’s components to interact with AWS services.
Consider a typical Laravel application using S3 for file storage, RDS for its database, and ElastiCache for caching. The IAM role attached to the EC2 instance (or ECS task, or Lambda function) running your Laravel application should reflect these specific needs.
Example IAM Policy for a Laravel Application
This policy grants read/write access to a specific S3 bucket, read-only access to RDS (assuming read replicas or specific database access patterns), and `Get` operations for ElastiCache. Adjust resource ARNs to match your environment.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-laravel-bucket",
"arn:aws:s3:::your-laravel-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": "arn:aws:rds-db:us-east-1:123456789012:db-cluster:your-rds-cluster-identifier:db-user:your-db-user"
},
{
"Effect": "Allow",
"Action": [
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheEngineVersions",
"elasticache:DescribeReplicationGroups"
],
"Resource": "*"
}
]
}
Auditor Check: Verify that the IAM role attached to the application’s compute resource (EC2, ECS, Lambda) has a custom IAM policy. Ensure the policy’s Resource elements are specific (e.g., individual S3 buckets, specific RDS instances) and not wildcarded where possible. Check that actions are limited to what the application *actually* needs.
Database Security: RDS and Secrets Management
Directly embedding database credentials in Laravel’s .env file is a common vulnerability. For production environments on AWS, leverage AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve database credentials. This allows for credential rotation and centralizes management.
Integrating Secrets Manager with Laravel
You’ll need an AWS SDK for PHP and a mechanism to fetch the secret at application startup or on demand. A common pattern is to fetch the secret during the application’s bootstrap phase.
First, ensure your IAM role has permissions to access Secrets Manager:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:your-laravel-db-secret-XXXXXX"
}
]
}
Next, create a service provider in Laravel to fetch and configure the database connection using the retrieved credentials. This example assumes you’re using the default mysql driver.
Create a new file, e.g., app/Providers/DatabaseSecretsServiceProvider.php:
<?php
namespace App\Providers;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Facades\DB;
use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;
class DatabaseSecretsServiceProvider extends ServiceProvider
{
/**
* Register services.
*
* @return void
*/
public function register()
{
//
}
/**
* Bootstrap services.
*
* @return void
*/
public function boot()
{
$this->app->singleton('db.connection.config', function ($app) {
$region = env('AWS_SECRETS_MANAGER_REGION', 'us-east-1');
$secretName = env('DB_SECRET_NAME'); // e.g., your-laravel-db-secret
if (!$secretName) {
throw new \Exception("DB_SECRET_NAME environment variable is not set.");
}
$secretsManager = new SecretsManagerClient([
'version' => 'latest',
'region' => $region,
]);
try {
$result = $secretsManager->getSecretValue([
'SecretId' => $secretName,
]);
if (!isset($result['SecretString'])) {
throw new \Exception("SecretString not found in Secrets Manager response.");
}
$credentials = json_decode($result['SecretString'], true);
if (json_last_error() !== JSON_ERROR_NONE) {
throw new \Exception("Failed to decode JSON from Secrets Manager.");
}
if (!isset($credentials['username']) || !isset($credentials['password']) || !isset($credentials['host']) || !isset($credentials['dbname'])) {
throw new \Exception("Required database credentials (username, password, host, dbname) not found in secret.");
}
// Configure the database connection dynamically
config([
'database.connections.mysql.host' => $credentials['host'],
'database.connections.mysql.port' => $credentials['port'] ?? 3306, // Default MySQL port
'database.connections.mysql.database' => $credentials['dbname'],
'database.connections.mysql.username' => $credentials['username'],
'database.connections.mysql.password' => $credentials['password'],
]);
// Return a dummy value or the config array if needed elsewhere
return config('database.connections.mysql');
} catch (AwsException $e) {
// Log the error and potentially fail fast
\Log::error("Error retrieving database credentials from AWS Secrets Manager: " . $e->getMessage());
throw new \Exception("Failed to retrieve database credentials.");
} catch (\Exception $e) {
\Log::error("Error configuring database connection: " . $e->getMessage());
throw new \Exception("Failed to configure database connection.");
}
});
// Optionally, you can force the configuration to be loaded here if needed
// $this->app->make('db.connection.config');
}
}
Register this service provider in your config/app.php file:
/*
* Application Service Providers...
*/
App\Providers\AppServiceProvider::class,
App\Providers\AuthServiceProvider::class,
// ... other providers
App\Providers\DatabaseSecretsServiceProvider::class, // Add this line
App\Providers\EventServiceProvider::class,
App\Providers\RouteServiceProvider::class,
// ...
And set the necessary environment variables in your .env file (or preferably, via your deployment system’s configuration):
AWS_SECRETS_MANAGER_REGION=us-east-1 DB_SECRET_NAME=your-laravel-db-secret
Auditor Check: Confirm that database credentials are not hardcoded in the application’s codebase or .env files. Verify that credentials are being fetched from a secure store like AWS Secrets Manager or Parameter Store. Review the IAM policy for the application’s compute resource to ensure it only has permissions for secretsmanager:GetSecretValue on the specific secret ARN.
Application Firewalling: AWS WAF with Laravel
Protecting your Laravel application from common web exploits (SQL injection, XSS, etc.) is crucial. AWS Web Application Firewall (WAF) can be integrated with Application Load Balancers (ALB) or CloudFront distributions to filter malicious traffic before it reaches your application.
Configuring AWS WAF Rules
AWS WAF offers managed rule sets (e.g., for SQL injection, XSS) and the ability to create custom rules. For a Laravel application, consider the following:
- Managed Rules: Enable AWS managed rules for common threats like
SQL injection,Cross-site scripting (XSS), andPHP injection. - Rate-based Rules: Implement rate limiting to mitigate brute-force attacks on login forms or API endpoints.
- Custom Rules: Create custom rules for specific application vulnerabilities or to block known malicious IP addresses/ranges. For instance, blocking requests that don’t originate from expected API gateways or trusted sources.
- Geo-blocking: If your application has regional restrictions, configure WAF to block traffic from disallowed countries.
When integrating WAF with an ALB, you associate a WAF Web ACL with the ALB listener. For CloudFront, you associate it with the CloudFront distribution.
Example: Blocking requests with common XSS patterns
Within your WAF Web ACL, you can add a rule like this:
Rule: Block XSS Attempts
Type: Regular rule
If a request:
matches the statement
Inspect: Body, URI path, Query string, Headers
String and text transformation: Lowercase, URL decode, HTML decode
String comparison: Contains
String to match: <script>
(Add similar conditions for other XSS patterns like 'onerror=', 'javascript:')
Then: Block
Auditor Check: Verify that AWS WAF is enabled and associated with the application’s public-facing endpoint (ALB or CloudFront). Review the configured Web ACLs and associated rules. Ensure that managed rule sets for common vulnerabilities are enabled and that custom rules are in place to address application-specific risks. Check that the WAF logging is enabled and configured to send logs to CloudWatch Logs or S3 for analysis.
Laravel Application Logging and Monitoring on AWS
Robust logging and monitoring are essential for detecting and responding to security incidents. Laravel’s default logging can be configured to send logs to AWS CloudWatch Logs, providing a centralized, searchable, and auditable log repository.
Configuring Laravel to Log to CloudWatch
You’ll need the AWS SDK for PHP and a custom log handler. First, ensure your IAM role has permissions to write to CloudWatch Logs:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/laravel/your-app-name:*"
}
]
}
Create a custom log channel in config/logging.php. This example uses the monolog/monolog library, which Laravel leverages.
// config/logging.php
'channels' => [
// ... other channels
'cloudwatch' => [
'driver' => 'monolog',
'handler' => Monolog\Handler\StreamHandler::class,
'with' => [
'stream' => 'php://stdout', // Or a file if not using a dedicated log forwarder
'level' => env('LOG_LEVEL', 'debug'),
],
'formatter' => Monolog\Formatter\JsonFormatter::class, // Use JSON for structured logging
'processors' => [
Monolog\Processor\WebProcessor::class, // Adds request data like IP, URL
Monolog\Processor\IntrospectionProcessor::class, // Adds file and line number
],
],
'cloudwatch_json' => [
'driver' => 'monolog',
'handler' => App\Logging\CloudWatchJsonHandler::class, // Custom handler
'level' => env('LOG_LEVEL', 'debug'),
],
],
Create the custom handler app/Logging/CloudWatchJsonHandler.php. This handler will use the AWS SDK to send logs to CloudWatch. You’ll need to install the AWS SDK if you haven’t already: composer require aws/aws-sdk-php.
<?php
namespace App\Logging;
use Monolog\Handler\AbstractProcessingHandler;
use Monolog\LogRecord;
use Aws\CloudWatchLogs\CloudWatchLogsClient;
use Aws\Exception\AwsException;
class CloudWatchJsonHandler extends AbstractProcessingHandler
{
protected $client;
protected $logGroupName;
protected $logStreamName;
protected $sequenceToken = null;
public function __construct(array $config = [])
{
parent::__construct();
$this->client = new CloudWatchLogsClient([
'version' => 'latest',
'region' => $config['region'] ?? env('AWS_DEFAULT_REGION', 'us-east-1'),
]);
$this->logGroupName = $config['log_group_name'] ?? env('CLOUDWATCH_LOG_GROUP_NAME', '/aws/laravel/your-app-name');
$this->logStreamName = $config['log_stream_name'] ?? env('CLOUDWATCH_LOG_STREAM_NAME', 'laravel-app-' . date('Y-m-d-H')); // Rotate hourly or daily
// Ensure the log group and stream exist
$this->ensureLogGroupExists();
$this->ensureLogStreamExists();
}
protected function ensureLogGroupExists()
{
try {
$this->client->describeLogGroups(['logGroupNamePrefix' => $this->logGroupName]);
} catch (AwsException $e) {
if ($e->getAwsErrorCode() === 'ResourceNotFoundException') {
$this->client->createLogGroup(['logGroupName' => $this->logGroupName]);
} else {
throw $e;
}
}
}
protected function ensureLogStreamExists()
{
try {
$result = $this->client->describeLogStreams([
'logGroupName' => $this->logGroupName,
'logStreamNamePrefix' => $this->logStreamName,
]);
// If stream exists, try to get its sequence token
if (!empty($result['logStreams'])) {
foreach ($result['logStreams'] as $stream) {
if ($stream['logStreamName'] === $this->logStreamName) {
$this->sequenceToken = $stream['uploadSequenceToken'] ?? null;
break;
}
}
}
} catch (AwsException $e) {
if ($e->getAwsErrorCode() === 'ResourceNotFoundException') {
$this->client->createLogStream([
'logGroupName' => $this->logGroupName,
'logStreamName' => $this->logStreamName,
]);
$this->sequenceToken = null; // New stream starts with null token
} else {
throw $e;
}
}
}
protected function write(LogRecord $record): void
{
$logEvent = [
'logGroupName' => $this->logGroupName,
'logStreamName' => $this->logStreamName,
'logEvents' => [
[
'message' => $record->formatted, // Already formatted by Monolog's JsonFormatter
'timestamp' => $record->datetime->getTimestamp() * 1000, // Milliseconds
],
],
];
if ($this->sequenceToken) {
$logEvent['sequenceToken'] = $this->sequenceToken;
}
try {
$result = $this->client->putLogEvents($logEvent);
$this->sequenceToken = $result['nextSequenceToken'];
} catch (AwsException $e) {
// Handle potential throttling or other AWS errors
// For simplicity, we're just logging to stderr here, but a more robust
// solution might involve retries or a fallback mechanism.
error_log("Failed to send log to CloudWatch: " . $e->getMessage());
}
}
}
Update your .env file or deployment configuration:
LOG_CHANNEL=cloudwatch_json
CLOUDWATCH_LOG_GROUP_NAME=/aws/laravel/your-app-name
CLOUDWATCH_LOG_STREAM_NAME=laravel-app-{{ date('Y-m-d-H') }} # Example for hourly rotation
AWS_DEFAULT_REGION=us-east-1
Auditor Check: Confirm that Laravel’s logging is configured to send logs to AWS CloudWatch Logs. Verify that the IAM role has the necessary permissions for CloudWatch Logs. Review the log group and stream configurations. Ensure that sensitive information is not being logged (e.g., passwords, API keys) by checking log content and potentially implementing log filtering or sanitization. Check that log retention policies are configured appropriately in CloudWatch Logs.
Secure Session Management with Redis and Encryption
Laravel’s default file-based session storage is not ideal for distributed environments like AWS. Using Redis for session storage offers better performance and scalability. Crucially, session data should be encrypted to protect sensitive user information.
Configuring Redis Session Driver and Encryption
Ensure you have Redis installed and accessible (e.g., via AWS ElastiCache). Update your .env file:
SESSION_DRIVER=redis REDIS_HOST=your-redis-host.xxxxxx.ng.0001.use1.cache.amazonaws.com REDIS_PASSWORD=null # or your Redis password REDIS_PORT=6379
Laravel automatically encrypts session data if the APP_KEY is set. This encryption uses AES-256-CBC. Ensure your APP_KEY is strong and kept secret.
Auditor Check: Verify that the SESSION_DRIVER is set to redis (or another secure, distributed store). Confirm that the APP_KEY is set and is a strong, randomly generated key. Check that Redis is configured securely (e.g., with authentication if not using IAM roles for ElastiCache access). Ensure that session data is indeed being encrypted by examining the data stored in Redis (it should appear as ciphertext if encrypted).
Laravel Forge/Envoyer and AWS Deployment Security
If you’re using deployment tools like Laravel Forge or Envoyer, their integration with AWS is a critical security surface. These tools typically manage SSH keys and server provisioning.
SSH Key Management and Server Access
Forge/Envoyer will generate SSH keys to access your AWS EC2 instances. These keys should be treated with the same care as your root AWS credentials.
- Key Rotation: Regularly rotate SSH keys used by your deployment tools.
- Access Control: Limit which users have access to the Forge/Envoyer dashboard.
- Server Hardening: Ensure that servers provisioned by these tools have unnecessary ports closed and are configured with security groups that adhere to least privilege.
- IAM Roles for EC2: Instead of embedding AWS access keys directly into the server for provisioning or other AWS interactions, use IAM roles attached to the EC2 instances.
Auditor Check: Review the SSH keys used by Forge/Envoyer. Confirm they are not hardcoded anywhere and are managed securely within the deployment platform. Verify that server access is restricted via AWS Security Groups and Network ACLs. Ensure that the deployment process itself doesn’t require embedding AWS credentials directly on the server; IAM roles should be preferred.