Security¶
Encryption¶
- RDS — storage is always encrypted (AWS-managed key by default, or
storage_encryption_key_arn). - EFS — always encrypted (AWS-managed key by default, or
efs_encryption_key_arn). - In transit — the ALB terminates TLS with an ACM certificate validated in your Route 53 zone; SES SMTP uses TLS on port 587.
Secrets¶
All sensitive values live in AWS Secrets Manager, readable only by the EC2 instance role:
| Secret | Contents | Manager |
|---|---|---|
| App key | BookStack APP_KEY | module.bookstack_app_key |
| DB master credentials | RDS-managed master username/password | module.rds (AWS-managed) |
| SES SMTP password | SES SMTP password | module.ses_smtp_password |
| Google OAuth client secret | OAuth client secret | supplied by the caller (google_oauth_client_secret) |
The instance-profile IAM policy (datasources.tf) grants secretsmanager:GetSecretValue on exactly these four secret ARNs — nothing broader.
Master credential scope
The RDS module uses an AWS-managed master password, and the application reads it via the database_secret_name. This means the EC2 role can read the database master/superuser credential rather than a narrowly-scoped application user. If you require least-privilege DB access, provision a dedicated application user as a follow-up and point BookStack at it.
Network posture¶
- The RDS security group (managed by
module.rds) allows MySQL only from within the VPC CIDR. - The EFS security group allows NFS only from within the VPC CIDR.
- SSH is closed by default; open it explicitly with
ssh_cidr_block(+key_pair_name).
Email sending restrictions¶
The SES IAM user's policy restricts the FromAddress to the Route 53 zone domain, so the instances cannot send mail from arbitrary domains. The SMTP IAM access key auto-rotates on the smtp_key_rotation_days schedule.
Application artifact (supply chain)¶
bookstack_prebuilt_package_url is downloaded over HTTPS at boot and unpacked into the application's vendor/ directory. It is integrity-checked: the boot-time pre_runcmd verifies the download against bookstack_prebuilt_package_sha256 and, on a mismatch (a tampered or replaced object, or a corrupt download), deletes the file and fails the bootstrap — so untrusted code is never unpacked into the application. This also pins the content: swapping the object without updating the hash will fail verification rather than silently ship new code.
Still treat the hosting location as a supply-chain dependency:
- Serve it from a location you control and whose write access is restricted.
- Keep
bookstack_prebuilt_package_urlandbookstack_prebuilt_package_sha256updated together. - Setting
bookstack_prebuilt_package_sha256 = nulldisables verification (not recommended); settingbookstack_prebuilt_package_url = nullfalls back to building dependencies at boot instead.
Provider isolation¶
The aws.dns aliased provider lets Route 53 records be managed in a separate account from the application resources, supporting an isolated DNS account if your organization uses one.