API Co-signer Security Checklist and Recommended Defense and Monitoring Systems - Fireblocks Developer Docs

Co-signer security checklist

Only authorized personnel with high-level privileges and full trust from your organization may perform the Co-signers installation.
Use a clean, hardened machine for the Callback Handler server, restricting access exclusively to authorized personnel or service accounts.
Configure your network rules, cloud resources, and required policies according to the instructions provided in each API Co-signer installation guide.
Use the Callback Handler to log all approval requests, and consider utilizing it to implement additional programmatic protection logic against malicious withdrawals.
Create Policy rules that prevent API users from initiating transfers above a specific amount threshold within a certain timeframe, and require additional manual approval. These rules should apply globally to all withdrawals and withdrawals from specific external user wallets.
Fireblocks advises against disabling Linux UEFI secure boot on your API Co-signer virtual machine, as this goes beyond the security risks introduced by not validating kernel code. We recommend working around any issues you have instead. Using TrendMicro Deep Security agent on Ubuntu 20.04 is one option for secure boot support.

Configuring Multiple API Co-signers in High Availability

⌘I

Co-signer security checklist