Security and Compliance
AWS Managed Services
thoughtbot recommends the following AWS services in its platform:
Service |
---|
EC2 |
RDS Postgres |
OpenSearch |
EKS |
KMS |
CloudWatch |
CloudWatch Logs |
Secrets Manager |
Config |
Route 53 |
ECR |
S3 |
CloudTrail |
DynamoDB |
ELB |
ACM |
SNS |
SQS |
You should be familiar with the AWS Shared Responsibility model. You can learn more on AWS’s compliance page.
AWS also has further security documentation for its services:
AWS Service | Security Documentation | Notes |
---|---|---|
AWS Landing Zone | https://docs.aws.amazon.com/whitepapers/latest/nhs-cloud-security-guidance-using-aws/overall-security-governance---aws-landing-zones.html | Relevant to most of the Principles covered by the Good Practice Guide, a Landing Zone is a solution available from AWS that automatically creates an environment consisting of a set of related AWS accounts configured in such a way as to establish security (and cost-related) guardrails for AWS usage by a wide variety of teams with minimum friction. The environment includes the foundations of identity management, logging and monitoring, governance, security, and network design, the specifics of which may be implemented using decisions made in examining each of the principles covered in the overall security governance document. |
AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/security.html | AWS Control Tower is a well-architected service that can help your organization meet your compliance needs with controls and best practices. Additionally, third-party auditors assess the security and compliance of a number of the services you can use in your landing zone as a part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others. Your compliance responsibility when using AWS Control Tower is determined by the sensitivity of your data, your company’s compliance objectives, and applicable laws and regulations. |
AWS Config | https://docs.aws.amazon.com/config/latest/developerguide/security.html. See also the templates for conformance packs (a selected few; there are many available), which provide example mappings of controls to implementation. | Included within the Landing Zone solution, this service tracks configuration settings of AWS resources over time against a desired-state baseline, and raises alerts (and optionally triggers remedial action) when changes are detected. The service also enables configuration to be audited, in order to demonstrate compliance (or otherwise) against a baseline. See the AWS Config Developer Guide for a detailed description of how to use it. Recommended best practice guidelines: |
AWS Secrets Manager | | |
AWS CloudTrail | | |
AWS EKS | | |
AWS CloudFormation | | |
AWS S3 | | |
AWS IAM Identity Center (SSO) | | |
AWS Managed Prometheus | | |
AWS Managed Grafana | | |
GitHub
thoughtbot also recommends the use of GitHub for source control and CI/CD workflows. GitHub supports compliance with a number of frameworks, including GDPR, SOC 1/2, and FedRAMP. You can learn more at GitHub’s security page.
Procedures and Practices
thoughtbot implements the following procedures and practices to help with compliance:
- Integrate cloud access with single sign-on
- Separate workflows by development life cycle
- Encrypt all data at rest and in transit
- Unique customer-controlled encryption keys for each data store
- Network isolation for data stores and backend services
- Organization-wide AWS backup policies
- Organization-wide AWS security policies
- Organization-wide AWS Config controls
- Enforce SDLC workflows using CI/CD
- Automated vulnerability scans for infrastructure and application dependencies
- Encrypted logs with archives
- Audit logs for infrastructure access and changes
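As an added example (not thoughtbot's code) of how the AWS Config controls, encryption-at-rest and customer-controlled-key practices above can be enforced mechanically: a custom AWS Config rule, written here as a Python Lambda handler, that marks an RDS instance non-compliant unless its storage is encrypted with a customer-managed KMS key. The lowerCamelCase configuration-item field names, the use of KMS `describe_key` to read `KeyManager`, and the sample ARNs and ids are assumptions of this example.

```python
"""AWS Config custom rule: an RDS instance is compliant only when its storage is
encrypted at rest with a customer-managed KMS key (not the AWS-managed aws/rds key)."""
import json
from typing import Callable, Dict

# Maps a KMS key ARN to KeyMetadata.KeyManager ("CUSTOMER" or "AWS").
KeyManagerLookup = Callable[[str], str]


def describe_key_manager(key_arn: str) -> str:
    """Default lookup when deployed: ask KMS who manages the key."""
    import boto3  # imported lazily so the module also runs without AWS access
    return boto3.client("kms").describe_key(KeyId=key_arn)["KeyMetadata"]["KeyManager"]


def evaluate_rds_instance(config: Dict, lookup: KeyManagerLookup) -> Dict[str, str]:
    """Evaluate the `configuration` section of an AWS::RDS::DBInstance item (assumed lowerCamelCase)."""
    if not config.get("storageEncrypted"):
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "Storage not encrypted at rest"}
    key_arn = config.get("kmsKeyId")
    if not key_arn or lookup(key_arn) != "CUSTOMER":
        return {"ComplianceType": "NON_COMPLIANT",
                "Annotation": f"Key {key_arn} is not a customer-managed KMS key"}
    return {"ComplianceType": "COMPLIANT", "Annotation": "Encrypted with a customer-managed key"}


def lambda_handler(event: Dict, context=None, lookup: KeyManagerLookup = describe_key_manager) -> Dict:
    """Entry point AWS Config invokes; returns the evaluation it reports."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
        **evaluate_rds_instance(item["configuration"], lookup),
    }
    # The console's test mode sends the literal token "TESTMODE"; only report
    # back to the service on real invocations.
    if event.get("resultToken", "TESTMODE") != "TESTMODE":
        import boto3
        boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                               ResultToken=event["resultToken"])
    return evaluation


# Constructed sample input (hypothetical ARNs and ids, not real resources).
SAMPLE_KEYS = {"arn:aws:kms:us-east-1:111122223333:key/cmk-0001": "CUSTOMER",
               "arn:aws:kms:us-east-1:111122223333:key/aws-rds-0002": "AWS"}
SAMPLE_EVENT = {"resultToken": "TESTMODE", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::RDS::DBInstance", "resourceId": "db-ABC123",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"storageEncrypted": True,
                      "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-0001"}}})}
```

Deployed as the rule's Lambda, the same handler runs on every configuration change of an RDS instance and the annotation surfaces in the AWS Config console and compliance reports.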