INF-01: Cloud Security Configuration (AWS)
Objective
Maintain secure AWS infrastructure configuration.
Description
AWS infrastructure follows security best practices. Security Groups, NACLs, and IAM policies are configured with least privilege. Infrastructure as Code is used for consistent secure configurations.
Implementation Details
Network Segmentation: Production VPC separate from development. Public subnets for load balancers, private subnets for application/database.
Security Groups: Default deny all inbound. Explicit allow rules for necessary traffic. No 0.0.0.0/0 for sensitive ports.
Infrastructure as Code: Terraform for all infrastructure. Peer review required. Terraform state in encrypted S3 with DynamoDB locking.
AWS Config: Enabled in all regions. Rules check for security misconfigurations (unencrypted resources, public S3 buckets, etc.).
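A concrete form of the security group rules audit listed under Audit Evidence, as an added example that is not part of this control's text or of the organisation's own tooling: it walks the JSON shape returned by aws ec2 describe-security-groups (a constructed sample is embedded so it runs offline) and reports any ingress rule that exposes a port other than 443 to 0.0.0.0/0 or ::/0, rating the finding higher when the port is a sensitive service such as Postgres or SSH. The allowed-port and sensitive-port lists are assumptions for the example, not values from the control.

```python
"""Audit security group ingress rules for world-open access on non-allowed ports.

Added example, not the control's own code. Input is the "SecurityGroups" list
as returned by `aws ec2 describe-security-groups`; the sample below is constructed.
"""
from ipaddress import ip_network

# Ports the control allows to face the internet (load balancers in public subnets).
# Assumption for this example: only HTTPS.
PUBLIC_ALLOWED_PORTS = {443}

# Ports treated as sensitive; world-open access to these is rated HIGH (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}


def is_any_address(cidr: str) -> bool:
    """True for the unrestricted sources 0.0.0.0/0 and ::/0."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def port_range(perm: dict) -> tuple:
    """(from, to) for an IpPermission; protocol -1 (all traffic) covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups: list) -> list:
    """Return one finding per (rule, unrestricted source) that exposes non-allowed ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_range(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_any_address(cidr):
                    continue  # scoped source (e.g. a VPC CIDR): allowed by the control
                exposed = set(range(lo, hi + 1)) - PUBLIC_ALLOWED_PORTS
                if not exposed:
                    continue  # only 443 is open to the world: compliant
                high = bool(exposed & SENSITIVE_PORTS) or lo == 0
                findings.append({
                    "group": sg["GroupId"],
                    "name": sg.get("GroupName", ""),
                    "source": cidr,
                    "ports": f"{lo}-{hi}",
                    "severity": "HIGH" if high else "MEDIUM",
                })
    return findings


# Constructed sample mirroring the describe-security-groups output shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db", "GroupName": "prod-postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']:12} {f['name']:18} {f['source']:10} ports {f['ports']}")
```

Feed it the output of aws ec2 describe-security-groups --query SecurityGroups and diff the findings against the previous run; an empty result is the expected state when only the load balancer group exposes 443. The sample deliberately includes a group that has both a VPC-scoped source and a world-open source on 5432, since the scoped rule alone does not make the group compliant.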
Examples
- Production RDS databases in private subnet, not internet-accessible
- Security groups allow only necessary ports (443 for HTTPS, 5432 for Postgres)
- AWS Config rule alerts when S3 bucket becomes public
- All infrastructure changes require Terraform PR with security review
Audit Evidence
- Network architecture diagram
- Terraform code repository
- AWS Config compliance dashboard
- Security group rules audit
Framework Mapping
SOC 2
- CC6.6 ^[Secure cloud configurations restrict access to infrastructure based on network location and security controls]
- CC7.2 ^[AWS Config monitoring detects misconfigurations that could indicate security issues]
GDPR
- Article 32 ^[Secure cloud infrastructure configurations (VPCs, Security Groups, IAM) are technical measures ensuring security of processing]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Policies:
- Engineering Security Policy ^[Infrastructure as code (Terraform/CloudFormation), security scanning (tfsec, checkov), no manual production changes]