Each one of these will need to be referenced and described in more detail:
Things we already implement at Bitwise:
Security
[ ] Roles
AssumeRole grants privileges within AWS
Roles are assumed explicitly to manage resources
[ ] MFA (required)
Secures access to accounts
Required for every account; basic accounts themselves have extremely low privileges
New services we would like to implement or dive deeper with based on our research:
[ ] 1. AWS Secrets Manager (replaces our current practice of hard-coding secrets)
Applies to database keys and API keys
Allows us to audit these keys (e.g. accidental key deletion)
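As an added example (not code from this issue or from Bitwise), this is the pattern the item above asks for: a small cache-backed store that reads database credentials from Secrets Manager at runtime in place of constants in source. It uses the real boto3 call get_secret_value(SecretId=...) but ships with a constructed in-memory stand-in client so it runs offline; the secret name prod/app/db and its contents are assumptions.

```python
import json
import time

# Constructed sample secret in the key/value layout Secrets Manager uses for
# database credentials (values are placeholders, not real credentials).
SAMPLE_SECRETS = {"prod/app/db": json.dumps({
    "username": "app", "password": "placeholder-only", "host": "db.internal",
    "port": "5432", "dbname": "app", "engine": "postgres"})}


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client, for offline use."""
    def __init__(self, secrets):
        self._secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"SecretString": self._secrets[SecretId]}


class CachingSecretStore:
    """Fetch secrets at runtime instead of hard-coding them; cache briefly so hot paths do not hit the API per request."""
    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        # client is e.g. boto3.client("secretsmanager"); clock is injectable for tests
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._cache = {}  # secret_id -> (expires_at, value)

    def get(self, secret_id):
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit and hit[0] > now:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" in resp:
            try:
                value = json.loads(resp["SecretString"])  # key/value secrets (DB creds)
            except ValueError:
                value = resp["SecretString"]              # plain string (single API key)
        else:
            value = resp["SecretBinary"]                  # boto3 hands back bytes
        self._cache[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id):
        self._cache.pop(secret_id, None)  # after rotation or a failed login: refetch next time


def connect_args(store, secret_id="prod/app/db"):
    """Build DB connection kwargs from the secret instead of constants in source."""
    c = store.get(secret_id)
    return {"host": c["host"], "port": int(c["port"]), "user": c["username"], "password": c["password"]}
```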
[ ] 2. AWS Control Tower
Allows us to manage multi-account environments
Governs AWS workloads (security, operations, and internal compliance)
Ties into IAM
Simplifies account creation and ensures policies are applied to accounts
Controls what resources get deployed in our environment based on policies
[ ] 3. AWS CloudTrail
Records user activity (API calls) for inspection
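As an added illustration (not code from this issue or from Bitwise), the role and MFA controls listed under "Security" above and CloudTrail's activity records can be tied together in a small offline check: it scans a CloudTrail log file for console logins without MFA, human-role sessions acting without MFA, and root usage. The record layout follows CloudTrail's userIdentity fields; the log contents, role names and the HUMAN_ROLES set are constructed assumptions.

```python
import json

# Constructed sample CloudTrail records (not real log data), trimmed to the
# fields the checks below read.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": "Admin"}, "attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": "Admin"}, "attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e5", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"userName": "ci-deploy"}, "attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "Root"}},
]})

# Roles that humans assume; their sessions must carry MFA. Machine roles (CI,
# EC2 instance profiles) can never present MFA, so they are left out. Assumed names.
HUMAN_ROLES = {"Admin", "Developer"}


def findings_for(rec, human_roles=HUMAN_ROLES):
    """Return the control violations found in one CloudTrail record."""
    ident = rec.get("userIdentity", {})
    ctx = ident.get("sessionContext", {})
    out = []
    if ident.get("type") == "Root":
        out.append("root credentials used")      # resources are managed via roles, not root
    if rec.get("eventName") == "ConsoleLogin":
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            out.append("console login without MFA")
    if ident.get("type") == "AssumedRole":
        role = ctx.get("sessionIssuer", {}).get("userName")
        if role in human_roles and ctx.get("attributes", {}).get("mfaAuthenticated") != "true":
            out.append(f"{role} session acting without MFA")
    return out


def scan_log(text, human_roles=HUMAN_ROLES):
    """Parse one CloudTrail log file ({"Records": [...]}) and map eventID -> findings."""
    return {r["eventID"]: f for r in json.loads(text)["Records"]
            if (f := findings_for(r, human_roles))}
```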
[ ] 4. AWS KMS (if we handle sensitive data)
Encrypts data across AWS workloads
Can encrypt server-side or client-side
[ ] 5. Amazon Macie (if HIPAA compliance is required)
Protects sensitive data at scale
Automatic detection for PII
[ ] 6. AWS GuardDuty (unusual, unauthorized or malicious activity within AWS)
Managed threat detection
Watches for unexpected or unusual privilege escalations, exposed credentials, or communication with malicious IP addresses (maybe this is something we can use to secure outbound traffic?)
EC2 malware detection
Detects unauthorized deployments or deployments to a never-used region
Detects unusual API calls
Detects password policy changes that reduce password strength
[ ] 7. AWS Config
Can track verbose configuration history of resources (e.g. OS configs)
Tracks resource relationships (e.g. SGs with EC2s)
Snapshot of resource configs
Integrates with AWS Organizations, CloudTrail, Security Hub
[ ] 8. AWS Security Hub
Unified security and compliance center
Comprehensive view of security state
Checks our environment against industry security standards and practices
[ ] 9. AWS Firewall Manager
Simplifies WAF administration
Helps protect CloudFront distributions
Helps protect resources that share the same tags
[ ] 10. AWS Network Firewall
Network protection for VPCs
Scales automatically with your network traffic
Define firewall rules that give you fine-grained control over network traffic.
Intrusion prevention system that provides traffic flow inspection
Web filtering to stop known bad URLs
Enforce policies to prevent VPCs from accessing domains using an unauthorized protocol
[ ] 11. AWS Shield
Integrates with CloudFront and Route 53 to protect against known infrastructure attacks
AWS Shield Advanced: higher-level protection that monitors EC2, ELB, CloudFront, Global Accelerator and Route 53
Can provide application-layer DDoS mitigation
Protection groups for resources improve detection accuracy and reduce false positives
Is your feature request related to a problem? Please describe.
Currently, our DevOps structure and documentation are scattered.
Describe the solution you'd like.
We should have a central repository of information for our devops references that are related to our developer experience. We started a cross reference list here: https://docs.google.com/document/d/1ogVmLmemhszBxBdktnffeCAPy_AD529SC8lm0bEqHq8/edit
Describe alternatives you've considered
No response
Additional context
No response