Pre-prod security checks for AG

[andrewpatto]

We have tentative approval from the MCRI CAB to deploy to AWS wrapping AG data.

• [ ] Review of all API entry points by @andrewpatto

Go through all the code and trace API entrypoint to service - and make sure it has permission checks

• [ ] AWS policy checks by @williamputraintan

Review all the policies deployed to AWS written by marco and patto

• [ ] Docker/container/build process/supply chain security review @brainstorm

Review the build/container setup of the elsa-data image itself and review for security improvements

• [ ] Q/A with @brainstorm

Get Roman to ask security questions and us answer them to his satisfaction (try to get some fresh thinking on anything we might have missed/not thought about)

[andrewpatto]

@mmalenic @DoxasticFox This is an issue for us to put in any review suggestions to make us happy before we (full) deploy to prod and enable actual sharing of data (I can defer the S3 permissions in a way that we will be able to deploy to prod before actually switching on "sharing")