Identity, Authentication, and Authorization
Accounts and Credentials
- Shared user accounts should not be used.
- Multi-factor (MFA) authentication MUST be enabled for all user accounts where applicable.
- Access to service account credentials MUST follow the access control of the resources to which the credentials grant access.
- Service account credentials MUST be rotated every 365 days.
- Non-MFA user account credentials (for example, API keys) MUST be rotated every 90 days.
Identity
- An identity provider should be used for all external accounts where applicable.
Authorization
- Security groups should be used to grant access to sensitive data to users.
Network Security
- All network firewalls must be configured such that the default policy is deny.
- Network firewall rules should deny egress by default.
- All external communication must be encrypted in transit using up-to-date protocols and ciphers.
- All internal communication should be encrypted in transit if possible.
Data Handling and Isolation
- Data must be encrypted at rest.
- Data may be encrypted using provider-managed keys.
- Data of different types should be logically separated at rest.
- Virtual networks (for example, VPC in AWS) may be used as a mechanism for data and workload isolation.
Examples of different data types:
- User content, such as notification entities or subscriber data
- Production-derived data, such as logs
- DFIR (Digital Forensics and Incident Response) artifacts, such as system logs and disk images
Vulnerability and Patch Management
- Resources should be covered by our vulnerability scanning tools in AWS, Snyk, or DeepSource.
Change Management and Tracking
- Changes to systems that process user data must be tracked in a corresponding issue, pull request, or other reviewable process.
Audit Logging
- Environment audit logs should be enabled and stored in accordance with the retention policy.
- Application audit logs, if supported and available, should be enabled and stored in accordance with the retention policy
Best Practices
The following practices are meant to provide more specific technical implementation examples to meet the above criteria.
AWS Practices
Multiple Environments
Development and deployment should occur in a minimum of 2 environments, in addition to local development:
- A shared testing, integration, or other non-production environment.
- A production environment that meets or exceeds the requirements in this page.
As a best practice, the environments should be configured as similarly as possible, to reduce deployment errors caused by inconsistent configuration.
Least Privileges Review
AWS permissions for accounts should be granted only for the needed use and scoped to the minimum.
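One check that supports such a review, as an added example (not the page's or GitLab's own tooling): it lints an IAM policy document and reports Allow statements whose Action or Resource is a wildcard, which is the usual sign that a grant was not scoped to the minimum. The sample policy is constructed for illustration.

```python
"""Least-privilege lint for an AWS IAM policy document (added example,
not part of the original page). It flags Allow statements whose Action
or Resource is a wildcard, the usual sign a grant was not scoped down."""
import json

# Constructed sample: one over-broad grant, one scoped grant, one Deny.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string/object or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_broad(pattern):
    """'*' or 'service:*' (e.g. 'iam:*', 'arn:aws:s3:::*') is not scoped."""
    return pattern == "*" or pattern.endswith(":*")


def find_broad_grants(policy_json):
    """Return (statement_index, field, value) per unscoped Allow grant.
    Deny is skipped (a broad Deny narrows access); Allow with NotAction
    grants everything except the listed actions, so it is reported too."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if _is_broad(action):
                findings.append((idx, "Action", action))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allow-by-exclusion"))
        for resource in _as_list(stmt.get("Resource")):
            if _is_broad(resource):
                findings.append((idx, "Resource", resource))
    return findings


# Findings for the constructed sample: statement 0 is flagged twice.
FINDINGS = find_broad_grants(SAMPLE_POLICY)
```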
Based on https://about.gitlab.com/handbook/security/planning/security-development-deployment-requirements/
Secure Configuration Baselines