# DevSecOps Journey

Journey to DevOps with security in mind

> **Info**
>
> Set up an AWS account with a secure baseline configuration based on the CIS Amazon Web Services Foundations Benchmark and the AWS Foundational Security Best Practices standard.
## AWS Secure Multi-Environment Setup

- One AWS account per environment
- AWS Organizations with Organizational Units (OUs)
- Service Control Policies (SCPs)
- AWS SSO (set up manually or with CloudFormation)
## Identity and Access Management

- Set up an IAM password policy.
- Create an IAM role for contacting AWS Support during incident handling.
- Enable AWS Config rules to audit the status of the root account.
- Enable IAM Access Analyzer in each region.
- Follow IAM best practices.
## Logging & Monitoring

- Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
- Enable object-level logging for all S3 buckets by default.
- Encrypt CloudTrail logs with AWS Key Management Service (KMS).
- Store all logs in an S3 bucket with access logging enabled.
- Archive logs to Amazon S3 Glacier automatically after a configurable period (default: 90 days).
- Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enable AWS Config in each region to take configuration snapshots automatically.
- Enable Security Hub and subscribe to the available standards:
  - CIS AWS Foundations Benchmark
  - PCI DSS
  - AWS Foundational Security Best Practices
- Enable GuardDuty in each region.
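As an added illustration of the CloudTrail items in this list (example code, not part of this project), the following Python checks trail definitions in the shape of the CloudTrail `DescribeTrails` response against the baseline: multi-region, CloudWatch Logs delivery, KMS encryption and log file validation. The sample trails, account id, bucket names and ARNs are constructed placeholders.

```python
"""Audit CloudTrail trail definitions against the logging baseline above."""
from typing import Dict, List

# Constructed sample in the shape of the CloudTrail DescribeTrails response
# (boto3: cloudtrail.describe_trails()["trailList"]); not from a real account.
SAMPLE_TRAILS: List[Dict] = [
    {  # trail that meets every control in the baseline
        "Name": "org-baseline-trail",
        "S3BucketName": "example-cloudtrail-logs",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Default:*",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {  # single-region trail: no CloudWatch delivery, no KMS key, no validation
        "Name": "legacy-trail",
        "S3BucketName": "example-old-logs",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
    },
]


def check_trail(trail: Dict) -> List[str]:
    """Return the baseline controls this trail fails (empty list means compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not multi-region: API activity in other regions is not captured")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Logs delivery: metric-filter alarms cannot fire")
    if not trail.get("KmsKeyId"):
        findings.append("log files not encrypted with a KMS key (SSE-KMS)")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: tampering with delivered logs is undetectable")
    return findings


def audit(trails: List[Dict]) -> Dict[str, List[str]]:
    """Map every trail name to its findings so each gap can be tracked."""
    return {t["Name"]: check_trail(t) for t in trails}


def account_has_compliant_trail(trails: List[Dict]) -> bool:
    """The baseline is met when at least one trail satisfies every control."""
    return any(not check_trail(t) for t in trails)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TRAILS).items():
        print(f"{name}: {'OK' if not findings else findings}")
```

In a real account, feed the function the `trailList` returned by `describe_trails()` for each region so that region-local trails are also covered.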
## Networking & Computing

- Remove all rules from the default route tables, default network ACLs and default security groups of the default VPC in all regions.
- Enable AWS Config rules to audit security group rules that allow unrestricted access to common ports.
- Enable VPC Flow Logs for the default VPC in all regions.
- Enable default EBS encryption for newly created volumes.
## Secure IaC Pipeline using Terraform

- Lint checks
- SAST checks
- Compliance checks
## Secure Codebase

- git-secrets pre-commit hooks
- AWS secrets management:
  - AWS Systems Manager Parameter Store (SecureString parameters)
  - AWS Secrets Manager
- Bridgecrew free scanning for Terraform source code
## ChatOps

- Send CloudWatch, Security Hub, and GuardDuty notifications to Slack