AWS Platform Guide

AWS Managed Services

thoughtbot recommends the following AWS services in its platform:

Service | SOC | HITRUST CSF | HIPAA BAA | GDPR
EC2
RDS Postgres
OpenSearch
EKS
KMS
CloudWatch
CloudWatch Logs
Secrets Manager
Config
Route 53
ECR
S3
CloudTrail
DynamoDB
ELB
ACM
SNS
SQS

You should be familiar with the AWS Shared Responsibility model. You can learn more on AWS’s compliance page.

AWS also has further security documentation for its services:

AWS Service | Security Documentation | Notes

AWS Landing Zone

https://docs.aws.amazon.com/whitepapers/latest/nhs-cloud-security-guidance-using-aws/overall-security-governance---aws-landing-zones.html

Relevant to most of the Principles covered by the Good Practice Guide, a Landing Zone is a solution available from AWS that automatically creates an environment consisting of a set of related AWS accounts configured in such a way as to establish security (and cost-related) guardrails for AWS usage by a wide variety of teams with minimum friction. The environment includes the foundations of identity management, logging and monitoring, governance, security, and network design, the specifics of which may be implemented using decisions made in examining each of the principles covered in the overall security governance document.

AWS Control Tower

https://docs.aws.amazon.com/controltower/latest/userguide/security.html

AWS Control Tower is a well-architected service that can help your organization meet your compliance needs with controls and best practices. Additionally, third-party auditors assess the security and compliance of a number of the services you can use in your landing zone as a part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

Your compliance responsibility when using AWS Control Tower is determined by the sensitivity of your data, your company’s compliance objectives, and applicable laws and regulations.

AWS Config

https://docs.aws.amazon.com/config/latest/developerguide/security.html

Conformance pack templates (a selected few; many more are available). Each provides an example mapping of a framework's controls to the AWS Config rules that implement them.

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_top_20.html

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-csf.html

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-moderate.html

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-low.html

Included within the Landing Zone solution, this service tracks configuration settings of AWS resources over time against a desired-state baseline, and raises alerts (and optionally triggers remedial action) when changes are detected.

The service also enables configuration to be audited, in order to demonstrate compliance (or otherwise) against a baseline. See the AWS Config Developer Guide for a detailed description of how to use it.

Recommended best practice guidelines:

  • Leverage tagging for AWS Config, which makes it easier to manage, search for, and filter resources.

  • Confirm your delivery channel has been set up correctly (AWS Config allows one delivery channel per Region per account, and it needs an S3 bucket to write to), and once confirmed, verify that the configuration recorder is actually recording and that its last run succeeded.
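The two checks above, carried out against the API responses AWS Config returns, as an added example that is not part of this guide or of AWS's documentation. The function names are this example's own; the sample responses are constructed (placeholder bucket name, account ID and SNS ARN) and follow the field names of the DescribeConfigurationRecorderStatus and DescribeDeliveryChannels APIs, so the check runs offline, and fetch_live() is an optional hook for pointing it at a real account.

```python
"""Verify that AWS Config is recording and has a working delivery channel.

Example written for this guide, not thoughtbot's or AWS's code. It inspects
the response shapes of DescribeConfigurationRecorderStatus and
DescribeDeliveryChannels, so it runs offline against the constructed sample
responses at the bottom and, via fetch_live(), against a real account.
"""

from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class ConfigHealth:
    ok: bool
    problems: List[str] = field(default_factory=list)


def check_recorder_status(statuses: List[Dict[str, Any]]) -> List[str]:
    """Problems found in DescribeConfigurationRecorderStatus output.

    A recorder that exists but is stopped records nothing; one whose last run
    failed is usually blocked by the delivery channel (bucket policy, KMS key).
    """
    if not statuses:
        return ["no configuration recorder exists: nothing is being recorded"]
    problems = []
    for st in statuses:
        name = st.get("name", "<unnamed>")
        if not st.get("recording"):
            problems.append(f"recorder {name} is not recording (call StartConfigurationRecorder)")
        elif st.get("lastStatus") == "Failure":  # API values: Pending | Success | Failure
            problems.append(
                f"recorder {name} last run failed: "
                f"{st.get('lastErrorCode')} {st.get('lastErrorMessage')}"
            )
    return problems


def check_delivery_channels(channels: List[Dict[str, Any]]) -> List[str]:
    """Problems found in DescribeDeliveryChannels output.

    AWS Config allows one delivery channel per Region; it must name an S3
    bucket, and without an SNS topic no change notifications are sent.
    """
    if not channels:
        return ["no delivery channel configured: snapshots and history cannot be delivered"]
    problems = []
    for ch in channels:
        name = ch.get("name", "<unnamed>")
        if not ch.get("s3BucketName"):
            problems.append(f"delivery channel {name} has no s3BucketName")
        if not ch.get("snsTopicARN"):
            problems.append(f"delivery channel {name} has no snsTopicARN (no change notifications)")
    return problems


def check_config_health(statuses: List[Dict[str, Any]],
                        channels: List[Dict[str, Any]]) -> ConfigHealth:
    """Combine both checks; ok is True only when no problem was found."""
    problems = check_recorder_status(statuses) + check_delivery_channels(channels)
    return ConfigHealth(ok=not problems, problems=problems)


def fetch_live(region: Optional[str] = None) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Pull the two responses from a real account with boto3 (needs credentials)."""
    import boto3  # imported here so the module loads where boto3 is absent

    cfg = boto3.client("config", region_name=region)
    statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    channels = cfg.describe_delivery_channels()["DeliveryChannels"]
    return statuses, channels


# Constructed sample responses (not captured from a real account); the bucket
# name, account ID, SNS ARN and error text are placeholders.
HEALTHY_STATUS = [{"name": "default", "recording": True, "lastStatus": "Success"}]
HEALTHY_CHANNELS = [{
    "name": "default",
    "s3BucketName": "example-config-bucket",
    "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
}]
STOPPED_STATUS = [{"name": "default", "recording": False, "lastStatus": "Success"}]
FAILING_STATUS = [{"name": "default", "recording": True, "lastStatus": "Failure",
                   "lastErrorCode": "InsufficientDeliveryPolicy",
                   "lastErrorMessage": "constructed: bucket policy denies config.amazonaws.com"}]
NO_SNS_CHANNELS = [{"name": "default", "s3BucketName": "example-config-bucket"}]

if __name__ == "__main__":
    for label, s, c in [("healthy", HEALTHY_STATUS, HEALTHY_CHANNELS),
                        ("stopped", STOPPED_STATUS, HEALTHY_CHANNELS),
                        ("failing", FAILING_STATUS, NO_SNS_CHANNELS)]:
        health = check_config_health(s, c)
        print(label, "OK" if health.ok else "PROBLEMS:", *health.problems, sep="\n  ")
```

Run it as a script to see the three constructed cases, or replace the samples with `fetch_live()` output in a CI job that fails when `ok` is False; the stopped-recorder case is the one most often missed, because the recorder and channel both exist and nothing looks wrong in the console until history is needed.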

AWS Secrets Manager

https://docs.aws.amazon.com/secretsmanager/latest/userguide/security.html

AWS CloudTrail

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html

AWS EKS

https://docs.aws.amazon.com/eks/latest/userguide/security.html

AWS CloudFormation

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security.html

AWS S3

https://aws.amazon.com/s3/security/

AWS IAM Identity Center (SSO)

https://docs.aws.amazon.com/singlesignon/latest/userguide/security.html

AWS Managed Prometheus

https://aws.amazon.com/prometheus/

AWS Managed Grafana

https://aws.amazon.com/grafana/
