Must Have:
- Use a different sub-account for each environment
- Least-privilege access for each user
- Create the right IAM policies
- Use KMS to store and manage keys
- Use encryption for databases and S3 buckets for compliance
- End-to-end data encryption in transit using SSL certificates
Good To Have:
- Strictly use multi-factor authentication for all user logins
- Separate database instances for each environment in the private subnet
- Enable CloudTrail for logging account activity
- Use a secrets manager to protect the secrets needed to access your applications, services and IT resources
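To make the account-level items above checkable rather than aspirational, here is an added Python example (not part of the original checklist) that audits an account snapshot for wildcard IAM policies, users without MFA, S3 buckets lacking default encryption, and a logging multi-region CloudTrail; the snapshot dict, user and bucket names and the account id 000000000000 are all constructed, with shapes loosely following boto3 responses.

```python
# Constructed account snapshot (not live AWS data); shapes loosely follow boto3 responses.
SNAPSHOT = {
    "users": [{"UserName": "alice", "MFADevices": ["arn:aws:iam::000000000000:mfa/alice"]},
              {"UserName": "ci-deploy", "MFADevices": []}],
    "policies": {
        "DeployPolicy": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
        "ReadLogs": {"Statement": [{"Effect": "Allow", "Action": ["logs:GetLogEvents"],
                                    "Resource": "arn:aws:logs:eu-west-1:000000000000:log-group:app:*"}]},
    },
    "buckets": {
        "app-data": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "legacy-exports": {},
    },
    "trails": [{"Name": "main", "IsMultiRegionTrail": True, "IsLogging": False}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_statements(policies):
    """(policy, action) pairs where an Allow grants a wildcard action on Resource '*'."""
    hits = []
    for name, doc in policies.items():
        for st in doc["Statement"]:
            broad = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
            if st.get("Effect") == "Allow" and broad and "*" in _as_list(st.get("Resource", [])):
                hits.append((name, broad[0]))
    return hits

def users_without_mfa(users):
    return [u["UserName"] for u in users if not u.get("MFADevices")]

def unencrypted_buckets(buckets):
    # Flag buckets with no default server-side encryption rule at all (KMS or otherwise).
    return [b for b, cfg in buckets.items()
            if not cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules")]

def cloudtrail_ok(trails):
    return any(t["IsMultiRegionTrail"] and t["IsLogging"] for t in trails)

def audit(snapshot):
    """One finding string per failed check; an empty list means every check passed."""
    findings = [f"policy {n}: wildcard Allow {a} on Resource *"
                for n, a in wildcard_statements(snapshot["policies"])]
    findings += [f"user {u}: no MFA device" for u in users_without_mfa(snapshot["users"])]
    findings += [f"bucket {b}: no default encryption" for b in unencrypted_buckets(snapshot["buckets"])]
    if not cloudtrail_ok(snapshot["trails"]):
        findings.append("cloudtrail: no multi-region trail that is currently logging")
    return findings
```

Against a real account, the same functions can be fed the output of the corresponding IAM, S3 and CloudTrail API calls; the snapshot here exists only so the checks run offline.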
Must Have:
- Role-based access control to storage
- Periodic storage backups
Good To Have:
- Use the provided native encryption capabilities (KMS keys) for encrypting data at rest
- Enable logging and auditing to monitor storage activity
Must Have:
- Automated hardening / secure configuration, self-healing
- Patch management of applications and libraries of the operating system
- Creating secure accounts with the required privileges only (i.e., user management)
Must Have:
- Role-based access control to monitoring tools
Good To Have:
- Resource monitoring
- System and application log monitoring
- Automated security information and event alerting on Slack, email, etc.
Must Have:
- Authorized login only
- Role-based access control so that a user gets only project-specific access
- Developers can only see the logs
- Only an admin can create a user
- No build runs on the master node, to prevent programs from accessing the Jenkins home directory and other server files
- Use Docker containers as Linux agents (nodes)
- The Jenkins pipeline for each environment has IAM users (with the required access only) for accessing the AWS resources during execution
- Only whitelisted IPs can connect to the Jenkins server using SSH
- Clean the workspace directory (source code) as soon as the build finishes
- Update Jenkins and plugins regularly
Good To Have:
- Use credentials to store and mask sensitive data such as tokens or API keys
Must Have:
- Only the account owner can create or delete a repository
- Only the project manager has admin permission on repositories
- Only the project manager/lead should have write access to main branches
- Delete protection for main branches
- No secret or environment files should be pushed to the repository
- Only developers working on the project have access to the repository
- Use SSH keys to access remote Git repositories
- Update Git periodically to stay safe from vulnerabilities
Good To Have:
- The master branch has only the production code
- Require two-step authentication for every Bitbucket/GitHub user account
- Static analysis tools detect code smells, bugs, and vulnerabilities
- Use CodeGrip or a similar tool to scan repository code, generate reports, and notify over Slack
Must Have:
- Follow OWASP Secure Coding Practices (a CodeGrip-like tool can scan for this)
- Strictly avoid the use of credentials in source code (AWS access key and secret key, etc.)
- Use secure and updated IDEs and plugins
Good To Have:
- Treat each activity as an event and log each event that happens
- Use static application security testing (SAST) tools like CodeGrip
- Code review for each pull request
- Dependency check to identify any known vulnerable components