- All accounts have MFA required
- Root account key is disabled
- Root account requires hardware MFA device to access
- All services located in US-East-1 (N. Virginia)
- VPCs for staging and production are separate
- Any SSH sessions are required to use private key auth, no passwords
- All data is encrypted at rest and if it it is accessed from outside the AWS VPC, it is also encrypted in transit
- Almost all servers have no external access, we use a VPN that is accessed via mutual TLS authentication (self generated certificate)
- HTTPS
- Signature ECDSA with SHA-256
- Certificate managed with AWS
- Slowly switching over to node-to-node encryption (even for internal only access)