AWS Security | Notion

All accounts have MFA required
Root account key is disabled
Root account requires hardware MFA device to access
All services located in US-East-1 (N. Virginia)
VPCs for staging and production are separate
Any SSH sessions are required to use private key auth, no passwords
All data is encrypted at rest and if it it is accessed from outside the AWS VPC, it is also encrypted in transit
Almost all servers have no external access, we use a VPN that is accessed via mutual TLS authentication (self generated certificate)
HTTPS
- Signature ECDSA with SHA-256
- Certificate managed with AWS
Slowly switching over to node-to-node encryption (even for internal only access)