@@ -21,15 +21,15 @@ Apply these patterns automatically when generating IaC:
2121
2222## Encryption
2323
24- | Component | Default (Dev) | Default (Prod) | Override Trigger |
25- | --------------- | --------------------------- | -------------------------- | ---------------- |
26- | S3 buckets | SSE-S3 (AES-256) | SSE-KMS (customer-managed) | "no encryption" |
27- | RDS/Aurora | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
28- | DocumentDB | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
29- | EBS volumes | Encrypted | Encrypted | - |
30- | ALB | TLS 1.2+ only | TLS 1.2+ only | - |
31- | Secrets Manager | AWS-managed key | CMK | - |
32- | CloudFront | TLS 1.2+ | TLS 1.2+ | - |
24+ | Component | Default (Dev) | Default (Prod) | Override Trigger |
25+ | ----------------- | --------------------------- | -------------------------- | ---------------- |
26+ | S3 buckets | SSE-S3 (AES-256) | SSE-KMS (customer-managed) | "no encryption" |
27+ | RDS/Aurora | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
28+ | Amazon DocumentDB | Encrypted (AWS-managed key) | Encrypted (CMK) | - |
29+ | EBS volumes | Encrypted | Encrypted | - |
30+ | ALB | TLS 1.2+ only | TLS 1.2+ only | - |
31+ | Secrets Manager | AWS-managed key | CMK | - |
32+ | CloudFront | TLS 1.2+ | TLS 1.2+ | - |
3333
3434### Why SSE-S3 for dev, SSE-KMS for prod
3535
@@ -56,13 +56,13 @@ When serving static content via CloudFront:
5656
5757## VPC Placement
5858
59- | Component | Default (Dev) | Default (Prod) |
60- | ------------- | -------------------------------- | -------------------------------- |
61- | Fargate tasks | Private subnet + NAT Gateway | Private subnet + NAT Gateway |
62- | ALB | Public subnet | Public subnet |
63- | RDS/Aurora | Private subnet (no public IP) | Private subnet (no public IP) |
64- | DocumentDB | Private subnet (no public IP) | Private subnet (no public IP) |
65- | Lambda | VPC-attached if DB access needed | VPC-attached if DB access needed |
59+ | Component | Default (Dev) | Default (Prod) |
60+ | ----------------- | -------------------------------- | -------------------------------- |
61+ | Fargate tasks | Private subnet + NAT Gateway | Private subnet + NAT Gateway |
62+ | ALB | Public subnet | Public subnet |
63+ | RDS/Aurora | Private subnet (no public IP) | Private subnet (no public IP) |
64+ | Amazon DocumentDB | Private subnet (no public IP) | Private subnet (no public IP) |
65+ | Lambda | VPC-attached if DB access needed | VPC-attached if DB access needed |
6666
6767### Why private subnets for compute
6868
@@ -93,13 +93,13 @@ Consult `awsiac` MCP for IAM policy patterns by service.
9393
9494## Security Groups
9595
96- | Component | Default Inbound | Default Outbound |
97- | ------------ | ---------------------------- | ------------------ |
98- | ALB | 443 from 0.0.0.0/0 | Fargate SG only |
99- | Fargate | ALB SG only (on app port) | 443 (HTTPS), DB SG |
100- | RDS/Aurora | Fargate SG only (on DB port) | None |
101- | DocumentDB | Fargate SG only (port 27017) | None |
102- | Lambda (VPC) | None | 443, DB SG |
96+ | Component | Default Inbound | Default Outbound |
97+ | ----------------- | ---------------------------- | ------------------ |
98+ | ALB | 443 from 0.0.0.0/0 | Fargate SG only |
99+ | Fargate | ALB SG only (on app port) | 443 (HTTPS), DB SG |
100+ | RDS/Aurora | Fargate SG only (on DB port) | None |
101+ | Amazon DocumentDB | Fargate SG only (port 27017) | None |
102+ | Lambda (VPC) | None | 443, DB SG |
103103
104104### Why deny-by-default
105105
@@ -156,15 +156,15 @@ Before deployment, run available checks:
156156
157157## Logging & Monitoring
158158
159- | Component | Default (Dev) | Default (Prod) |
160- | --------------- | ---------------------- | -------------------------- |
161- | CloudTrail | Account-level (shared) | Account-level (shared) |
162- | VPC Flow Logs | Disabled | Enabled (S3 destination) |
163- | ALB Access Logs | Disabled | Enabled (S3 destination) |
164- | Container logs | CloudWatch Logs | CloudWatch Logs |
165- | RDS/Aurora logs | Error log only | Error + slow query + audit |
166- | DocumentDB logs | Profiler (slow ops) | Profiler + audit |
167- | S3 Access Logs | Disabled | Enabled |
159+ | Component | Default (Dev) | Default (Prod) |
160+ | ---------------------- | ---------------------- | -------------------------- |
161+ | CloudTrail | Account-level (shared) | Account-level (shared) |
162+ | VPC Flow Logs | Disabled | Enabled (S3 destination) |
163+ | ALB Access Logs | Disabled | Enabled (S3 destination) |
164+ | Container logs | CloudWatch Logs | CloudWatch Logs |
165+ | RDS/Aurora logs | Error log only | Error + slow query + audit |
166+ | Amazon DocumentDB logs | Profiler (slow ops) | Profiler + audit |
167+ | S3 Access Logs | Disabled | Enabled |
168168
169169### Why minimal logging in dev
170170
@@ -180,7 +180,7 @@ When user requests "production" or "prod", additionally enable:
180180- [ ] ALB Access Logs
181181- [ ] S3 Access Logs
182182- [ ] RDS Performance Insights
183- - [ ] DocumentDB profiler + audit logs exported to CloudWatch Logs
183+ - [ ] Amazon DocumentDB profiler + audit logs exported to CloudWatch Logs
184184- [ ] AWS WAF on ALB (if public-facing web app)
185185- [ ] GuardDuty (recommend, don't auto-enable)
186186- [ ] Run ` checkov ` or ` cfn-nag ` before deployment
0 commit comments