Tech Checklist

Identity & Access Management

Use IAM roles and policies — restrict permissions based on least privilege. COST
Use SSO (e.g., Okta, Google Workspace) if possible.
Enable MFA for all critical accounts.
Enforce password policies (rotation, complexity, reuse prevention)
Disable root account access; enable root MFA and monitor its use
Remove unused IAM users and access keys regularly
Audit IAM role trust policies (avoid overly broad assumptions)
Periodically review permissions and apply Access Analyzer or IAM Access Advisor

Infrastructure Security

Network segmentation — use VPCs, private subnets, and security groups.
Configure firewall rules to limit access to your infrastructure.
Private DB access (If possible cut the DB Public IP, ie. move to private subnet) COST
Enable encryption (in-transit and at-rest) for all data. COST
- S3, RDS, DynamoDB, EBS, etc. — enable AWS-managed or customer-managed keys (KMS).
Enforce security group least access (e.g., restrict by CIDR blocks)
Use WAF (Web Application Firewall) for public apps
Use Shield Standard (free) or Shield Advanced for DDoS protection COST
Configure NACLs where appropriate.
Use private subnets for critical systems (SOC 2 prefers it)
Scan AMIs for vulnerabilities before use (Amazon Inspector, Trivy, etc.)

Code & Application Security

Static code analysis tools (e.g., SonarQube, GitHub Advanced Security, CodeQL)
Use dependency scanning (Snyk, Dependabot, Trivy, or OWASP Dependency-Check)
Protect secrets in code (use from secrets manager→ jenkins credentials in your case) DONE
Linting and security checks in CI/CD pipelines
Secure software development lifecycle (SDLC) documentation
Code review enforcement and approval workflows DONE

Logging & Monitoring

Set up AWS CloudTrail, CloudWatch, and Config to log changes, access, and events. COST
Use a SIEM/log aggregator (e.g., Datadog, Splunk, or ELK, Signoz). DONE
Set alerts for suspicious activity (e.g., unauthorized access attempts). (Threat Detection Mechanism using CloudTrail, CloudWatch, SNS and GuradDuty optionally) COST
Enable GuardDuty for threat detection (you mentioned this under audit trails — good!) COST
Periodic reviews of logs and alerts with documented actions
Store logs in S3 with bucket versioning and retention policies
Set up log integrity controls (prevent tampering/deletion)

Change Management

Use version control (e.g., Git) and CI/CD pipelines. DONE
Track deployments and ensure changes go through review and approval processes (Branch Protections and Apporvals before merging by dev team). DONE
Deployment changes are logged (CloudTrail, CI/CD logs)
Emergency changes are documented and approved after the fact
Keep an audit trail of who approved what and when

Backups and Disaster Recovery

Implement automated backups (e.g., RDS snapshots). DONE
Test and document the restore procedures for databases.
Define a disaster recovery plan and recovery time objectives (RTOs).
Multi AZ / Cluster setups for DB for high availability COST
Define and test RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
Test DR plan at least annually and record results
Backups should be encrypted and access-controlled
Store critical backups in cross-region S3 or Glacier (optional but useful)

Vulnerability Management

Secrets Management:

Move all secrets/env variables into AWS Secrets Manager(cost), SSM Parameter Store(standard params are free)
Implement access controls for secret managers
Rotate secrets periodically using automation (Lambda or AWS Secret Manager rotation)
Production Database Security:
- Enable encryption at rest and in transit COST
- Audit RDS - Postgres Monitoring
- Rotate DB credentials periodically.
Audit Trails:
- Enable CloudTrail, centralized loging of API calls. COST
- GuardDuty, Config rules (baseline security posture). COST
Jenkins Hardening:
- RBAC
- Secrets injection credentials plugins, not plain text. DONE
- Backup Jenkins regularly. DONE
- Jenkins Recovery Plan DONE