
Security Principles

The GovTech Multicloud Platform implements a defense-in-depth security strategy with multiple layers of protection:

Least Privilege

Every user and service receives only the permissions necessary for their specific function

Zero Trust Network

All network communication must be explicitly allowed; all other traffic is denied by default

Encryption Everywhere

Data encrypted at rest and in transit using AWS KMS and TLS 1.3

Continuous Monitoring

24/7 threat detection with CloudTrail, GuardDuty, and Security Hub

Security Layers

Our security architecture consists of five critical layers:

1. Identity and Access Management (IAM)

Three-tier functional hierarchy based on risk level:
  • Level 1 - Critical: Network Admin, EKS Admin, Database Admin, Terraform Operator
  • Level 2 - Operational: Container Deploy, ALB Operator, CI/CD Operator
  • Level 3 - Read Only: Secrets Read, Monitor, Security Auditor
All Level 1 (Critical) access requires:
  • Hardware MFA (YubiKey recommended)
  • Approval from a second responsible party
  • Time-limited sessions (maximum 8 hours)
  • Immediate CloudWatch alerts on all actions

2. Network Security

Zero Trust Networking with Kubernetes NetworkPolicies:
Architecture:
  Internet → WAF → ALB → Ingress Controller → Frontend Pods → Backend Pods → Database Pods
  • Frontend can only communicate with Backend
  • Backend can only communicate with Database and AWS APIs (port 443)
  • Database cannot initiate any outbound connections
  • Default deny all traffic policy
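
The tier rules above can be checked against a policy set before it is deployed. The following is an added example, not the platform's own code: it evaluates NetworkPolicy-shaped dicts with a simplified model (matchLabels selectors only). The `tier` labels and policy names are assumptions, and the ingress-controller path and the backend's port 443 egress to AWS APIs are left out.

```python
"""Simplified NetworkPolicy check: matchLabels pod selectors only, no ports or ipBlocks."""

def sel(**labels):
    return {"podSelector": {"matchLabels": labels}}

def netpol(name, target, ingress_from=None, egress_to=None):
    """Build a NetworkPolicy-shaped dict; a direction left as None is not managed."""
    spec = {**sel(**target), "policyTypes": []}
    for kind, key, peers in (("Ingress", "from", ingress_from), ("Egress", "to", egress_to)):
        if peers is not None:
            spec["policyTypes"].append(kind)
            spec[kind.lower()] = [{key: peers}] if peers else []
    return {"kind": "NetworkPolicy", "metadata": {"name": name}, "spec": spec}

# Constructed policy set; the tier=... labels and policy names are assumptions.
POLICIES = [
    netpol("default-deny-all", {}, ingress_from=[], egress_to=[]),
    netpol("frontend-egress", {"tier": "frontend"}, egress_to=[sel(tier="backend")]),
    netpol("backend", {"tier": "backend"},
           ingress_from=[sel(tier="frontend")], egress_to=[sel(tier="database")]),
    netpol("database-ingress", {"tier": "database"}, ingress_from=[sel(tier="backend")]),
]

def matches(selector, labels):
    want = selector["podSelector"].get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def direction_allows(policies, pod, peer, kind, key):
    """A pod selected by any policy of this type is isolated in that direction;
    traffic then passes only if some rule of a selecting policy admits the peer."""
    specs = [p["spec"] for p in policies
             if kind in p["spec"]["policyTypes"] and matches(p["spec"], pod)]
    if not specs:
        return True  # not isolated: Kubernetes allows all traffic in this direction
    return any(key not in rule or any(matches(s, peer) for s in rule[key])
               for spec in specs for rule in spec.get(kind.lower(), []))

def can_connect(policies, src, dst):
    return (direction_allows(policies, src, dst, "Egress", "to")
            and direction_allows(policies, dst, src, "Ingress", "from"))

def violations(policies):
    """Tier pairs whose reachability differs from frontend -> backend -> database."""
    tiers = ["frontend", "backend", "database"]
    expected = {("frontend", "backend"), ("backend", "database")}
    return [(s, d) for s in tiers for d in tiers
            if s != d and can_connect(policies, {"tier": s}, {"tier": d}) != ((s, d) in expected)]
```

Dropping the default-deny policy from the set makes `violations` report that database pods can reach frontend pods, which is the failure the default-deny rule exists to prevent.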

3. Encryption & Key Management

AWS KMS (Key Management Service) provides centralized encryption:
  • RDS Databases: Encrypted at rest with KMS
  • S3 Buckets: Server-side encryption (SSE-KMS)
  • EBS Volumes: Encrypted volumes for Kubernetes PVCs
  • Secrets Manager: All secrets encrypted with KMS
  • CloudTrail Logs: Encrypted audit logs
  • Automatic Key Rotation: Annual rotation enabled

4. Threat Detection

Three-layer monitoring system:
1. CloudTrail - Audit Logging

Records every API call made in the AWS account:
  • Who performed the action
  • When it occurred
  • Source IP address
  • Success or failure
2. GuardDuty - Threat Detection

AI-powered intrusion detection analyzing:
  • VPC Flow Logs for suspicious network traffic
  • CloudTrail for unusual API activity
  • DNS logs for communication with malicious domains
  • EKS audit logs for Kubernetes threats
3. Security Hub - Centralized Dashboard

Aggregates findings from:
  • GuardDuty (threats)
  • IAM Access Analyzer (excessive permissions)
  • Amazon Inspector (vulnerabilities)
  • CIS AWS Foundations Benchmark compliance

5. Application Protection

AWS WAF (Web Application Firewall) protects the application from:
  • SQL injection attacks
  • Cross-site scripting (XSS)
  • Known malicious inputs (Log4Shell, SSRF)
  • Botnet and Tor exit node traffic
  • Rate limiting (2000 requests per IP per 5 minutes)

Compliance Frameworks

The platform is designed to meet government security requirements:
Automated compliance checking for:
  • IAM password policies
  • MFA enforcement
  • Root account security
  • VPC security group rules
  • S3 bucket public access
  • CloudTrail configuration
Continuous monitoring of:
  • Encryption at rest and in transit
  • Least privilege access
  • Network segmentation
  • Logging and monitoring
  • Incident response readiness
Government-grade security controls:
  • Multi-factor authentication
  • Audit trail retention (365 days in production)
  • Encryption key management
  • Access control separation
  • Continuous monitoring

Security Incident Response

Alert Levels

Severity | Trigger                                         | Response Time | Action
---------|-------------------------------------------------|---------------|------------------------------------------------
Critical | Root account usage, unauthorized API calls      | Immediate     | Alert DevOps team, investigate within 15 minutes
High     | GuardDuty finding, suspicious network activity  | 1 hour        | Review logs, assess impact, contain threat
Medium   | Cost anomaly, unusual deployment                | 4 hours       | Investigate source, validate legitimacy
Low      | Security Hub compliance drift                   | 24 hours      | Review configuration, plan remediation

Automated Responses

Automatic Protective Actions:
  • IP addresses exceeding rate limits are blocked by WAF
  • Sessions without MFA cannot access Level 1 resources
  • Production database deletion is prevented by IAM policy
  • Operations outside us-east-1 region are denied
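
The Critical triggers in the alert table (root account usage, unauthorized API calls) can be matched directly against CloudTrail records, including the denied calls produced by the region restriction above. This is an added example, not the platform's own alerting code: the sample events are constructed, and treating the three listed error codes as "unauthorized" is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Error codes treated as "unauthorized API call" (assumption for this example).
UNAUTHORIZED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
INVESTIGATE_WITHIN = timedelta(minutes=15)  # Critical row of the alert table

# Constructed CloudTrail-style records; the account ID, ARNs and IPs are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/monitor/alice"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    # A call outside us-east-1 that the region restriction rejected.
    {"eventTime": "2024-05-01T09:10:00Z", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

def critical_alerts(events):
    """Return one alert per event that matches a Critical trigger."""
    alerts = []
    for ev in events:
        identity = ev.get("userIdentity", {})
        error = ev.get("errorCode")
        if identity.get("type") == "Root":
            reason = "root account usage"
        elif error in UNAUTHORIZED:
            reason = "unauthorized API call"
        else:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        alerts.append({
            "severity": "Critical", "reason": reason,
            "who": identity.get("arn", "unknown"), "when": when,
            "source_ip": ev.get("sourceIPAddress"),
            "outcome": "failure" if error else "success",
            "action": f'{ev["eventName"]} in {ev.get("awsRegion")}',
            "investigate_by": when + INVESTIGATE_WITHIN,
        })
    return alerts
```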

Security Best Practices

For Developers

# Never commit secrets to Git
cp kubernetes/secrets.yaml.template kubernetes/secrets.yaml
echo "secrets.yaml" >> .gitignore

# Use AWS Secrets Manager via IRSA
# No hardcoded credentials in code

For DevOps Engineers

  1. Always use MFA for AWS console and CLI access
  2. Rotate access keys every 90 days (preferably use temporary credentials)
  3. Review CloudTrail logs weekly for unusual activity
  4. Test Network Policies before deploying to production
  5. Scan container images for vulnerabilities before pushing to ECR

For Security Auditors

  • Review GuardDuty findings
  • Check for users without MFA
  • Verify no public S3 buckets
  • Confirm CloudTrail is enabled

Quick Verification Commands

# Check current IAM user and MFA status
aws iam get-user
aws iam list-mfa-devices

# View recent CloudTrail events
# ($USER is the local shell login name; it must match your IAM user name)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue="$USER" \
  --max-results 10

# List access keys and their status (Active/Inactive)
aws iam list-access-keys --user-name "$USER"

# Check GuardDuty findings
aws guardduty list-findings --detector-id <detector-id>

# Verify Security Hub status
aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}'

Next Steps

IAM Policies

Explore detailed IAM groups, roles, and permissions

Network Policies

Understand Kubernetes network segmentation

Secrets Management

Learn how to securely manage credentials

Compliance

Review audit procedures and compliance reports
