This document outlines the security controls implemented in this Terraform foundation. These controls align with common compliance frameworks (HIPAA, SOC 2, ISO 27001, HITRUST) without being prescriptive to any specific framework.

┌─────────────────────────────────────────────────────────────┐
│                    Shared VPC                                │
│  ┌─────────────────┐  ┌─────────────────┐                   │
│  │  Public Subnet  │  │  Public Subnet  │  ← ALB only       │
│  │    (AZ-a)       │  │    (AZ-b)       │                   │
│  └────────┬────────┘  └────────┬────────┘                   │
│           │                    │                             │
│  ┌────────▼────────┐  ┌────────▼────────┐                   │
│  │ Private Subnet  │  │ Private Subnet  │  ← Workloads      │
│  │    (AZ-a)       │  │    (AZ-b)       │    (no public IP) │
│  └─────────────────┘  └─────────────────┘                   │
│                                                              │
│  Default SG: DENY ALL (no rules)                            │
└─────────────────────────────────────────────────────────────┘

1. Security Groups: Each tenant has isolated SGs; cross-tenant traffic is denied by default
2. ABAC (Attribute-Based Access Control): IAM policies require Tenant tag match
3. Resource Tagging: All resources tagged with Tenant, App, Environment

• S3 logs bucket: Versioning enabled, lifecycle to Glacier at 90 days
• CloudWatch Logs: Configurable KMS encryption
• Immutable: S3 Object Lock available (enable for compliance)

• IMDSv2 Enforced: Prevents SSRF-based credential theft
• Hop Limit = 1: Containers cannot access node metadata
• Encrypted EBS: All node volumes encrypted
• Private Subnets: No public IPs on worker nodes

• No EC2 Management: Fargate abstracts host security
• Task IAM Roles: Least-privilege per service
• awsvpc Network Mode: Each task gets own ENI

• VPC Optional: Deploy in VPC for database access
• X-Ray Tracing: Request tracking enabled
• Reserved Concurrency: Prevent noisy-neighbor DoS

# Secrets Manager with automatic rotation
resource "aws_secretsmanager_secret" "db" {
  recovery_window_in_days = 30  # Prod: prevent accidental deletion
}

• No Public Access: publicly_accessible = false
• Security Group: Only allows traffic from tenant base SG
• TLS Required: Certificate validation enforced
• IAM Auth: Token-based authentication available

1. ECR Image Scanning: Enabled by default (scan_on_push = true)
2. Dependency Scanning: Use Dependabot or Snyk in CI/CD
3. tfsec: Security scanning in GitHub Actions workflow
4. AWS Inspector: Enable for EC2/EKS vulnerability assessment

1. GuardDuty: Enable for threat detection
2. Security Hub: Aggregate findings across services
3. CloudWatch Alarms: CPU, connections, storage alerts configured
4. SNS Topics: Wire alarms to PagerDuty/Slack

• CloudTrail (account-level, usually in audit account)
• AWS Config Rules
• GuardDuty
• Security Hub
• AWS WAF (per-application decision)
• MFA enforcement (IAM policy)
• Password policies (IAM)
• Backup policies (AWS Backup)

Security features with cost impact: