Standards Compliance #
Our development team designs and maintains architecture, access rules, logging, and monitoring/alerting in our production cloud environment that aim to achieve compliance with the CIS AWS Benchmark. An internal review is performed annually for all scored, Level 1 controls, with the reviewers, date, and benchmark score recorded. Remediations for noncompliances are maintained, prioritized, and tracked per our development policies.
Being that CIS updates recommendations, the benchmark is updated to newest versions with each annual review.
Changes to the Cloud Environment #
Changes to the Cloud Environment include:
- Provisioning new compute & storage resources
- Updating configurations & images for compute & storage resources
- Updating Virtual Private Cloud & Security Group rules
- Provisioning IPs and networking resources
- Modifying DNS records
- Updating TSL certificates
All changes are subject to:
- A change to deployment, architecture & cloud environment documentation in the codebase
- A review of the methodology and documented changes
- The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.
- Advance testing in our development environment or a staging environment
- Requirement of generating a rollback strategy
- Requirement of providing a full audit log of actions taken upon deployment
- Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.
Notification of Changes: We will notify our client and customers of changes to the cloud environment in cases where the change is likely to disrupt services, workflows, or introduce new security vulnerabilities. We will communicate the planned change and the associated risks at least 1 week prior to the change being implemented.
Cloud-related Access Policy #
Only release engineers are provided access to the Cloud Environment. Release engineer accounts have minimal necessary authorizations to make environmental changes and run standard deployments; only technical leads have administrator level access. Release engineers may only execute deployments from a predetermined branch, in which all code has underwent Secure Development. Access to the Cloud Environment itself is controlled by encryption keys. NK technical leads may grant, revoke, or refresh these keys as needed during personel additions, removals, and potential leaks.
Training & Certification #
All Nested Knowledge developers with production access (release engineers) receive at minimum AWS Cloud Practitioner certification. New release engineers are supervised during their first 5 deployments or Cloud Environment modifications.
Compliance Statement #
All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Cloud-Related Access Policy.
