Cloud Security

Standards Compliance

Our development team designs and maintains architecture, access rules, logging, and monitoring/alerting in our production cloud environment that aim to achieve compliance with the CIS AWS Benchmark. An internal review is performed annually for all scored, Level 1 controls, with the reviewers, date, and benchmark score recorded. Remediations for noncompliances are maintained, prioritized, and tracked per our development policies.

Because CIS updates its recommendations, moving to the newest version of the benchmark is considered as part of each annual review.

Changes to the Cloud Environment

Changes to the Cloud Environment include:

  • Provisioning new compute & storage resources
  • Updating configurations & images for compute & storage resources
  • Updating Virtual Private Cloud & Security Group rules
  • Provisioning IPs and networking resources
  • Modifying DNS records
  • Updating TLS certificates
  • Rotating credentials

All changes are subject to:

  • A change to deployment, architecture & cloud environment documentation in the codebase
  • A review of the methodology and documented changes
    • The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.
  • Advance testing in our development environment or a staging environment
  • Requirement of generating a rollback strategy
  • Requirement of providing an audit log of actions taken upon deployment
  • Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.

Notification of Changes: We will notify our client and customers of changes to the cloud environment in cases where the change is likely to disrupt services or access (e.g. planned downtime). We will communicate the planned change and the associated risks at least 1 week prior to the change being implemented.

Only release engineers are provided access to the Cloud Environment. Release engineer accounts have the minimal necessary authorizations to make environmental changes and run standard deployments; only technical leads have administrator-level access. Release engineers may only execute deployments from a predetermined branch, in which all code has undergone Secure Development. Access to the Cloud Environment itself is controlled by encryption keys. NK technical leads may grant, revoke, or rotate these keys as needed during personnel additions, removals, and potential leaks.

Training & Certification

All Nested Knowledge technical leads receive at minimum AWS Cloud Practitioner certification, qualifying them to review cloud environment changes. New release engineers are supervised during their first 5 deployments or cloud environment modifications.

Compliance Statement

All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Cloud-Related Access Policy.

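| Author   | Date of Revision/Review | Comments/Description      |
|----------|-------------------------|---------------------------|
| K. Holub | 12/12/2025              | Review                    |
| K. Holub | 2/24/2023               | Addition of CIS benchmark |
| K. Cowie | 11/21/2021              | Minor Changes             |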

Updated on December 12, 2025