
A few infrastructure things:

- Serve traffic behind a load balancer that has a WAF

- Network segregation for database (separate subnets)

- Make sure you serve https and have a cert that’s valid. Redirect to https if http

- Restrict ports on LB

At some point later:

- Endpoint monitoring and threat detection

- VPC flow logging

- Execute backend as non root

- Dependency / artifact scanning

- Cloud SIEM to monitor common actions taken

- Make sure no hard-coded creds. I.e., use role-based auth with cloud providers

- Reproducible infrastructure builds with infra as code

- Email domain protection

- Grab misspellings of domain names to prevent squatting

