Current Security Controls
Already Implemented
| Control | Implementation |
|---|---|
| MFA | AWS Cognito (optional per user) |
| Encryption at rest | RDS, EBS, S3 |
| Encryption in transit | TLS 1.2+ everywhere |
| Network segmentation | 3-VPC architecture |
| RBAC | Organization and project roles |
| Security scanning | CI/CD pipeline |
| Audit logging | Partial (user activity) |
| Least privilege | IAM roles per service |
Evidence Locations
- Terraform configs: statux-infra/environments/prod/
- Auth guards: statux-api/libs/auth/
- CI workflows: .github/workflows/security.yml