AWS
When the audit selects AWS, we build the infrastructure layer from these native services — all codified with Terraform/OpenTofu modules.
Account & isolation
- AWS Organizations with separate accounts to isolate environments and blast radius (e.g. production vs. non-production, plus a shared/management account).
- Guardrails and baseline policies applied org-wide.
Networking
- VPC with public/private subnets across multiple Availability Zones.
- Route tables, internet and NAT gateways, and security groups.
- Private networking for data stores so they’re never directly exposed.
Identity & access
- IAM roles and policies, least-privilege by default.
- IRSA (IAM Roles for Service Accounts) so Kubernetes workloads assume scoped AWS permissions without long-lived keys.
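An added example of the IRSA pattern in Terraform (illustrative, not the project's own module): it registers the cluster's OIDC issuer with IAM, then creates a role whose trust policy is scoped to a single Kubernetes service account and whose permissions are limited to writing one S3 prefix. The cluster name, namespace, service-account name and bucket ARN are placeholder assumptions.

```hcl
# Added example; cluster name, namespace, service account and bucket ARN are placeholders.
data "aws_eks_cluster" "this" { name = local.cluster_name }

locals {
  cluster_name    = "example-cluster"
  namespace       = "app"
  service_account = "artifact-writer"
  bucket_arn      = "arn:aws:s3:::example-artifacts"
  oidc_issuer     = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  oidc_host       = replace(local.oidc_issuer, "https://", "")
}

# Register the cluster's OIDC issuer with IAM (thumbprint taken from its cert chain).
data "tls_certificate" "oidc" { url = local.oidc_issuer }

resource "aws_iam_openid_connect_provider" "eks" {
  url             = local.oidc_issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}

# Trust policy: only this service account in this namespace, for the STS audience,
# may assume the role. Without the "sub" condition any pod in the cluster could.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.namespace}:${local.service_account}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "artifact_writer" {
  name               = "${local.cluster_name}-${local.service_account}"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Least privilege: the role may only write objects under one bucket prefix.
resource "aws_iam_role_policy" "artifact_writer" {
  role = aws_iam_role.artifact_writer.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "s3:PutObject", Resource = "${local.bucket_arn}/artifacts/*" }]
  })
}
```

The Kubernetes side is a ServiceAccount in that namespace annotated with `eks.amazonaws.com/role-arn` set to the role's ARN; pods using it receive a projected web-identity token instead of static access keys.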
Compute & Kubernetes
- Amazon EKS as the managed control plane for the containerization layer.
- Managed node groups and/or Fargate, with cluster autoscaling.
- RDS / Aurora for relational databases — multi-AZ, automated backups, point-in-time recovery.
- S3 for object storage, artifacts, and backups, with lifecycle policies.
Ingress, DNS & TLS
- ALB / NLB for load balancing, fronting the cluster ingress.
- Route 53 for DNS, ACM for managed TLS certificates.
Security & encryption
- KMS for encryption keys; encryption at rest enabled across data stores and volumes.
- Secrets Manager for application and platform secrets (surfaced into the cluster via the secrets workflow).
Baseline telemetry
- CloudWatch for cloud-level metrics and logs at the account boundary — complemented by the full Grafana observability stack running in-cluster.