Security best practices
- IAM best practices: use least privilege for deployment
- Make sure not to use the root account for deployment operations. We advise to create a trusted group (min. 2) of admin users with their own IAM account whose actions can be monitored. Make sure to follow the steps described in this article to follow the root account best practices.
- Deeploy does not need public accessible resources. The only way public traffic can access Deeploy is via the AWS load balancer. We advise to only whitelist specific IP addresses in the load balancer security group.
- Deeploy uses one access key to access a S3 bucket. We advise to rotate this key every month and to use the AWS Secret Manager for rotation.
- Deeploy uses database credentials that we advise to rotate using the AWS Secret Manager.
- We advise to use data encryption where possible: S3 server-side encryption, Node Pool: Elastic Block Store, RDS for PostgreSQL.