Data Encryption: 100% of data is encrypted in transit and at rest.
Infrastructure as Code: All our infrastructure is managed as code and goes through code review.
Least Privilege: All IAM policies, credentials, permissions, and roles are scoped down to the minimum necessary permissions.
Network Segregation: Production, Sandbox and Staging each live in their own separate AWS account and are further constrained through VPCs.
Hardened Hosts: Unused services and ports are removed, and containers are built from a minimal Alpine image and run as a non-root user. Only a well-controlled set of hosts accept ingress traffic.
Intrusion Detection System: We run an IDS that alerts us on anomalous network connections (e.g. to algorithmically generated domain names, the Tor network, etc.), suspicious reconnaissance activity, and more.
S3 Public Access Blocks: Due to our use of bucket-level and account-level S3 Block Public Access settings, it is not possible for us to have S3 buckets publicly exposed to the internet.
AWS Root User Disabled: All our AWS root users are disabled through the use of service control policies.
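The three AWS controls above (least-privilege IAM, S3 Block Public Access, and root users restricted by service control policies) are all expressed as JSON documents, so they can be checked offline in the same code review that the Infrastructure as Code item describes. The following is an added example, not the company's own tooling: it implements three small policy checks and runs them over constructed sample documents. The SCP shape follows the AWS-documented pattern of denying actions whose aws:PrincipalArn matches the root-user ARN; the four public-access-block keys are the fields AWS returns from GetPublicAccessBlock. One caveat the checks cannot see: SCPs never constrain the organization's management account, so that account's root user needs separate hardening.

```python
"""Offline checks for IAM/SCP/S3 control documents (added example, not the
page's own tooling). All sample documents below are constructed."""
import json

# Constructed: an SCP that denies every action to the root user of any member
# account it is attached to. Pattern follows AWS documentation for restricting
# the root user via aws:PrincipalArn. Note: SCPs do not apply to the
# organization's management account.
DENY_ROOT_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
      }
    }
  ]
}
""")

# Constructed: an IAM policy with one scoped statement and one over-broad one
# (the bucket name is a placeholder).
OVERBROAD_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket-placeholder/*"},
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
    ],
}

# The four flags of an S3 public access block configuration; all must be true
# for the "no public bucket is possible" property to hold.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
STRICT_PAB = {flag: True for flag in PAB_FLAGS}  # constructed strict config


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_denies_root(policy: dict) -> bool:
    """True if some statement is an explicit Deny of Action "*" on Resource "*"
    conditioned (StringLike/ArnLike) on a root-user aws:PrincipalArn."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Action", [])):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        cond = stmt.get("Condition", {})
        arns = []
        for operator in ("StringLike", "ArnLike"):
            arns += _as_list(cond.get(operator, {}).get("aws:PrincipalArn", []))
        if any(arn.endswith(":root") for arn in arns):
            return True
    return False


def wildcard_allows(policy: dict) -> list:
    """Return the Sids (or positional labels) of Allow statements that grant
    Action "*" or a service-wide "service:*" together with Resource "*": the
    standard least-privilege review finding."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = any(a == "*" or a.endswith(":*") for a in actions)
        if broad and "*" in resources:
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def pab_missing_flags(config: dict) -> list:
    """Return the public-access-block flags that are absent or not true."""
    return [flag for flag in PAB_FLAGS if config.get(flag) is not True]


if __name__ == "__main__":
    print("SCP denies root:", scp_denies_root(DENY_ROOT_SCP))
    print("Over-broad IAM statements:", wildcard_allows(OVERBROAD_IAM))
    print("PAB flags missing:", pab_missing_flags({"BlockPublicAcls": True}))
```

In a real pipeline these functions would run over the policy documents rendered from the infrastructure code (or over the output of get-public-access-block and describe-policy calls) and fail the review when scp_denies_root is false, wildcard_allows is non-empty, or pab_missing_flags is non-empty.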