Comprehensive AWS Security Assessment for an NPO focused on Parkinson’s Disease


ORGANIZATION

Tgix’s client is a non-profit organization that is dedicated to finding a cure for Parkinson’s disease through an aggressively funded research agenda and to ensuring the development of improved therapies for those living with Parkinson’s today.

CHALLENGE

The organization needed to ensure that the AWS environment housing its core data and applications was secure, compliant, and resilient. Given the sensitive nature of the participants' PHI and the regulatory compliance requirements that come with it, the organization aimed to identify and remediate vulnerabilities in its cloud infrastructure and applications, protect its data assets, and maintain a robust security posture.

SOLUTION

The security assessment involved a comprehensive review of the organization's AWS environment, including the production, non-production, and shared services accounts. Interviews were conducted with stakeholders and key IT staff, and the documents and runbooks the team maintained were reviewed. This was followed by a detailed examination of the infrastructure, performed both manually and with automated tools that collected and processed configuration data for the AWS accounts and resources, in order to validate configurations and identify potential issues.

Tgix’s security team performed the following activities:

  • Evaluated the systems and network components, ensuring that they followed usage and configuration best practices, e.g. with up-to-date AMIs, well-managed route tables, and separate NAT Gateways for each AZ.
  • Assessed IAM policies to ensure appropriate access controls.
  • Verified encryption of data at rest (with keys managed in AWS Key Management Service (KMS)) and of data in transit (TLS on every external and internal hop).
  • Reviewed the use of AWS CloudWatch, CloudTrail, and Config for logging and monitoring.
  • Conducted internal scans to identify potential vulnerabilities within the AWS environment. This included checking for outdated software, misconfigurations, and other security weaknesses.
  • Performed external penetration testing to simulate real-world attacks and identify vulnerabilities that could be exploited by external threats.
  • Assessed the application architecture and data flows to ensure sensitive participant data (PII and PHI) was properly isolated and protected.
  • Evaluated the use of DevSecOps practices, including the integration of security scanning tools in CI/CD pipelines and AWS Secrets Manager for managing sensitive information.
  • Reviewed existing backup and DR strategies to identify gaps.
  • Assessed IT operational procedures, including logging, monitoring, alerting, and system updates.
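Two of the configuration checks named in the first activity above (instances still running from stale AMIs, and AZs without their own NAT Gateway), as an added example that is not Tgix's tooling or any artifact of this engagement. The functions operate on the dict shapes that boto3's `describe_instances`, `describe_images`, `describe_subnets` and `describe_nat_gateways` return, so they run offline on the constructed sample data below; the 90-day threshold, resource IDs and AZ names are assumptions.

```python
# Added example (not from the engagement described above): two of the AWS
# configuration checks listed in the assessment activities, written over the
# response shapes boto3 returns so they can be run offline on constructed data.
from datetime import datetime, timezone


def parse_aws_time(value):
    """Parse the ISO 8601 UTC timestamp format AWS uses for AMI CreationDate."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def stale_ami_instances(instances, images, now, max_age_days=90):
    """Return (instance_id, ami_id, age_days) for instances on AMIs older than
    max_age_days (assumed threshold). An AMI that cannot be described any more
    (deregistered, or no longer shared with this account) is reported with age
    None: you cannot rebuild or patch from an image you cannot find, so it is a
    finding rather than a pass."""
    created = {img["ImageId"]: parse_aws_time(img["CreationDate"]) for img in images}
    findings = []
    for inst in instances:
        ami = inst["ImageId"]
        if ami not in created:
            findings.append((inst["InstanceId"], ami, None))
            continue
        age_days = (now - created[ami]).days
        if age_days > max_age_days:
            findings.append((inst["InstanceId"], ami, age_days))
    return findings


def azs_without_nat_gateway(subnets, nat_gateways):
    """Return the AZs that carry subnets but have no *available* NAT Gateway of
    their own. Routing every AZ through one NAT Gateway means a single-AZ
    outage takes the other AZs' egress with it; a gateway in pending, failed
    or deleted state does not count as coverage."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    azs_in_use = set(az_of_subnet.values())
    azs_with_nat = {
        az_of_subnet[ng["SubnetId"]]
        for ng in nat_gateways
        if ng["State"] == "available" and ng["SubnetId"] in az_of_subnet
    }
    return sorted(azs_in_use - azs_with_nat)


def collect_from_account(region_name):
    """Optional live collection with boto3 (needs AWS credentials; not used
    by the offline sample run)."""
    import boto3  # imported lazily so the offline example has no dependency

    ec2 = boto3.client("ec2", region_name=region_name)
    instances = [i for r in ec2.describe_instances()["Reservations"] for i in r["Instances"]]
    images = []
    for ami_id in sorted({i["ImageId"] for i in instances}):
        try:
            images.extend(ec2.describe_images(ImageIds=[ami_id])["Images"])
        except ec2.exceptions.ClientError:
            pass  # deregistered/invisible AMI: left out so it is flagged with age None
    subnets = ec2.describe_subnets()["Subnets"]
    nat_gateways = ec2.describe_nat_gateways()["NatGateways"]
    return instances, images, subnets, nat_gateways


# Constructed sample data (not real account output), in boto3 response shapes.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-old"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-new"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-gone"},  # AMI no longer describable
]
SAMPLE_IMAGES = [
    {"ImageId": "ami-old", "CreationDate": "2023-01-10T12:00:00.000Z"},
    {"ImageId": "ami-new", "CreationDate": "2024-05-01T00:00:00.000Z"},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-c1", "AvailabilityZone": "us-east-1c"},
]
SAMPLE_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-1", "SubnetId": "subnet-a1", "State": "available"},
    {"NatGatewayId": "nat-2", "SubnetId": "subnet-c1", "State": "deleted"},
]


def run_sample():
    """Run both checks on the constructed data and return the findings."""
    stale = stale_ami_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, SAMPLE_NOW)
    missing_nat = azs_without_nat_gateway(SAMPLE_SUBNETS, SAMPLE_NAT_GATEWAYS)
    return stale, missing_nat


if __name__ == "__main__":
    stale, missing_nat = run_sample()
    for instance_id, ami, age in stale:
        detail = "is not describable" if age is None else f"is {age} days old"
        print(f"{instance_id}: AMI {ami} {detail}")
    for az in missing_nat:
        print(f"{az}: no available NAT Gateway")
```

On the sample data the AMI check flags `i-0aaa` (image 507 days old) and `i-0ccc` (image no longer describable), and the NAT check flags `us-east-1b` (no gateway) and `us-east-1c` (gateway in `deleted` state). Substitute `collect_from_account("us-east-1")` for the sample tuples to run the same checks against a real account; the per-ID `describe_images` loop is there because a single call with a deregistered ID raises rather than returning a partial list.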

RESULTS

These activities produced a thorough assessment of the organization's AWS environment, identifying critical issues and providing actionable recommendations to improve security, compliance, and operational efficiency. A timeline for the remediation effort was drawn up and shared with the IT team.

Issues that needed immediate attention included implementing a WAF and other advanced security controls, upgrading outdated AMIs, and establishing robust DR processes. Security training for staff was identified as vital to maintaining a robust security posture. Existing best practices in the environment were also noted, such as the use of infrastructure as code, consistent tagging, and up-to-date documentation.

Technologies Used

VPC (Network)

EC2 (Compute)

ECS (Containerization)

Lambda (Serverless Compute)

API Gateway (App Delivery)

PostgreSQL RDS (Database)

ALB (Load Balancers)

S3 (Storage),

Route 53 (DNS)

AWS KMS (Key Management)

CloudFront (CDN)

AWS Secrets Manager

AWS CloudWatch, CloudTrail, and Config

If you’re dealing with complex infrastructure, security requirements, deployment speeds, or looking for cost efficiencies, contact us today for a no-obligation brainstorm.

Contact us today!