Cloud Security Policy

ISO 27001 Control A.5.23 — Effective: March 8, 2026

1. Purpose

This policy establishes the requirements for the secure use of cloud services at H33, in accordance with ISO 27001:2022 control A.5.23 (Information security for use of cloud services). It defines the security controls, responsibilities, and monitoring requirements for H33's cloud infrastructure.

All H33 personnel, contractors, and third parties with access to H33 cloud resources must comply with this policy.

2. Cloud Provider

H33's production infrastructure is hosted on Amazon Web Services (AWS) in the us-east-1 region (Northern Virginia). AWS maintains the following certifications relevant to H33's compliance posture:

• SOC 2 Type II — Annual audit of security, availability, and confidentiality controls
• ISO 27001:2022 — Certified information security management system
• ISO 27017 — Cloud-specific information security controls
• ISO 27018 — Protection of personally identifiable information in public clouds
• HIPAA — BAA available; eligible services configured per AWS HIPAA guidance
• FedRAMP High — US government authorization for high-impact workloads

H33 operates under the AWS Shared Responsibility Model: AWS secures the infrastructure (physical, network, hypervisor), and H33 secures the configuration, data, identity, and application layers.

3. Architecture

The following diagram illustrates H33's production cloud architecture:

3.1 Key Architecture Decisions

• All data stores reside in private subnets with no public IP addresses
• The Application Load Balancer is the sole internet-facing endpoint
• CloudFront provides edge caching, DDoS mitigation, and TLS termination
• Elastic Beanstalk manages deployment, scaling, and health monitoring
• No SSH/RDP access to production instances from the public internet

4. Network Security

4.1 VPC Configuration

• CIDR: 10.0.0.0/16 (65,536 addresses)
• Public subnets: ALB endpoints only, across 2+ availability zones
• Private subnets: EC2 instances, RDS, ElastiCache, across 2+ availability zones
• NAT Gateway: Private subnet outbound internet access (patch downloads, external API calls)

4.2 Security Groups

4.3 Network ACLs

• Default deny on all private subnets
• Explicit allow rules for required traffic only
• No public SSH (port 22) or RDP (port 3389) access from any source

5. Data Protection

5.1 Encryption at Rest

5.2 Encryption in Transit

• TLS 1.2 or higher required for all external connections
• CloudFront enforces HTTPS-only (HTTP redirected to HTTPS)
• ALB configured with AWS TLS 1.2+ security policy
• RDS connections require SSL/TLS (rds.force_ssl = 1)
• ElastiCache in-transit encryption enabled
• Internal VPC traffic encrypted where supported by AWS service

5.3 Application-Layer Encryption

Beyond infrastructure-level encryption, H33's cryptographic engine provides additional protection:

• FHE (BFV/CKKS): Data processed without decryption — server never sees plaintext biometric templates or sensitive fields
• Dilithium (ML-DSA): Post-quantum digital signatures for attestation and document validation
• Kyber (ML-KEM): Post-quantum key encapsulation for secure key exchange
• SPHINCS+ (SLH-DSA): Stateless hash-based signatures for long-term verification
• SHA3-256: Post-quantum secure hashing for integrity verification

6. Identity and Access Management

6.1 IAM Principles

• Least Privilege: All IAM policies grant minimum required permissions
• MFA Required: Multi-factor authentication mandatory for all AWS console access
• Root Account: Secured with hardware MFA, never used for daily operations, access keys deleted
• Group-Based Policies: Permissions assigned via IAM groups, not individual users
• Service Roles: EC2 instances and Lambda functions use IAM roles (no long-lived credentials)

6.2 Access Key Management

• Access keys rotated every 90 days maximum
• Unused access keys deactivated after 30 days of inactivity
• Access key usage audited via CloudTrail and IAM Credential Report
• Programmatic access uses IAM roles where possible (preferred over access keys)

7. Logging and Monitoring

7.1 CloudTrail

• Enabled in all AWS regions (not limited to us-east-1)
• Management events: all read/write API calls logged
• S3 data events: read/write operations on sensitive buckets
• Log file integrity validation enabled
• Logs delivered to dedicated S3 bucket with versioning and MFA-delete protection

7.2 CloudWatch

• Custom metrics for application-level monitoring (request latency, error rates, auth success/failure)
• Alarm thresholds for CPU, memory, disk, network anomalies
• Dashboard for real-time operational visibility
• Log groups with defined retention periods (90 days minimum)

7.3 Drata Continuous Monitoring

• 100+ automated control checks across AWS infrastructure
• Continuous evidence collection for SOC 2 and ISO 27001 controls
• Automated alerts for control drift or compliance gaps
• Integration with AWS, GitLab, and identity providers

8. Incident Response

Cloud security incidents follow the H33 Incident Response procedure. The notification chain for cloud-specific events is:

1. Detection: CloudWatch alarm or Drata alert triggers
2. Notification: SNS topic delivers alert to email and Slack (#security-incidents)
3. Triage: Security Officer assesses severity within defined SLAs (see Security Event Reporting Procedure)
4. Containment: Isolate affected resources (Security Group modification, instance stop, key revocation)
5. Investigation: CloudTrail log analysis, VPC flow log review, application log forensics
6. Recovery: Restore from known-good state, patch vulnerability, verify integrity
7. Post-Incident: Root cause analysis, lessons learned, control updates

9. Shared Responsibility Matrix

10. Review

This Cloud Security Policy is reviewed annually by the CEO/CISO, or more frequently when there are significant changes to H33's cloud architecture, provider certifications, or the threat landscape.

Next scheduled review: March 2027