Shaylee Czech | Senior Security Engineer | CISSP

GRC Compliance Dashboard

Mapping the DevSecOps pipeline's technical capabilities to NIST, CIS, and HIPAA requirements—the language of compliance and risk management.

Overall Score: 100%

Dependency & pipeline security (Snyk)

NIST SP 800-53: 100% (3 of 3 controls met)
CIS Controls: 100% (1 of 1 control met)
HIPAA: 100% (1 of 1 control met)

Vulnerability & Patch Management

The CI/CD pipeline enforces shift-left security by automatically scanning for vulnerabilities in code and containers, stopping non-compliant images. CloudWatch monitoring provides centralized logging and real-time security analysis.

NIST SP 800-53: RA-5 (Scanning) | CISSP Domain 6: Security Assessment
  • Snyk (SAST) checks package.json for vulnerable dependencies and fails the pipeline on high/critical.
  • Launch Template userdata bootstraps instances from a known baseline; pipeline gates block vulnerable builds.
  • CloudWatch and centralized logging support ongoing monitoring and incident response.

Principle of Least Privilege (PoLP)

Infrastructure is deployed using AWS IAM instance profiles; EC2 instances have no hardcoded credentials and only minimal permissions (CloudWatch, SSM). Terraform runs via GitHub OIDC with scoped IAM.

NIST SP 800-53: AC-3 (Access Enforcement) | CISSP Domain 5: Identity & Access Management
  • No SSH to instances; access when needed via SSM Session Manager. GitHub OIDC is used for Terraform and ASG operations.
  • EC2 roles are scoped to CloudWatch and SSM; Terraform (via OIDC) manages infrastructure and Route 53.
  • The application containers themselves run without any cloud credentials.
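The two identities described above (the EC2 instance profile scoped to CloudWatch and SSM, and the GitHub OIDC role Terraform assumes) as an added Terraform example; this is not the dashboard's or the project's own code. It assumes the AWS provider 5.x, and the role names, the repository `example-org/example-repo`, the Route 53 zone id and the OIDC thumbprint are placeholders.

```hcl
# Added example, not the dashboard's own Terraform. Role/policy names, the
# repository "example-org/example-repo", the hosted zone id and the OIDC
# thumbprint are placeholders.

# --- EC2 instance role: only what the CloudWatch and SSM agents need --------
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2" {
  name               = "web-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# AWS-managed policies for the two agents. Nothing for S3, IAM or EC2 mutation:
# a compromised container on the host gains no infrastructure control.
resource "aws_iam_role_policy_attachment" "ec2_cloudwatch" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}

resource "aws_iam_role_policy_attachment" "ec2_ssm" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# The Launch Template references this profile; credentials are delivered by
# the instance metadata service, never written into userdata or the AMI.
resource "aws_iam_instance_profile" "ec2" {
  name = "web-instance-profile"
  role = aws_iam_role.ec2.name
}

# --- GitHub OIDC: Terraform authenticates with a short-lived token ----------
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Placeholder: obtain the current thumbprint for the issuer before applying.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Without this subject condition any GitHub repository could assume the role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "terraform_ci" {
  name               = "terraform-ci-role"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

# Scoped permissions for the pipeline: trigger ASG instance refreshes and
# change records in one Route 53 zone. Extend per resource type Terraform manages.
data "aws_iam_policy_document" "terraform_ci" {
  statement {
    sid = "AsgRefresh"
    actions = [
      "autoscaling:StartInstanceRefresh",
      "autoscaling:DescribeInstanceRefreshes",
      "autoscaling:DescribeAutoScalingGroups",
    ]
    resources = ["*"] # Describe* actions do not support resource-level scoping
  }
  statement {
    sid       = "Route53Zone"
    actions   = ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/ZONE_ID_PLACEHOLDER"]
  }
}

resource "aws_iam_role_policy" "terraform_ci" {
  name   = "terraform-ci-scoped"
  role   = aws_iam_role.terraform_ci.id
  policy = data.aws_iam_policy_document.terraform_ci.json
}
```

The check worth making on a trust policy like this is the `sub` condition: a role that only constrains `aud` is assumable by a workflow in any repository on GitHub, so the subject should pin the repository and branch (or environment) that is allowed to run `terraform apply`.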

Secure Baselines & Configuration

Terraform and Launch Template userdata enforce a secure baseline; instances run in private subnets with traffic allowed only from the ALB. No Ansible or separate config management—userdata and Terraform define state.

CIS Control 7 (Configuration Management) | CISSP Domain 3: Security Architecture
  • Userdata bootstraps instances to a consistent baseline; Terraform defines security groups and network isolation.
  • Terraform defines network baselines (Security Groups) and prevents drift.
  • Docker images are defined by code (Dockerfile) and are immutable. Full deploy via ASG instance refresh; content-only updates via SSM Send Command.
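The network and instance baseline this section describes (and the Launch Template userdata bootstrap the Vulnerability & Patch Management section mentions) as one added Terraform example; it is not the dashboard's or the project's own code. It assumes the AWS provider 5.x, an Amazon Linux 2023 AMI, an instance profile named `web-instance-profile`, and placeholder VPC/subnet ids and container image.

```hcl
# Added example, not the dashboard's own Terraform. VPC and subnet ids, the
# AMI id, the instance profile name and the container image are placeholders.

variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "ami_id"             { type = string } # Amazon Linux 2023 baseline AMI (placeholder)

# --- Network baseline: the ALB is the only path to the instances ------------
resource "aws_security_group" "alb" {
  name   = "web-alb-sg"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "alb_all" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_security_group" "web" {
  name   = "web-instance-sg"
  vpc_id = var.vpc_id
}

# Port 80 only, and only from the ALB security group: no CIDR ranges and no
# port 22, since access is via SSM Session Manager over the agent's outbound
# connection.
resource "aws_vpc_security_group_ingress_rule" "web_from_alb" {
  security_group_id            = aws_security_group.web.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}

# Outbound stays open for image pulls and the SSM/CloudWatch endpoints.
resource "aws_vpc_security_group_egress_rule" "web_all" {
  security_group_id = aws_security_group.web.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# --- Instance baseline: userdata is the only configuration management ------
resource "aws_launch_template" "web" {
  name_prefix            = "web-"
  image_id               = var.ami_id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web.id]

  iam_instance_profile {
    name = "web-instance-profile" # role scoped to CloudWatch + SSM
  }

  metadata_options {
    http_tokens = "required" # IMDSv2 only: role credentials need a session token
  }

  # Every instance boots to the same state; a changed script means a new
  # template version and an instance refresh, never an in-place edit.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    set -euo pipefail
    dnf install -y docker amazon-cloudwatch-agent   # SSM agent ships in the AMI
    systemctl enable --now docker amazon-ssm-agent amazon-cloudwatch-agent
    # Image built from the Dockerfile in CI; registry path is a placeholder.
    docker run -d --restart unless-stopped -p 80:80 example-registry/web:stable
  EOT
  )
}

resource "aws_autoscaling_group" "web" {
  name                = "web-asg"
  vpc_zone_identifier = var.private_subnet_ids # private subnets, no public IPs
  min_size            = 2
  max_size            = 4
  desired_capacity    = 2

  launch_template {
    id      = aws_launch_template.web.id
    version = "$Latest"
  }

  # Full deploy path: rolling replacement of every instance from the template.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }
}
```

The drift control here is structural: the instance security group has no CIDR-based ingress at all, only a reference to the ALB's group, so a later rule that opened port 22 or 80 to the world would show up in `terraform plan` as a new resource rather than as a quiet console edit.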

Data & Communication Protection

The ALB terminates HTTPS/TLS 1.2+ with ACM certificates (automatic renewal). Traffic to instances is HTTP only within the VPC; Nginx serves the app behind the ALB, fulfilling requirements for data in transit.

HIPAA (Technical Safeguard: Encryption) | CISSP Domain 4: Network Security
  • ALB enforces SSL/TLS termination with ACM; Nginx serves HTTP only behind it.
  • ACM provides automatic certificate renewal with no on-instance cert management.
  • Instances run in private subnets with no public IPs; only the ALB security group can reach them on port 80.
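The TLS termination arrangement above (ACM certificate with DNS validation in Route 53, an ALB listener restricted to TLS 1.2+, plain HTTP to the target group inside the VPC) as an added Terraform example; it is not the dashboard's or the project's own code. It assumes the AWS provider 5.x and that the ALB security group, subnets, hosted zone and domain are supplied as placeholder variables.

```hcl
# Added example, not the dashboard's own Terraform. Domain, zone id, subnet
# ids and the ALB security group id are placeholders passed in as variables.

variable "domain_name"       { type = string } # e.g. "www.example.com"
variable "zone_id"           { type = string }
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "alb_sg_id"         { type = string }

resource "aws_acm_certificate" "web" {
  domain_name       = var.domain_name
  validation_method = "DNS"
  lifecycle {
    create_before_destroy = true # replacement without a gap in service
  }
}

# ACM renews automatically as long as this validation record keeps resolving.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.web.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  zone_id         = var.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "web" {
  certificate_arn         = aws_acm_certificate.web.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

resource "aws_lb" "web" {
  name                       = "web-alb"
  load_balancer_type         = "application"
  subnets                    = var.public_subnet_ids
  security_groups            = [var.alb_sg_id]
  drop_invalid_header_fields = true
}

# Backend hop is plain HTTP on port 80, confined to the VPC's private subnets.
resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check {
    path = "/"
  }
}

# The security policy is what enforces "TLS 1.2+": older policies such as
# ELBSecurityPolicy-2016-08 still negotiate TLS 1.0 and 1.1.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.web.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Port 80 on the ALB exists only to redirect; nothing is served in clear text.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_route53_record" "web" {
  zone_id = var.zone_id
  name    = var.domain_name
  type    = "A"
  alias {
    name                   = aws_lb.web.dns_name
    zone_id                = aws_lb.web.zone_id
    evaluate_target_health = true
  }
}
```

When auditing this against the encryption safeguard, the two values to check in the plan are `ssl_policy` on the HTTPS listener and the absence of any listener that forwards (rather than redirects) on port 80; the certificate itself is handled entirely by ACM, so no private key ever lands on an instance.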