# Cloud Infrastructure Security

TSI prioritizes the security of its cloud infrastructure to ensure the availability, integrity, and confidentiality of its platform and user data. We employ a comprehensive set of security measures across various layers, including network security, access control, vulnerability management, and secure configuration.

### Network Security

* **DDoS Protection:** TSI utilizes AWS WAF (Web Application Firewall) and CloudFront to mitigate Distributed Denial of Service (DDoS) attacks, ensuring platform availability even under high traffic loads.
* **Rate Limiting:** Rate limiting is implemented to prevent abuse and further mitigate potential DDoS attacks by restricting the number of requests from any single source.
* **DNSSEC:** DNSSEC (Domain Name System Security Extensions) is enabled to protect against DNS spoofing and ensure the integrity of DNS records, preventing users from being redirected to malicious websites.
* **VPC and Security Groups:** TSI utilizes Virtual Private Clouds (VPCs) for secure network segmentation and implements strict security group rules to control traffic flow within the network. This limits the impact of potential breaches and isolates sensitive components.

### Access Control

* **IAM User Policies:** Fine-grained IAM (Identity and Access Management) user policies are implemented to enforce the principle of least privilege. This ensures that users and services only have access to the resources they need to perform their tasks, minimizing the potential damage from compromised credentials.

### Vulnerability Management

* **Penetration Testing:** TSI regularly conducts penetration testing to identify and address potential vulnerabilities. All identified vulnerabilities are promptly remediated to maintain a high level of security.
* **Static Application Security Testing (SAST):** SonarQube is integrated into the CI/CD pipeline to perform static code analysis and detect security vulnerabilities early in the development process. This helps prevent vulnerabilities from reaching production.
* **Docker Image Scanning:** Regular vulnerability scans are performed on Docker images stored in AWS ECR (Elastic Container Registry) to ensure that containerized applications are free from known security flaws.

### Secure Configuration

* **Email Security:** Anti-spoofing mechanisms, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance), are implemented to protect email integrity and prevent spoofing attacks.
* **Secret Keys Management:** TSI stores all sensitive credentials exclusively in AWS Secrets Manager. During application bootstrap, each microservice retrieves only the secrets it is authorized to access, authenticating with its IAM role, so no credentials ever transit the CI/CD pipeline, build artifacts, or source control. Secrets remain encrypted in transit and at rest, enforcing least-privilege access and minimizing the risk of exposure across the platform.
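
The bootstrap pattern described above, as an added illustration (not TSI's own code): a service loads a fixed allowlist of secrets from AWS Secrets Manager at start-up, fails closed if any secret is missing or denied, and never echoes secret material into error messages. The secret names and the in-memory fake client are constructed for offline use; against AWS you would pass `boto3.client("secretsmanager")`, whose credentials come from the task or instance IAM role.

```python
"""Bootstrap-time secret loading from AWS Secrets Manager (added example)."""
import json
from typing import Any, Dict, Iterable

# Hypothetical per-service allowlist; real names are service-specific and
# not given on the page. The IAM role should grant GetSecretValue on these only.
REQUIRED_SECRETS = ("db/credentials", "jwt/signing-key")


class SecretLoadError(RuntimeError):
    """Raised when bootstrap cannot obtain every required secret."""


def load_secrets(client: Any, names: Iterable[str] = REQUIRED_SECRETS) -> Dict[str, Any]:
    """Fetch each allowlisted secret once, at process start.

    `client` is a boto3 Secrets Manager client or any object exposing
    get_secret_value(SecretId=...). Nothing is read from env vars, files or
    build artifacts. Fails closed: one missing/denied secret aborts startup
    instead of running with partial configuration.
    """
    loaded: Dict[str, Any] = {}
    for name in names:
        try:
            resp = client.get_secret_value(SecretId=name)
        except Exception as exc:  # botocore ClientError: AccessDenied, ResourceNotFound, ...
            # Report only the secret *name* and error class, never the value.
            raise SecretLoadError(f"cannot load {name}: {type(exc).__name__}") from exc
        raw = resp.get("SecretString")
        if raw is None:
            raise SecretLoadError(f"{name}: expected a JSON SecretString, got binary")
        try:
            loaded[name] = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise SecretLoadError(f"{name}: SecretString is not valid JSON") from exc
    return loaded


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, store: Dict[str, str]) -> None:
        self._store = store

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        if SecretId not in self._store:
            raise KeyError(SecretId)  # stands in for ResourceNotFoundException
        return {"SecretString": self._store[SecretId]}


if __name__ == "__main__":
    demo = FakeSecretsManager({
        "db/credentials": '{"user": "app", "password": "constructed-sample"}',
        "jwt/signing-key": '{"kid": "k1", "key": "constructed-sample"}',
    })
    print(sorted(load_secrets(demo)))  # names only; values stay out of logs
```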

TSI is committed to continuously improving its security posture and implementing industry best practices to protect user data and platform integrity.


