Security

At Playground Tech, we take security very seriously. We comply with the AWS Solution Provider Program's security requirements to ensure that our customers' data is secure. During the Technical Audit, we demonstrated proficiency in the following areas.

AWS Account Settings

We acknowledge our capabilities in managing contact and security information for both the Management Program Account and member accounts. Our capabilities include the ability to update address information, describe and set alternate contacts, set security challenge questions, understand the procedure for closing an AWS Account, manage cancellation of services (e.g., AWS Support), and maintain a runbook for Account/Customer Lifecycle.

Cloud Management Account Controls

At Playground Tech, we understand the importance of maintaining appropriate Service Control Policies (SCPs) to ensure that our customers' data and information are secure.

Our Cloud Management Account Controls include:

  • Account unlinking is blocked to prevent any unauthorized changes.
  • Deny access from the root user in AWS Organization member accounts.

Root User Usage

Playground Tech does not use the AWS root user in any account for any purpose other than mandatory root actions such as Amazon Route 53 domain changes and account closure. To ensure the security of root user access, we follow the guidelines below:

  • Playground Tech ensures that root user access is not used in any AWS account on a regular basis.
  • Playground Tech is aware of the most common account-level compromises, which involve a guessed root email address combined with a phishing attempt or the use of commonly used passwords.
  • Playground Tech denies access from the root user in AWS Organization member accounts using a service control policy (SCP) and ensures that no access keys exist for the root user.
  • Playground Tech enforces multi-factor authentication (MFA) on all customers and internal root users, without exception, and ensures that root user credentials are securely stored using the four-eyes principle.
  • Playground Tech created an Amazon EventBridge rule to notify root user login, and we make sure that root user credentials are reset with a strong password.
  • Playground Tech defines, establishes, and enforces the separation of duties and applies dual control for secrets. We enable MFA for the root account and store the root password in a secrets management platform (1Password) and the MFA in the physical vault. We also separate ownership of the password and the MFA between two parties.
  • Playground Tech configures alternative contact information for Security, Billing, and Operations and sets up account Security Challenge Questions, which are stored in a secrets management platform (1Password).
  • Playground Tech ensures that root user access is blocked through an SCP and has an alarm in place for any root user usage that is automated.

It is important to note that root user access must be strictly controlled and should only be used for mandatory actions. We take the security of our customers' data very seriously and we adhere to these guidelines to ensure the safety and security of their AWS accounts. If the root user is used in the customer's management account (payer account), a notification will be sent on the preferred communication channel that has been decided on.
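The following is an added example, not Playground Tech's own code, of the kind of check a root-usage alarm performs on CloudTrail records: it keeps events where the root user itself acted and ranks them. The sample records are constructed, and the severity labels and function names are assumptions made for illustration.

```python
# Constructed CloudTrail records for illustration; the account ID is a placeholder.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "CreateAccessKey", "eventType": "AwsApiCall", "userIdentity": ROOT},
    # A service acting on the account's behalf is not interactive root use.
    {"eventName": "Decrypt", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "kms.amazonaws.com"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
]


def is_root_activity(record):
    """True when the root user itself acted (not a service on its behalf)."""
    ident = record.get("userIdentity") or {}
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def classify(record):
    """Return (severity, reason) for a root event, or None for anything else."""
    if not is_root_activity(record):
        return None
    name = record.get("eventName", "")
    if name == "ConsoleLogin":
        result = (record.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (record.get("additionalEventData") or {}).get("MFAUsed")
        if result != "Success":
            return ("high", "failed root console login")
        if mfa != "Yes":
            return ("critical", "root console login without MFA")
        return ("high", "root console login")
    if name == "CreateAccessKey":
        return ("critical", "access key created for the root user")
    return ("high", f"root API call: {name}")


def root_findings(records):
    """Classify every record and keep only the root-user findings."""
    return [c for c in map(classify, records) if c is not None]
```

The failed-login case matters here because a guessed root email address with a weak password shows up first as repeated `ConsoleLogin` failures.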

Account Access

At Playground Tech, we utilize centrally managed identities and have individual accounts in our identity provider (IDP). We access our customers' management accounts via federation using temporary credentials. It is important to note that we never use shared credentials. In all circumstances, roles are used unless it is impossible to do so.

It is important to note that under no circumstances are Solution Providers allowed to enter the end customer's account. Playground Tech only accesses the management (payer) account to perform day-to-day activities as required to fulfil our responsibility as a Solution Provider. We will also access the management (payer) account to perform updates to the service we are delivering. We ensure that MFA and strong password policies are enforced to manage access to customer resources. We also follow the concept of least privilege and have established a mechanism to evaluate and restrict permissions. We actively revoke and prohibit the customer's ability to elevate permissions via role assumption or new user/role creation in the management (payer) account to comply with AWS requirements.

We ensure that cross-account roles are used for all access to customer accounts, and there are no one-off IAM accounts for users to authenticate to customer accounts. We also ensure that any historical use of customer-provided IAM credentials is deprecated.

We have deployed automation to audit and scan for changes to permissions in the management (payer) account. We notify upon findings and take immediate action to disable the credentials.

Logging & Audit

At Playground Tech, we have the ability to disable or lock out users for suspicious activity in the management (payer) account, such as failed authentication attempts and suspicious login origins.

We implement CloudTrail to track all API activities against all AWS Accounts in the AWS Organization. This allows us to perform any forensic work needed during a potential breach of the account. We implement CloudWatch alarms for the most relevant CloudTrail events and maintain a runbook to make audit logs and dashboards available to customers on demand, in the management (payer) account. We also recommend considering using Amazon Detective, Amazon GuardDuty, and AWS Security Hub to enhance your logging and auditing capabilities.

AWS Access Keys

At Playground Tech, we take great care to ensure that AWS Access Keys are not utilized to access customers' management accounts. The Access Keys used to assume roles in the customer management accounts are rotated every 90 days and cannot be used unless MFA is present.

We have also implemented Trusted Advisor (Cross Account) and configured notifications to help us identify any potential security risks. Additionally, we have a runbook in place that outlines the steps we take to rotate AWS Access Keys, which helps us stay organized and ensure that we do not miss any important steps.

We also have a strict policy in place that prohibits the hardcoding of IAM credentials or Access Keys for any purpose, both for our customers and internal system usage. To further strengthen our security posture, we have implemented a code scanner that prevents sensitive information from being committed to our code repositories.

Lastly, we have configured the AWS Health Dashboard (Cross Account) and notifications to keep us informed about any potential issues that may impact our services or our customers' services. Overall, these measures help us maintain a high level of security and ensure that our customers' data remains protected.

Elevating permissions

At Playground Tech, we ensure that we and our customers are not able to elevate their permissions via role assumption or new user/role creation in the management (payer) account. This includes our internal accounts as well. We actively review and restrict permissions, baselining the group and role membership of identities, and evaluating the specific permissions granted to groups and roles. We also regularly review AWS IAM policies using IAM Access Analyzer and similar tools.