    Xperlock - Cloud Security and Compliance for AWS

    Deploy secure AWS cloud enclaves with out-of-the-box SOC2, HIPAA, and CUI compliance. Reduce setup time and costs by up to 70%, while giving you complete peace of mind.

    Overview

    Xperlock works by configuring and orchestrating a wide set of AWS services. These services are grouped below by the roles they play in the solution:

    1. Isolation & Network Architecture

    To ensure strict environment separation and secure connectivity:

    • AWS Organizations: Used to isolate workloads across multiple AWS accounts, enforcing least-privilege access at the org level.
    • Amazon VPC: Sets up dedicated virtual networks for different environments (e.g., dev, staging, prod), each with tightly controlled access.
    • AWS Transit Gateway: Connects these VPCs with centralized routing and simplified inter-VPC communication, while enforcing isolation boundaries.

    2. Governance & Access Control

    To establish strong policy enforcement, access management, and operational control:

    • AWS Control Tower: Provides a governed landing zone with preconfigured blueprints, SCPs, and lifecycle management.
    • Service Control Policies (SCPs): Used to restrict and control actions across AWS accounts to meet security policies.
    • IAM & AWS Identity Center: Manage fine-grained access for both human users and service roles across your accounts.
    • AWS Systems Manager: Enables centralized operational control, including patching, inventory collection, and secure shell access.

    3. Monitoring, Logging & Visibility

    To provide full transparency into activity, changes, and performance:

    • Amazon CloudWatch Logs: Captures logs from across the environment for real-time visibility.
    • AWS CloudTrail: Records API calls and user activity for audit and forensic purposes.
    • Amazon S3: Central repository for storing logs, backups, and audit trails in a secure, durable way.
    • Amazon Kinesis Data Streams & Firehose: Enable real-time streaming of logs to destinations like S3 or third-party SIEM tools.

    4. Compliance & Continuous Audit

    To track resource configurations and detect misalignment with compliance baselines:

    • AWS Config: Continuously evaluates resource states against policy rules, with drift detection and remediation support.
    • AWS Security Hub: Aggregates findings from multiple sources and maps them to compliance standards like CIS, HIPAA, and PCI.

    5. Data Protection & Resilience

    To secure sensitive data and ensure business continuity:

    • AWS KMS: Manages customer master keys for encryption at rest across services.
    • AWS Secrets Manager: Stores and rotates credentials, API keys, and tokens securely.
    • AWS Network Firewall & AWS WAF: Provide perimeter protection against unauthorized access and web-based threats.
    • AWS Backup: Automates backups across AWS services and ensures compliance with retention policies.

    Highlights

    • Deploy in Hours Using AWS Native Services: Set up a secure, production-ready, and compliant AWS environment in a day—no third-party tools required.
    • Framework-Aligned Compliance: Supports SOC 2, HIPAA, ISO 27001, NIST, CUI, PCI-DSS, and FedRAMP requirements out of the box.
    • Audit-Ready from Day One: Logging, monitoring, and compliance tracking are preconfigured to simplify audits and security reviews.

    Details

    Delivery method

    Deployed on AWS

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.

    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
