Trust Center
Security
How we protect your operational data at every layer.
Infrastructure
SuiteIQ runs entirely on Amazon Web Services (AWS) in the us-east-1 region.
- ✓ VPC isolation — application servers, databases, and caches run in private subnets with no direct internet access
- ✓ Security groups — defense-in-depth: ALB accepts only HTTPS; ECS accepts only from ALB; RDS and Redis accept only from ECS
- ✓ AWS Fargate — serverless containers with no host OS to patch; container images scanned on every push
- ✓ WAF — AWS WAFv2 with managed rulesets (OWASP common, known-bad inputs, IP reputation) and per-IP rate limiting
Encryption
- ✓ In transit — TLS 1.2+ enforced on all public endpoints (CloudFront, ALB); HSTS headers are set on responses so browsers do not fall back to plain HTTP.
- ✓ At rest — PostgreSQL (RDS) encrypted with AWS-managed KMS keys. S3 buckets use AES-256 server-side encryption. CloudWatch logs encrypted with customer-managed KMS CMK with automatic key rotation.
- ✓ Secrets — database credentials stored in AWS Secrets Manager; never committed to source control or logs
Authentication & Access Control
- ✓ AWS Cognito — enterprise identity provider with SRP (Secure Remote Password) protocol; passwords never transmitted in cleartext
- ✓ MFA — TOTP-based multi-factor authentication; mandatory in production
- ✓ httpOnly session cookies — the session JWT travels only in an httpOnly cookie, so page JavaScript can never read it; refresh tokens are stored server-side only
- ✓ Hospital-scoped isolation — every API call is verified against the user's hospital claim; users at one hospital cannot access another hospital's data
- ✓ Role-based access — admin, nurse, and coordinator roles with least-privilege enforcement at the resolver level
- ✓ Rate limiting — per-IP token bucket (100 req/s, burst 200) to throttle brute-force attempts and abuse
- ✓ User enumeration protection — identical error messages for invalid email and wrong password
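Two of the controls above, the per-IP token bucket and the hospital-scoped, role-checked resolver guard, are easy to get subtly wrong (refilling from wall-clock time, or trusting the hospital id the client sends). The following Node.js sketch is an added example written for this page, not SuiteIQ's own code; the numbers are the ones stated above (100 req/s, burst 200), while the role-to-permission map, the `hospitalId` and `role` claim names, the `patients` field and the `ctx.db` helper are assumptions.

```javascript
// Added example (not SuiteIQ code). Role/permission names, claim names and the
// resolver wiring are hypothetical; the rate-limit numbers come from the list above.

// --- Per-IP token bucket -----------------------------------------------------
// Each IP owns a bucket holding at most `burst` tokens that refills at
// `ratePerSec`. A request costs one token; an empty bucket means HTTP 429.
class TokenBucket {
  constructor(ratePerSec = 100, burst = 200, now = () => Date.now()) {
    this.rate = ratePerSec;
    this.burst = burst;
    this.now = now;            // injectable clock so refill maths can be tested
    this.buckets = new Map();  // ip -> { tokens, last }
  }

  allow(ip, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b) {
      b = { tokens: this.burst, last: t };  // new clients start with a full bucket
      this.buckets.set(ip, b);
    }
    // Refill proportionally to elapsed time, capped at the burst size.
    b.tokens = Math.min(this.burst, b.tokens + ((t - b.last) / 1000) * this.rate);
    b.last = t;
    if (b.tokens < cost) return false;
    b.tokens -= cost;
    return true;
  }
}

// --- Hospital-scoped, role-checked resolver guard ---------------------------
// Hypothetical least-privilege map: nurses read, admins manage tenants/users.
const ROLE_PERMISSIONS = {
  admin: new Set(['readPatients', 'manageUsers', 'provisionHospital']),
  nurse: new Set(['readPatients']),
  coordinator: new Set(['readPatients', 'manageSchedules']),
};

class AuthorizationError extends Error {}

// `claims` is the payload of an already-verified JWT, assumed to carry
// `hospitalId` and `role`. `requestedHospitalId` is whatever the client put in
// the query arguments; it is honoured only when it equals the token's hospital,
// and the resolver then queries by the token's value, never by client input.
function authorize(claims, permission, requestedHospitalId) {
  if (!claims || !claims.hospitalId || !claims.role) {
    throw new AuthorizationError('unauthenticated');
  }
  if (requestedHospitalId !== claims.hospitalId) {
    throw new AuthorizationError('forbidden');  // cross-tenant access attempt
  }
  const allowed = ROLE_PERMISSIONS[claims.role];
  if (!allowed || !allowed.has(permission)) {
    throw new AuthorizationError('forbidden');  // role lacks this permission
  }
  return claims.hospitalId;
}

// Resolver wiring: rate limit first (cheap), then authorization, then data.
const limiter = new TokenBucket();
const resolvers = {
  Query: {
    patients(_parent, args, ctx) {
      if (!limiter.allow(ctx.ip)) throw new Error('rate limited');
      const hospitalId = authorize(ctx.claims, 'readPatients', args.hospitalId);
      return ctx.db.patientsByHospital(hospitalId);  // ctx.db is a stand-in for the data layer
    },
  },
};
```

The guard deliberately returns the hospital id taken from the verified token rather than echoing `args.hospitalId`; even when the two are equal, downstream code should key every query on the value that came from the signed claim. Per-IP buckets also need an eviction policy for idle entries in production (a `Map` that only grows is itself a resource-exhaustion risk); that housekeeping is omitted here.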
Monitoring & Audit
- ✓ Application audit log — append-only record of every privileged action (user management, hospital provisioning, configuration changes) with actor identity, IP address, and timestamp
- ✓ AWS CloudTrail — management events captured across all regions with log file validation
- ✓ Structured logging — JSON-formatted application logs with sensitive data redaction (phone numbers and emails are masked before logging)
- ✓ Container Insights — ECS cluster performance and resource utilization monitoring
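Masking sensitive data before a log line is written, as the structured logging item above describes, means redacting every string field of the record, not just the message. The redactor below is an added example written for this page, not SuiteIQ's code; the field names, sample records and the phone-number pattern (North-American style with optional country code) are assumptions.

```javascript
// Added example (not SuiteIQ code): a structured JSON logger that masks e-mail
// addresses and phone numbers in every string field before the line is emitted.
// Sample records and field names are constructed for illustration.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Deliberately stricter than "any long run of digits" so ISO timestamps and
// numeric IDs survive; assumes North-American-style numbers.
const PHONE_RE = /(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g;

function redactString(s) {
  // E-mail first: a local part may contain digits that the phone rule would otherwise eat.
  return s.replace(EMAIL_RE, '[email redacted]').replace(PHONE_RE, '[phone redacted]');
}

// Walk any JSON-compatible value: strings are masked, arrays and objects are
// recursed into, numbers/booleans/null pass through unchanged.
function redact(value) {
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v);
    return out;
  }
  return value;
}

// Build one JSON log line. The clock is injectable for testing.
function logLine(level, msg, fields = {}, now = () => new Date().toISOString()) {
  return JSON.stringify({ ts: now(), level, msg: redactString(msg), ...redact(fields) });
}

// Usage with a constructed record
console.log(logLine('info', 'Reminder sent to jane.doe@example.org (555-123-4567)', {
  hospitalId: 'hosp-a',
  contact: { phone: '+1 (555) 123-4567', email: 'j@example.org' },
}));
```

The recursive walk matters because contact details usually arrive nested inside request or user objects, and a logger that only scans the top-level message misses them. Regex-based masking is a safety net, not a guarantee: formats outside the patterns (international numbers, obfuscated addresses) pass through, so fields known to hold contact data are better dropped or hashed at the source.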
Development Practices
- ✓ CI/CD — automated linting, testing (282 tests), and deployment via GitHub Actions
- ✓ OIDC federation — no long-lived AWS credentials; GitHub Actions assumes an IAM role via OIDC for each deploy
- ✓ Immutable image tags — ECR tag immutability prevents overwriting released container images
- ✓ Distroless runtime — production containers run on a minimal base image with no shell and no package manager, leaving a minimal attack surface
- ✓ GraphQL complexity limits — server rejects overly complex nested queries to prevent resource exhaustion
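Rejecting over-nested GraphQL queries, as the last item above describes, is usually implemented as a validation rule over the parsed document. The guard below is an added example written for this page, not SuiteIQ's code: it measures selection-set nesting by scanning braces (skipping string literals, block strings and comments) so it runs before any parsing work is done. The depth limit of 8 is an assumed value, not SuiteIQ's.

```javascript
// Added example (not SuiteIQ code): a cheap pre-parse depth guard for GraphQL
// documents. The operation's outer selection set counts as depth 1.
// MAX_DEPTH is an assumed limit.

const MAX_DEPTH = 8;

function selectionDepth(query) {
  let depth = 0, max = 0, inString = false, inComment = false;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inComment) { if (c === '\n') inComment = false; continue; }
    if (inString) {
      if (c === '\\') { i++; continue; }   // skip escaped character
      if (c === '"') inString = false;
      continue;
    }
    if (query.startsWith('"""', i)) {      // block string: skip to closing """
      const end = query.indexOf('"""', i + 3);
      if (end < 0) throw new Error('unterminated block string');
      i = end + 2;
      continue;
    }
    if (c === '#') { inComment = true; continue; }
    if (c === '"') { inString = true; continue; }
    if (c === '{') { depth++; if (depth > max) max = depth; }
    else if (c === '}') depth--;
  }
  if (depth !== 0) throw new Error('unbalanced braces');
  return max;
}

// Returns { ok, depth } or { ok: false, depth, error } for the server to turn
// into a 4xx response before the query is parsed or executed.
function checkQuery(query, maxDepth = MAX_DEPTH) {
  const depth = selectionDepth(query);
  if (depth > maxDepth) {
    return { ok: false, depth, error: `query depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Usage with a constructed query
console.log(checkQuery('query { hospital { wards { beds { id } } } }'));
```

Depth is only one dimension of cost: a query can stay shallow and still fan out through aliases or list fields, so production servers also weight each field and reject documents whose summed cost exceeds a budget; that calculation needs the AST and the schema, which this pre-parse check deliberately does not touch.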
Responsible Disclosure
If you discover a security vulnerability, please report it to security@suiteiq.io. We take all reports seriously and will respond within 48 hours.