tecRacer Security Review

As a customer, you use AWS infrastructure to run your applications and to allow access to them from the Internet or intranet. For security within the cloud, AWS provides active security systems by default and undergoes regular external audits – but you, as a customer, are responsible for correctly making all other necessary security configurations. AWS calls this the shared responsibility model.

To support you and the work you have done, we are reviewing your architecture. The review is not done from a purely technical perspective as we align it with your individual use case, industry-specific requirements, and substantial risks.

Our consultants are thus able to identify the gaps and suggest improvements – something that fully automated reviews can only do to a limited extent or not at all.

The tecRacer Security Review is based on the following recommendations and standards, among others: 

• Typical industry project experience
• AWS whitepapers and best practices
• Recommendations from the ISO 27.000 series
• Security benchmarks from the Center for Internet Security (CIS)
• European Union Agency for Network and Information Security (ENISA)
• Controls from the Cloud Security Alliance (CSA)
• German Federal Office for Security (BSI) IT basic protection catalogs
• National Institute of Standards and Technology (NIST) SP 800 series 

The tecRacer Security Review consists of a kickoff meeting where you give us an overview of your architecture, systems, and use cases. We are then given read-only access to your accounts and infrastructure via a temporary CloudFormation stack deployed by you.

In the following days, we audit your account, VPCs, and the AWS services you use for security issues, compile our findings in a document, prioritize issues with risk classes and levels of compliance, and ultimately recommend actions to fix them.

Depending on your preference, Audited are up to three levels: AWS configuration (account, IAM rights, EC2, RDS, VPC, S3, …), operating system configuration of the EC2 instances (Windows, Linux), and your Docker/Kubernetes setup.

The results of our review are written in a document with approximately 80-160 pages. The document contains three sections, each providing the intended recipients – management, IT management or IT security (CISO), and technicians – with factual information and transparent action recommendations.

All results are structured into risk classes and degrees of fulfillment. So you and your team can prioritize and work through point by point.

We can send you the results in JSON format to support your workflows so they allow an import to Jira, for example. Of course, you can also receive the raw data of our scans in JSON format upon request.
All scan data is stored in an encrypted and audit-proof manner and deleted by default after three months to prevent leaks of this critical information.