Settings
PLATFORM ENGINEER
Organization settings, team members, and audit trail
Audit Log (0)
Governance Policies
Security
Encryption at rest enforced
All storage resources must have encryption enabled
Block public S3 buckets
No S3 bucket can have public access enabled
No wildcard IAM policies
IAM policies cannot use * for resource or action
Cost Management
Cost alert at 80% budget
Notify team when environment hits 80% of budget
Auto-destroy idle dev stacks
Dev stacks with no activity for 7 days are destroyed
Compliance
VPC flow logs required
All VPCs must have flow logs enabled for audit
Operations
Production requires PR approval
All prod deploys must go through a reviewed pull request
Require resource tagging
All resources must have team, env, and cost-center tags