Skip to content

Add ISO 27001 / SOC2 / Vanta compliance requirements to coding standard #37

Description

@akuzminsky

Problem

The coding standard lacks a dedicated section on compliance requirements (ISO 27001, SOC2, Vanta).
Without this, AI coding assistants and new contributors make incorrect assumptions about data
classification and retention — e.g., treating access logs as "ephemeral data" when they are
compliance-required audit records.

What's needed

A new chapter/document covering compliance requirements that InfraHouse infrastructure must meet.
Topics to cover (non-exhaustive):

  • Data classification — which data is compliance-governed (access logs, audit trails,
    CloudTrail, VPC flow logs) vs truly ephemeral (build artifacts, Athena query results)
  • Retention requirements — minimum retention periods mandated by ISO/SOC2
    (e.g., 365 days for logs)
  • Cross-region replication — Vanta test: "S3 backup configured for redundancy across
    regions (AWS)" requires CRR on S3 buckets; this is not optional nice-to-have
  • Destruction safeguards — production buckets containing compliance data must NOT default
    to force_destroy; only test environments should opt in explicitly
  • Vanta controls mapping — key Vanta tests and what infrastructure properties satisfy them
  • Encryption requirements — at rest and in transit, which keys to use where
  • Audit trail integrity — requirements around immutability and tamper evidence

Why

This context is critical for making correct infrastructure decisions. Without it codified:

  • AI tools suggest unsafe defaults (force_destroy=true on audit logs)
  • Contributors may skip CRR thinking it's gold-plating
  • Review feedback lacks an authoritative reference to point to

Seen in

infrahouse/terraform-aws-website-pod#121 — incorrect suggestion
to default force_destroy=true on access log buckets that are compliance-required.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions