NVS Account Architecture¶
Account Details¶
| Field | Value |
|---|---|
| Account Name | NVS (Nova Virtual Solutions) |
| Account ID | 234828143517 |
| Account Type | Member account under Org |
| Primary Region | ap-southeast-1 (Singapore) — RDS, future compute |
| Current Compute Region | ap-northeast-1 (Tokyo) — EC2 pending migration (DA-13) |
| PHI in Scope | None currently — screenshot feature not yet implemented. Account is being brought to HIPAA standards in preparation. Full scope activates when screenshot feature goes live. |
Purpose¶
Hosts the Laravel VA management application and screenshot service. VA employees support US healthcare clientele. The account is not yet handling PHI — the screenshot feature that will capture PHI is not yet implemented. HIPAA controls are being deployed proactively so the account is compliant before PHI goes live.
Deployed Infrastructure (IaC — tofu/accounts/nvs/)¶
| Service | Resource | Status | Notes |
|---|---|---|---|
| KMS | prod-nvs-kms-ebs | ✅ Deployed | EC2 EBS encryption (existing unencrypted volumes still pending DA-14) |
| KMS | prod-nvs-kms-s3 | ✅ Deployed | S3 + IAM module |
| KMS | prod-nvs-kms-rds | ✅ Deployed | RDS (Singapore) |
| KMS | prod-nvs-kms-cloudtrail | ✅ Deployed | CloudTrail logs |
| S3 | prod-nvs-s3-access-logs-* | ✅ Deployed | Server access logs target |
| S3 | prod-nvs-va-screenshots-* | ✅ Deployed | PHI scope — SSE-KMS, versioned, logged |
| CloudTrail | nvs-trail | ✅ Deployed | Multi-region, KMS encrypted |
| GuardDuty | — | ✅ Deployed | SNS alerts on High/Critical findings |
| Security Hub | — | ✅ Deployed | AWS Foundational + NIST 800-53 Rev 5 |
| AWS Config | nvs-config-recorder | ✅ Deployed | + HIPAA conformance pack (21 rules) |
| IAM | SSM instance profile, Access Analyzer | ✅ Deployed | |
| RDS | prod-nvs-hris (MariaDB 10.11) | ✅ Deployed | Retained as active prod/backup DB — no other backup in place. DA-13 will connect Laravel. |
| VPC | — | ⏳ Deferred (DA-13) | New VPC planned for compute migration |
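The screenshot bucket row says "SSE-KMS, versioned, logged"; the part that is easy to miss is that default encryption only fills in headers a request leaves out, so a writer can still upload with SSE-S3 or a different key, and any client can still talk plain HTTP. The following is an added example of the bucket with those gaps closed by policy. It is not the tofu/accounts/nvs/ code: the KMS alias `alias/prod-nvs-kms-s3`, the account-id suffix on the bucket names, and all resource labels are assumptions.

```hcl
# Added example, not the tofu/accounts/nvs/ code. Hypothetical: the KMS
# alias, the account-id suffix on both bucket names, and all labels.
data "aws_caller_identity" "current" {}

data "aws_kms_key" "s3" {
  key_id = "alias/prod-nvs-kms-s3" # assumption: the CMK is reachable via this alias
}

resource "aws_s3_bucket" "screenshots" {
  bucket = "prod-nvs-va-screenshots-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "screenshots" {
  bucket                  = aws_s3_bucket.screenshots.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "screenshots" {
  bucket = aws_s3_bucket.screenshots.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "screenshots" {
  bucket = aws_s3_bucket.screenshots.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = data.aws_kms_key.s3.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_logging" "screenshots" {
  bucket        = aws_s3_bucket.screenshots.id
  target_bucket = "prod-nvs-s3-access-logs-${data.aws_caller_identity.current.account_id}" # assumption: same suffix scheme
  target_prefix = "va-screenshots/"
}

# Default encryption is a fallback, not enforcement. The three Deny
# statements refuse plaintext transport, non-KMS SSE, and any KMS key
# other than the bucket's own CMK.
data "aws_iam_policy_document" "screenshots" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.screenshots.arn, "${aws_s3_bucket.screenshots.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
  statement {
    sid       = "DenyNonKmsUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.screenshots.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition { # IfExists: a request with no SSE header falls through to the default
      test     = "StringNotEqualsIfExists"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
  statement {
    sid       = "DenyOtherKmsKeys"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.screenshots.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEqualsIfExists"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [data.aws_kms_key.s3.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "screenshots" {
  bucket = aws_s3_bucket.screenshots.id
  policy = data.aws_iam_policy_document.screenshots.json
}
```

The `IfExists` variants matter: a plain `StringNotEquals` would also deny uploads that omit the SSE headers entirely, which are exactly the ones default encryption is meant to handle. The access-log target bucket is assumed to already grant `logging.s3.amazonaws.com` in its own policy; Deny-only statements with `Principal: *` are not treated as public, so they coexist with `block_public_policy`.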
RDS Details¶
| Field | Value |
|---|---|
| Identifier | prod-nvs-hris |
| Engine | MariaDB 10.11 |
| Instance | db.t3.micro |
| Region | ap-southeast-1 (Singapore) |
| VPC | Default Singapore VPC (temporary — DA-13 will create dedicated VPC) |
| Database | hris |
| Username | laravel |
| Encryption | KMS CMK prod-nvs-kms-rds |
| Backups | 7-day automated retention, daily window 01:00–02:00 SGT (RDS stores the window in UTC: 17:00–18:00) |
| Deletion protection | Enabled |
| Public access | Disabled |
Security Hub Standards¶
Security Hub does not offer a HIPAA standard in ap-southeast-1; the HIPAA-specific rules come from the AWS Config conformance pack listed above. Security Hub provides equivalent control coverage via:
- AWS Foundational Security Best Practices v1.0.0 — baseline AWS security controls
- NIST SP 800-53 Rev 5 — the HIPAA Security Rule safeguards are mapped to NIST 800-53 controls (NIST SP 800-66 Rev 2 crosswalk), chiefly the AC, AU, SC and SI control families
Network Architecture (Current)¶
```text
ap-northeast-1 (Tokyo) — temporary
└── EC2: Laravel app (public IP, directly exposed; pending migration)
ap-southeast-1 (Singapore)
└── Default VPC (default subnets route to the internet gateway)
    └── RDS: MariaDB 10.11 (prod-nvs-hris), Publicly accessible: No;
        reachability is governed by its security group alone until DA-13 moves it to private subnets
```
Target architecture (DA-13):
```text
ap-southeast-1 (Singapore)
└── Dedicated VPC (10.0.0.0/16)
    ├── Public Subnets → ALB (HTTPS only)
    └── Private Subnets
        ├── EC2: Laravel app (migrated from Tokyo)
        └── RDS: MariaDB 10.11 (already here)
```
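The target diagram draws three tiers; the enforcement of those tiers is the security-group chain. Below is an added example of that chain, not the tofu/accounts/nvs/ code. `aws_vpc.nvs`, `aws_subnet.private`, the group names, the Laravel instance serving port 80 to the ALB, and the note about Cloudflare source ranges are all assumptions.

```hcl
# Added example, not the tofu/accounts/nvs/ code. Hypothetical: aws_vpc.nvs
# and aws_subnet.private are the DA-13 VPC resources; Laravel serves HTTP on
# 80 inside the VPC; group names are illustrative.
resource "aws_security_group" "alb" {
  name        = "prod-nvs-alb"
  description = "Public edge: TLS in, app tier out"
  vpc_id      = aws_vpc.nvs.id
}

resource "aws_security_group" "app" {
  name        = "prod-nvs-app"
  description = "Laravel tier: reachable only from the ALB"
  vpc_id      = aws_vpc.nvs.id
}

resource "aws_security_group" "rds" {
  name        = "prod-nvs-rds"
  description = "MariaDB: reachable only from the app tier"
  vpc_id      = aws_vpc.nvs.id
}

# The AWS provider removes the allow-all egress that AWS adds to a new
# group, so every hop below is explicit in both directions.

# Internet -> ALB: 443 only. Narrow cidr_ipv4 to Cloudflare's ranges once
# the DA-13 cutover puts Cloudflare in front (assumption about the design).
resource "aws_vpc_security_group_ingress_rule" "alb_https_in" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.app.id
}

# ALB -> app keys on the ALB's group rather than a CIDR, so nothing else in
# the VPC can reach 80 and the rule survives subnet or IP changes.
resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}

resource "aws_vpc_security_group_egress_rule" "app_to_rds" {
  security_group_id            = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.rds.id
}

# App -> 443 out for SSM, KMS and S3 calls; VPC endpoints would take the
# NAT path out of the PHI data flow entirely.
resource "aws_vpc_security_group_egress_rule" "app_https_out" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_ingress_rule" "rds_from_app" {
  security_group_id            = aws_security_group.rds.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.app.id
}

# Private subnets for the database; the existing aws_db_instance for
# prod-nvs-hris is then pointed at this group and at the rds security group.
resource "aws_db_subnet_group" "private" {
  name       = "prod-nvs-private"
  subnet_ids = aws_subnet.private[*].id
}
```

The move out of the default VPC is done by switching the instance's `db_subnet_group_name` to `aws_db_subnet_group.private` and its `vpc_security_group_ids` to the `rds` group; schedule it in a maintenance window, since it is a modification of the running instance. With `publicly_accessible` already false, the only path to 3306 afterwards is from an instance carrying the `app` group.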
IAM Identity Center (SSO)¶
Configured with Microsoft Entra ID as SAML 2.0 IdP. See IAM Identity Center for full setup details.
Open Items¶
| Item | Jira | Notes |
|---|---|---|
| EC2 migration Tokyo → Singapore | DA-13 | Compute, Cloudflare cutover |
| EBS encryption on existing volumes | DA-14 | Requires snapshot + volume swap |
| S3 remote state backend | DA-15 | Before multi-person tofu usage |
| Laravel S3 file storage migration | DA-12 | BLOCKED — requires app code refactor + PHI audit |
| WAF on Laravel ALB | — | Phase 3 |
| RDS data migration (Tokyo → Singapore) | DA-11 | hris dump → RDS restore pending |