Remediation Roadmap¶

Last updated: 2026-04-04 — reflects DA-18 (HA/DR completions)

Full machine-readable tracker: checklists/remediation-tracker.yml (repo root)

Phase 1 — Critical: Encryption & Network¶

These items must be completed before any PHI workload is live in AWS.

ID	Task	Status	Terraform
REM-001	Deploy KMS CMKs in NVS	✅ Done (DA-11)	`tofu/modules/kms`
REM-002	Deploy KMS CMKs in NHC	✅ Done (DA-15)	`tofu/modules/kms`
REM-003	Encrypt existing EBS volumes (NVS)	❌ Pending (DA-14)	`tofu/modules/ec2`
REM-004	New EC2 EBS volumes encrypted (NHC)	✅ Done (DA-15) — EC2 module enforces KMS encryption on root volume	`tofu/modules/ec2`
REM-005	Enforce SSE-KMS on all S3 buckets (NVS)	✅ Done (DA-11)	`tofu/modules/s3`
REM-006	Enforce HTTPS on Django API	✅ Done (DA-15 Phase 3) — ALB (TLS 1.2+1.3) + WAF deployed, HTTP→HTTPS redirect, DNS verified	`tofu/modules/alb`, `tofu/modules/waf`
REM-007	Enforce HTTPS on Laravel	❌ Pending	`tofu/modules/waf`
REM-008	NHC VPC — private subnets, NAT Gateway	✅ Done (DA-15)	`tofu/modules/vpc`
REM-008b	NVS VPC hardening — move EC2 off public IP	⏳ Deferred (DA-13)	`tofu/modules/vpc`

EBS Encryption Note

Encrypting existing EBS volumes requires: snapshot → create encrypted copy → swap the volume. This requires a maintenance window. Plan accordingly.

ID	Task	Status	Terraform
REM-009	CloudTrail (multi-region) in NVS	✅ Done (DA-11)	`tofu/modules/cloudtrail`
REM-010	CloudTrail (multi-region) in NHC	✅ Done (DA-15)	`tofu/modules/cloudtrail`
REM-011	VPC Flow Logs in NVS	⏳ Deferred (DA-13)	`tofu/modules/vpc`
REM-011b	VPC Flow Logs in NHC	⏳ Pending (DA-15 Phase 5)	`tofu/modules/vpc`
REM-012	AWS Config + HIPAA conformance pack (NVS)	✅ Done (DA-11)	`tofu/modules/config`
REM-012b	AWS Config + HIPAA conformance pack (NHC)	✅ Done (DA-15)	`tofu/modules/config`
REM-013	GuardDuty (NVS; org-delegated admin pending)	✅ Partial (DA-11)	`tofu/modules/guardduty`
REM-013b	GuardDuty (NHC)	✅ Done (DA-15)	`tofu/modules/guardduty`
REM-014	Security Hub + NIST 800-53 (NVS)	✅ Done (DA-11)	`tofu/modules/securityhub`
REM-014b	Security Hub + NIST 800-53 (NHC)	✅ Done (DA-15)	`tofu/modules/securityhub`

ID	Task	Status	Terraform
REM-015	MFA enforcement SCP at Org level	❌ Pending	`tofu/org/scp/require-mfa.json`
REM-016	IAM audit + least-privilege remediation	❌ Pending	`tofu/modules/iam`
REM-017	SSM Session Manager (replace SSH)	✅ Done (DA-15) — all EC2 use SSM, no SSH keys	`tofu/modules/ec2`
REM-018	Cross-account IAM role NVS → NHC	❌ Pending	`tofu/modules/iam`

ID	Task	Status	Terraform
REM-019	KMS-encrypted screenshot S3 bucket (NVS)	✅ Done (DA-11)	`tofu/modules/s3`
REM-020	CloudWatch alarm on screenshot bucket	❌ Pending	`tofu/accounts/nvs`
REM-021	Document screenshot PHI handling policy	✅ Done	`docs/data-flows/screenshot-phi-handling.md`

ID	Task	Status	Terraform
REM-022	AWS Backup plan + encrypted vault (NHC)	✅ Done (DA-15)	`tofu/modules/backup`
REM-023	Cross-region backup (NHC → us-west-2)	✅ Done (DA-18) — `nhc-dr-backup-vault` with dedicated KMS key	`tofu/accounts/nhc/backup_dr.tf`
REM-024	RDS Multi-AZ (Django MySQL)	✅ Done (DA-18) — auto-failover enabled	`tofu/accounts/nhc/rds.tf`
REM-025	RDS Multi-AZ (WP CMS MariaDB)	✅ Done (DA-18) — auto-failover enabled	`tofu/accounts/nhc/rds.tf`
REM-026	EC2 Auto-Recovery alarms	✅ Done (DA-18) — all 4 instances	`tofu/modules/ec2`
REM-027	ElastiCache Redis (managed, encrypted)	✅ Done (DA-18) — at-rest KMS + in-transit TLS	`tofu/modules/elasticache`

ID	Task	Status	Doc
REM-028	Formal security risk assessment	❌ Pending — sign-off required	`docs/gap-analysis/index.md`
REM-029	Incident response plan	✅ Draft	`docs/policies/incident-response.md`
REM-030	Breach notification procedure	✅ Draft	`docs/policies/breach-notification.md`
REM-031	Contingency / DR plan	✅ Draft	`docs/policies/contingency-plan.md`
REM-032	Data retention policy	✅ Draft	`docs/policies/data-retention.md`
REM-033	Workforce training program	✅ Draft	`docs/policies/workforce-training.md`
REM-034	Third-party BAA audit	❌ Pending — SaaS tools not inventoried	`docs/baa/index.md`