This guide provides common answers to frequently asked question related to architecture and security practices at Nuclei.
In general, Nuclei adheres to the “Serverless Application Lens” that is part of the “AWS Well-Architected Framework” to ensure that all applications and workloads are architected according to best practices from AWS.
The "Security Pillar" of the framework includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Nuclei implements all five best practice areas for security in the cloud, including:
- Identity and access management
- Detective controls
- Infrastructure protection
- Data protection
- Incident response
Serverless architectures like Nuclei's address some of today’s biggest security concerns as it removes infrastructure management tasks, such as operating system patching, updating binaries, etc.
Frequently Asked Questions
Which security features of AWS are being used?
In general, we adhere to the “Serverless Application Lens” that is part of the “AWS Well-Architected Framework” to ensure that all applications and workloads are architected according to best practices from AWS. (which includes the “Security Pillar”)
Nuclei's complete technology stack is “serverless”, which eliminates some of the largest security concerns from the beginning:
Traditional AWS Application
Platform, OS, network, data at rest and in transit security shifts to Vendor or Customer
Serverless AWS Application
Platform, OS, network, data at rest and in transit security shifts to AWS
Unlike a traditional application running in the Cloud, with a serverless architecture AWS manages the underlying infrastructure, foundation services, virtualization layers, operating systems, and application platforms (see Shared Responsibility Model – Lambda) which significantly reduces our risk surface and eliminates some of the largest security risks.
We also use several security oriented services from AWS to optimize our security posture, including:
- AWS Organizations (Hard separation of PROD / DEV / TEST resources at the AWS account level)
- AWS Parameter Store and AWS Secrets Manager
- AWS Config
- AWS Security Hub
Is MFA used?
Yes. MFA is mandatory for all AWS IAM user accounts, and we use the Virtual MFA device form factor for all users.
What password policies are set?
At present we are mirroring the recommendations from NIST (Section 5.1.1 – Memorized Secrets)
One exception is that we extend the minimum password length to 18 characters.
For more information on Nuclei's security posture, please contact our network security team at firstname.lastname@example.org.