Excuse the aeronautical reference, but I am a product of 80's/90's Air Cadet, Flight Training, Chemical Nuclear Biological Defence Training, and a general Cold War mentality, before the mid-90's foray into an ideally/hopefully endless positive-energy and overly enthusiastic software engineering mentality. In the past we were partial to checklists and up-front planning - I still feel the need for some process planning to figure out if we missed something.


Checklist 

| Ref | Item | Labels | Proposals | Details |
|---|---|---|---|---|
| | User 2FA | security | MFA | |
| | | filtering | S3 Object Lambda attached to S3 Object Lambda Access Point | For redacted or enriched views of base S3 object |
| | Lambda code signing | security | | |
| | Lambda API / User tracking | security, traceability | CloudTrail logs | |
| | Lambda VPC private subnet placement | security | NATGW or VPC endpoint is required - note CloudWatch is a public service | |
| | Long term storage | access, compliance, durability, finops, redundancy, retention | S3 Intelligent-Tiering | 4 levels to S3 Glacier Deep Archive |
| | | compliance, standards | Macie for Personally Identifiable Information (PII) via ML in S3 buckets for HIPAA, GDPR | |
| | Encryption at rest | encryption, security | DynamoDB; RDS; EBS encryption via KMS; Lambda environment variable encryption at rest | |
| | Encryption in transit | | | |

cloud always-free tier minimum cost - maximum coverage

Cloud#PublicCloudFreeTier