- OAuth 2.0 via external provider
- JWT + PKCE auth flow
- TLS everywhere
- Security groups scope ingress
- CloudFront CDN + WAF
- S3 buckets (OAI-protected)
- ALB → ECS / Lambda
- RDS PostgreSQL (Multi-AZ)
- PostgreSQL primary
- Static assets on S3
- CDN-cached GET responses
- Daily snapshots retained 30d