Security

Hydrix security posture overview.

This page gives clients a high-level summary of the default security posture for Hydrix-managed sites.

What clients can expect

  • Private-by-default site hosting with blocked public bucket access
  • HTTPS-only delivery through AWS-managed certificates and CloudFront
  • AWS WAF protection at the edge for common web threats and abusive traffic
  • Per-site Cognito identity isolation rather than a shared global site user pool
  • Role-based access with separate super-admin, admin, and user roles
  • Encryption at rest for standard S3 and DynamoDB data stores
  • Centralized logging, audit visibility, and operational monitoring

Isolation

Hydrix provisions each site as its own logical environment with isolated identity and data boundaries.

Edge and transport

Sites are delivered through managed AWS edge and storage services with HTTPS enforcement and WAF coverage.

Authentication

Protected routes use site-scoped Cognito authentication and role-based access controls. MFA/2FA is planned work and is not part of the current default site authentication experience.

Data protection

Standard deployments use private storage patterns and AWS-managed encryption features for stored data.

Email protection

When Hydrix manages email for a site, the domain is configured with SPF, DKIM, DMARC, and SES-verified domain controls.

Monitoring

CloudWatch, CloudTrail, CloudFront, and WAF logging support alerting, operational review, and auditability.

Shared responsibility

Hydrix secures the managed infrastructure baseline. Clients remain responsible for:

  • their site application code and business logic
  • user lifecycle management and access approvals
  • third-party scripts and browser-side integrations
  • endpoint security on administrator devices
  • DNS or registrar actions performed outside Hydrix-managed AWS accounts

Need a deeper review?

Use this page as the first-pass trust overview. For project-specific review, pair it with implementation details, operational documentation, and direct security review as needed.