Found Description
Production stand-up (early in the engagement).

- Create the production AWS account in the Canadian region (ca-central-1), organizationally separate from staging, with Organization-level federation. This requires AWS Organization administrator credentials Parx alone cannot exercise.
- Apply the Parx-built Terraform modules to the production account: baseline service-control policies (data residency, root denial, multi-factor authentication, public-S3 denial, security-service denial), customer-managed KMS keys, least-privilege IAM roles, CloudWatch alarms and log shipping, S3 with seven-year Object Lock retention, AWS Secrets Manager with rotation lambdas
- Activate the CI/CD production pipeline with environment-gated deploys (manual approval required for production)
- Production deployment of the signed-receipt KMS asymmetric migration (already validated in dev and staging)
- Production deployment of the operational key-custody infrastructure (already validated in dev and staging): rotating servic...