Encrypt 10 TB Health-Tech Data with Customer-Managed KMS, IRSA & Immutable Vault

Job Overview

Budget: $2,100.00
Level: Senior
Location: Egypt
Job Posted: 26 Sep, 2025
Category: backup
Total Proposals: 0

Job Description

Overview:

You are General Counsel + CISO of a health-tech platform storing 10 TB of patient imaging + genomic data. HIPAA auditors just flagged SSE-S3 encryption as insufficient; they demand customer-managed keys, immutable storage, pod-level identity, signed URLs and 7-year WORM retention. Legal hold is active—deletion or tampering could trigger $1.5 M fine per record.

Zero-Trust Security Outcomes

  • Customer-managed KMS CMK with annual rotation → no AWS root access.
  • S3 Object Lock Compliance Mode 7 years → even root cannot delete.
  • IRSA pod identity → Velero backup pod has no long-lived keys.
  • Signed URLs 15 min expiry for clinician downloads → zero anonymous access.
  • Pen-test + evidence package → auditor-ready ZIP + SHA-256 manifest.

Deep-Dive Engineering Scope

  • Multi-Region KMS Root-of-Trust
    • MRK (Multi-Region KMS CMK) deployed in eu-central-1 primary + eu-west-1 replica.
    • Key policy least-privilege: only Velero IRSA role + legal-hold Lambda.
    • Annual rotation enabled + CloudTrail KMS events → Glacier 7-year.
  • Immutable WORM Vault
    • S3 Bucket with Object Lock Compliance Mode 7 years + Legal Hold ON.
    • Bucket Policy explicit deny: DeleteObject + PutObjectAcl + s3:BypassGovernanceRetention.
    • S3 Inventory daily CSV → stored in separate audit account.
  • Pod-Level Identity (IRSA)
    • OIDC provider federated between EKS and AWS IAM.
    • Velero ServiceAccount annotated with IRSA role → zero AWS_ACCESS_KEY_ID in pod.
    • Session tagging: cost-centre, environment → CloudTrail identity.
  • Signed URL Downloader
    • Lambda (Python) generates presigned GET URL 15 min expiry + IP whitelist.
    • CloudFront WAF rate-limit 100 req/IP/5 min → prevents brute-force.
    • Access logged to Centralized CloudWatch + S3 access logs.
  • Compliance Evidence Package
    • Pen-test scoped to backup endpoints → zero critical findings.
    • SHA-256 checksum manifest of every object → signed with GPG.
    • Legal-hold register (CSV) with object key, retention expiry, case ID.
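
The explicit-deny requirement under Immutable WORM Vault can be checked mechanically before the policy ships. The Python check below is an added example, not part of the original posting or its deliverables; the bucket name example-phi-vault and both sample policies are constructed, and the check counts only an unconditional Deny for all principals on the exact bucket/* ARN.

```python
import fnmatch
import json

# Actions the posting says the bucket policy must explicitly deny.
REQUIRED_DENIES = ("s3:DeleteObject", "s3:PutObjectAcl", "s3:BypassGovernanceRetention")

def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _everyone(principal):
    """True only for Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def missing_denies(policy_json, bucket):
    """Return required actions not covered by an unconditional Deny on bucket/*."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    object_arn = f"arn:aws:s3:::{bucket}/*"
    covered = set()
    for st in statements:
        if st.get("Effect") != "Deny" or st.get("Condition"):
            continue  # a conditional Deny leaves a path around it, so it does not count
        if not _everyone(st.get("Principal")) or object_arn not in _as_list(st.get("Resource")):
            continue  # strict: all principals, exact object ARN only
        for pattern in _as_list(st.get("Action")):  # NotAction statements contribute nothing
            for action in REQUIRED_DENIES:
                # IAM action names are case-insensitive and allow * and ? wildcards
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    covered.add(action)
    return [a for a in REQUIRED_DENIES if a not in covered]

# Constructed sample policies; "example-phi-vault" is a placeholder bucket name.
ARN = "arn:aws:s3:::example-phi-vault/*"
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:Delete*", "Resource": ARN},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObjectAcl", "Resource": ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": list(REQUIRED_DENIES), "Resource": ARN}})

if __name__ == "__main__":
    print("weak policy is missing:", missing_denies(WEAK, "example-phi-vault"))
    print("hardened policy is missing:", missing_denies(HARDENED, "example-phi-vault"))
```

The weak sample fails on two counts: its PutObjectAcl deny is conditional, and nothing denies s3:BypassGovernanceRetention.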

Enterprise Deliverables

  • KMS key policy JSON + S3 bucket Terraform + IRSA role YAML.
  • Signed URL generator Lambda (zip) + Terraform module.
  • Evidence bundle: pen-test PDF, SHA-256 manifest, legal-hold CSV.
  • Board-level slide: risk before vs after, fine avoidance, audit timeline.

Skills

  • Compliance with backup security regulations
  • Penetration testing methodologies and tools


Author Spotlight

Amira Youssef

Client

Member Since: Oct 26, 2024
Total Created Jobs: 6