IAM and Permissions Model

Dev Ramps uses IAM AssumeRole to access your AWS accounts with the minimum permissions required for deployment operations. You maintain full control over what Dev Ramps can and cannot do.

Least Privilege by Default

The IAM role you grant Dev Ramps is scoped to only the actions needed for deployment. No admin access, no wildcard permissions.

Transparent Permissions

The exact IAM policy is visible during setup. You know exactly what permissions you're granting before you grant them.

No Persistent Credentials

Dev Ramps never stores AWS credentials. Every action uses temporary credentials from STS AssumeRole, automatically rotated.

Revocable Access

Delete the IAM role at any time to immediately revoke all Dev Ramps access. You remain in complete control.

IAM permissions review (acct-prod · us-west-2)

Credential path shown: Dev Ramps, OIDC, STS AssumeRole, temporary credentials.

ecs:UpdateService, ecs:DescribeServices - Deploy and monitor ECS services
ecr:GetAuthorizationToken, ecr:PutImage - Push container images to your registry
s3:PutObject, s3:GetObject - Read and write deployment artifacts
cloudwatch:DescribeAlarms - Monitor alarms for auto-rollback
iam:*, sts:* (except AssumeRole) - Cannot modify IAM roles or policies
kms:Decrypt (customer keys) - Cannot read your encrypted secrets

Your custom policies: Additional permissions from additional_iam_policies.json are merged in. You define exactly what extra access is needed.

You see every permission before you grant it. And you can revoke it anytime.
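A pre-grant check over the merged policy, as an added example that is not Dev Ramps code: it flags any Allow that goes beyond the actions listed above, which is where extras merged from additional_iam_policies.json can widen the role. The names BASELINE, classify and review are hypothetical, the statements are constructed samples with Resource omitted, and the shape of additional_iam_policies.json (a list of standard IAM statements) is an assumption.

```python
import fnmatch
# Actions the page lists as granted; sts:AssumeRole is its stated exception.
BASELINE = {
    "ecs:updateservice", "ecs:describeservices", "ecr:getauthorizationtoken",
    "ecr:putimage", "s3:putobject", "s3:getobject",
    "cloudwatch:describealarms", "sts:assumerole",
}

def _as_list(value):  # IAM accepts a single string or a list for Action
    return [value] if isinstance(value, str) else list(value or [])

def classify(pattern):
    """Return why an action pattern needs review, or None if it is baseline."""
    p = pattern.lower()
    if p in BASELINE:
        return None
    if p == "*" or p.split(":", 1)[0] in ("iam", "sts"):
        return "reaches iam:/sts: beyond AssumeRole"
    if fnmatch.fnmatchcase("kms:decrypt", p):
        return "allows kms:Decrypt"
    if "*" in p or "?" in p:
        return "wildcard action"
    return "outside documented baseline"

def review(statements):
    """List (action, reason) for each Allow grant that exceeds the baseline."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything unlisted
            findings.append(("NotAction", "allows everything not listed"))
        for action in _as_list(stmt.get("Action")):
            reason = classify(action)
            if reason:
                findings.append((action, reason))
    return findings

BASE = [{"Effect": "Allow", "Action": [  # constructed sample of the base grant
    "ecs:UpdateService", "ecs:DescribeServices", "ecr:GetAuthorizationToken",
    "ecr:PutImage", "s3:PutObject", "s3:GetObject", "cloudwatch:DescribeAlarms"]}]
EXTRA = [  # assumed shape of additional_iam_policies.json: a list of statements
    {"Effect": "Allow", "Action": "s3:ListBucket"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "kms:*", "ecs:*"]},
]

if __name__ == "__main__":
    for action, reason in review(BASE + EXTRA):
        print(f"{action}: {reason}")
```

Run it against the policy shown during setup plus your own extras before creating the role; an empty result means the merged grant matches the documented baseline.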
AWS Organization (diagram)

Development AWS Account (us-east-1): Isolated VPC, IAM boundary, security groups, database + cache
Staging AWS Account (us-east-1): Isolated VPC, IAM boundary, security groups, database + cache
Production AWS Account (us-west-2): Isolated VPC, IAM boundary, security groups, database + cache

Links between accounts are marked "no access": separate AWS accounts, no VPC peering, isolated data per environment, cross-env access prohibited.

Strongest isolation boundary AWS provides. Enforced by default.

Environment and Account Isolation

Each environment runs in its own AWS account with complete isolation. Development resources cannot access production data, and staging cannot affect production infrastructure.

Account-Level Separation

Dev, staging, and production run in separate AWS accounts. This is the strongest isolation boundary AWS provides.

Network Isolation

Each environment has its own VPC with no default peering. Network traffic cannot flow between environments without explicit configuration.

Data Isolation

Databases, caches, and storage are provisioned per-environment. Production data is never accessible from lower environments.

Secrets Management

Secrets are stored in AWS Secrets Manager within your accounts and injected into services at runtime. Dev Ramps never sees or stores your secrets—they stay in your AWS environment.

AWS Secrets Manager

All secrets are stored in AWS Secrets Manager with encryption at rest using KMS keys you control.

Automatic Rotation

Configure automatic rotation for database credentials and API keys. Dev Ramps handles rotation without downtime.

Audit Trail

All secret access is logged via CloudTrail. Know exactly when and how secrets are accessed.

No Plaintext Secrets

Secrets are never stored in environment variables, config files, or logs. Injected at runtime via secure channels only.

[Image: Secrets management UI showing global and staged secrets with masked values]

[Image: Pipeline events audit log showing deployment events with timestamps, stages, and event details]

Audit Logs and Approvals

Every action is logged with full context. Deployments, approvals, configuration changes, and user actions are captured in a tamper-evident audit log that satisfies compliance requirements.

Complete History

Every deployment, every approval, every configuration change is recorded. Answer "who changed what and when" for any resource.

Approval Workflows

Require manual approval before production deployments. Approvers see infrastructure diffs and can approve or reject with comments.

Searchable and Exportable

Search audit logs by date, user, resource, or action type. Export to CSV or integrate with your SIEM.

Retention Policies

Configure log retention to meet your compliance requirements. Enterprise plans support extended retention periods.

Encryption

Data protection at every layer

Encryption in Transit

All communication between Dev Ramps and your AWS accounts uses TLS 1.3. API calls, webhook deliveries, and log streaming are encrypted end-to-end.

Encryption at Rest

Your infrastructure is provisioned with encryption enabled by default. EBS volumes, RDS databases, S3 buckets, and secrets are all encrypted using KMS.

Your Keys, Your Control

Encryption uses KMS keys in your AWS accounts. You control key policies, rotation schedules, and access. Dev Ramps never has access to your encryption keys.

Compliance

Built for regulated environments

Dev Ramps is designed to support teams operating in regulated industries. Our security controls align with common compliance frameworks.

SOC 2 Type II

Dev Ramps is currently pursuing SOC 2 Type II certification. Our controls are designed to meet the Trust Services Criteria for security, availability, and confidentiality.

GDPR Ready

Dev Ramps processes minimal personal data. Your application data stays in your AWS accounts and never passes through our systems. Data processing agreements are available.

HIPAA Eligible

For healthcare organizations, Dev Ramps can be configured to support HIPAA compliance. Business Associate Agreements are available for Enterprise customers.

PCI DSS Support

Dev Ramps supports deployment patterns compliant with PCI DSS requirements, including network segmentation, access controls, and audit logging.

Need to discuss specific compliance requirements?

Contact our security team

Our Practices

How we secure Dev Ramps

Security isn't just a feature—it's how we operate.

Secure Development

All code changes go through security review. We use static analysis, dependency scanning, and automated security testing in our CI pipeline.

Penetration Testing

We conduct regular third-party penetration tests and address findings promptly. Summary reports are available to Enterprise customers upon request.

Incident Response

We have documented incident response procedures and maintain 24/7 on-call coverage. Security incidents are communicated transparently to affected customers.

Employee Security

All employees complete security awareness training. Access to production systems requires hardware security keys and is logged.

Vendor Management

Third-party vendors are evaluated for security before integration. We minimize data shared with vendors and require security commitments.

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our responsible disclosure program. Valid reports are acknowledged and addressed promptly.

Questions about security?

Our security team is available to discuss your specific requirements, answer questions, and provide documentation for your security review.