Pre-Production Checklist

Space Duck Launch Checklist

Complete these items before going live with a Space Duck deployment. Check each item as you complete it — progress is saved locally in your browser.

0 of 23 items complete

🔒 Security Hardening 0/5

Rotate all Beak Keys before go-liveEnsure no development or test keys are active in production. Issue fresh keys from the Beak Key Manager.
Enable Cognito MFA for admin accountsAll T2+ accounts with admin access must have MFA enabled in AWS Cognito user pool settings.
Configure Turnstile bot protection on all formsCloudflare Turnstile must be active on signup, login, and password reset forms.
Verify Lambda IAM roles are least-privilegeEach Lambda function should only have permissions required for its specific task. Audit with IAM Access Analyzer.
Enable CloudTrail logging in us-east-1All API Gateway and Lambda calls should be logged. Verify CloudTrail is active and S3 log bucket is configured.

📧 SES/SNS Sandbox Exit 0/4

Request SES production accessSubmit an AWS SES sandbox exit request. Required before sending emails to non-verified addresses in production.
Verify sending domain with DKIM and SPFAdd DKIM records and SPF policy for your sending domain. Verify in SES console that all records resolve correctly.
Configure SNS topic for delivery notificationsSet up bounce and complaint handling via SNS. High bounce rates will suspend SES sending.
Test transactional email flows end-to-endConfirm welcome email, cert issuance notification, and password reset emails all arrive and render correctly.

🌐 Domain Validation 0/3

Verify ACM certificate is issued and activeCheck AWS Certificate Manager in us-east-1. Certificate must be ISSUED status (not PENDING) before CloudFront will serve HTTPS.
Set DNS apex and www CNAME to CloudFront distributionBoth the apex domain and www subdomain should resolve to your CloudFront distribution domain (*.cloudfront.net).
Test custom domain returns HTTP 200curl -I https://yourdomain.com should return 200 with Content-Type: text/html. Check both apex and www.

Bot Agent Registration 0/4

Register at least one production ORCHESTRATOR agentYour ORCHESTRATOR agent must be registered and bonded before deploying WORKER or AGENT types.
Issue Birth Certificates for all agentsEvery agent must have a valid Birth Certificate before making Peck Protocol calls in production.
Assign correct trust tiers to all agentsReview agent trust tier assignments. Downgrade any agents in production that have test T2 elevations.
Test a full Peck Protocol handshake in productionVerify that bonded agents can successfully exchange an authenticated peck request and the audit trail records it.

📊 Monitoring Setup 0/4

Configure CloudWatch alarms for Lambda error ratesSet alarms for >1% error rate on all production Lambda functions with SNS notification to on-call email.
Set up API Gateway 5xx error alertingCreate a CloudWatch metric filter on API Gateway logs and alert on >5 5xx errors in a 5-minute window.
Verify /beak/system/status reflects real infrastructure stateManually degrade a Lambda and confirm /beak/system/status returns "degraded". Restore and confirm "operational".
Enable DynamoDB capacity alarmsSet CloudWatch alarms on DynamoDB consumed capacity. Alert at 80% of provisioned capacity.

🏅 Cert Issuance Test 0/3

Perform a full test cert issuance with a real accountCreate a new T1 account and complete the cert issuance flow. Download the PDF cert and verify the HMAC signature.
Verify cert is viewable at /share-cert.htmlConfirm the public cert share URL resolves correctly and shows the correct duckling name and issuance timestamp.
Test cert audit trail in DynamoDBOpen the DynamoDB cert table and confirm the issuance event is recorded with correct timestamp, duckling ID, and trust tier.