From a57355a2729bcf41d9a46b89e7c9312d1883e6c5 Mon Sep 17 00:00:00 2001 From: Paul Schwarzenberger Date: Thu, 25 Jan 2024 11:10:32 +0000 Subject: [PATCH] review module options --- docs/security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/security.md b/docs/security.md index 161b7964..ea199f55 100644 --- a/docs/security.md +++ b/docs/security.md @@ -4,6 +4,10 @@ It's very important to implement your certificate authority (CA) in a secure way: * each CA should be in a dedicated AWS account +* carefully select CA options for this module: + * use ECDSA algorithms rather than RSA (default) + * don't make CRL public unless needed (default) + * review other options from a security perspective * very carefully control AWS IAM principals and permissions * restrict permissions allowing invocation of all Lambda functions * limit access to CA source code repository and CI/CD pipeline
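Review bot: The "(default)" annotation on the two new sub-bullets is ambiguous in the first one; in `* don't make CRL public unless needed (default)` it reads as "the secure choice is the module default", but in `* use ECDSA algorithms rather than RSA (default)` it sits next to RSA and can be read as "RSA is the default", which is the opposite of the recommendation if ECDSA is in fact the default. Suggest rewording so the intent is unambiguous, e.g. `* use ECDSA algorithms rather than RSA (the module default is ECDSA)` or, if RSA is the default, `* change the algorithm from the RSA default to ECDSA`, and apply the same explicit form to the CRL bullet. The third sub-bullet, `* review other options from a security perspective`, gives the reader nothing to act on; a link to the module's variables or options reference, or a short list of the options that have security implications, would make this section useful to someone deploying the CA.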