2026-02-22 05:37:03 +00:00

AWS Image Processing Infrastructure

Production-ready, security-hardened serverless image processing built on the AWS always-free tier.


Security Posture

Control              Implementation
Encryption           KMS (CMK) for S3, SNS, Lambda env vars
Access Control       Least-privilege IAM, no public access
Audit Logging        CloudTrail, S3 access logs (365 days)
Threat Detection     GuardDuty, Security Hub enabled
Compliance           AWS Config rules, CIS benchmarks
Incident Response    SNS alerts, runbook documented

See SECURITY.md for full security policy.


Architecture

S3 (KMS) → Lambda (hardened) → DynamoDB (encrypted) → SNS (KMS)
                              ↓
                    CloudWatch + GuardDuty + Security Hub

Free Tier Services

Service      Limit                 Safeguard
Lambda       1M invocations/mo     Concurrency limit
S3           5GB storage           30-day lifecycle
DynamoDB     25GB storage          90-day TTL
SNS          1M notifications/mo   Topic policy
CloudWatch   10 alarms             Using 6 alarms

Quick Start

Prerequisites

# AWS CLI configured with appropriate permissions
aws sts get-caller-identity

# Terraform installed
terraform version

Deploy

# Security scan + deploy
./scripts/deploy.sh

# Upload image
aws s3 cp image.png s3://$(terraform output -raw s3_bucket_name)/uploads/

Destroy

./scripts/destroy.sh

Image Processing

Filename Pattern       Processing
image.png              Resize to 1024x1024
image_thumb.png        Resize to 200x200
image_grayscale.png    Convert to grayscale

Security: files larger than 10MB or larger than 4096x4096 pixels are rejected. Only JPEG, PNG and WEBP are accepted.
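The limits above are only meaningful if they are checked against the file's content rather than its name. The following is an added example (not the project's lambda/ code) showing how a handler can identify the format from magic bytes and read the dimensions from the PNG, JPEG or WEBP header before any pixel data is decoded, then pick the operation from the filename suffix in the table. The `check_upload` function, the sample header builders and the 10MB/4096 constants are this example's own; Pillow is deliberately not used so it runs offline.

```python
"""Header-level checks for uploaded images, matching the README's limits.
Added example; format comes from magic bytes, size from the header alone."""
import struct

MAX_BYTES = 10 * 1024 * 1024   # README: files larger than 10MB are rejected
MAX_DIMENSION = 4096           # README: larger than 4096x4096 is rejected
ALLOWED_FORMATS = {"jpeg", "png", "webp"}

# Filename suffix -> operation, taken from the README's filename-pattern table.
OPERATIONS = {"_thumb": ("resize", (200, 200)), "_grayscale": ("grayscale", None)}
DEFAULT_OPERATION = ("resize", (1024, 1024))


def sniff_format(data):
    """Identify the container from its magic bytes; None if unrecognised."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def read_dimensions(fmt, data):
    """Return (width, height) from the header alone; raises ValueError if absent."""
    if fmt == "png":
        # IHDR must be the first chunk: length(4) 'IHDR' width(4) height(4)
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("PNG without leading IHDR chunk")
        return struct.unpack(">II", data[16:24])
    if fmt == "jpeg":
        i = 2  # skip SOI
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("malformed JPEG marker stream")
            marker = data[i + 1]
            if marker == 0xFF:                                    # fill byte
                i += 1
                continue
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
                i += 2
                continue
            if marker in (0xD9, 0xDA):                            # EOI/SOS: no frame header seen
                break
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            # SOF0..SOF15 carry the frame size; 0xC4/0xC8/0xCC are DHT/JPG/DAC, not SOF
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if i + 9 > len(data):
                    break
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return width, height
            i += 2 + seg_len
        raise ValueError("JPEG frame header (SOF) not found")
    if fmt == "webp":
        if len(data) < 30:
            raise ValueError("truncated WEBP header")
        chunk = data[12:16]
        if chunk == b"VP8X":   # extended: 24-bit (width-1), (height-1) at offset 24
            return (int.from_bytes(data[24:27], "little") + 1,
                    int.from_bytes(data[27:30], "little") + 1)
        if chunk == b"VP8 ":   # lossy: 14-bit width/height after the start code
            w, h = struct.unpack("<HH", data[26:30])
            return w & 0x3FFF, h & 0x3FFF
        if chunk == b"VP8L":   # lossless: 14-bit (width-1), (height-1) packed after 0x2F
            bits = int.from_bytes(data[21:25], "little")
            return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1
        raise ValueError("unknown WEBP chunk type")
    raise ValueError("unsupported format")


def check_upload(key, data):
    """Apply the README's limits and pick the operation from the filename suffix."""
    if len(data) > MAX_BYTES:
        return {"accepted": False, "reason": "file larger than 10MB"}
    fmt = sniff_format(data)
    if fmt not in ALLOWED_FORMATS:
        return {"accepted": False, "reason": "not a JPEG/PNG/WEBP (by content)"}
    try:
        width, height = read_dimensions(fmt, data)
    except (ValueError, struct.error) as exc:
        return {"accepted": False, "reason": str(exc)}
    if width > MAX_DIMENSION or height > MAX_DIMENSION:
        return {"accepted": False, "reason": f"dimensions {width}x{height} exceed 4096x4096"}
    stem = key.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    operation = next((op for suffix, op in OPERATIONS.items() if stem.endswith(suffix)),
                     DEFAULT_OPERATION)
    return {"accepted": True, "format": fmt, "width": width, "height": height,
            "operation": operation}


# Constructed sample headers (no pixel data) used to exercise the checks.
def png_header(width, height):
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00")


def jpeg_header(width, height):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = (b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", height, width)
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + sof0


def webp_header(width, height):
    vp8x = (b"VP8X" + struct.pack("<I", 10) + b"\x00\x00\x00\x00"
            + (width - 1).to_bytes(3, "little") + (height - 1).to_bytes(3, "little"))
    return b"RIFF" + struct.pack("<I", 4 + len(vp8x)) + b"WEBP" + vp8x


if __name__ == "__main__":
    print(check_upload("uploads/image_thumb.png", png_header(800, 600)))
    print(check_upload("uploads/cat.png", b"GIF89a" + bytes(32)))  # extension lies about content
    print(check_upload("uploads/huge.jpg", jpeg_header(8000, 100)))
```

Rejecting on header dimensions before decoding is what keeps a small file with an enormous declared canvas from exhausting the 128MB Lambda memory; the size check alone does not cover that case.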


Security Features

Encryption

  • S3: SSE-KMS with customer-managed key
  • DynamoDB: Encryption at rest
  • SNS: KMS-encrypted messages
  • Lambda: Encrypted environment variables

Access Control

  • S3: Block all public access (4 controls)
  • IAM: Scoped to specific resources/prefixes
  • KMS: Key policy restricts usage
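Scoping the IAM policy to prefixes only helps if the function also refuses to act on objects outside the expected prefix, and if it writes results somewhere that cannot retrigger it. The following is an added example (not the project's lambda/ code) of that event-side check: S3 event keys arrive URL-encoded, so they are decoded first, then matched against the `uploads/` prefix from Quick Start, and the output key is derived under a separate prefix. The `processed/` output prefix, the `plan_event` and `select_input_key` names and the sample event are this example's assumptions.

```python
"""Decide which S3 event records the image processor may act on (added example)."""
from urllib.parse import unquote_plus
import posixpath

INPUT_PREFIX = "uploads/"     # README Quick Start uploads to this prefix
OUTPUT_PREFIX = "processed/"  # assumption: outputs go here so the function's own writes never retrigger it
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".webp"}


def normalize_key(raw_key):
    """S3 event keys are URL-encoded (a space arrives as '+'); decode before matching."""
    return unquote_plus(raw_key)


def select_input_key(record, expected_bucket):
    """Return (key, None) for an eligible upload, or (None, reason) when it must be ignored."""
    s3 = record.get("s3", {})
    if s3.get("bucket", {}).get("name") != expected_bucket:
        return None, "unexpected bucket"
    key = normalize_key(s3.get("object", {}).get("key", ""))
    if not key.startswith(INPUT_PREFIX) or key.endswith("/"):
        return None, "outside input prefix"
    # Keys containing '.', '..' or empty segments have no legitimate use here and
    # would misbehave once mapped to a local path or an output key; normpath exposes them.
    if posixpath.normpath(key) != key:
        return None, "traversal-like or malformed key"
    if posixpath.splitext(key)[1].lower() not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    return key, None


def output_key_for(input_key):
    """Derive the destination key under OUTPUT_PREFIX from an accepted input key."""
    return OUTPUT_PREFIX + input_key[len(INPUT_PREFIX):]


def plan_event(event, expected_bucket):
    """Split an S3 event into (input_key, output_key) work items and rejected records."""
    accepted, rejected = [], []
    for record in event.get("Records", []):
        key, reason = select_input_key(record, expected_bucket)
        if key is None:
            rejected.append((record.get("s3", {}).get("object", {}).get("key"), reason))
        else:
            accepted.append((key, output_key_for(key)))
    return accepted, rejected


# Constructed sample event: one valid upload, one of the function's own outputs,
# one non-image object, and one record from a bucket this function does not own.
SAMPLE_EVENT = {"Records": [
    {"s3": {"bucket": {"name": "example-images-bucket"},
            "object": {"key": "uploads/holiday+photo_thumb.png"}}},
    {"s3": {"bucket": {"name": "example-images-bucket"},
            "object": {"key": "processed/holiday+photo_thumb.png"}}},
    {"s3": {"bucket": {"name": "example-images-bucket"},
            "object": {"key": "uploads/notes.txt"}}},
    {"s3": {"bucket": {"name": "other-bucket"},
            "object": {"key": "uploads/x.png"}}},
]}

if __name__ == "__main__":
    work, skipped = plan_event(SAMPLE_EVENT, "example-images-bucket")
    print("process:", work)
    print("ignore:", skipped)
```

The S3 event notification filter can be set to the same prefix on the Terraform side; keeping the check in the handler as well means a later change to the trigger configuration cannot silently widen what the function processes.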

Monitoring

  • Lambda errors → SNS alert
  • Lambda throttles → Security alert (possible DoS)
  • S3 storage >4GB → Cost alert
  • KMS key state → Security alert

Compliance

  • GuardDuty: Threat detection (S3, API)
  • Security Hub: CIS benchmark compliance
  • AWS Config: Resource compliance tracking
  • CloudTrail: API audit logging

Files

.
├── terraform/                    # Infrastructure as Code (371 lines)
│   ├── providers.tf              # AWS provider, backend config
│   ├── variables.tf              # Input variables
│   ├── locals.tf                 # Local values
│   ├── kms.tf                    # KMS key for encryption
│   ├── s3.tf                     # S3 buckets (images + logs)
│   ├── dynamodb.tf               # DynamoDB table
│   ├── sns.tf                    # SNS topics
│   ├── iam.tf                    # IAM roles and policies
│   ├── lambda.tf                 # Lambda function + triggers
│   ├── cloudwatch.tf             # CloudWatch logs + alarms
│   ├── security.tf               # GuardDuty, Security Hub, Config
│   └── outputs.tf                # Output values
├── lambda/                       # Image processor (207 lines)
│   ├── config.py                 # Configuration constants
│   ├── image_processor.py        # Image processing logic
│   ├── storage.py                # S3 + DynamoDB operations
│   ├── notifications.py          # SNS notifications
│   ├── lambda_function.py        # Main handler (orchestrator)
│   └── requirements.txt          # Pillow dependency
├── scripts/
│   ├── build_lambda.sh           # Build deployment package
│   ├── deploy.sh                 # Security scan + deploy
│   ├── destroy.sh                # Destroy infrastructure
│   └── security_scan.sh          # pip-audit + bandit + validate
├── SECURITY.md                   # Security policy (CISO document)
├── INCIDENT_RESPONSE.md          # Incident response runbook
└── README.md                     # This file

Cost Management

Control     Implementation
S3          Delete objects after 30 days
DynamoDB    TTL expires records after 90 days
Lambda      128MB memory, 30s timeout
Logs        30-day retention (CloudWatch)
Alerts      80% of free tier limits

Estimated monthly cost: $0 (within always-free tier)


Compliance

This infrastructure meets requirements for:

  • SOC 2: Encryption, access control, audit logging
  • GDPR: Data minimization (30-day retention), encryption
  • HIPAA: BAA-covered services, encryption at rest/transit
  • PCI DSS: Network segmentation, access control, logging

Note: Full compliance requires organizational controls beyond infrastructure.


Incident Response

See INCIDENT_RESPONSE.md for detailed runbook.

Quick reference:

  • Security alerts: SNS topic (output: security_alerts_topic)
  • GuardDuty findings: Security Hub dashboard
  • Logs: CloudWatch /aws/lambda/image-processor-prod

Development

# Run security scan only
./scripts/security_scan.sh

# Build Lambda package only
./scripts/build_lambda.sh

# Terraform operations
cd terraform
terraform init
terraform plan
terraform apply