# AWS Image Processing Infrastructure

**Production-ready, security-hardened serverless image processing using AWS always-free tier.**

---

## Security Posture

| Control | Implementation |
|---------|----------------|
| Encryption | KMS (CMK) for S3, SNS, Lambda env vars |
| Access Control | Least-privilege IAM, no public access |
| Audit Logging | CloudTrail, S3 access logs (365 days) |
| Threat Detection | GuardDuty, Security Hub enabled |
| Compliance | AWS Config rules, CIS benchmarks |
| Incident Response | SNS alerts, runbook documented |

**See [SECURITY.md](SECURITY.md) for full security policy.**

---

## Architecture

```
S3 (KMS) → Lambda (hardened) → DynamoDB (encrypted) → SNS (KMS)
                   ↓
     CloudWatch + GuardDuty + Security Hub
```

### Free Tier Services

| Service | Limit | Safeguard |
|---------|-------|-----------|
| Lambda | 1M invocations/mo | Concurrency limit |
| S3 | 5GB storage | 30-day lifecycle |
| DynamoDB | 25GB storage | 90-day TTL |
| SNS | 1M notifications/mo | Topic policy |
| CloudWatch | 10 alarms | Using 6 alarms |

---

## Quick Start

### Prerequisites

```bash
# AWS CLI configured with appropriate permissions
aws sts get-caller-identity

# Terraform installed
terraform version
```

### Deploy

```bash
# Security scan + deploy
./scripts/deploy.sh

# Upload image
aws s3 cp image.png s3://$(terraform output -raw s3_bucket_name)/uploads/
```

### Destroy

```bash
./scripts/destroy.sh
```

---

## Image Processing

| Filename Pattern | Processing |
|-----------------|------------|
| `image.png` | Resize to 1024x1024 |
| `image_thumb.png` | Resize to 200x200 |
| `image_grayscale.png` | Convert to grayscale |

**Security:** Files >10MB or >4096x4096 rejected. Only JPEG/PNG/WEBP allowed.
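Added example, not the project's `lambda/image_processor.py`: a stand-alone Python version of the upload rules in the table above, which reads the dimensions from the PNG, JPEG and WebP headers so the size and pixel limits are enforced (and unreadable headers are rejected) before any image decoder touches the file, then picks the processing step from the filename suffix. The constant names and the returned dictionary layout are assumptions.

```python
import struct
# Limits stated in the README; constant names are assumptions, not lambda/config.py
MAX_BYTES, MAX_DIM = 10 * 1024 * 1024, 4096
ALLOWED_FORMATS = {"png", "jpeg", "webp"}

def detect_format(data: bytes):
    """Identify the container from magic bytes, never from the object key's extension."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def image_dimensions(fmt: str, data: bytes):
    """Return (width, height) read from the header alone, or None if it cannot be read."""
    if fmt == "png" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])                 # IHDR width, height
    if fmt == "jpeg":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])   # SOFn: precision, H, W
                return w, h
            i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]   # skip non-SOF segment
    if fmt == "webp" and len(data) >= 30:
        if data[12:16] == b"VP8X":                               # extended: 24-bit LE dims minus 1
            return int.from_bytes(data[24:27], "little") + 1, int.from_bytes(data[27:30], "little") + 1
        if data[12:16] == b"VP8 " and data[23:26] == b"\x9d\x01\x2a":  # simple lossy: 14-bit dims
            w, h = struct.unpack("<HH", data[26:30])
            return w & 0x3FFF, h & 0x3FFF
    return None

def validate_and_route(key: str, data: bytes) -> dict:
    # Reject before decoding so an oversized or malformed file never reaches Pillow
    fmt = detect_format(data)
    if fmt not in ALLOWED_FORMATS:
        return {"accepted": False, "reason": "unsupported format"}
    if len(data) > MAX_BYTES:
        return {"accepted": False, "reason": "larger than 10MB"}
    dims = image_dimensions(fmt, data)
    if dims is None or max(dims) > MAX_DIM:                      # fail closed on unreadable headers
        return {"accepted": False, "reason": "dimensions unreadable or exceed 4096x4096"}
    stem = key.rsplit("/", 1)[-1].rsplit(".", 1)[0]              # filename without extension
    action = ("resize:200x200" if stem.endswith("_thumb")
              else "grayscale" if stem.endswith("_grayscale") else "resize:1024x1024")
    return {"accepted": True, "format": fmt, "dimensions": dims, "action": action}
```

The WebP branch covers the VP8X and simple lossy VP8 layouts only; a lossless VP8L file returns no dimensions and is therefore rejected rather than passed through unchecked.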
---

## Security Features

### Encryption

- S3: SSE-KMS with customer-managed key
- DynamoDB: Encryption at rest
- SNS: KMS-encrypted messages
- Lambda: Encrypted environment variables

### Access Control

- S3: Block all public access (4 controls)
- IAM: Scoped to specific resources/prefixes
- KMS: Key policy restricts usage

### Monitoring

- Lambda errors → SNS alert
- Lambda throttles → Security alert (possible DoS)
- S3 storage >4GB → Cost alert
- KMS key state → Security alert

### Compliance

- GuardDuty: Threat detection (S3, API)
- Security Hub: CIS benchmark compliance
- AWS Config: Resource compliance tracking
- CloudTrail: API audit logging

---

## Files

```
.
├── terraform/                 # Infrastructure as Code (371 lines)
│   ├── providers.tf           # AWS provider, backend config
│   ├── variables.tf           # Input variables
│   ├── locals.tf              # Local values
│   ├── kms.tf                 # KMS key for encryption
│   ├── s3.tf                  # S3 buckets (images + logs)
│   ├── dynamodb.tf            # DynamoDB table
│   ├── sns.tf                 # SNS topics
│   ├── iam.tf                 # IAM roles and policies
│   ├── lambda.tf              # Lambda function + triggers
│   ├── cloudwatch.tf          # CloudWatch logs + alarms
│   ├── security.tf            # GuardDuty, Security Hub, Config
│   └── outputs.tf             # Output values
├── lambda/                    # Image processor (207 lines)
│   ├── config.py              # Configuration constants
│   ├── image_processor.py     # Image processing logic
│   ├── storage.py             # S3 + DynamoDB operations
│   ├── notifications.py       # SNS notifications
│   ├── lambda_function.py     # Main handler (orchestrator)
│   └── requirements.txt       # Pillow dependency
├── scripts/
│   ├── build_lambda.sh        # Build deployment package
│   ├── deploy.sh              # Security scan + deploy
│   ├── destroy.sh             # Destroy infrastructure
│   └── security_scan.sh       # pip-audit + bandit + validate
├── SECURITY.md                # Security policy (CISO document)
├── INCIDENT_RESPONSE.md       # Incident response runbook
└── README.md                  # This file
```

---

## Cost Management

| Control | Implementation |
|---------|----------------|
| S3 | Delete objects after 30 days |
| DynamoDB | TTL expires records after 90 days |
| Lambda | 128MB memory, 30s timeout |
| Logs | 30-day retention (CloudWatch) |
| Alerts | 80% of free tier limits |

**Estimated monthly cost: $0** (within always-free tier)

---

## Compliance

This infrastructure meets requirements for:

- **SOC 2**: Encryption, access control, audit logging
- **GDPR**: Data minimization (30-day retention), encryption
- **HIPAA**: BAA-covered services, encryption at rest/transit
- **PCI DSS**: Network segmentation, access control, logging

**Note:** Full compliance requires organizational controls beyond infrastructure.

---

## Incident Response

**See [INCIDENT_RESPONSE.md](INCIDENT_RESPONSE.md) for detailed runbook.**

Quick reference:

- **Security alerts**: SNS topic (output: `security_alerts_topic`)
- **GuardDuty findings**: Security Hub dashboard
- **Logs**: CloudWatch `/aws/lambda/image-processor-prod`

---

## Development

```bash
# Run security scan only
./scripts/security_scan.sh

# Build Lambda package only
./scripts/build_lambda.sh

# Terraform operations
cd terraform
terraform init
terraform plan
terraform apply
```