# Security Scan Report

**Date:** 2026-02-22  
**Scanner:** Manual + bandit + pip-audit  
**Scope:** All source files (terraform/, lambda/, scripts/)

---

## Executive Summary

| Category | Status | Findings |
|----------|--------|----------|
| Secrets/Tokens | ✓ Pass | 0 issues |
| SAST (Python) | ✓ Pass | 0 issues |
| SAST (Terraform) | ✓ Pass | 0 issues |
| Dependencies | ⚠ Warning | 1 known vulnerability (version constrained) |
| IAM Policies | ✓ Pass | No wildcards |
| Input Validation | ✓ Pass | Implemented |

---

## 1. Secrets and Tokens Scan

**Tool:** grep patterns  
**Result:** ✓ PASS

| Check | Pattern | Result |
|-------|---------|--------|
| AWS Access Keys | `AKIA[0-9A-Z]{16}` | Not found |
| Hardcoded passwords | `password = "..."` | Not found |
| API keys | `api_key = "..."` | Not found |
| Private keys | `BEGIN RSA PRIVATE` | Not found |
| Base64 secrets | `b64decode(...)` | Not found |

---

## 2. SAST: Python (bandit)

**Tool:** bandit  
**Result:** ✓ PASS

```
Total lines of code: 159
Total issues (by severity):
    Undefined: 0
    Low: 0
    Medium: 0
    High: 0
```

Files scanned:

- `lambda/config.py`
- `lambda/image_processor.py`
- `lambda/storage.py`
- `lambda/notifications.py`
- `lambda/lambda_function.py`

---

## 3. SAST: Terraform

**Tool:** Manual review  
**Result:** ✓ PASS

| Control | Status | Evidence |
|---------|--------|----------|
| S3 public access blocked | ✓ | `block_public_acls = true` (4 controls) |
| KMS encryption | ✓ | `aws_kms_key.main` with rotation |
| DynamoDB encryption | ✓ | `server_side_encryption { enabled = true }` |
| DynamoDB PITR | ✓ | `point_in_time_recovery { enabled = true }` |
| Least-privilege IAM | ✓ | Scoped to specific ARNs, no wildcards |
| GuardDuty enabled | ✓ | `aws_guardduty_detector.main` |
| Security Hub enabled | ✓ | `aws_securityhub_account.main` |
| S3 access logging | ✓ | Separate logs bucket configured |

### IAM Policy Review

All IAM policies use scoped resources:

```hcl
Resource = "${aws_s3_bucket.images.arn}/uploads/*"      # S3 prefix (safe)
Resource = "${aws_s3_bucket.images.arn}/processed/*"    # S3 prefix (safe)
Resource = "${aws_cloudwatch_log_group.lambda.arn}:*"   # Log streams (safe)
```

No dangerous wildcards (`Action = "*"`, `Resource = "*"`) found.

---

## 4. Dependency Scan (pip-audit)

**Tool:** pip-audit  
**Result:** ⚠ WARNING (Accepted Risk)

| Package | Version | Vulnerability | Fix Version | Status |
|---------|---------|---------------|-------------|--------|
| Pillow | 10.4.0 | GHSA-cfh3-3jmp-rvhc (DoS) | 12.1.1 | **Cannot upgrade** |

**Risk Acceptance:** Pillow 12.1.1 requires Python 3.9+. Current Lambda runtime is Python 3.11, but the build environment is Python 3.8. The vulnerability is a potential DoS via malformed image files, which is mitigated by:

1. **Input validation** - `MAX_FILE_SIZE = 10MB` limit
2. **Dimension validation** - `MAX_DIMENSION = 4096` limit
3. **Format validation** - Only JPEG/PNG/WEBP allowed
4. **Timeout protection** - Lambda 30s timeout

**Recommendation:** Upgrade build environment to Python 3.9+ when feasible.

---

## 5. Input Validation

**Result:** ✓ PASS

| Validation | Implementation | Location |
|------------|----------------|----------|
| File size | `MAX_FILE_SIZE = 10MB` | `config.py:5` |
| Image dimensions | `MAX_DIMENSION = 4096` | `config.py:4` |
| Allowed formats | `{'JPEG', 'JPG', 'PNG', 'WEBP'}` | `config.py:3` |
| Decompression bomb | `width * height <= MAX_DIMENSION^2` | `image_processor.py:22` |

---

## 6. Security Controls Summary

| Control | Implemented | Location |
|---------|-------------|----------|
| Encryption at rest | ✓ KMS | `kms.tf`, `s3.tf`, `dynamodb.tf` |
| Encryption in transit | ✓ TLS (AWS enforced) | N/A |
| Access control | ✓ Least privilege IAM | `iam.tf` |
| Audit logging | ✓ CloudTrail + S3 logs | `s3.tf`, `lambda.tf` |
| Threat detection | ✓ GuardDuty + Security Hub | `security.tf` |
| Compliance monitoring | ✓ AWS Config | `security.tf` |
| Security alarms | ✓ 4 CloudWatch alarms | `cloudwatch.tf` |
| Input validation | ✓ Size, format, dimension | `config.py`, `image_processor.py` |

---

## 7. Recommendations

1. **Short-term:**
   - [ ] Upgrade build environment to Python 3.9+ for Pillow security updates
   - [ ] Enable VPC for Lambda (optional, free tier compatible)
2. **Long-term:**
   - [ ] Add S3 Object Lock for compliance
   - [ ] Implement request signing for S3 uploads
   - [ ] Add CloudWatch Synthetics canary for monitoring

---

## 8. Conclusion

The codebase passes all security scans with no critical or high-severity findings. The single dependency vulnerability (Pillow DoS) is mitigated by input validation controls and is an accepted risk due to Python version constraints.

**Overall Security Posture:** ✓ PRODUCTION READY

---

**Next Scan:** Schedule quarterly or after significant changes.