2026-02-22 05:37:03 +00:00
# AWS Image Processing Infrastructure
**Production-ready, security-hardened serverless image processing using AWS always-free tier.**

---
## Security Posture
| Control | Implementation |
|---------|----------------|
| Encryption | KMS (CMK) for S3, SNS, Lambda env vars |
| Access Control | Least-privilege IAM, no public access |
| Audit Logging | CloudTrail, S3 access logs (365 days) |
| Threat Detection | GuardDuty, Security Hub enabled |
| Compliance | AWS Config rules, CIS benchmarks |
| Incident Response | SNS alerts, runbook documented |

**See [SECURITY.md](SECURITY.md) for full security policy.**

---
## Architecture
```
S3 (KMS) → Lambda (hardened) → DynamoDB (encrypted) → SNS (KMS)
CloudWatch + GuardDuty + Security Hub
```
### Free Tier Services
| Service | Limit | Safeguard |
|---------|-------|-----------|
| Lambda | 1M invocations/mo | Concurrency limit |
| S3 | 5GB storage | 30-day lifecycle |
| DynamoDB | 25GB storage | 90-day TTL |
| SNS | 1M notifications/mo | Topic policy |
| CloudWatch | 10 alarms | Using 6 alarms |
---
## Quick Start
### Prerequisites
```bash
# AWS CLI configured with appropriate permissions
aws sts get-caller-identity
# Terraform installed
terraform version
```
### Deploy
```bash
# Security scan + deploy
./scripts/deploy.sh
# Upload image
aws s3 cp image.png s3://$(terraform output -raw s3_bucket_name)/uploads/
```
### Destroy
```bash
./scripts/destroy.sh
```
---
## Image Processing
| Filename Pattern | Processing |
|-----------------|------------|
| `image.png` | Resize to 1024x1024 |
| `image_thumb.png` | Resize to 200x200 |
| `image_grayscale.png` | Convert to grayscale |
**Security:** Uploads larger than 10MB or 4096x4096 pixels are rejected. Only JPEG, PNG and WEBP are accepted.
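The upload checks above, as an added Python example that is not the project's own `lambda/` code: the format and dimensions are read from the file's header bytes rather than its extension, so a renamed file cannot slip past the JPEG/PNG/WEBP allow-list, the 10MB and 4096x4096 limits are enforced, and the filename suffix selects the processing step from the table. The function names, the step labels, the constructed sample headers and the handling of all three WEBP container variants (VP8, VP8L, VP8X) are assumptions, not taken from the project.

```python
import struct
MAX_BYTES, MAX_DIM = 10 * 1024 * 1024, 4096  # README limits: >10MB or >4096x4096 rejected
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def sniff_image(data: bytes):
    """Return (format, width, height) from the header bytes, or None if not JPEG/PNG/WEBP."""
    if len(data) < 30:  # every fixed-offset read below lies within the first 30 bytes
        return None
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return ("PNG",) + struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":  # JPEG: walk the segment chain to a SOF marker
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker, seglen = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in SOF_MARKERS:
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return "JPEG", w, h
            i += 2 + seglen
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        chunk = data[12:16]
        if chunk == b"VP8 ":  # lossy: 14-bit width/height at offset 26
            w, h = struct.unpack("<HH", data[26:30])
            return "WEBP", w & 0x3FFF, h & 0x3FFF
        if chunk == b"VP8L":  # lossless: packed 14-bit width-1 / height-1 after signature
            bits = struct.unpack("<I", data[21:25])[0]
            return "WEBP", (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1
        if chunk == b"VP8X":  # extended: 24-bit canvas width-1 / height-1
            return ("WEBP", int.from_bytes(data[24:27], "little") + 1,
                    int.from_bytes(data[27:30], "little") + 1)
    return None

def validate_upload(key: str, data: bytes) -> str:
    """Apply the README's upload limits, then map the filename pattern to a processing step."""
    if len(data) > MAX_BYTES:
        raise ValueError("file exceeds 10MB")
    info = sniff_image(data)  # None also covers truncated or renamed non-image files
    if info is None:
        raise ValueError("not a JPEG/PNG/WEBP image")
    fmt, w, h = info
    if w > MAX_DIM or h > MAX_DIM:
        raise ValueError(f"{fmt} {w}x{h} exceeds {MAX_DIM}x{MAX_DIM}")
    stem = key.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()  # "uploads/cat_thumb.png" -> "cat_thumb"
    if stem.endswith("_thumb"):
        return "resize:200x200"
    if stem.endswith("_grayscale"):
        return "grayscale"
    return "resize:1024x1024"

# Constructed sample headers (not real uploads): a 640x480 PNG and an oversized 7680x4320 JPEG.
PNG_SMALL = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00" + bytes(4)
JPEG_8K = b"\xff\xd8\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 4320, 7680) + bytes(20)
```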
---
## Security Features
### Encryption
- S3: SSE-KMS with customer-managed key
- DynamoDB: Encryption at rest
- SNS: KMS-encrypted messages
- Lambda: Encrypted environment variables
### Access Control
- S3: Block all public access (4 controls)
- IAM: Scoped to specific resources/prefixes
- KMS: Key policy restricts usage
### Monitoring
- Lambda errors → SNS alert
- Lambda throttles → Security alert (possible DoS)
- S3 storage >4GB → Cost alert
- KMS key state → Security alert
### Compliance
- GuardDuty: Threat detection (S3, API)
- Security Hub: CIS benchmark compliance
- AWS Config: Resource compliance tracking
- CloudTrail: API audit logging
---
## Files
```
.
├── terraform/               # Infrastructure as Code (371 lines)
│   ├── providers.tf         # AWS provider, backend config
│   ├── variables.tf         # Input variables
│   ├── locals.tf            # Local values
│   ├── kms.tf               # KMS key for encryption
│   ├── s3.tf                # S3 buckets (images + logs)
│   ├── dynamodb.tf          # DynamoDB table
│   ├── sns.tf               # SNS topics
│   ├── iam.tf               # IAM roles and policies
│   ├── lambda.tf            # Lambda function + triggers
│   ├── cloudwatch.tf        # CloudWatch logs + alarms
│   ├── security.tf          # GuardDuty, Security Hub, Config
│   └── outputs.tf           # Output values
├── lambda/                  # Image processor (207 lines)
│   ├── config.py            # Configuration constants
│   ├── image_processor.py   # Image processing logic
│   ├── storage.py           # S3 + DynamoDB operations
│   ├── notifications.py     # SNS notifications
│   ├── lambda_function.py   # Main handler (orchestrator)
│   └── requirements.txt     # Pillow dependency
├── scripts/
│   ├── build_lambda.sh      # Build deployment package
│   ├── deploy.sh            # Security scan + deploy
│   ├── destroy.sh           # Destroy infrastructure
│   └── security_scan.sh     # pip-audit + bandit + validate
├── SECURITY.md              # Security policy (CISO document)
├── INCIDENT_RESPONSE.md     # Incident response runbook
└── README.md                # This file
```
---
## Cost Management
| Control | Implementation |
|---------|----------------|
| S3 | Delete objects after 30 days |
| DynamoDB | TTL expires records after 90 days |
| Lambda | 128MB memory, 30s timeout |
| Logs | 30-day retention (CloudWatch) |
| Alerts | 80% of free tier limits |

**Estimated monthly cost: $0** (within always-free tier)

---
## Compliance
This infrastructure meets requirements for:
- **SOC 2**: Encryption, access control, audit logging
- **GDPR**: Data minimization (30-day retention), encryption
- **HIPAA**: BAA-covered services, encryption at rest/transit
- **PCI DSS**: Network segmentation, access control, logging

**Note:** Full compliance requires organizational controls beyond infrastructure.

---
## Incident Response
**See [INCIDENT_RESPONSE.md](INCIDENT_RESPONSE.md) for detailed runbook.**

Quick reference:
- **Security alerts**: SNS topic (output: `security_alerts_topic`)
- **GuardDuty findings**: Security Hub dashboard
- **Logs**: CloudWatch `/aws/lambda/image-processor-prod`
---
## Development
```bash
# Run security scan only
./scripts/security_scan.sh
# Build Lambda package only
./scripts/build_lambda.sh
# Terraform operations
cd terraform
terraform init
terraform plan
terraform apply
```