
Security Policy - AWS Image Processing Infrastructure

Version: 1.0
Classification: Internal
Last Updated: 2026-02-22


1. Executive Summary

This document outlines the security controls and compliance posture of the AWS Image Processing Infrastructure. The system processes user-uploaded images using AWS serverless services within the always-free tier.

1.1 Security Posture Summary

| Control Category      | Status                      |
|-----------------------|-----------------------------|
| Encryption at Rest    | ✓ KMS-managed               |
| Encryption in Transit | ✓ TLS 1.2+                  |
| Access Control        | ✓ Least privilege IAM       |
| Audit Logging         | ✓ CloudTrail + S3 logs      |
| Threat Detection      | ✓ GuardDuty + Security Hub  |
| Compliance Monitoring | ✓ AWS Config                |
| Incident Response     | ✓ SNS alerts                |

2. Architecture Overview

┌─────────────┐     ┌──────────────┐     ┌─────────────┐     ┌─────────────┐
│   S3 Upload │────▶│    Lambda    │────▶│  DynamoDB   │────▶│     SNS     │
│  (Encrypted)│     │  (Hardened)  │     │ (Encrypted) │     │ (Encrypted) │
└─────────────┘     └──────────────┘     └─────────────┘     └─────────────┘
                           │
                           ▼
                    ┌─────────────┐
                    │ CloudWatch  │
                    │  Alarms     │
                    └─────────────┘

2.1 Data Flow Security

  1. Upload: S3 with SSE-KMS encryption
  2. Processing: Lambda with VPC isolation (optional)
  3. Storage: DynamoDB with encryption + PITR
  4. Notification: SNS with KMS encryption
  5. Logging: CloudWatch with 30-365 day retention

3. Security Controls

3.1 Encryption

| Component       | Encryption | Key Management |
|-----------------|------------|----------------|
| S3 Objects      | AES-256    | AWS KMS (CMK)  |
| DynamoDB        | AES-256    | AWS managed    |
| SNS Messages    | AES-256    | AWS KMS (CMK)  |
| Lambda Env Vars | AES-256    | AWS KMS (CMK)  |
| Terraform State | AES-256    | S3 SSE         |

Key Rotation: Enabled annually (automatic via KMS)

3.2 Access Control

IAM Least Privilege:

  • Lambda role scoped to specific S3 prefixes (uploads/*, processed/*)
  • No wildcard (*) resource permissions
  • Separate security alerts topic with restricted publish

S3 Bucket Policy:

  • Block all public access (4 controls enabled)
  • Logging bucket restricted to S3 log delivery principal

3.3 Network Security

| Control       | Implementation                      |
|---------------|-------------------------------------|
| Public Access | Blocked at bucket level             |
| VPC Isolation | Available (not enabled - free tier) |
| TLS           | Enforced by AWS services            |

3.4 Logging & Monitoring

| Log Source        | Retention  | Purpose          |
|-------------------|------------|------------------|
| CloudWatch Lambda | 30 days    | Debugging        |
| CloudWatch Audit  | 365 days   | Compliance       |
| S3 Access Logs    | 365 days   | Forensics        |
| GuardDuty         | Indefinite | Threat detection |

Security Alarms:

  • Lambda errors > 5 (5 min)
  • Lambda throttles > 0 (possible DoS)
  • S3 storage > 4GB (cost control)
  • KMS key state changes

3.5 Threat Detection

| Service      | Status    | Coverage            |
|--------------|-----------|---------------------|
| GuardDuty    | ✓ Enabled | S3 logs, API calls  |
| Security Hub | ✓ Enabled | CIS benchmarks      |
| AWS Config   | ✓ Enabled | Resource compliance |

4. Compliance Mapping

4.1 AWS Free Tier Compliance

| Service    | Free Tier Limit | Safeguard              |
|------------|-----------------|------------------------|
| Lambda     | 1M invocations  | Concurrency limit = 1  |
| S3         | 5GB storage     | Lifecycle: 30-day delete |
| DynamoDB   | 25GB storage    | TTL: 90-day expiration |
| CloudWatch | 10 alarms       | Using 6 alarms         |

4.2 Data Protection Standards

| Requirement         | Implementation                     |
|---------------------|------------------------------------|
| Data Classification | Internal use only                  |
| PII Handling        | Not processed (images only)        |
| Data Residency      | us-east-1 (configurable)           |
| Retention           | 30 days (S3), 90 days (DynamoDB)   |

5. Vulnerability Management

5.1 Dependency Scanning

# Pre-deployment security scan
pip-audit -r lambda/requirements.txt
bandit -r lambda/lambda_function.py

5.2 Known Vulnerabilities

| Component | Version | Last Scan   | Status      |
|-----------|---------|-------------|-------------|
| Pillow    | 10.2.0  | 2026-02-22  | ✓ Clean     |
| boto3     | Latest  | 2026-02-22  | ✓ Clean     |
| Python    | 3.11    | AWS Managed | ✓ Supported |

6. Incident Response

6.1 Alert Classification

| Severity | Trigger                   | Response Time |
|----------|---------------------------|---------------|
| Critical | KMS key disabled          | Immediate     |
| High     | Lambda errors > threshold | 1 hour        |
| Medium   | S3 storage > 80%          | 24 hours      |
| Low      | Throttling detected       | 48 hours      |

6.2 Response Runbook

See SECURITY.md for detailed incident response procedures.

6.3 Escalation Path

  1. SNS alert → Security team email
  2. GuardDuty finding → Security Hub
  3. Critical → AWS Security + internal escalation

7. Change Management

7.1 Infrastructure Changes

| Change Type  | Approval          | Process             |
|--------------|-------------------|---------------------|
| Terraform    | Security review   | PR + terraform plan |
| Lambda code  | Code review       | PR + security scan  |
| IAM policies | Security sign-off | Manual review       |

7.2 Deployment Verification

# Pre-deployment checklist
./scripts/security_scan.sh    # Dependency + code scan
terraform validate              # IaC validation
terraform plan                  # Change review

8. Security Testing

8.1 Automated Tests

| Test               | Frequency    | Coverage                |
|--------------------|--------------|-------------------------|
| Unit tests         | Every commit | Image processing logic  |
| Security scan      | Every commit | Dependencies, code      |
| Terraform validate | Every commit | IaC syntax              |

8.2 Manual Testing

| Test              | Frequency | Owner         |
|-------------------|-----------|---------------|
| Penetration test  | Annual    | Third-party   |
| Access review     | Quarterly | Security team |
| Disaster recovery | Annual    | Operations    |

9. Third-Party Services

| Service          | Purpose          | Data Shared       |
|------------------|------------------|-------------------|
| AWS KMS          | Encryption       | Key IDs only      |
| AWS GuardDuty    | Threat detection | API logs          |
| AWS Security Hub | Compliance       | Security findings |

No data leaves AWS infrastructure.


10. Contact

| Role          | Contact                   |
|---------------|---------------------------|
| Security Team | security@company.com      |
| On-Call       | oncall@company.com        |
| AWS Account   | AWS Organization root     |

Appendix A: Terraform Security Resources

aws_kms_key.main              # Customer-managed encryption key
aws_kms_alias.main            # Key alias for application use
aws_guardduty_detector.main   # Threat detection
aws_securityhub_account.main  # Security compliance dashboard
aws_config_configuration_recorder  # Resource compliance
aws_cloudwatch_log_group.audit     # Audit log retention (365 days)

Appendix B: Security Headers (S3)

All S3 objects include:

  • x-amz-server-side-encryption: aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id: <key-id>
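The two S3 controls this policy relies on, Block Public Access (section 3.2, "4 controls enabled") and the SSE-KMS object headers above, are easy to state and easy to drift from. The following is an added verification example, not part of this repository, that checks both from the response shapes boto3 returns for `get_public_access_block` and `head_object` (which surfaces the two headers as `ServerSideEncryption` and `SSEKMSKeyId`). The responses, bucket contents and key ARN below are constructed placeholders so the check runs offline; wiring it to a live client is left to the caller.

```python
"""Post-deployment check of the S3 controls in sections 3.2/3.3 and Appendix B.

Added example, not project code. Operates on boto3-shaped response dicts so it
can run against constructed samples offline. All ARNs and key ids below are
placeholders, not values from the project.
"""

# The four S3 Block Public Access controls that section 3.2 requires enabled.
PUBLIC_ACCESS_CONTROLS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def check_public_access_block(response):
    """Return the controls that are missing or disabled (empty list = all four on)."""
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return [name for name in PUBLIC_ACCESS_CONTROLS if not cfg.get(name, False)]


def check_object_encryption(head_response, expected_key_arn):
    """Verify one object carries the Appendix B headers: SSE-KMS with the project CMK.

    boto3 maps x-amz-server-side-encryption to ServerSideEncryption and
    x-amz-server-side-encryption-aws-kms-key-id to SSEKMSKeyId.
    """
    findings = []
    sse = head_response.get("ServerSideEncryption")
    if sse != "aws:kms":
        # Unencrypted or SSE-S3 (AES256) objects both violate the policy.
        findings.append(f"encryption is {sse!r}, expected 'aws:kms'")
    elif head_response.get("SSEKMSKeyId") != expected_key_arn:
        findings.append(
            f"object encrypted with {head_response.get('SSEKMSKeyId')!r}, expected the project CMK"
        )
    return findings


def audit_bucket(pab_response, objects, expected_key_arn):
    """Audit one bucket. `objects` maps object key -> head_object response.

    Returns {"public_access": [disabled controls], "objects": {key: [findings]}}
    listing only the non-compliant objects.
    """
    object_findings = {}
    for key, head in objects.items():
        findings = check_object_encryption(head, expected_key_arn)
        if findings:
            object_findings[key] = findings
    return {
        "public_access": check_public_access_block(pab_response),
        "objects": object_findings,
    }


# --- Constructed sample responses (placeholders, not captured from a real account) ---
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

GOOD_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
WEAK_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

GOOD_HEAD = {"ContentLength": 10240, "ServerSideEncryption": "aws:kms",
             "SSEKMSKeyId": EXPECTED_KEY_ARN}
SSE_S3_HEAD = {"ContentLength": 10240, "ServerSideEncryption": "AES256"}
WRONG_KEY_HEAD = {"ContentLength": 10240, "ServerSideEncryption": "aws:kms",
                  "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"}

if __name__ == "__main__":
    sample_objects = {
        "uploads/a.png": GOOD_HEAD,
        "processed/b.png": SSE_S3_HEAD,
        "processed/c.png": WRONG_KEY_HEAD,
    }
    print(audit_bucket(WEAK_PAB, sample_objects, EXPECTED_KEY_ARN))
```

Checking the key ARN, not just `aws:kms`, matters: an object encrypted under some other account's or team's key still satisfies the first header but escapes the key rotation and access controls described in section 3.1.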

Appendix C: IAM Permission Boundaries

Lambda execution role maximum permissions:

  • S3: GetObject, PutObject (specific prefixes only)
  • DynamoDB: PutItem (specific table only)
  • SNS: Publish (specific topic only)
  • KMS: Decrypt, GenerateDataKey (specific key only)
  • CloudWatch Logs: CreateLogGroup, CreateLogStream, PutLogEvents
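Section 3.2 states two rules for the Lambda role (scoped to the `uploads/*` and `processed/*` prefixes, no wildcard resources) and this appendix states the action ceiling. Both are the kind of requirement that the "security scan" step in sections 5.1 and 7.2 can enforce mechanically. Below is an added example linter, not part of this repository, that encodes this appendix as an allow-list and checks an IAM policy document against it; the sample policies, bucket, table, topic and key ARNs are constructed placeholders.

```python
"""Least-privilege lint for the Lambda execution role.

Added example, not project code. Encodes the maximum permissions from
Appendix C and the prefix / no-wildcard rules from section 3.2, then lints an
IAM policy document (dict or JSON file) against them. Sample ARNs are placeholders.
"""
import json
import sys

# Maximum permissions the role may hold (Appendix C).
ALLOWED_ACTIONS = {
    "s3:GetObject", "s3:PutObject",
    "dynamodb:PutItem",
    "sns:Publish",
    "kms:Decrypt", "kms:GenerateDataKey",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}
# S3 object access must be scoped to these prefixes (section 3.2).
ALLOWED_S3_PREFIXES = ("uploads/", "processed/")
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _s3_key_pattern(arn):
    """Return the key pattern of an S3 object ARN, or None for a bucket-level ARN."""
    bucket_and_key = arn[len(S3_ARN_PREFIX):]
    if "/" not in bucket_and_key:
        return None
    return bucket_and_key.split("/", 1)[1]


def lint_lambda_policy(policy):
    """Return a list of findings; an empty list means the policy is within bounds."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} outside permission boundary")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
            elif res.startswith(S3_ARN_PREFIX):
                pattern = _s3_key_pattern(res)
                # Object actions need an object ARN under an allowed prefix;
                # a bucket ARN or 'bucket/*' is wider than section 3.2 permits.
                if pattern is None or not pattern.startswith(ALLOWED_S3_PREFIXES):
                    findings.append(
                        f"statement {i}: S3 resource {res!r} not scoped to {ALLOWED_S3_PREFIXES}"
                    )
    return findings


def lint_policy_file(path):
    """Lint a policy document stored as JSON (e.g. exported from terraform plan output)."""
    with open(path, encoding="utf-8") as fh:
        return lint_lambda_policy(json.load(fh))


# --- Constructed samples with placeholder ARNs ---
COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-images-bucket/uploads/*",
                      "arn:aws:s3:::example-images-bucket/processed/*"]},
        {"Effect": "Allow", "Action": "dynamodb:PutItem",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-table"},
        {"Effect": "Allow", "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/example:*"},
    ],
}

# The kind of drift the IAM review in section 7.1 should reject.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-images-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:Scan",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-table"},
    ],
}

if __name__ == "__main__":
    findings = lint_policy_file(sys.argv[1]) if len(sys.argv) > 1 else lint_lambda_policy(DRIFTED_POLICY)
    print("\n".join(findings) or "policy within permission boundary")
    sys.exit(1 if findings else 0)
```

Run it against the rendered policy JSON as part of the pre-deployment checklist; a non-zero exit fails the pipeline. The allow-list is deliberately exact-match on action names, so a later widening (for example to `s3:Get*`) is surfaced as a wildcard finding rather than silently accepted.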

Document Control: This security policy must be reviewed quarterly and updated after any security incident or significant architecture change.