2026-02-22 05:37:03 +00:00

# Security Policy - AWS Image Processing Infrastructure
**Version:** 1.0

**Classification:** Internal

**Last Updated:** 2026-02-22

---
## 1. Executive Summary
This document outlines the security controls and compliance posture of the AWS Image Processing Infrastructure. The system processes user-uploaded images using AWS serverless services within the always-free tier.
### 1.1 Security Posture Summary
| Control Category | Status |
|-----------------|--------|
| Encryption at Rest | ✓ KMS-managed |
| Encryption in Transit | ✓ TLS 1.2+ |
| Access Control | ✓ Least privilege IAM |
| Audit Logging | ✓ CloudTrail + S3 logs |
| Threat Detection | ✓ GuardDuty + Security Hub |
| Compliance Monitoring | ✓ AWS Config |
| Incident Response | ✓ SNS alerts |
---
## 2. Architecture Overview
```
┌─────────────┐     ┌──────────────┐     ┌─────────────┐     ┌─────────────┐
│  S3 Upload  │────▶│    Lambda    │────▶│  DynamoDB   │────▶│     SNS     │
│ (Encrypted) │     │  (Hardened)  │     │ (Encrypted) │     │ (Encrypted) │
└─────────────┘     └──────────────┘     └─────────────┘     └─────────────┘

                    ┌─────────────┐
                    │ CloudWatch  │
                    │   Alarms    │
                    └─────────────┘
```
### 2.1 Data Flow Security
1. **Upload**: S3 with SSE-KMS encryption
2. **Processing**: Lambda with VPC isolation (optional)
3. **Storage**: DynamoDB with encryption + PITR
4. **Notification**: SNS with KMS encryption
5. **Logging**: CloudWatch with 30-365 day retention
---
## 3. Security Controls
### 3.1 Encryption
| Component | Encryption | Key Management |
|-----------|------------|----------------|
| S3 Objects | AES-256 | AWS KMS (CMK) |
| DynamoDB | AES-256 | AWS managed |
| SNS Messages | AES-256 | AWS KMS (CMK) |
| Lambda Env Vars | AES-256 | AWS KMS (CMK) |
| Terraform State | AES-256 | S3 SSE |

**Key Rotation:** Enabled annually (automatic via KMS)
### 3.2 Access Control
**IAM Least Privilege:**
- Lambda role scoped to specific S3 prefixes (`uploads/*`, `processed/*`)
- No wildcard (`*`) resource permissions
- Separate security alerts topic with restricted publish
**S3 Bucket Policy:**
- Block all public access (4 controls enabled)
- Logging bucket restricted to S3 log delivery principal
### 3.3 Network Security
| Control | Implementation |
|---------|----------------|
| Public Access | Blocked at bucket level |
| VPC Isolation | Available (not enabled - free tier) |
| TLS | Enforced by AWS services |
### 3.4 Logging & Monitoring
| Log Source | Retention | Purpose |
|------------|-----------|---------|
| CloudWatch Lambda | 30 days | Debugging |
| CloudWatch Audit | 365 days | Compliance |
| S3 Access Logs | 365 days | Forensics |
| GuardDuty | Indefinite | Threat detection |

**Security Alarms:**
- Lambda errors > 5 (5 min)
- Lambda throttles > 0 (possible DoS)
- S3 storage > 4GB (cost control)
- KMS key state changes
### 3.5 Threat Detection
| Service | Status | Coverage |
|---------|--------|----------|
| GuardDuty | ✓ Enabled | S3 logs, API calls |
| Security Hub | ✓ Enabled | CIS benchmarks |
| AWS Config | ✓ Enabled | Resource compliance |
---
## 4. Compliance Mapping
### 4.1 AWS Free Tier Compliance
| Service | Free Tier Limit | Safeguard |
|---------|-----------------|-----------|
| Lambda | 1M invocations | Concurrency limit = 1 |
| S3 | 5GB storage | Lifecycle: 30-day delete |
| DynamoDB | 25GB storage | TTL: 90-day expiration |
| CloudWatch | 10 alarms | Using 6 alarms |
### 4.2 Data Protection Standards
| Requirement | Implementation |
|-------------|----------------|
| Data Classification | Internal use only |
| PII Handling | Not processed (images only) |
| Data Residency | us-east-1 (configurable) |
| Retention | 30 days (S3), 90 days (DynamoDB) |
---
## 5. Vulnerability Management
### 5.1 Dependency Scanning
```bash
# Pre-deployment security scan
pip-audit -r lambda/requirements.txt
bandit -r lambda/lambda_function.py
```
### 5.2 Known Vulnerabilities
| Component | Version | Last Scan | Status |
|-----------|---------|-----------|--------|
| Pillow | 10.2.0 | 2026-02-22 | ✓ Clean |
| boto3 | Latest | 2026-02-22 | ✓ Clean |
| Python | 3.11 | AWS Managed | ✓ Supported |
---
## 6. Incident Response
### 6.1 Alert Classification
| Severity | Trigger | Response Time |
|----------|---------|---------------|
| Critical | KMS key disabled | Immediate |
| High | Lambda errors > threshold | 1 hour |
| Medium | S3 storage > 80% | 24 hours |
| Low | Throttling detected | 48 hours |
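The alarm thresholds in section 3.4 and the severity table in 6.1 describe the same evaluation from two sides. The following Python is an added example, not the project's own code: it applies the stated thresholds (Lambda `Errors` > 5 in a 5-minute period, `Throttles` > 0, S3 `BucketSizeBytes` > 4 GB, which is 80 % of the 5 GB free tier) to metric datapoints and CloudTrail events constructed inline, and maps each firing alarm to its 6.1 severity and response time. The metric names are the standard `AWS/Lambda` and `AWS/S3` metrics; treating `DisableKey`, `EnableKey`, `ScheduleKeyDeletion` and `CancelKeyDeletion` as the "KMS key state change" events is an assumption, since the policy does not list them.

```python
"""Alarm evaluation for the controls in sections 3.4 and 6.1 (added example)."""
from dataclasses import dataclass

PERIOD_SECONDS = 300                      # "5 min" window from section 3.4
S3_FREE_TIER_BYTES = 5 * 1024**3          # 5 GB free-tier limit (section 4.1)
S3_ALARM_BYTES = 4 * 1024**3              # "> 4GB" in 3.4 == "> 80%" in 6.1

# Severity and response time copied from the 6.1 table.
SEVERITY = {
    "kms-key-state-change": ("Critical", "Immediate"),
    "lambda-errors": ("High", "1 hour"),
    "s3-storage": ("Medium", "24 hours"),
    "lambda-throttles": ("Low", "48 hours"),
}

# Assumption: these KMS API calls are what "key state changes" means.
KMS_STATE_CHANGE_EVENTS = {"DisableKey", "EnableKey", "ScheduleKeyDeletion", "CancelKeyDeletion"}


@dataclass(frozen=True)
class Datapoint:
    namespace: str
    metric: str
    timestamp: int   # epoch seconds
    value: float


def _sum_in_period(points, namespace, metric, period_end):
    """Sum statistic over the (period_end - PERIOD, period_end] window."""
    start = period_end - PERIOD_SECONDS
    return sum(p.value for p in points
               if p.namespace == namespace and p.metric == metric
               and start < p.timestamp <= period_end)


def _latest(points, namespace, metric):
    """Most recent value of a gauge-style metric such as BucketSizeBytes."""
    matches = [p for p in points if p.namespace == namespace and p.metric == metric]
    return max(matches, key=lambda p: p.timestamp).value if matches else 0.0


def evaluate_alarms(points, cloudtrail_events, now):
    """Return (alarm, severity, response_time) tuples for alarms in ALARM state, most severe first."""
    fired = []
    if _sum_in_period(points, "AWS/Lambda", "Errors", now) > 5:
        fired.append("lambda-errors")
    if _sum_in_period(points, "AWS/Lambda", "Throttles", now) > 0:
        fired.append("lambda-throttles")
    if _latest(points, "AWS/S3", "BucketSizeBytes") > S3_ALARM_BYTES:
        fired.append("s3-storage")
    if any(e.get("eventSource") == "kms.amazonaws.com"
           and e.get("eventName") in KMS_STATE_CHANGE_EVENTS for e in cloudtrail_events):
        fired.append("kms-key-state-change")
    rows = [(name,) + SEVERITY[name] for name in fired]
    order = ["Critical", "High", "Medium", "Low"]
    return sorted(rows, key=lambda r: order.index(r[1]))


# Constructed sample data: one-minute Lambda datapoints, one S3 gauge, two CloudTrail events.
NOW = 1_771_000_000
SAMPLE_POINTS = [
    Datapoint("AWS/Lambda", "Errors", NOW - 240, 2),
    Datapoint("AWS/Lambda", "Errors", NOW - 120, 3),
    Datapoint("AWS/Lambda", "Errors", NOW - 60, 1),     # 6 errors inside the window
    Datapoint("AWS/Lambda", "Errors", NOW - 600, 10),   # outside the 5-minute window, ignored
    Datapoint("AWS/Lambda", "Throttles", NOW - 60, 0),
    Datapoint("AWS/S3", "BucketSizeBytes", NOW - 3600, 3.5 * 1024**3),
]
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey"},
]

if __name__ == "__main__":
    for alarm, sev, rt in evaluate_alarms(SAMPLE_POINTS, SAMPLE_EVENTS, NOW):
        print(f"{sev:8} {alarm:22} respond within {rt}")
```

With the sample data the KMS event fires the Critical alarm and the six errors inside the window fire the High alarm, while the ten errors just outside the window and the 3.5 GB bucket do not.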
### 6.2 Response Runbook
See `SECURITY.md` for detailed incident response procedures.
### 6.3 Escalation Path
1. SNS alert → Security team email
2. GuardDuty finding → Security Hub
3. Critical → AWS Security + internal escalation
---
## 7. Change Management
### 7.1 Infrastructure Changes
| Change Type | Approval | Process |
|-------------|----------|---------|
| Terraform | Security review | PR + `terraform plan` |
| Lambda code | Code review | PR + security scan |
| IAM policies | Security sign-off | Manual review |
### 7.2 Deployment Verification
```bash
# Pre-deployment checklist
./scripts/security_scan.sh # Dependency + code scan
terraform validate # IaC validation
terraform plan # Change review
```
---
## 8. Security Testing
### 8.1 Automated Tests
| Test | Frequency | Coverage |
|------|-----------|----------|
| Unit tests | Every commit | Image processing logic |
| Security scan | Every commit | Dependencies, code |
| Terraform validate | Every commit | IaC syntax |
### 8.2 Manual Testing
| Test | Frequency | Owner |
|------|-----------|-------|
| Penetration test | Annual | Third-party |
| Access review | Quarterly | Security team |
| Disaster recovery | Annual | Operations |
---
## 9. Third-Party Services
| Service | Purpose | Data Shared |
|---------|---------|-------------|
| AWS KMS | Encryption | Key IDs only |
| AWS GuardDuty | Threat detection | API logs |
| AWS Security Hub | Compliance | Security findings |

**No data leaves AWS infrastructure.**

---
## 10. Contact
| Role | Contact |
|------|---------|
| Security Team | security@company.com |
| On-Call | oncall@company.com |
| AWS Account | AWS Organization root |
---
## Appendix A: Terraform Security Resources
```
aws_kms_key.main # Customer-managed encryption key
aws_kms_alias.main # Key alias for application use
aws_guardduty_detector.main # Threat detection
aws_securityhub_account.main # Security compliance dashboard
aws_config_configuration_recorder # Resource compliance
aws_cloudwatch_log_group.audit # Audit log retention (365 days)
```
## Appendix B: Security Headers (S3)
All S3 objects include:
- `x-amz-server-side-encryption: aws:kms`
- `x-amz-server-side-encryption-aws-kms-key-id: <key-id>`
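Verifying that every stored object really carries those two headers is a post-deployment check worth automating. The Python below is an added example, not the project's own code: given the response headers of a HEAD/GET per object (as boto3 exposes them in `ResponseMetadata["HTTPHeaders"]`), it flags objects with no server-side encryption, objects using SSE-S3 (`AES256`) instead of `aws:kms`, and objects encrypted under a key other than the customer-managed one. Header names are matched case-insensitively as HTTP requires. The object keys and key ARN are constructed placeholders.

```python
"""Audit S3 object headers for the Appendix B encryption requirements (added example)."""
from typing import Optional

SSE_HEADER = "x-amz-server-side-encryption"
KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Constructed placeholder for the customer-managed key; S3 reports it as a full ARN.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def _normalise(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def check_object_encryption(headers: dict, expected_key_arn: str = EXPECTED_KEY_ARN) -> Optional[str]:
    """Return None if the object is compliant, otherwise a short reason."""
    h = _normalise(headers)
    sse = h.get(SSE_HEADER)
    if sse is None:
        return "no server-side encryption"
    if sse != "aws:kms":
        return f"wrong SSE type {sse!r} (expected aws:kms)"
    key = h.get(KEY_HEADER, "")
    # Accept the full ARN or the bare key id taken from the ARN's last path segment.
    if key not in (expected_key_arn, expected_key_arn.rsplit("/", 1)[-1]):
        return f"encrypted with unexpected key {key!r}"
    return None


def audit_bucket(objects: dict) -> dict:
    """Map object key -> reason for every non-compliant object (empty dict means all compliant)."""
    findings = {}
    for key, headers in objects.items():
        reason = check_object_encryption(headers)
        if reason:
            findings[key] = reason
    return findings


# Constructed sample: four objects, only the first one compliant.
SAMPLE_OBJECTS = {
    "uploads/a.jpg": {SSE_HEADER: "aws:kms", KEY_HEADER: EXPECTED_KEY_ARN},
    "uploads/b.jpg": {"X-Amz-Server-Side-Encryption": "AES256"},           # SSE-S3, not the CMK
    "processed/c.jpg": {SSE_HEADER: "aws:kms",
                        KEY_HEADER: "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    "processed/d.jpg": {"content-type": "image/jpeg"},                     # no SSE header at all
}

if __name__ == "__main__":
    for key, reason in audit_bucket(SAMPLE_OBJECTS).items():
        print(f"{key}: {reason}")
```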
## Appendix C: IAM Permission Boundaries
Lambda execution role maximum permissions:
- S3: GetObject, PutObject (specific prefixes only)
- DynamoDB: PutItem (specific table only)
- SNS: Publish (specific topic only)
- KMS: Decrypt, GenerateDataKey (specific key only)
- CloudWatch Logs: CreateLogGroup, CreateLogStream, PutLogEvents
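Section 3.2 and this appendix together define what "least privilege" means for the Lambda role: only the actions listed above, no `*` resources, no `service:*` actions, and S3 object access confined to the `uploads/` and `processed/` prefixes. The Python below is an added example, not the project's Terraform or IAM code: it builds a policy document that satisfies those rules and a checker that reports every statement violating them, which is the kind of gate the "Security sign-off / Manual review" row in 7.1 can lean on. All ARNs (account id, bucket, table, topic, key, log group) are constructed placeholders.

```python
"""Least-privilege checker for the Lambda execution role (added example)."""
import json

# Constructed placeholder identifiers, not the project's real resources.
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET = "example-image-bucket"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/example-images"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:example-image-events"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/example-image-processor:*"

# Maximum permissions as listed in Appendix C.
ALLOWED_ACTIONS = {
    "s3:GetObject", "s3:PutObject",
    "dynamodb:PutItem",
    "sns:Publish",
    "kms:Decrypt", "kms:GenerateDataKey",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}
ALLOWED_S3_PREFIXES = ("uploads/", "processed/")   # section 3.2


def lambda_execution_policy() -> dict:
    """A policy document that stays inside the stated boundaries (constructed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/uploads/*"},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/processed/*"},
            {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN},
            {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": TOPIC_ARN},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": KEY_ARN},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": LOG_GROUP_ARN},
        ],
    }


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy is compliant."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource grants by exclusion")
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} outside the Appendix C set")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {idx}: wildcard resource for {actions}")
            elif res.startswith("arn:aws:s3:::"):
                # Object ARNs are bucket/key; a bare bucket ARN yields an empty key and is flagged,
                # since GetObject/PutObject only need object-level resources.
                key = res.split("/", 1)[1] if "/" in res else ""
                if not any(key.startswith(p) for p in ALLOWED_S3_PREFIXES):
                    findings.append(f"statement {idx}: S3 resource {res!r} outside uploads/ or processed/")
    return findings


if __name__ == "__main__":
    policy = lambda_execution_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", check_least_privilege(policy) or "none")
```

Run against the constructed policy it reports nothing; feed it a statement such as `{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}` and it reports both the wildcard action and the wildcard resource.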
---
**Document Control:** This security policy must be reviewed quarterly and updated after any security incident or significant architecture change.