4.8 KiB
Security Scan Report
Date: 2026-02-22
Scanner: Manual + bandit + pip-audit
Scope: All source files (terraform/, lambda/, scripts/)
Executive Summary
| Category | Status | Findings |
|---|---|---|
| Secrets/Tokens | ✓ Pass | 0 issues |
| SAST (Python) | ✓ Pass | 0 issues |
| SAST (Terraform) | ✓ Pass | 0 issues |
| Dependencies | ⚠ Warning | 1 known vulnerability (version constrained) |
| IAM Policies | ✓ Pass | No wildcards |
| Input Validation | ✓ Pass | Implemented |
1. Secrets and Tokens Scan
Tool: grep patterns
Result: ✓ PASS
| Check | Pattern | Result |
|---|---|---|
| AWS Access Keys | AKIA[0-9A-Z]{16} |
Not found |
| Hardcoded passwords | password = "..." |
Not found |
| API keys | api_key = "..." |
Not found |
| Private keys | BEGIN RSA PRIVATE |
Not found |
| Base64 secrets | b64decode(...) |
Not found |
2. SAST: Python (bandit)
Tool: bandit
Result: ✓ PASS
Total lines of code: 159
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
Files scanned:
lambda/config.pylambda/image_processor.pylambda/storage.pylambda/notifications.pylambda/lambda_function.py
3. SAST: Terraform
Tool: Manual review
Result: ✓ PASS
| Control | Status | Evidence |
|---|---|---|
| S3 public access blocked | ✓ | block_public_acls = true (4 controls) |
| KMS encryption | ✓ | aws_kms_key.main with rotation |
| DynamoDB encryption | ✓ | server_side_encryption { enabled = true } |
| DynamoDB PITR | ✓ | point_in_time_recovery { enabled = true } |
| Least-privilege IAM | ✓ | Scoped to specific ARNs, no wildcards |
| GuardDuty enabled | ✓ | aws_guardduty_detector.main |
| Security Hub enabled | ✓ | aws_securityhub_account.main |
| S3 access logging | ✓ | Separate logs bucket configured |
IAM Policy Review
All IAM policies use scoped resources:
Resource = "${aws_s3_bucket.images.arn}/uploads/*" # S3 prefix (safe)
Resource = "${aws_s3_bucket.images.arn}/processed/*" # S3 prefix (safe)
Resource = "${aws_cloudwatch_log_group.lambda.arn}:*" # Log streams (safe)
No dangerous wildcards (Action = "*", Resource = "*") found.
4. Dependency Scan (pip-audit)
Tool: pip-audit
Result: ⚠ WARNING (Accepted Risk)
| Package | Version | Vulnerability | Fix Version | Status |
|---|---|---|---|---|
| Pillow | 10.4.0 | GHSA-cfh3-3jmp-rvhc (DoS) | 12.1.1 | Cannot upgrade |
Risk Acceptance:
Pillow 12.1.1 requires Python 3.9+. Current Lambda runtime is Python 3.11, but the build environment is Python 3.8. The vulnerability is a potential DoS via malformed image files, which is mitigated by:
- Input validation -
MAX_FILE_SIZE = 10MBlimit - Dimension validation -
MAX_DIMENSION = 4096limit - Format validation - Only JPEG/PNG/WEBP allowed
- Timeout protection - Lambda 30s timeout
Recommendation: Upgrade build environment to Python 3.9+ when feasible.
5. Input Validation
Result: ✓ PASS
| Validation | Implementation | Location |
|---|---|---|
| File size | MAX_FILE_SIZE = 10MB |
config.py:5 |
| Image dimensions | MAX_DIMENSION = 4096 |
config.py:4 |
| Allowed formats | {'JPEG', 'JPG', 'PNG', 'WEBP'} |
config.py:3 |
| Decompression bomb | width * height <= MAX_DIMENSION^2 |
image_processor.py:22 |
6. Security Controls Summary
| Control | Implemented | Location |
|---|---|---|
| Encryption at rest | ✓ KMS | kms.tf, s3.tf, dynamodb.tf |
| Encryption in transit | ✓ TLS (AWS enforced) | N/A |
| Access control | ✓ Least privilege IAM | iam.tf |
| Audit logging | ✓ CloudTrail + S3 logs | s3.tf, lambda.tf |
| Threat detection | ✓ GuardDuty + Security Hub | security.tf |
| Compliance monitoring | ✓ AWS Config | security.tf |
| Security alarms | ✓ 4 CloudWatch alarms | cloudwatch.tf |
| Input validation | ✓ Size, format, dimension | config.py, image_processor.py |
7. Recommendations
-
Short-term:
- Upgrade build environment to Python 3.9+ for Pillow security updates
- Enable VPC for Lambda (optional, free tier compatible)
-
Long-term:
- Add S3 Object Lock for compliance
- Implement request signing for S3 uploads
- Add CloudWatch Synthetics canary for monitoring
8. Conclusion
The codebase passes all security scans with no critical or high-severity findings. The single dependency vulnerability (Pillow DoS) is mitigated by input validation controls and is an accepted risk due to Python version constraints.
Overall Security Posture: ✓ PRODUCTION READY
Next Scan: Schedule quarterly or after significant changes.