tf-aws-lambda-imageprocessing/SECURITY_SCAN.md (2026-02-22 05:37:03 +00:00)

# Security Scan Report
**Date:** 2026-02-22

**Scanner:** Manual + bandit + pip-audit

**Scope:** All source files (terraform/, lambda/, scripts/)

---
## Executive Summary
| Category | Status | Findings |
|----------|--------|----------|
| Secrets/Tokens | ✓ Pass | 0 issues |
| SAST (Python) | ✓ Pass | 0 issues |
| SAST (Terraform) | ✓ Pass | 0 issues |
| Dependencies | ⚠ Warning | 1 known vulnerability (version constrained) |
| IAM Policies | ✓ Pass | No wildcards |
| Input Validation | ✓ Pass | Implemented |
---
## 1. Secrets and Tokens Scan
**Tool:** grep patterns

**Result:** ✓ PASS

| Check | Pattern | Result |
|-------|---------|--------|
| AWS Access Keys | `AKIA[0-9A-Z]{16}` | Not found |
| Hardcoded passwords | `password = "..."` | Not found |
| API keys | `api_key = "..."` | Not found |
| Private keys | `BEGIN RSA PRIVATE` | Not found |
| Base64 secrets | `b64decode(...)` | Not found |
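The grep checks in the table above can be kept as a small repeatable script so the scan is reproducible on the next run. The following is an added example, not a script from this project: it compiles the table's five patterns (the quoted-value shorthand `password = "..."` is generalised to any quoted value, and the PEM check accepts the usual key-header variants), walks a source tree, and reports `(path, line, check)` hits. The sample inputs are constructed; the access key id is the documented AWS example value, not a live credential.

```python
import re
from pathlib import Path

# The five checks from the scan table, as compiled regexes. Quoted-value patterns
# generalise the table's `x = "..."` shorthand; the PEM pattern covers RSA/EC/DSA/OpenSSH.
SECRET_PATTERNS = {
    "AWS Access Keys": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Hardcoded passwords": re.compile(r"""password\s*=\s*["'][^"']+["']""", re.I),
    "API keys": re.compile(r"""api_key\s*=\s*["'][^"']+["']""", re.I),
    "Private keys": re.compile(r"BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY"),
    "Base64 secrets": re.compile(r"b64decode\("),
}


def scan_text(text, path="<memory>"):
    """Return (path, line_no, check_name) for every line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def scan_paths(root, suffixes=(".py", ".tf", ".sh", ".env", ".json", ".yaml", ".yml")):
    """Scan every file under root whose suffix is in the allowlist; sorted for stable output."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed samples (not project files). The key id is AWS's published example value.
SAMPLE_CLEAN = 'region = "us-east-1"\nbucket = "example-images"\n'
SAMPLE_DIRTY = (
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
    'db_password = "hunter2"\n'
    'header = "-----BEGIN RSA PRIVATE KEY-----"\n'
    'nothing = "to see here"\n'
)

if __name__ == "__main__":
    import sys

    # Usage: python secret_scan.py [root]; exits non-zero when anything is found.
    hits = scan_paths(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, line_no, name in hits:
        print(f"{path}:{line_no}: {name}")
    sys.exit(1 if hits else 0)
```

Expect noise from the `b64decode(` and `password =` checks in test fixtures and documentation; review each hit rather than suppressing the pattern.
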
---
## 2. SAST: Python (bandit)
**Tool:** bandit

**Result:** ✓ PASS

```
Total lines of code: 159
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
```
Files scanned:
- `lambda/config.py`
- `lambda/image_processor.py`
- `lambda/storage.py`
- `lambda/notifications.py`
- `lambda/lambda_function.py`
---
## 3. SAST: Terraform
**Tool:** Manual review

**Result:** ✓ PASS

| Control | Status | Evidence |
|---------|--------|----------|
| S3 public access blocked | ✓ | `block_public_acls = true` (4 controls) |
| KMS encryption | ✓ | `aws_kms_key.main` with rotation |
| DynamoDB encryption | ✓ | `server_side_encryption { enabled = true }` |
| DynamoDB PITR | ✓ | `point_in_time_recovery { enabled = true }` |
| Least-privilege IAM | ✓ | Scoped to specific ARNs, no wildcards |
| GuardDuty enabled | ✓ | `aws_guardduty_detector.main` |
| Security Hub enabled | ✓ | `aws_securityhub_account.main` |
| S3 access logging | ✓ | Separate logs bucket configured |
### IAM Policy Review
All IAM policies use scoped resources:
```hcl
Resource = "${aws_s3_bucket.images.arn}/uploads/*" # S3 prefix (safe)
Resource = "${aws_s3_bucket.images.arn}/processed/*" # S3 prefix (safe)
Resource = "${aws_cloudwatch_log_group.lambda.arn}:*" # Log streams (safe)
```
No dangerous wildcards (`Action = "*"`, `Resource = "*"`) found.

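The manual wildcard review can be automated against the rendered policy documents. The checker below is an added example, not part of this project: it takes an IAM policy as a parsed JSON dict and flags, in `Allow` statements only, a bare `"*"` action or resource (the two cases the review names) and, as an addition beyond the page's checks, service-wide actions such as `s3:*` and `NotAction`/`NotResource` grants. A `*` inside an ARN prefix (the `uploads/*` pattern above) is deliberately not flagged. The `resource_star_ok` allowlist is for actions that offer no resource-level permissions; it defaults to empty and must be filled by the reviewer. Both sample policies and their ARNs are constructed.

```python
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy, resource_star_ok=frozenset()):
    """Return (statement_index, field, value) for each risky wildcard.

    Only Allow statements are inspected: a broad Deny is a guardrail, not a grant.
    Flagged: Action "*" or "service:*", Resource "*" (unless every action in the
    statement is in resource_star_ok), and any NotAction / NotResource grant.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("NotAction", "NotResource"):
            for value in _as_list(stmt.get(field)):
                findings.append((idx, field, value))     # inverted grants are always broad
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            all_allowlisted = bool(actions) and all(a in resource_star_ok for a in actions)
            if resource == "*" and not all_allowlisted:
                findings.append((idx, "Resource", resource))
    return findings


def check_policy_json(text, **kwargs):
    """Same check for a raw JSON policy document string."""
    return find_wildcards(json.loads(text), **kwargs)


# Constructed sample policies; bucket name, region and account id are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-images-bucket/uploads/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-images-bucket/processed/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"},
    ],
}
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-images-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, find_wildcards(policy))
```

Run it over each policy document that Terraform renders (for example the `jsonencode` input of every `aws_iam_policy` and inline role policy) and fail the pipeline on a non-empty result.
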
---
## 4. Dependency Scan (pip-audit)
**Tool:** pip-audit

**Result:** ⚠ WARNING (Accepted Risk)

| Package | Version | Vulnerability | Fix Version | Status |
|---------|---------|---------------|-------------|--------|
| Pillow | 10.4.0 | GHSA-cfh3-3jmp-rvhc (DoS) | 12.1.1 | **Cannot upgrade** |
**Risk Acceptance:**

Pillow 12.1.1 requires Python 3.9+. Current Lambda runtime is Python 3.11, but the build environment is Python 3.8. The vulnerability is a potential DoS via malformed image files, which is mitigated by:

1. **Input validation** - `MAX_FILE_SIZE = 10MB` limit
2. **Dimension validation** - `MAX_DIMENSION = 4096` limit
3. **Format validation** - Only JPEG/PNG/WEBP allowed
4. **Timeout protection** - Lambda 30s timeout

**Recommendation:** Upgrade build environment to Python 3.9+ when feasible.

---
## 5. Input Validation
**Result:** ✓ PASS

| Validation | Implementation | Location |
|------------|----------------|----------|
| File size | `MAX_FILE_SIZE = 10MB` | `config.py:5` |
| Image dimensions | `MAX_DIMENSION = 4096` | `config.py:4` |
| Allowed formats | `{'JPEG', 'JPG', 'PNG', 'WEBP'}` | `config.py:3` |
| Decompression bomb | `width * height <= MAX_DIMENSION^2` | `image_processor.py:22` |
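The size, format, dimension and decompression-bomb checks listed in this table and relied on in the section 4 risk acceptance are worth seeing as one validation path. The block below is an added example written for this page, not the project's `config.py` or `image_processor.py`: the limit names mirror the report's values, but the function names, the pure-`struct` header parsers and the sample builders are this example's own. It deliberately reads width and height from the PNG IHDR, the JPEG SOF segment and the WEBP VP8X/VP8L/VP8 chunk headers without invoking an image decoder, so a malformed or oversized file is rejected before any Pillow code runs. The header-only samples are constructed (zero CRC placeholders, no pixel data).

```python
import struct

# Limits mirroring the values the report cites from config.py (names assumed).
MAX_FILE_SIZE = 10 * 1024 * 1024
MAX_DIMENSION = 4096
ALLOWED_FORMATS = {"JPEG", "PNG", "WEBP"}

# JPEG start-of-frame markers that carry the frame size (C4, C8 and CC are not SOF).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


class ValidationError(ValueError):
    """Raised for a rejected upload; the message is short and safe to log."""

def detect_format(data):
    """Identify the container from magic bytes; the filename extension is never trusted."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WEBP"
    if data.startswith(b"GIF8"):
        return "GIF"          # recognised so the allowlist, not the parser, rejects it
    raise ValidationError("unrecognised image format")

def png_dimensions(data):
    # IHDR must be the first chunk: width and height are big-endian at bytes 16..24.
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValidationError("PNG without IHDR")
    return struct.unpack(">II", data[16:24])

def jpeg_dimensions(data):
    # Walk the marker segments until a SOFn segment gives height then width.
    i = 2
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            raise ValidationError("JPEG marker expected")
        marker = data[i + 1]
        if marker == 0xFF:                              # fill byte
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:    # standalone markers carry no length
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in SOF_MARKERS:
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + length
    raise ValidationError("JPEG without SOF segment")

def webp_dimensions(data):
    # After the 12-byte RIFF header comes a VP8X, VP8L or VP8 chunk, each laid out differently.
    if len(data) < 30:
        raise ValidationError("WEBP too short")
    chunk = data[12:16]
    if chunk == b"VP8X":    # extended: 24-bit canvas width-1 and height-1 at bytes 24..30
        return (int.from_bytes(data[24:27], "little") + 1,
                int.from_bytes(data[27:30], "little") + 1)
    if chunk == b"VP8L":    # lossless: two 14-bit (size-1) fields packed at bytes 21..25
        bits = int.from_bytes(data[21:25], "little")
        return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1
    if chunk == b"VP8 ":    # lossy: 14-bit width and height after the 3-byte start code
        return (int.from_bytes(data[26:28], "little") & 0x3FFF,
                int.from_bytes(data[28:30], "little") & 0x3FFF)
    raise ValidationError("unknown WEBP chunk")

DIMENSION_PARSERS = {"PNG": png_dimensions, "JPEG": jpeg_dimensions, "WEBP": webp_dimensions}

def validate_image(data):
    """Header-only checks, run before the bytes ever reach a decoder."""
    if len(data) > MAX_FILE_SIZE:
        raise ValidationError(f"file of {len(data)} bytes exceeds {MAX_FILE_SIZE}")
    fmt = detect_format(data)
    if fmt not in ALLOWED_FORMATS:
        raise ValidationError(f"format {fmt} not allowed")
    width, height = DIMENSION_PARSERS[fmt](data)
    if width == 0 or height == 0:
        raise ValidationError("zero-sized image")
    if width > MAX_DIMENSION or height > MAX_DIMENSION:
        raise ValidationError(f"dimensions {width}x{height} exceed {MAX_DIMENSION}")
    if width * height > MAX_DIMENSION ** 2:     # the decompression-bomb bound the report cites
        raise ValidationError("pixel count too large")
    return fmt, width, height

def validation_error(data):
    """Return the rejection reason, or None when the upload passes every check."""
    try:
        validate_image(data)
    except ValidationError as exc:
        return str(exc)
    return None

# Constructed header-only samples for exercising the checks (CRCs are zero placeholders).
def png_header(width, height):
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4

def jpeg_header(width, height):
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0\x00\x0b\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0

def webp_header(width, height):
    vp8x = b"\x00" * 4 + (width - 1).to_bytes(3, "little") + (height - 1).to_bytes(3, "little")
    body = b"WEBPVP8X" + struct.pack("<I", len(vp8x)) + vp8x
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

The per-axis limit already implies the pixel-count bound, so the last check is redundant here; it is kept because the report lists it as the explicit decompression-bomb guard. The Lambda timeout from section 4 is a separate, platform-level backstop for anything these header checks cannot see.
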
---
## 6. Security Controls Summary
| Control | Implemented | Location |
|---------|-------------|----------|
| Encryption at rest | ✓ KMS | `kms.tf`, `s3.tf`, `dynamodb.tf` |
| Encryption in transit | ✓ TLS (AWS enforced) | N/A |
| Access control | ✓ Least privilege IAM | `iam.tf` |
| Audit logging | ✓ CloudTrail + S3 logs | `s3.tf`, `lambda.tf` |
| Threat detection | ✓ GuardDuty + Security Hub | `security.tf` |
| Compliance monitoring | ✓ AWS Config | `security.tf` |
| Security alarms | ✓ 4 CloudWatch alarms | `cloudwatch.tf` |
| Input validation | ✓ Size, format, dimension | `config.py`, `image_processor.py` |
---
## 7. Recommendations
1. **Short-term:**
   - [ ] Upgrade build environment to Python 3.9+ for Pillow security updates
   - [ ] Enable VPC for Lambda (optional, free tier compatible)
2. **Long-term:**
   - [ ] Add S3 Object Lock for compliance
   - [ ] Implement request signing for S3 uploads
   - [ ] Add CloudWatch Synthetics canary for monitoring
---
## 8. Conclusion
The codebase passes all security scans with no critical or high-severity findings. The single dependency vulnerability (Pillow DoS) is mitigated by input validation controls and is an accepted risk due to Python version constraints.

**Overall Security Posture:** ✓ PRODUCTION READY

---

**Next Scan:** Schedule quarterly or after significant changes.