Proposal for Security Enhancements in the Serverless Architecture #292

Open
@cncoder

Description

To improve the security posture and reduce the attack surface of the serverless architecture, I propose implementing the following security enhancements:

  1. Network Isolation and Access Control:
  • Deploy the frontend web and API Gateway in private subnets within an Amazon VPC.
  • Strictly control inbound traffic using Security Groups and Network ACLs, allowing access only for authorized users or devices via VPN or AWS Direct Connect.
  • Consider using an Application Load Balancer in front of your Lambda functions, which would be the recommended approach for securely exposing Lambda functions without exposing them directly to the internet.
  2. Lambda Function Security Hardening:
  • Deploy Lambda functions in private VPC subnets, accessing services like SageMaker and Bedrock through VPC Endpoints, eliminating the need for public internet access.
  • Follow the principle of least privilege, granting the Lambda execution role only the necessary permissions to access required AWS services.
  3. CDK Deployment Script Permission Optimization:
  • Adhere to the principle of least privilege, granting the IAM roles required for CDK deployment scripts only the minimal necessary permissions.
  • The current documentation uses admin access, which poses a security risk, and permissions should be refined.
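As an added check for points 2 and 3 above (example code, not from the issue author or the project): a small Python script that flags admin-style grants in an IAM policy document and lists Lambda functions in a synthesized CDK/CloudFormation template that have no `VpcConfig`. The two policies, the template and every ARN or ID in them are constructed placeholders.

```python
# Constructed sample: the admin-style deploy policy the issue warns about.
ADMIN_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: a scoped Lambda execution policy (ARNs are placeholders).
SCOPED_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:InvokeModel"],
     "Resource": "arn:aws:bedrock:REGION::foundation-model/MODEL_ID"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/FUNCTION:*"}]}

# Constructed sample of a synthesized CloudFormation template: ApiHandler has no
# VpcConfig (it reaches AWS services over the public internet), Worker is in a VPC.
SYNTH_TEMPLATE = {"Resources": {
    "ApiHandler": {"Type": "AWS::Lambda::Function",
                   "Properties": {"Runtime": "python3.12", "Handler": "index.handler"}},
    "Worker": {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.12", "Handler": "index.handler",
        "VpcConfig": {"SubnetIds": ["subnet-PLACEHOLDER"], "SecurityGroupIds": ["sg-PLACEHOLDER"]}}}}}

def _as_list(value):
    # IAM accepts either a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def find_overbroad_grants(policy: dict) -> list[str]:
    """One finding per Allow statement that grants wildcard actions or resources."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything else")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: wildcard resource '*'")
    return findings

def lambda_functions_outside_vpc(template: dict) -> list[str]:
    """Logical IDs of Lambda functions whose VpcConfig names no subnets."""
    outside = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        if not res.get("Properties", {}).get("VpcConfig", {}).get("SubnetIds"):
            outside.append(logical_id)
    return outside
```

Run both checks against the output of `cdk synth` (the template JSON under `cdk.out/`) and the policy documents attached to the deploy and execution roles; an empty result from each is the least-privilege and private-subnet state the proposal asks for.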
