processing-s3-uploads-with-step-functions

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE
Full Analysis
  • Principle of Least Privilege: The skill defines four distinct IAM roles with granular permissions tailored to their specific functions (Lambda, ECS execution, ECS task, and Step Functions). Trust policies are restricted using the aws:SourceAccount condition to prevent cross-account assume-role attempts.
  • Network Egress Filtering: The deployment instructions include explicit steps to revoke the default 'allow-all' egress rule for Fargate security groups, replacing it with scoped rules allowing only outbound HTTPS and DNS traffic.
  • Data and Log Encryption: Encryption at rest is enforced for both the primary S3 bucket and the CloudWatch Log Group using AWS KMS, ensuring that processed data and execution logs are protected.
  • Input Validation in Scripts: Both the Lambda and Fargate processing scripts include validation logic to check for path traversal patterns (e.g., checking for '/..' in S3 keys) and to ensure inputs match expected types and lengths.
  • Secure Credential Management: The architecture relies entirely on IAM roles for service-to-service communication, avoiding the use of hardcoded credentials or long-term access keys within the container or function code.
  • Automated Security Scanning: The skill recommends enabling ECR image scanning to detect vulnerabilities in the Fargate container image during the push process.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 02:49 PM
Security Audit — agent-trust-hub — processing-s3-uploads-with-step-functions