processing-s3-uploads-with-step-functions
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE
Full Analysis
- Principle of Least Privilege: The skill defines four distinct IAM roles with granular permissions tailored to their specific functions (Lambda, ECS execution, ECS task, and Step Functions). Trust policies are restricted using the
aws:SourceAccountcondition to prevent cross-account assume-role attempts. - Network Egress Filtering: The deployment instructions include explicit steps to revoke the default 'allow-all' egress rule for Fargate security groups, replacing it with scoped rules allowing only outbound HTTPS and DNS traffic.
- Data and Log Encryption: Encryption at rest is enforced for both the primary S3 bucket and the CloudWatch Log Group using AWS KMS, ensuring that processed data and execution logs are protected.
- Input Validation in Scripts: Both the Lambda and Fargate processing scripts include validation logic to check for path traversal patterns (e.g., checking for '/..' in S3 keys) and to ensure inputs match expected types and lengths.
- Secure Credential Management: The architecture relies entirely on IAM roles for service-to-service communication, avoiding the use of hardcoded credentials or long-term access keys within the container or function code.
- Automated Security Scanning: The skill recommends enabling ECR image scanning to detect vulnerabilities in the Fargate container image during the push process.
Audit Metadata