Sample Assessment Report
Redacted for confidentiality
Architecture Review
Security Architecture Assessment
Client: Confidential Client — FinTech Startup (Series B)
Scope: AWS-hosted microservices architecture (14 services), API gateway, authentication service, data processing pipeline, third-party integrations (3 payment providers, 2 identity providers)
Duration: 7 business days
Methodology: STRIDE Threat Modelling
Executive Summary
UnlockSec performed a threat-model-driven architecture review of the client's cloud-native financial platform. The review identified fundamental trust boundary weaknesses between microservices, the absence of any secrets management practice (credentials live in plaintext Lambda environment variables), and a data flow design that routes raw PII through the logging service without field-level filtering.
Sample Findings
PII Data Flow — Unfiltered Logging of Financial Records
Description
The centralised logging pipeline ingests raw API request and response payloads with no field-level filtering. As a result, customer PAN, CVV, bank account numbers and SSNs are written in plaintext to CloudWatch Logs, where they are readable by any principal with CloudWatch Logs read permissions (logs:GetLogEvents, logs:FilterLogEvents; currently 47 IAM users). Retaining CVV after authorisation is prohibited outright under PCI DSS, so this is a compliance failure as well as a confidentiality exposure, and every existing log stream that already contains these fields is in scope for remediation.
Recommendation
Implement field-level filtering in the logging pipeline so that sensitive fields are dropped (CVV) or masked to the last four characters (PAN, account numbers, SSN) before ingestion, in the application or log shipper rather than downstream. CloudWatch Logs data protection policies can mask known patterns as a second layer, but they act after the data has left the application and principals with logs:Unmask can still read the original, so they must not be the only control. Purge the existing log groups that contain these fields and shorten their retention. Apply data classification tagging to all data flows and conduct a GDPR/PCI-DSS data flow mapping exercise.
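As an illustration of the field-level filter recommended above, the following is an added example written for this page; it is not the client's code or an UnlockSec deliverable. It assumes log records are JSON-serialisable dicts (the usual shape of an API gateway access log) and that the field names in DROP_KEYS and MASK_KEYS match the platform's payloads; both are assumptions. It goes slightly beyond the finding by also scrubbing PANs and SSNs that appear inside free-text fields, gating PAN detection on a Luhn check so that other 16-digit identifiers are left alone.

```python
import json
import re
from typing import Any

# Fields that must never reach the log. PCI DSS forbids retaining CVV/CVC after
# authorisation, so these are dropped outright rather than masked. (Assumed names.)
DROP_KEYS = {"cvv", "cvc", "cvv2", "security_code"}

# Fields masked to their last four characters so support staff can still
# correlate a record with a customer without seeing the full value. (Assumed names.)
MASK_KEYS = {"pan", "card_number", "account_number", "iban", "ssn", "routing_number"}

# Patterns applied to every string value, for PII that lands in free-text
# fields (error messages, notes) rather than under a known key.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check, so a 16-digit order id is not mis-masked as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_last4(value: Any) -> str:
    """Keep only the last four characters; separators are stripped first."""
    s = re.sub(r"[ -]", "", str(value))
    if len(s) <= 4:
        return "[REDACTED]"
    return "*" * (len(s) - 4) + s[-4:]


def _scrub_text(text: str) -> str:
    """Redact SSNs and Luhn-valid card numbers embedded in free text."""
    text = SSN_RE.sub("[SSN REDACTED]", text)

    def card_sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_last4(digits) if luhn_ok(digits) else m.group(0)

    return CARD_RE.sub(card_sub, text)


def redact(obj: Any) -> Any:
    """Return a copy of obj with sensitive fields dropped, masked or scrubbed."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            key = str(k).lower()
            if key in DROP_KEYS:
                continue  # dropped entirely
            if key in MASK_KEYS:
                out[k] = None if v is None else mask_last4(v)
            else:
                out[k] = redact(v)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return _scrub_text(obj)
    return obj


def to_log_line(record: dict) -> str:
    """The only serialiser the logging pipeline should call."""
    return json.dumps(redact(record), separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample request (not real customer data; 4111... is a test PAN).
    sample = {
        "path": "/v1/payments",
        "body": {
            "card_number": "4111 1111 1111 1111",
            "cvv": "123",
            "order_id": "1234567890123456",
            "customer": {"ssn": "123-45-6789", "name": "Test User"},
            "note": "retry for card 4111111111111111, ssn 123-45-6789",
        },
    }
    print(to_log_line(sample))
```

The point of the Luhn gate is worth checking in production data: a filter that masks every long digit run will also eat order ids and timestamps, and teams then quietly disable it.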
Microservice Trust — No Service-to-Service Authentication
Description
Internal microservice communication is unauthenticated — any service within the VPC can call any other service's internal API endpoints without presenting credentials. Compromise of any single microservice provides unrestricted access to all internal APIs.
Recommendation
Implement mutual TLS (mTLS) for all service-to-service communication, with a per-service certificate issued by an internal CA (AWS Private CA or equivalent) and short lifetimes. Give each service its own IAM identity (ECS task role, EKS IRSA or Lambda execution role, not shared credentials) so that calls to AWS-fronted APIs can be SigV4-signed and authorised per caller. Treat the TLS identity as authentication only: each internal endpoint still needs an allowlist of which service identities may call it. Use security groups as a network-level backstop so that each service accepts connections only from the services that need it. A service mesh (Istio, or AWS App Mesh, for which AWS has announced an end-of-support date) can handle certificate issuance, rotation and policy enforcement.
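The following is an added example for the authorisation half of this recommendation; it is not the client's code or an UnlockSec deliverable. mTLS tells the receiving service which peer is calling; the service still has to decide whether that identity may call this endpoint. The peer certificate dict is in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the service names, endpoint paths, SPIFFE-style URIs and certificate file paths are assumptions.

```python
import ssl
from typing import Mapping

# Which caller identities may reach which internal endpoints. Assumed names;
# identities are SAN values (URI or DNS) as issued by the internal CA.
ENDPOINT_POLICY = {
    "/internal/ledger/post": frozenset({"spiffe://fintech.example/sa/payments"}),
    "/internal/users/lookup": frozenset({
        "spiffe://fintech.example/sa/payments",
        "spiffe://fintech.example/sa/auth",
    }),
}


def server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Listener context: clients must present a certificate chained to the
    internal CA, and anything below TLS 1.2 is refused. Paths are assumed."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # the handshake itself rejects anonymous callers
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Caller context: verifies the server against the internal CA and presents
    this service's own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def peer_identities(peer_cert: Mapping) -> set:
    """SAN URI and DNS names from a getpeercert() dict. The subject CN is
    deliberately ignored: it is free text, not what the CA is asserting."""
    return {val for kind, val in peer_cert.get("subjectAltName", ()) if kind in ("URI", "DNS")}


def authorize(peer_cert: Mapping, path: str) -> bool:
    """Default deny: an unknown endpoint or no matching identity is a 403."""
    allowed = ENDPOINT_POLICY.get(path)
    if not allowed:
        return False
    return not peer_identities(peer_cert).isdisjoint(allowed)


# Constructed getpeercert() output for two callers (not real certificates).
PAYMENTS_CERT = {
    "subject": ((("commonName", "payments"),),),
    "subjectAltName": (("URI", "spiffe://fintech.example/sa/payments"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
REPORTING_CERT = {
    "subject": ((("commonName", "payments"),),),  # CN copied from payments; SAN is what counts
    "subjectAltName": (("DNS", "reporting.internal"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    for cert, name in ((PAYMENTS_CERT, "payments"), (REPORTING_CERT, "reporting")):
        print(name, "/internal/ledger/post", authorize(cert, "/internal/ledger/post"))
```

Expiry and chain validity are enforced by the handshake before `getpeercert()` is ever consulted, so `authorize` only has to answer the policy question.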
Secrets Management — Credentials in Lambda Environment Variables
Description
Database passwords, third-party API keys and JWT signing secrets are stored in plaintext as Lambda function environment variables. They are readable by any IAM principal with lambda:GetFunctionConfiguration or lambda:GetFunction (which returns the same configuration), and copies persist wherever the functions are defined or deployed: infrastructure-as-code state files, CloudFormation templates and CI logs. Lambda encrypts environment variables at rest, but that does not limit who can read them through the API.
Recommendation
Migrate all secrets to AWS Secrets Manager or Systems Manager Parameter Store (SecureString) and have functions fetch them at runtime, caching the value across warm invocations (the Lambda Parameters and Secrets Extension does this) rather than re-injecting them into the environment at deploy time. Scope each secret's resource policy and the execution role's secretsmanager:GetSecretValue permission to the one function that needs it, and encrypt with a customer managed KMS key so that kms:Decrypt acts as a second gate. Rotate every currently exposed credential; for the JWT signing secret this means issuing a new key under a new kid and rejecting tokens signed with the old one after a short overlap. Restrict lambda:GetFunctionConfiguration and lambda:GetFunction to the deployment pipeline role only, and scrub the old values from IaC state and CI logs.
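The runtime-retrieval pattern above, as an added example that is not the client's code or an UnlockSec deliverable. It shows the environment-variable pattern the assessment found next to a Secrets Manager fetch with a TTL cache and explicit invalidation for rotation. The Secrets Manager client is injected so the block runs offline against a fake; in Lambda it would be `boto3.client("secretsmanager")`. The secret name and its JSON fields are assumptions.

```python
import json
import os
import time


# Before: the pattern found in the assessment. Anyone who can read the function
# configuration can read the password, and it changes only on redeploy.
def db_password_from_env() -> str:
    return os.environ["DB_PASSWORD"]


# After: fetch from Secrets Manager at runtime and cache across warm invocations.
class SecretCache:
    def __init__(self, client, ttl_seconds: float = 300.0, clock=time.monotonic):
        # `client` is boto3.client("secretsmanager") in Lambda; a fake here.
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # secret_id -> (expires_at, parsed JSON value)

    def get(self, secret_id: str) -> dict:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        # Same call shape as boto3: get_secret_value(SecretId=...) -> {"SecretString": ...}
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])
        self._cache[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        """Call on an authentication failure so a freshly rotated secret is
        re-read before the TTL expires."""
        self._cache.pop(secret_id, None)


class FakeSecretsManager:
    """Stand-in for the boto3 client, enough to run offline; counts API calls."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": json.dumps(self._secrets[SecretId])}


class FakeClock:
    """Controllable monotonic clock so TTL expiry can be exercised."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


DB_SECRET_ID = "prod/payments/db"  # assumed secret name


def handler(event, context, cache: SecretCache) -> dict:
    """Lambda entry point with the cache passed in; in the real function the
    cache is created once at module scope so it outlives the invocation."""
    creds = cache.get(DB_SECRET_ID)
    # A real handler would open its DB connection with creds["host"],
    # creds["username"], creds["password"] here.
    return {"statusCode": 200, "db_user": creds["username"]}


if __name__ == "__main__":
    # Constructed secret value, not a real credential.
    fake = FakeSecretsManager({DB_SECRET_ID: {"host": "db.internal", "username": "app", "password": "not-a-real-password"}})
    cache = SecretCache(fake)
    handler({}, None, cache)
    handler({}, None, cache)
    print("API calls after two invocations:", fake.calls)
```

Keep the TTL short enough that a rotation propagates without a redeploy, and pair it with `invalidate` on authentication errors so the function recovers immediately when rotation lands mid-TTL.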
Missing Egress Controls — Data Exfiltration Path
Description
All VPC subnets have unrestricted internet egress via a NAT gateway with no network-level filtering. A compromised Lambda function or container can exfiltrate data to any internet destination without detection or blocking.
Recommendation
Route AWS API traffic through VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for the rest) with endpoint policies that restrict access to this account's resources, so that a stolen role cannot copy data to an attacker-owned bucket. Remove the NAT route from subnets that do not need internet access at all. Where egress is genuinely required, put AWS Network Firewall in the path with a stateful rule group that allows only the named payment and identity provider domains and denies everything else. Enable VPC Flow Logs with CloudWatch alarms on accepted traffic to non-allowlisted destinations, and add Route 53 Resolver query logging, because flow logs record IP addresses only and will not reveal DNS-based exfiltration.
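To show what the flow-log detection in this recommendation looks like in practice, the following is an added example written for this page, not the client's code or an UnlockSec deliverable. It parses records in the default VPC Flow Log format, keeps accepted outbound flows from the VPC to destinations outside RFC 1918 space and outside an allowlist, and aggregates bytes per source interface and destination. The VPC range, the allowlisted provider range, the alert threshold and the sample log lines are all constructed for the example. RFC 1918 is checked explicitly rather than via `ipaddress`'s `is_private`, which also treats the documentation ranges used in the sample as non-global.

```python
import ipaddress
from collections import defaultdict

# Default VPC Flow Log record format (version 2 fields, in order).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: the VPC's own range, RFC 1918 space reachable
# over peering/VPN, and the one external range the platform is expected to
# reach (a payment provider API).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]


def parse_record(line: str):
    """Return a dict for a usable record, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA/SKIPDATA records carry '-' in the address fields
    return rec


def is_unapproved_egress(rec: dict) -> bool:
    """Accepted flow from inside the VPC to a destination we have not approved."""
    try:
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
    except ValueError:
        return False
    if src not in VPC_CIDR:
        return False  # inbound or transit traffic; not the question here
    if any(dst in net for net in INTERNAL + ALLOWED_EXTERNAL):
        return False
    return rec["action"] == "ACCEPT"  # REJECTed flows were already blocked


def aggregate_egress(lines) -> dict:
    """Bytes per (interface, destination) for accepted, unapproved outbound flows."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_unapproved_egress(rec):
            totals[(rec["interface_id"], rec["dstaddr"])] += int(rec["bytes"])
    return dict(totals)


def flag(totals: dict, threshold_bytes: int = 50_000) -> dict:
    """Destinations that merit an alarm; the threshold is a tuning assumption."""
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


# Constructed sample records (TEST-NET addresses, fictitious ENI ids).
SAMPLE_LINES = [
    "2 123456789012 eni-0aaa 10.0.1.25 10.0.2.40 51000 8080 6 10 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa 10.0.1.25 198.51.100.7 51001 443 6 40 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0bbb 10.0.3.9 203.0.113.50 49152 443 6 800 64000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0bbb 10.0.3.9 203.0.113.50 49153 443 6 10 2000 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0ccc 10.0.4.2 192.0.2.99 49200 53 17 1 100 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0ccc 10.0.4.2 192.0.2.99 49201 443 6 5 700 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0ddd - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    totals = aggregate_egress(SAMPLE_LINES)
    for key, nbytes in flag(totals).items():
        print("ALERT unapproved egress", key, nbytes, "bytes")
```

The low-volume flow to port 53 is the reminder that byte thresholds miss DNS tunnelling; that is what the Resolver query logging recommendation is for.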
* Showing 4 of 33 total findings. Full report provided upon engagement.
Deliverables Included
- STRIDE threat model with attack surface diagram
- Data flow security analysis with PII mapping
- Trust boundary assessment per microservice
- Secure architecture target state recommendations
- Risk-ranked remediation roadmap (30/60/90-day plan)
Ready for a real assessment?
Get a tailored Architecture Review engagement led by certified operators with unlimited retests.