Security & Guardrails

Receipts, not buzzwords.

This page is designed for cloud/infrastructure recruiters and senior engineers. It documents the threat model and the concrete guardrails for this portfolio system (AWS telemetry proxy + public dashboard), with direct links to IaC and evidence exports.

Threat model (abuse cases → mitigations)

  • API scraping / abuse: the AWS telemetry endpoint requires a shared token header; rate limiting is enforced at the edge.
  • Secrets exposure: GitHub token stays server-only; AWS shared token is server-only; the UI never receives secret material.
  • Untrusted artifact input: CI artifacts/ZIPs are treated as untrusted input; metrics are schema-validated.
  • Blast radius containment: the public UI degrades to a snapshot baseline rather than cascading the failure.

Pattern: least privilege + untrusted input handling + safe degradation
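The consumer side of that threat model, as an added example (this is not the portfolio's own route code): a server-only route fetches telemetry from the AWS proxy, treats the response as untrusted input (allow-listed fields, bounds-checked, unknown keys dropped), and degrades to the snapshot baseline with a stated reason on any failure. The env var names, metric field names and baseline values are assumed for illustration.

```javascript
// Added example (not the portfolio's own code): a server-only route that fetches
// telemetry from the AWS proxy, treats the response as untrusted input, and
// degrades to a snapshot baseline instead of failing the page.
// Assumed/constructed: env var names, metric field names, and the baseline values.

const SNAPSHOT_BASELINE = Object.freeze({
  source: 'snapshot',
  capturedAt: '2024-01-01T00:00:00Z', // constructed placeholder timestamp
  metrics: { p95LatencyMs: 120, errorRate: 0.01, deploysLast7d: 3 },
});

// Allow-list of fields the UI may receive, each with a bounds check.
const FIELD_RULES = {
  p95LatencyMs: (v) => Number.isFinite(v) && v >= 0 && v < 60000,
  errorRate: (v) => Number.isFinite(v) && v >= 0 && v <= 1,
  deploysLast7d: (v) => Number.isInteger(v) && v >= 0 && v < 10000,
};

// Schema-validate an already-parsed payload. Unknown keys are dropped, never
// forwarded; any missing or out-of-range field rejects the whole payload.
function validateMetrics(payload) {
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
    return { ok: false, reason: 'payload is not an object' };
  }
  const m = payload.metrics;
  if (typeof m !== 'object' || m === null || Array.isArray(m)) {
    return { ok: false, reason: 'missing metrics object' };
  }
  const clean = {};
  for (const [key, check] of Object.entries(FIELD_RULES)) {
    if (!check(m[key])) return { ok: false, reason: `bad field ${key}` };
    clean[key] = m[key];
  }
  return { ok: true, metrics: clean };
}

// Parse + validate a raw response body; a parse failure is just another reject.
function parseTelemetry(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  return validateMetrics(parsed);
}

// Decide what the page gets from an upstream result. Every failure path returns
// the baseline plus a reason, so a verifier can tell which path served the page.
function resolveTelemetry(upstream) {
  if (!upstream.ok) return { ...SNAPSHOT_BASELINE, reason: `upstream ${upstream.status}` };
  const result = parseTelemetry(upstream.body);
  if (!result.ok) return { ...SNAPSHOT_BASELINE, reason: result.reason };
  return { source: 'cloud', metrics: result.metrics };
}

// Server route: the shared token is attached here and never reaches the browser.
async function loadTelemetry(fetchImpl, env) {
  try {
    const res = await fetchImpl(env.METRICS_ENDPOINT, {
      headers: { 'x-metrics-token': env.METRICS_TOKEN },
    });
    return resolveTelemetry({ ok: res.ok, status: res.status, body: await res.text() });
  } catch {
    return { ...SNAPSHOT_BASELINE, reason: 'fetch failed' };
  }
}
```

The `source` field is what a production verifier reads to prove which path (cloud proxy or snapshot fallback) rendered the page; the `reason` field is kept server-side for logs and is not something the UI needs to display.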

WAF + rate limiting (edge controls)

The WAF and rate-limit controls on the API are reproducible rather than asserted: an attack simulation script exercises them, and an evidence capture records the result.

  • Edge WAF: CloudFront-scope Web ACL + rate-based rule
  • API throttling: API Gateway stage throttling defaults

IAM least privilege (policy receipts)

The telemetry proxy Lambda has narrowly scoped permissions:

  • S3 read: only s3:GetObject for a single key.
  • Newsletter DynamoDB access: limited to required item/query operations.
  • Logging: AWS managed Lambda basic execution role.
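The edge controls above and this IAM section both describe guardrails that can be checked mechanically against the IaC. As an added example (not the portfolio's own IaC or tooling), here is a small "receipt check" that reads a Web ACL and stage throttle in CloudFormation property shape (AWS::WAFv2::WebACL, AWS::ApiGateway::Stage MethodSettings) and an IAM policy document, and reports any missing guardrail. Every name, ARN, account id and limit in the definitions is constructed for illustration.

```javascript
// Added example (not the portfolio's own IaC): a "receipt check" that reads the
// edge and IAM definitions and fails if a guardrail is missing. Definitions are
// in CloudFormation property shape; all names, ARNs and limits are constructed.

const WEB_ACL = {
  Scope: 'CLOUDFRONT',
  DefaultAction: { Allow: {} },
  Rules: [{
    Name: 'rate-limit-per-ip',
    Priority: 0,
    Action: { Block: {} },
    Statement: { RateBasedStatement: { Limit: 1000, AggregateKeyType: 'IP' } },
    VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: 'rateLimitPerIp' },
  }],
};

const STAGE_METHOD_SETTINGS = [
  { HttpMethod: '*', ResourcePath: '/*', ThrottlingRateLimit: 10, ThrottlingBurstLimit: 20 },
];

const LAMBDA_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::example-metrics-bucket/metrics/latest.json' },
    { Effect: 'Allow', Action: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
      Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/example-newsletter' },
  ],
};

// Edge: a CloudFront-scoped ACL with a rate-based rule that blocks and emits metrics.
function checkWebAcl(acl) {
  const findings = [];
  if (acl.Scope !== 'CLOUDFRONT') findings.push('Web ACL is not CloudFront-scoped');
  const rateRules = (acl.Rules || []).filter((r) => r.Statement && r.Statement.RateBasedStatement);
  if (rateRules.length === 0) findings.push('no rate-based rule');
  for (const r of rateRules) {
    if (!r.Action || !('Block' in r.Action)) findings.push(`rule ${r.Name} does not block`);
    if (!r.VisibilityConfig || !r.VisibilityConfig.CloudWatchMetricsEnabled) {
      findings.push(`rule ${r.Name} has CloudWatch metrics disabled`);
    }
  }
  return findings;
}

// API stage: a stage-wide (*, /*) throttle with positive rate and burst limits.
function checkStageThrottling(methodSettings) {
  const all = methodSettings.find((s) => s.HttpMethod === '*' && s.ResourcePath === '/*');
  if (!all) return ['no stage-wide throttling setting'];
  const findings = [];
  if (!(all.ThrottlingRateLimit > 0)) findings.push('ThrottlingRateLimit not set');
  if (!(all.ThrottlingBurstLimit > 0)) findings.push('ThrottlingBurstLimit not set');
  return findings;
}

// IAM: no wildcard actions or resources, only expected service prefixes, and
// S3 access that is exactly GetObject on exactly one key.
function checkLeastPrivilege(policy, allowedPrefixes = ['s3:', 'dynamodb:']) {
  const findings = [];
  const s3 = { actions: new Set(), resources: new Set() };
  for (const st of policy.Statement) {
    if (st.Effect !== 'Allow') continue;
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource);
    for (const a of actions) {
      if (a.includes('*')) findings.push(`wildcard action ${a}`);
      if (!allowedPrefixes.some((p) => a.startsWith(p))) findings.push(`unexpected action ${a}`);
      if (a.startsWith('s3:')) { s3.actions.add(a); resources.forEach((r) => s3.resources.add(r)); }
    }
    for (const r of resources) if (r === '*' || r.endsWith('*')) findings.push(`wildcard resource ${r}`);
  }
  if (s3.actions.size > 0) {
    if (![...s3.actions].every((a) => a === 's3:GetObject')) findings.push('S3 grants more than GetObject');
    if (s3.resources.size !== 1) findings.push('S3 read is not limited to a single key');
  }
  return findings;
}

// Run every check; an empty list is the "receipt".
function checkAll() {
  return [
    ...checkWebAcl(WEB_ACL),
    ...checkStageThrottling(STAGE_METHOD_SETTINGS),
    ...checkLeastPrivilege(LAMBDA_POLICY),
  ];
}
```

Run in CI against the synthesized template, a non-empty findings list fails the pipeline, which keeps the "Logging" statement (the AWS managed basic execution role) as the only permission that is not spelled out in the project's own policy document.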

Token + secrets strategy

  • AWS proxy token: required header x-metrics-token (server-side secret).
  • GitHub token: used only in server routes; never returned to the browser.
  • No long-lived AWS keys: CI publishes via GitHub OIDC (federation).

Rate limiting in-app (portfolio baseline)

For lightweight protection on public forms (contact/newsletter), the portfolio includes an in-memory limiter appropriate for a small footprint. In multi-instance production, this would be swapped to a shared store (DynamoDB/Redis).
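An in-memory limiter of that shape, as an added example (not the portfolio's own limiter): a sliding window keyed by route and client IP, an injectable clock, a bounded in-memory store, and a store interface that is the seam for the DynamoDB/Redis upgrade. The limits, key format and trusted-proxy count are assumed.

```javascript
// Added example (not the portfolio's own limiter): sliding-window limiter for
// public form routes. MemoryStore is the small-footprint baseline; a shared
// store with the same get/set/prune surface is the multi-instance upgrade.
// Limits, key format and trusted-proxy count are assumed.

class MemoryStore {
  constructor() { this.hits = new Map(); }
  get(key) { return this.hits.get(key) || []; }
  set(key, timestamps) {
    if (timestamps.length === 0) this.hits.delete(key); else this.hits.set(key, timestamps);
  }
  // Drop keys whose every hit has left the window, so a flood of distinct keys
  // cannot grow the map without bound (an in-memory limiter's own DoS risk).
  prune(now, windowMs) {
    for (const [key, ts] of this.hits) {
      if (ts.every((t) => now - t >= windowMs)) this.hits.delete(key);
    }
  }
  size() { return this.hits.size; }
}

function createLimiter({ limit, windowMs, store = new MemoryStore(), now = Date.now, pruneEvery = 1000 }) {
  let calls = 0;
  // Returns { allowed, remaining, retryAfterMs }; retryAfterMs feeds a Retry-After header.
  return function check(key) {
    const t = now();
    if (++calls % pruneEvery === 0 && store.prune) store.prune(t, windowMs);
    const recent = store.get(key).filter((ts) => t - ts < windowMs);
    if (recent.length >= limit) {
      store.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: windowMs - (t - recent[0]) };
    }
    recent.push(t);
    store.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  };
}

// Behind a trusted proxy (CloudFront), the client IP is the entry that proxy
// appended to x-forwarded-for, i.e. counted from the right; the leading entries
// are client-controlled and must not be used as a limiter key.
function pickClientIp(xff, trustedProxies = 1) {
  const parts = String(xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  const idx = parts.length - trustedProxies;
  return idx >= 0 ? parts[idx] : null;
}

// Key by route and client IP so the contact and newsletter forms count separately.
function limiterKey(route, xff, fallbackIp) {
  return `${route}:${pickClientIp(xff) || fallbackIp || 'unknown'}`;
}
```

The caveat that motivates the upgrade path: each process has its own MemoryStore, so with N instances the effective limit is roughly N times `limit`, and a restart clears all counters. Swapping in a shared store fixes both without touching the route code.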

Pattern: cheap baseline protections + clear upgrade path

Auditability

Security posture isn’t “trust me”. It’s visible: infrastructure is defined as code, monitoring is exported as evidence, and the production verifier proves the runtime path (cloud proxy vs snapshot fallback).