This project implements a Serverless Event-Driven Architecture to process files uploaded to S3. It includes a SecOps layer to validate files before processing and persists metadata in DynamoDB for auditing purposes.
The workflow follows a reactive pattern:
User Upload (S3) ➔ Trigger (Notification) ➔ Lambda (Python) ➔ Validation (SecOps) ➔ Persistence (DynamoDB)
- S3 Bucket: Acts as the ingestion layer for incoming files (invoices, documents).
- AWS Lambda (Python 3.9): The compute layer that processes the event. It uses boto3 to interact with AWS services.
- DynamoDB: NoSQL database used to store an append-only audit log of all uploads (Approved or Blocked). Keeping the log immutable relies on the Lambda role having dynamodb:PutItem only, with no UpdateItem or DeleteItem permission.
- Terraform: Manages all infrastructure as code, including IAM Roles and Permissions (Least Privilege).
This service implements Input Validation to mitigate common attack vectors:
- File Type Validation: Only allows specific extensions (.pdf, .txt, .csv, .json) and blocks executables (.exe) or scripts. The check inspects the object key's extension, not the file content, so it is a guardrail rather than content inspection.
- DoS Protection: Rejects files larger than 5MB to prevent Lambda timeouts and cost spikes. The object size is included in the S3 event record, so an oversized file can be rejected without downloading it.
- Audit Trail: Every action is logged. Blocked files are recorded in DynamoDB with a block_reason attribute.
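The handler below is an added example (not the project's own code) showing the workflow and validation rules described above in one place: it reads each S3 record from the event, checks the key's extension and the reported object size, and writes one audit item per upload with a block_reason when the file is rejected. The function names, the item attributes, the 5 MB constant and the in-memory FakeTable are assumptions made so the example runs offline; in a real deployment the table would be a boto3 DynamoDB Table resource with the same put_item signature.

```python
"""Added example: S3 -> Lambda -> DynamoDB validation handler.

Assumptions (not from the original page): names `validate_object` and
`handler`, the audit item attributes, MAX_SIZE_BYTES = 5 MiB, and the
offline `FakeTable` stand-in for boto3.resource("dynamodb").Table(...).
"""
import datetime
import os
from urllib.parse import unquote_plus

ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".json"}
MAX_SIZE_BYTES = 5 * 1024 * 1024  # assumed: "5MB" interpreted as 5 MiB


def validate_object(key: str, size: int):
    """Return (approved, block_reason).

    Both checks use data from the event record only: the key's extension
    and the object size. Nothing is downloaded, so an oversized or
    mis-typed object costs no Lambda time beyond this function.
    """
    ext = os.path.splitext(key)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"disallowed extension: {ext or '(none)'}"
    if size > MAX_SIZE_BYTES:
        return False, f"size {size} exceeds limit {MAX_SIZE_BYTES}"
    return True, None


class FakeTable:
    """Offline stand-in for a boto3 DynamoDB Table (put_item only)."""

    def __init__(self):
        self.items = []

    def put_item(self, Item):
        self.items.append(Item)


def handler(event, context=None, table=None):
    """Lambda entry point: writes one audit record per S3 record."""
    table = table if table is not None else FakeTable()
    results = []
    for record in event.get("Records", []):
        s3 = record["s3"]
        bucket = s3["bucket"]["name"]
        # S3 URL-encodes object keys in event notifications ('+' for space).
        key = unquote_plus(s3["object"]["key"])
        size = int(s3["object"].get("size", 0))
        approved, reason = validate_object(key, size)
        item = {
            "pk": f"{bucket}/{key}",
            "status": "APPROVED" if approved else "BLOCKED",
            "size_bytes": size,
            "event_time": record.get(
                "eventTime",
                datetime.datetime.now(datetime.timezone.utc).isoformat(),
            ),
        }
        if reason:
            item["block_reason"] = reason
        table.put_item(Item=item)
        results.append(item)
    return results


def _record(bucket, key, size):
    return {
        "eventTime": "2024-03-01T10:00:00.000Z",
        "s3": {"bucket": {"name": bucket}, "object": {"key": key, "size": size}},
    }


# Constructed sample event: allowed file, double-extension executable,
# oversized CSV, and an upper-case extension that should still pass.
SAMPLE_EVENT = {
    "Records": [
        _record("uploads-bucket", "invoices/march+2024.pdf", 1024),
        _record("uploads-bucket", "payload.pdf.exe", 2048),
        _record("uploads-bucket", "dump.csv", 6 * 1024 * 1024),
        _record("uploads-bucket", "notes.TXT", 100),
    ]
}

if __name__ == "__main__":
    for item in handler(SAMPLE_EVENT, table=FakeTable()):
        print(item["status"], item["pk"], item.get("block_reason", ""))
```

The double-extension record is the case worth testing: `os.path.splitext` returns the last suffix, so `payload.pdf.exe` is blocked as `.exe` rather than slipping through as a PDF. Extension matching is case-insensitive so that `notes.TXT` is treated like `notes.txt`.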
The infrastructure is fully managed by Terraform.
```bash
# 1. Initialize Terraform
terraform init
# 2. Review and Apply
terraform apply
```