Security Posture
Display-only overview of IAM roles, S3 bucket policies, CloudFront headers, and Cognito pool policies. Overly permissive entries are flagged. No changes are made by this page.
IAM Roles
3
2 scoped · 1 flagged
S3 Policies
2
1 overly permissive
CF Headers
5
All present
Cognito Pools
1
Standard config
Need the operator review version?
Open the dedicated IAM Permissions Audit for wildcard findings, least-privilege recommendations, and the pre-deploy checklist.
IAM Roles – Lambda Execution
Roles assigned to the mission-control-api Lambda function
| Role Name | Policy / Action | Resource | Effect | Risk |
|---|---|---|---|---|
| mission-control-api-role (Lambda execution role) | dynamodb:* | arn:aws:dynamodb:us-east-1:*:table/* | ALLOW | ⚠ Overly Permissive |
| mission-control-api-role | ses:SendEmail, ses:SendRawEmail | arn:aws:ses:us-east-1:121546003735:identity/* | ALLOW | Scoped |
| mission-control-api-role | cognito-idp:AdminGetUser, cognito-idp:AdminCreateUser, cognito-idp:AdminSetUserPassword, cognito-idp:AdminInitiateAuth | arn:aws:cognito-idp:us-east-1:121546003735:userpool/us-east-1_OwEtInqCp | ALLOW | Scoped |
| mission-control-api-role | logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents | arn:aws:logs:*:*:* | ALLOW | Standard |
| mission-control-api-role | lambda:InvokeFunction | arn:aws:lambda:us-east-1:121546003735:function:mission-control-api | ALLOW | Scoped |
Recommendation: Replace dynamodb:* on wildcard tables with explicit actions (dynamodb:PutItem, dynamodb:GetItem, dynamodb:Query, dynamodb:UpdateItem, dynamodb:DeleteItem) scoped to each table ARN explicitly (spaceduck-main, spaceduck-birth-certs, spaceduck-audit-log, spaceduck-peck-sessions, spaceduck-agent-registry). Requires T-JOSH approval before any IAM changes.
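As an added example (not part of this dashboard or the platform's own code), the following Python checks an IAM statement for the wildcard patterns flagged above and compares what the current dynamodb:* grant allows against the recommended explicit-action statement. Both statements are constructed from this page's data; the account id in the recommended table ARNs is taken from the other rows of the table and is an assumption for the rewritten policy.

```python
"""Least-privilege check for IAM policy statements (added example, not the
dashboard's own code); sample statements are constructed from the table above."""
import fnmatch
# Constructed from the flagged row: dynamodb:* on every table in every account.
CURRENT_STATEMENT = {
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-east-1:*:table/*",
}

# Constructed from the recommendation: explicit actions on each named table ARN.
TABLES = ["spaceduck-main", "spaceduck-birth-certs", "spaceduck-audit-log",
          "spaceduck-peck-sessions", "spaceduck-agent-registry"]
RECOMMENDED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query",
               "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
    "Resource": [f"arn:aws:dynamodb:us-east-1:121546003735:table/{t}" for t in TABLES],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_wildcard_findings(statement):
    """Return findings for an Allow statement; an empty list means it is scoped."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    for action in _as_list(statement.get("Action", [])):
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action}")
    for res in _as_list(statement.get("Resource", [])):
        parts = res.split(":", 5)  # arn:partition:service:region:account:resource
        if res == "*" or len(parts) < 6:
            findings.append(f"wildcard or malformed resource {res}")
            continue
        if parts[4] == "*":
            findings.append(f"any-account resource {res}")
        if parts[5].endswith("/*"):
            findings.append(f"wildcard resource name {res}")
    return findings

def allows(statement, action, resource):
    """True if the Allow statement grants `action` on `resource`; IAM and fnmatch share
    the `*`/`?` syntax. Pass canonical action casing (IAM matches case-insensitively)."""
    if statement.get("Effect") != "Allow":
        return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))
```

The current statement also satisfies a dynamodb:DeleteTable request against the audit-log table, which the recommended statement refuses, so the check captures the blast-radius difference the recommendation is about.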
S3 Bucket Policies
Bucket: mission-control-frontend-121546003735

| Bucket | Action | Principal | Condition | Risk |
|---|---|---|---|---|
| mission-control-frontend-121546003735 | s3:GetObject | * (Public) | Via CloudFront OAC only | Scoped via OAC |
| mission-control-frontend-121546003735 | s3:PutObject, s3:DeleteObject, s3:ListBucket | arn:aws:iam::121546003735:root | Account root only | ⚠ Root Access |
The S3 bucket allows s3:PutObject, s3:DeleteObject, and s3:ListBucket for the account root IAM entity. Recommend creating a dedicated deploy IAM user/role with scoped S3 permissions rather than using root credentials for CI/CD deploys. No public write access is exposed; the risk is limited to credential compromise scenarios.
CloudFront Security Headers
Distribution: E3HQHA5N284LTS · d1rsfp2c29g6x.cloudfront.net

| Header | Value | Status | Risk |
|---|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains | ✓ Present | Good |
| X-Content-Type-Options | nosniff | ✓ Present | Good |
| X-Frame-Options | DENY | ✓ Present | Good |
| X-XSS-Protection | 1; mode=block | ✓ Present | Good |
| Referrer-Policy | strict-origin-when-cross-origin | ✓ Present | Good |
| Content-Security-Policy | Not configured | ✗ Missing | Add CSP |
Content-Security-Policy (CSP) is not currently configured on this distribution. Adding a CSP header with `default-src 'self'; script-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com` would significantly reduce XSS attack surface. Recommended for Galaxy 1.2.
Cognito User Pool Policies
Pool: us-east-1_OwEtInqCp · Region: us-east-1

| Setting | Current Value | Recommended | Risk |
|---|---|---|---|
| Password minimum length | 8 characters | 12 characters | ⚠ Weak |
| MFA enforcement | Optional | Required for operators | ⚠ Optional only |
| Token expiry (access) | 1 hour | 1 hour | Good |
| Token expiry (refresh) | 30 days | 7 days | ⚠ Long-lived |
| Device remembering | Not enabled | Optional | Acceptable |
| Advanced security features | Not enabled | Enable in production | ⚠ Missing |
| Email verification required | Yes | Yes | Good |
| Self-registration | Enabled | Gated via hatch flow | Controlled |
MFA is optional for all users including operators. Recommend enforcing MFA for the operator tier (T-JOSH) via a Cognito group policy or app client MFA requirement.
Refresh token lifetime of 30 days is longer than best practice (7 days). Both findings are low severity at the current scale.
Additional Security Observations
Non-critical findings for operator awareness
Beak Key Rotation
Beak keys are long-lived bearer tokens. No automated rotation policy is currently in place. Recommend 90-day rotation schedule via Galaxy 1.2 governance tooling.
Audit Log Retention
CloudWatch log group /spaceduck/events has 90-day retention. DynamoDB audit_log table has no TTL configured. Consider adding TTL for compliance with data minimization requirements.
API Gateway
API Gateway czt9d57q83 has no WAF attached. Cloudflare Turnstile is used for hatch endpoint protection. Lambda concurrency limit provides a natural rate cap. Recommend adding AWS WAF for production-grade protection in Galaxy 1.2.
⚠️ SES + SNS in Sandbox
Both SES and SNS remain in AWS sandbox mode. This is a data-exposure risk boundary: email delivery is limited to verified addresses only, reducing phishing/spam surface. Exit to production only after full suppression list and bounce-rate review is complete.
Display-only notice: This page presents a static security snapshot compiled from known platform configuration. No live AWS API calls are made. No changes are applied by viewing this page. All remediation actions require T-JOSH approval and must be recorded in GOVERNANCE-LOG.md.