raw_anon_1111 a day ago

Please tell me how it is going to be “hacked”?

A) The IAM role of the Lambda runtime it’s running in is least privileged and only has read and write access to the required S3 bucket and other required AWS services, and even those are tightly scoped.

B) For authentication I used Amazon Cognito and ran a curl shell script against each endpoint to check authenticated vs. non-authenticated endpoints.

C) The database user has least privilege access

So how pray tell could insecure code overcome that?

mattmanser 20 hours ago

So you've made a read-only wrapper around a database? That one person needs to access? There's no tenantization? You can't access more than one person's data? So there's zero chance one user can access someone else's data?

If you answered NO to any question, refer to my previous post.

If you answered YES, you could have just hooked your DB up to Power BI or Tableau or whatever. Not exactly something to start boasting about that you're doing web dev.

raw_anon_1111 18 hours ago

I see you didn’t say anything about the possible security issues if I was using AWS Cognito for auth, tightly scoped IAM privileges for the runtime environment and a tightly scoped database user.

BTW, with AWS you can also enforce DynamoDB, Postgres and Redshift (?) to only allow rows to be accessed based on the user (IAM or Cognito), so no matter what Claude did, as long as you validate your security boundary at the AWS and database level, there wouldn’t be an issue.

Why would I trust developers (or Claude) to write secure multi tenant code when I can enforce it on the database/AWS layer?

https://aws.amazon.com/blogs/database/multi-tenant-data-isol...

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_p...

1. I did say it’s an internal admin site and I mentioned AWS and S3. I didn’t say it was a reporting site only dealing with the database.

2. It’s B2B, every company pays 5-6 figures annually and they each have their own AWS account. No company can access any other company’s data because they each have their AWS account, user pool and database.

3. How am I “boasting” about doing “web dev” (poorly paid commodity work) when I specifically said I hadn’t done web development “since 2002” and talked about how the UI was something from 2002?

4. I said it was an “Admin site”. I didn’t say it was a reporting dashboard.
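The database-level tenant boundary raw_anon_1111 describes above, written out as an added example (this is not code from the thread or from the linked AWS post): a Postgres row-level-security setup in which every read and write is scoped to the caller's tenant regardless of what the application code asks for. The table, column and role names and the UUID values are constructed placeholders; the comments call out the settings that are most often missed when RLS is relied on as the security boundary.

```sql
-- Added example, not from the thread. Names and values are placeholders.

-- 1. Data table with an explicit tenant column that every policy keys on.
CREATE TABLE customer_records (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid  NOT NULL,
    payload    jsonb NOT NULL
);

-- 2. The role the Lambda connects as. It must not own the table and must not
--    be a superuser, and NOBYPASSRLS makes the intent explicit: owners,
--    superusers and BYPASSRLS roles are not subject to policies.
--    (On RDS with IAM database authentication, additionally: GRANT rds_iam TO app_user;)
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON customer_records TO app_user;
GRANT USAGE ON SEQUENCE customer_records_id_seq TO app_user;

-- 3. Turn RLS on. ENABLE alone still lets the table owner see every row;
--    FORCE applies the policies to the owner as well, so a migration or
--    maintenance role cannot silently become a cross-tenant path.
ALTER TABLE customer_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_records FORCE ROW LEVEL SECURITY;

-- 4. One policy covering reads (USING) and writes (WITH CHECK).
--    current_setting(name, true) returns NULL instead of raising when the
--    variable was never set, and NULLIF handles the empty string Postgres
--    leaves behind once a custom setting has been defined and reset.
--    Either way an unset tenant compares to NULL and matches zero rows:
--    a handler that forgets to pin the tenant gets nothing, not everything.
CREATE POLICY tenant_isolation ON customer_records
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- 5. Per request, after the handler has authenticated the caller (for
--    example mapped the Cognito 'sub' claim to a tenant id server-side), it
--    pins the tenant for this transaction only. SET LOCAL is undone at
--    COMMIT/ROLLBACK, so a pooled connection cannot carry one caller's
--    tenant into the next request.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SELECT id, payload FROM customer_records;   -- returns only this tenant's rows
COMMIT;

-- 6. A cross-tenant write attempted by application code (or by generated
--    code) fails at the database: WITH CHECK rejects the row with
--    "new row violates row-level security policy for table customer_records".
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO customer_records (tenant_id, payload)
    VALUES ('22222222-2222-2222-2222-222222222222', '{}');  -- other tenant: rejected
ROLLBACK;
```

The property this buys is the one argued for in the comment: the application layer can only ever narrow the result set, never widen it, because the tenant value comes from the authenticated session rather than from a WHERE clause the code had to remember to write. The same shape exists on the AWS side for DynamoDB, where an IAM policy condition on the partition key can be tied to a Cognito identity policy variable so the runtime cannot read another user's items even with a bug in the query code; the second link in the comment is the reference for those policy variables.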