Security Posture · DuckControl

78 /100

FAIR

SES/SNS sandbox reduces score

Critical Findings

Requires immediate action

High Findings

Requires action this sprint

Medium / Low

Accepted risk or backlog

📧

SES in sandbox mode — production emails blocked Amazon SES is operating in sandbox mode. Only verified recipients can receive emails. Cert issuance and signup confirmation emails are restricted.

HIGH OPEN SES EMAIL

Remediation: Request production access via AWS SES Console → Sending Statistics → Request Production Access

📱

SNS in sandbox mode — SMS delivery restricted Amazon SNS SMS is in sandbox mode. Phone verification is limited to verified numbers only. Production SMS exit request is pending.

HIGH OPEN SNS SMS

Remediation: AWS SNS Console → SMS Sandbox → Request exit from sandbox

🔑

IAM access keys in use (long-lived credentials) S3 deployment and CloudFront invalidation use long-lived IAM access keys. Consider migrating to IAM roles or short-lived tokens via OIDC for CI/CD.

MEDIUM OPEN IAM CREDS

📊

CloudWatch retention set to 90 days — no archival Lambda and EventBridge logs expire after 90 days with no S3 archival configured. Long-term forensic analysis will be unavailable after retention window.

MEDIUM ACCEPTED LOGGING CLOUDWATCH

🛡️

No WAF configured on API Gateway API Gateway does not have AWS WAF associated. Rate limiting is implemented at the application layer only. Consider adding WAF for additional protection.

LOW ACCEPTED WAF APIGW

🔐

DynamoDB encryption uses AWS-owned keys (not CMK) DynamoDB tables are encrypted with AWS-owned keys. For higher compliance requirements, consider using Customer Managed Keys (CMK) via KMS.

LOW ACCEPTED DYNAMODB ENCRYPTION

🌍

No geo-restriction on CloudFront distribution CloudFront distribution allows requests from all countries. Consider restricting to expected user geographies if compliance requires it.

LOW ACCEPTED CLOUDFRONT GEO

Authentication & Access

Cognito user pool configured✅

JWT tokens with expiry✅

Turnstile CAPTCHA on signup✅

Phone verification on hatch✅

MFA enabled for operators⚠️

Beak key rotation policy✅

Data Protection

HTTPS enforced (CloudFront)✅

DynamoDB encryption at rest✅

Secrets in environment vars✅

Data deletion endpoint✅

Audit log retention 90d✅

Infrastructure Security

Lambda runs in VPC-less modeℹ️

IAM least-privilege roles✅

S3 bucket public access blocked✅

CloudTrail audit logging⚠️

Config drift alerting✅

Dependency scanning⚠️

Operational Security

Governance log maintained✅

Deploy checklist required✅

Incident postmortem process✅

Runbooks documented✅

Key compromise playbook✅

Penetration test scheduled⚠️

Auth & Access

90/100

MFA not enforced for ops

Data Protection

95/100

No CMK; accepted risk

Messaging

42/100

SES + SNS in sandbox

Infra Security

72/100

No WAF, no CloudTrail

Operational

88/100

Pentest not scheduled

Overall Score

78/100

FAIR — resolve SES/SNS to improve