Skip to content

Reduce Lambda secret and IAM access#18

Merged
ltyu merged 3 commits intomasterfrom
security/tighten-iam-and-secret-loading
Mar 21, 2026
Merged

Reduce Lambda secret and IAM access#18
ltyu merged 3 commits intomasterfrom
security/tighten-iam-and-secret-loading

Conversation

@ltyu
Copy link
Copy Markdown
Owner

@ltyu ltyu commented Mar 20, 2026

Summary

  • load only the specific SSM secrets each handler needs instead of always fetching the full app secret set
  • remove unused environment variables from the Lambda functions to cut down exposed configuration
  • replace broad DynamoDB, SSM, and KMS permissions with per-function least-privilege statements

Testing

  • pnpm test:run -- src/services/parameterStore.test.ts src/handlers/startGoogleOAuth.test.ts src/handlers/googleOAuthCallback.test.ts
  • pnpm exec tsc --noEmit
  • sam validate

Base automatically changed from security/require-user-token-scopes to master March 21, 2026 01:05
@ltyu
Merge pull request #19 from ltyu/security/redact-mailbox-logs
ad91e45 
Redact mailbox details from worker logs
@ltyu ltyu merged commit cbefceb into master Mar 21, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ltyu