Security Guidelines

This is an educational project demonstrating cloud-native security patterns.


Educational Standards

This project implements the following security standards for learning purposes:

Authentication

  • OAuth 2.0 with Authorization Code + PKCE flow
  • Okta as Identity Provider (IdP)
  • JWT tokens with RS256 signature

Token Validation

  • JWT signature verification using Okta JWKS
  • Token expiration validation
  • Audience and issuer verification
  • JWKS caching (1 hour TTL)
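
One way the checks listed above fit together, as an added example that is not part of this project's code: the signing key is selected by kid from a JWKS cache with the 1 hour TTL, the RS256 signature is verified, and only then are exp, iss and aud checked. The fetch callable, the issuer and audience strings and the key material in any test are assumptions and placeholders; the RSA arithmetic is done with the standard library so the example runs offline, whereas a real service should hand that step to a maintained library such as PyJWT.

```python
import base64, hashlib, hmac, json, time
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2 note 1

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15_sha256(msg: bytes, k: int) -> bytes:  # EM = 00 01 ff..ff 00 DigestInfo(SHA-256)
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification using only the public (n, e) carried in the JWK."""
    n, e = (int.from_bytes(b64url_decode(jwk[p]), "big") for p in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signing_input, k))

class JwksCache:
    """Holds the IdP key set for ttl seconds (the page's 1 hour); refetches once on an unknown kid."""
    def __init__(self, fetch, ttl: int = 3600, now=time.time):
        self.fetch, self.ttl, self.now = fetch, ttl, now  # fetch() returns the parsed JWKS document
        self.keys, self.fetched_at = {}, float("-inf")
    def get(self, kid):
        if self.now() - self.fetched_at >= self.ttl or kid not in self.keys:
            self.keys = {k["kid"]: k for k in self.fetch()["keys"]}  # rate-limit refetches in production
            self.fetched_at = self.now()
        return self.keys.get(kid)

def validate_jwt(token: str, cache: JwksCache, issuer: str, audience: str, now=time.time, leeway=60) -> dict:
    """Return the claims of a valid token or raise ValueError: alg pin, kid lookup, signature, exp, iss, aud."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    jwk = cache.get(header.get("kid"))
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("unknown signing key")
    if not rs256_verify(jwk, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or now() > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims.get("iss") != issuer or claims.get("aud") != audience:  # aud may also be a list (RFC 7519)
        raise ValueError("wrong issuer or audience")
    return claims
```

The cache deliberately refetches on an unknown kid so that a routine Okta key rotation does not lock users out before the hour is up, which is why that refetch needs rate limiting in a real deployment.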

API Security

  • CORS restricted to specific origins
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Bearer token authentication on all protected endpoints

Data Protection

  • No secrets in source code
  • Environment variables for configuration
  • Mock database (no real user data)

USER_FEDERATION Pattern

  • User JWT forwarded through AgentCore
  • Same access controls for agent and direct API calls
  • User identity preserved in audit logs

AWS Security Resources


Additional Resources