
Security

This application uses Hybrid Public Key Encryption (HPKE) [RFC-9180] to encrypt data with the ciphersuite DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM.

HPKE Encryption

Best Practices

Data Perimeters

This solution implements the recommended practices for resource-based policies and VPC endpoint policies so that only trusted identities can access trusted resources from expected networks.

Permissions Boundaries

This solution deploys an IAM permissions boundary policy on all provisioned IAM roles, capping each role's effective permissions so that an attacker who gains control of a role cannot use it to escalate privileges further.

Code Signing

All deployed Lambda functions have their code signed with AWS Signer to prevent modifications to the Lambda code after deployment.

DNS Firewall

An optional Route 53 Resolver DNS Firewall, enabled by default, restricts DNS queries to *.amazonaws.com and the domain of the internal Network Load Balancer.

Identity Canaries

Two additional Lambda functions are deployed, one attached to the same VPC as the API Lambda function and one not attached to any VPC. Every minute, each attempts to call kms:Decrypt on the first encrypted secret key found in DynamoDB. If the KMS key policy is inadvertently modified so that the Decrypt call succeeds, a CloudWatch Alarm is triggered.

Threat Model

To view the threat model, load NitroVault_ThreatComposer.json into threat-composer.