Security Overview

✅ Security Features Implemented

1. **Lambda Concurrency Limits**

• **Reserved Concurrent Executions**: 5 (configurable)
• **Purpose**: Prevents runaway costs from excessive invocations
• **Impact**: Maximum 5 simultaneous Lambda executions

2. **DynamoDB Protection**

• **Billing Mode**: Provisioned Capacity (changed from PAY_PER_REQUEST)
• **Read Capacity**: 5 units
• **Write Capacity**: 2 units
• **Point-in-Time Recovery**: Enabled
• **Impact**: Predictable costs, prevents unlimited read/write operations

3. **Lambda Timeout Reduction**

• **Timeout**: 5 seconds (reduced from 10)
• **Purpose**: Prevents slow attack patterns and reduces costs

4. **CloudWatch Alarms** (Monitoring & Alerting)

• ✅ **HighInvocationAlarm**: Triggers when >500 invocations/minute
• ✅ **LambdaThrottleAlarm**: Alerts on Lambda throttling (>10/minute)
• ✅ **DynamoDBReadThrottleAlarm**: Alerts on DynamoDB read throttling (>5/minute)
• ✅ **ApiGateway4XXAlarm**: Triggers on high client errors (>50 in 5 minutes)

5. **Access Logging**

• **CloudWatch Log Group**: `/aws/apigateway/lootlens-access-logs`
• **Retention**: 7 days
• **Logged Data**: Request ID, IP, Time, Method, Status, Response Length

6. **RapidAPI Integration (Optional)**

• **Header Validation**: `x-rapidapi-proxy-secret`
• **Environment Variable**: `RAPIDAPI_SECRET`
• **Purpose**: Validates requests originate from RapidAPI

---

🔒 RapidAPI Configuration

Step 1: Set RapidAPI Secret (Optional but Recommended)

To enable RapidAPI request validation:

# Update Lambda environment variable
aws lambda update-function-configuration \
  --function-name loot-lens-api-stack-LootLensFunction-XXXXX \
  --environment "Variables={CACHE_TABLE_NAME=LootLensCache,RAPIDAPI_SECRET=your_secret_here}" \
  --region ap-southeast-2

Get your Lambda function name:

aws lambda list-functions --region ap-southeast-2 --query "Functions[?contains(FunctionName, 'LootLens')].FunctionName"

Step 2: Configure RapidAPI Backend URL

In your RapidAPI dashboard:

• **Backend URL**: `https://e6bxn9dw6b.execute-api.ap-southeast-2.amazonaws.com/default/LootLens`
• **Method**: GET
• **Query Parameters**: `game`, `item`

---

📊 Current Protection Limits

---

🚨 Cost Protection Estimates

Worst-case scenario (sustained abuse):

• Lambda: 5 concurrent × 60 sec/min × 60 min × $0.0000166667 = ~$0.03/hour
• DynamoDB: 5 reads + 2 writes = Fixed provisioned cost (~$3-5/month)
• API Gateway: First 1M requests free, then $1.00/million

Monthly estimate with protection: $5-10 even under sustained attack

Without protection (previous setup): Potentially $100s-1000s

---

🛡️ Additional Recommendations

For Production RapidAPI Deployment:

1. Enable RapidAPI Secret Validation

• Set `RAPIDAPI_SECRET` environment variable
• Prevents direct API access bypassing RapidAPI

2. Monitor CloudWatch Alarms

• Set up SNS notifications for alarms
• Get email/SMS alerts on abuse patterns

3. Adjust Limits Based on Usage

```bash

# Deploy with custom limits

sam deploy --parameter-overrides \

RateLimitPerSecond=20 \

BurstLimit=50 \

LambdaConcurrency=10

```

4. Consider Adding WAF (Optional)

• AWS WAF can add IP-based rate limiting
• Blocks malicious IPs automatically
• ~$5-10/month additional cost

5. Set Up Budget Alerts

```bash

# Create AWS Budget for this stack

aws budgets create-budget \

--account-id YOUR_ACCOUNT_ID \

--budget file://budget.json

```

---

📈 Monitoring

CloudWatch Dashboard: [View Logs](https://console.aws.amazon.com/cloudwatch/home?region=ap-southeast-2#logsV2:log-groups/log-group/$252Faws$252Fapigateway$252Flootlens-access-logs)

Check Alarm Status:

aws cloudwatch describe-alarms \
  --alarm-names LootLens-HighInvocations LootLens-LambdaThrottles \
  --region ap-southeast-2

View Recent API Calls:

aws logs tail /aws/apigateway/lootlens-access-logs --follow

---

🔧 Adjusting Security Parameters

Edit template.yaml parameters section:

Parameters:
  RateLimitPerSecond:
    Type: Number
    Default: 10  # Change this
  BurstLimit:
    Type: Number
    Default: 20  # Change this
  LambdaConcurrency:
    Type: Number
    Default: 5   # Change this

Then redeploy:

sam build && sam deploy

---

⚠️ Important Notes

1. RapidAPI handles rate limiting on their side, but these AWS protections are your last line of defense

2. Cache is critical: 30-minute cache duration means repeated requests for same item cost nothing

3. Monitor regularly: Check CloudWatch alarms weekly, especially after RapidAPI launch

4. DynamoDB provisioned capacity can be adjusted if you see throttling

---

🆘 Emergency Response

If you see unexpected costs:

1. Immediately reduce concurrency:

```bash

aws lambda put-function-concurrency \

--function-name YOUR_FUNCTION_NAME \

--reserved-concurrent-executions 1 \

--region ap-southeast-2

```

2. Disable API temporarily:

```bash

aws apigatewayv2 delete-stage \

--api-id e6bxn9dw6b \

--stage-name $default \

--region ap-southeast-2

```

3. Check alarm history:

```bash

aws cloudwatch describe-alarm-history \

--alarm-name LootLens-HighInvocations \

--region ap-southeast-2

```

---

Last Updated: 2025-12-26

Stack Name: loot-lens-api-stack

Region: ap-southeast-2