AntFleet

Disagreement · 4c349ef3-openai-1

Lambda granted read access to entire bucket (over-privileged)

mismatch
repo 703f69ec·PR #3·reviewed 5 days ago

Primary finding

Lambda granted read access to entire bucket (over-privileged)

mediumsecurityhigh
  • infra/stack.py:99-101
  • infra/stack.py:131-133
The function appears to only need to read geo-signals/feedback.csv and write to dashboard/*, yet it is granted read on the whole bucket (and likely ListBucket). Over-broad permissions increase blast radius if the function is compromised.

Recommendation

Replace bucket.grant_read(fn) with bucket.grant_read(fn, "geo-signals/feedback.csv") (or a tighter prefix) and, if ListBucket is required, scope it with a condition on s3:prefix to the used keys. Keep bucket.grant_put(fn, "dashboard/*") as-is.

Counterpart finding

Misleading comment: env var section claims secrets are absent but other sensitive risk-config is committed

lowdocs-gapmedium
  • infra/stack.py:26-35
  • infra/stack.py:95-100
The docstring promises a clear separation (secrets via console), but the comment near the environment dict reveals that `update-function-configuration` is run post-deploy with a local file — meaning each `cdk deploy` will overwrite production secrets with whatever CDK thinks the environment should be, since CDK considers env vars desired-state. This is an operational footgun that the docstring obscures.

Recommendation

Either source secrets from Secrets Manager / SSM Parameter Store directly in the stack, or document explicitly that every `cdk deploy` requires re-running the env-restore step. Better: stop drift by managing secrets in IaC.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗