docs(readme): expand database, security, and enhancement sections#3
docs(readme): expand database, security, and enhancement sections#3
Conversation
- Split database section into Database Choice and Data Model with trade-off analysis for GSI hot partition and access patterns - Add Deploy & Test section using environment variables for URLs - Add Logging & CloudWatch Cost Controls section documenting the error-only event logging pattern - Add Function URL Exposure section with production hardening notes - Add Known Security Concerns: CWE-306 auth, crash risks, input gaps - Add Future Enhancements: DLQ for retries, OpenSearch/Kibana visualization, additional hardening items
![amazon-q-developer[bot]](https://avatars.githubusercontent.com/in/1220912?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary
This PR significantly expands the README documentation with comprehensive deployment instructions, architecture details, and security considerations. The documentation quality is excellent and provides valuable context for users.
Critical Issues (2):
- External link to unapproved domain (alexwlchan.net) must be removed
- Missing CWE reference link for authentication vulnerability
Overall Assessment:
The documentation improvements are valuable and well-structured. Once the external link policy violations are addressed, this will be ready to merge.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
|
|
||
| ## Logging & CloudWatch Cost Controls | ||
|
|
||
| Both Lambda functions use Python's `logging` module and follow an **error-only event logging** pattern inspired by [alexwlchan's blog post](https://alexwlchan.net/2018/error-logging-in-lambdas/): |
There was a problem hiding this comment.
🛑 Security Documentation: Remove the external link to alexwlchan.net. Only links to approved domains (https://cwe.mitre.org) are permitted. Reference the blog post by name without including the URL.
| Both Lambda functions use Python's `logging` module and follow an **error-only event logging** pattern inspired by [alexwlchan's blog post](https://alexwlchan.net/2018/error-logging-in-lambdas/): | |
| Both Lambda functions use Python's `logging` module and follow an **error-only event logging** pattern inspired by alexwlchan's blog post on error logging in Lambdas: |
| **Authentication (CWE-306):** | ||
| - Lambda Function URLs use `auth_type=NONE`, exposing both ingest and read endpoints publicly without authentication |
There was a problem hiding this comment.
🛑 Security Reference: Add CWE reference link for the authentication vulnerability. This helps readers understand the specific security weakness being documented.
| **Authentication (CWE-306):** | |
| - Lambda Function URLs use `auth_type=NONE`, exposing both ingest and read endpoints publicly without authentication | |
| **Authentication (CWE-306):[^1]** | |
| - Lambda Function URLs use `auth_type=NONE`, exposing both ingest and read endpoints publicly without authentication |
2 participants
Expands the README with:
$INGEST_URL/$READ_URLenv vars