A fully serverless REST API built on AWS using Lambda, API Gateway, and DynamoDB.
- AWS Lambda (Python)
- Amazon API Gateway (REST)
- Amazon DynamoDB
- IAM (role-based access)
- CloudWatch (logging)
- Implemented least-privilege IAM policies restricting Lambda access to specific DynamoDB actions and resources
- Removed managed full-access policies to reduce attack surface
- Validated permissions through functional API testing
- Enabled AWS CloudTrail for account-wide API activity logging across all regions
- Streamed CloudTrail logs into CloudWatch Logs for centralized analysis
- Created CloudWatch metric filters to detect IAM privilege changes
- Configured CloudWatch alarms with SNS email notifications for real-time security alerts
- Validated alerts by simulating IAM privilege escalation events
- Built a Python-based AWS Lambda tool to analyze IAM roles and policies
- Identified overly permissive permissions such as wildcard actions and resources
- Generated structured security findings to highlight privilege escalation risks
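Added example (not the project's own code): a minimal version of the policy analyzer described in the last three bullets, run over a constructed policy document for a hypothetical Lambda execution role. It flags wildcard actions, wildcard resources and IAM actions that form privilege escalation paths, and the one scoped DynamoDB statement it leaves alone is the shape the least-privilege work above aims for. It assumes the policy document has already been fetched (for example with boto3's `get_role_policy`), so it runs offline; `SAMPLE_POLICY`, `ESCALATION_ACTIONS` and the finding fields are this example's own choices.

```python
import json

# Constructed sample policy document for a hypothetical Lambda execution role
# (not the project's own): one scoped statement next to two broad ones.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ScopedTableAccess", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Items"},
    {"Sid": "ServiceWildcard", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Sid": "IamOnEverything", "Effect": "Allow",
     "Action": ["iam:PassRole", "iam:AttachRolePolicy"], "Resource": "*"},
]}

# IAM actions that are classic privilege escalation paths when allowed on Resource "*".
ESCALATION_ACTIONS = {"iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                      "iam:CreatePolicyVersion", "iam:AttachUserPolicy"}

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def analyze_policy(policy, role_name):
    """Return one structured finding per overly permissive pattern in each Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        def add(severity, issue, detail):
            findings.append({"role": role_name, "sid": sid, "severity": severity,
                             "issue": issue, "detail": detail})
        wildcard_actions = [a for a in actions if "*" in a]
        if "*" in actions or "iam:*" in actions:
            add("CRITICAL", "admin-wildcard-action", "grants every action (or every IAM action); effectively administrator")
        elif wildcard_actions:
            add("HIGH", "wildcard-action", "replace with named actions: " + ", ".join(wildcard_actions))
        if "*" in resources:
            add("MEDIUM", "wildcard-resource", "Resource is '*'; restrict to specific ARNs")
        escalation = sorted(ESCALATION_ACTIONS & set(actions))
        if escalation and "*" in resources:
            add("HIGH", "privilege-escalation-path", ", ".join(escalation) + " allowed on Resource '*'")
    return findings

def lambda_handler(event, context):
    """Lambda entry point; expects {'role_name': ..., 'policy': {...}} in the event."""
    return {"statusCode": 200, "body": json.dumps(analyze_policy(event["policy"], event["role_name"]))}
```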