CS 79D Security Portal

Final Project: AWS Architecture

Production-style AWS application stack mapped directly to the final assessment requirements: compute, storage, scaling, security, monitoring, and AI integration.

Final Answer

6 / 6 requirements covered

Evidence is gathered from the deployed app, CloudFormation, production API checks, and AWS service integrations.

Frontend: Next.js

Backend: NestJS API

AI Mode: Bedrock

Architecture Stack

The project is a cohesive frontend, backend, compute, storage, security, monitoring, and AI stack rather than isolated AWS demos.

Application Layer

Next.js, NestJS, Nginx, PM2, Health Endpoint

Compute and Processing

EC2, Lambda, API Gateway, Auto Scaling, Low-Capacity ASG

Persistent Storage

S3, S3 Uploads, DynamoDB, Activity Logs, DynamoDB On-Demand

Network and Delivery

VPC, Subnets, ALB, Target Groups, HTTPS / TLS, ACM Certificate

Security Controls

IAM, IAM Role, Least Privilege, Security Groups, SSH CIDR, CSP Headers, HSTS, JWT, bcrypt, Turnstile, Upload Validation, Rate Limiting

Monitoring and Cost

CloudWatch, CloudWatch Logs, CloudWatch Alarm, Dashboard, 2 MB Upload Cap, Cost Notes

AI and Automation

Amazon Bedrock, Nova Micro, CloudFormation

Project Requirements Coverage

Each requirement is answered with the implementation, AWS services used, and current evidence status.

Requirement 01

Compute

Complete

Answer

EC2 runs the Next.js frontend and NestJS backend, while Lambda handles event logging.

Verification

Production health and Lambda invocation checks returned successful responses.

Evidence

  • EC2 + PM2 application host
  • Lambda cs79d-log-action
  • API Gateway invoke path

Requirement 02

Persistent Storage

Complete

Answer

The stack uses two persistent AWS storage services: S3 for uploads and DynamoDB for activity records.

Verification

A test file persisted in S3 and corresponding file-upload records appeared in DynamoDB.

Evidence

  • S3 bucket cs79d-uploads
  • DynamoDB table cs79d-activity-logs
  • Upload and log APIs

Requirement 03

Auto Scaling and Load Balancing

Deployed

Answer

CloudFormation deploys an Application Load Balancer, frontend/backend target groups, and an Auto Scaling Group.

Verification

The production architecture uses ALB traffic distribution and ASG capacity management; final screenshots document healthy targets and desired capacity.

Evidence

  • ALB cs79d-alb
  • Target groups for ports 3000 and 3001
  • ASG cs79d-app-asg

Requirement 04

Security

Strong

Answer

Security is covered across IAM, security groups, HTTPS, headers, auth, upload validation, throttling, and bot checks.

Verification

Production checks confirmed security headers, JWT protection, Turnstile enforcement, and unsafe upload rejection.

Evidence

  • IAM roles and scoped policies
  • HTTPS + HSTS + CSP
  • JWT, MFA support, Turnstile, bcrypt
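The production checks the Verification line describes (security headers confirmed, unsafe uploads rejected) can be expressed as code. The block below is an added example in TypeScript, the backend's language; it is not the project's NestJS code. It audits a response's HSTS, CSP and nosniff headers and validates an upload against the page's 2 MB cap by sniffing magic bytes instead of trusting the declared MIME type. The one-year HSTS threshold, the PNG/JPEG/PDF allow-list and the filename rules are assumptions.

```typescript
// Added example, not the project's code. Models two of the Requirement 04 production
// checks: a response-header audit (HSTS, CSP, nosniff) and the upload validator behind
// the 2 MB cap. Thresholds, the type allow-list and the filename rules are assumptions.

export interface Finding { header: string; severity: "high" | "medium"; detail: string }

const HSTS_MIN_MAX_AGE = 31_536_000; // one year, the usual preload-list minimum

export function auditSecurityHeaders(headers: Record<string, string>): Finding[] {
  const h: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings: Finding[] = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push({ header: "Strict-Transport-Security", severity: "high", detail: "missing" });
  } else {
    const age = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
    if (age < HSTS_MIN_MAX_AGE)
      findings.push({ header: "Strict-Transport-Security", severity: "medium", detail: `max-age ${age} < ${HSTS_MIN_MAX_AGE}` });
  }

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push({ header: "Content-Security-Policy", severity: "high", detail: "missing" });
  } else {
    // A CSP without a script-src (or default-src) allow-list does not stop injected scripts.
    const directives = csp.split(";").map((d) => d.trim().split(/\s+/));
    const script = directives.find((d) => d[0] === "script-src") ?? directives.find((d) => d[0] === "default-src");
    if (!script) findings.push({ header: "Content-Security-Policy", severity: "high", detail: "no script-src or default-src" });
    else if (script.some((s) => s === "*" || s === "'unsafe-inline'" || s === "'unsafe-eval'"))
      findings.push({ header: "Content-Security-Policy", severity: "high", detail: `script sources allow ${script.slice(1).join(" ")}` });
  }

  if (h["x-content-type-options"]?.toLowerCase() !== "nosniff")
    findings.push({ header: "X-Content-Type-Options", severity: "medium", detail: "nosniff not set" });
  return findings;
}

export const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // the page's 2 MB cap

// Leading bytes of the allow-listed types; the declared MIME type is never trusted on its own.
const SIGNATURES: Record<string, number[]> = {
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "application/pdf": [0x25, 0x50, 0x44, 0x46, 0x2d], // "%PDF-"
};
const EXTENSIONS: Record<string, string[]> = {
  "image/png": ["png"], "image/jpeg": ["jpg", "jpeg"], "application/pdf": ["pdf"],
};

export interface UploadCheck { ok: boolean; reason?: string; detectedType?: string }

export function validateUpload(name: string, declaredType: string, bytes: Uint8Array): UploadCheck {
  if (bytes.length === 0) return { ok: false, reason: "empty file" };
  if (bytes.length > MAX_UPLOAD_BYTES) return { ok: false, reason: `exceeds ${MAX_UPLOAD_BYTES}-byte cap` };
  // The client-supplied name becomes part of an S3 key: no separators, traversal or NULs.
  if (/[\\\/\0]|\.\./.test(name)) return { ok: false, reason: "unsafe filename" };
  const ext = name.toLowerCase().split(".").pop() ?? "";
  const detected = Object.keys(SIGNATURES).find((t) => SIGNATURES[t].every((b, i) => bytes[i] === b));
  if (!detected) return { ok: false, reason: "content does not match an allowed type" };
  if (declaredType.toLowerCase() !== detected)
    return { ok: false, reason: `declared ${declaredType} but content is ${detected}`, detectedType: detected };
  if (!EXTENSIONS[detected].includes(ext))
    return { ok: false, reason: `extension .${ext} does not match ${detected}`, detectedType: detected };
  return { ok: true, detectedType: detected };
}
```

The size check runs before the signature check on purpose: a 2 MB cap that is only enforced after the body has been buffered and sniffed still lets a client make the server read the whole body, so in the real stack the cap also belongs on the body parser and on Nginx's client_max_body_size.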

Requirement 05

Monitoring and Cost Control

Implemented

Answer

CloudWatch logs, health checks, CPU alarms, dashboard widgets, and cleanup/cost notes support operations and cost control.

Verification

The health endpoint and Lambda log group are live; dashboard and alarm screenshots complete the operational evidence.

Evidence

  • CloudWatch Lambda log group
  • GET /health endpoint
  • CPU alarm and dashboard in IaC

Requirement 06

AI Integration

Complete

Answer

Amazon Bedrock powers a live AI Security Advisor that generates rubric-focused architecture recommendations.

Verification

Advisor refreshes produce dynamic recommendations from Amazon Nova Micro, a low-cost Bedrock text model.

Evidence

  • Bedrock Runtime InvokeModel
  • amazon.nova-micro-v1:0
  • Mode: Bedrock in production
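An advisor built on InvokeModel has one security property worth demonstrating: the model's reply is untrusted input, and the structured recommendations the page renders (severity, category, title, description, action) should be parsed and validated, not passed to the frontend as-is. The block below is an added example in TypeScript and is not the project's NestJS code. The Nova request and response field names are written from memory of the Bedrock InvokeModel documentation and should be treated as an assumption; no AWS call is made and the sample response is constructed.

```typescript
// Added example, not the project's code. Shows how an advisor endpoint backed by
// Bedrock InvokeModel should treat the model's reply: as untrusted input that is parsed
// and validated before it reaches the browser. The Nova request/response field names
// follow the Bedrock InvokeModel docs as recalled (assumption); no AWS call is made.

export const MODEL_ID = "amazon.nova-micro-v1:0";

const SEVERITIES = ["high", "medium", "low"] as const;
type Severity = (typeof SEVERITIES)[number];

export interface Recommendation {
  severity: Severity; category: string; title: string; description: string; action: string;
}

// Body for bedrock-runtime InvokeModel (modelId MODEL_ID, contentType application/json).
export function buildNovaRequestBody(systemPrompt: string, userPrompt: string): string {
  return JSON.stringify({
    system: [{ text: systemPrompt }],
    messages: [{ role: "user", content: [{ text: userPrompt }] }],
    inferenceConfig: { maxTokens: 800, temperature: 0.2 },
  });
}

// Refuse, rather than sanitize, any field that is not a plain bounded string.
function plainText(v: unknown, max: number): string | null {
  if (typeof v !== "string") return null;
  const s = v.replace(/\s+/g, " ").trim();
  return s.length === 0 || s.length > max || /[<>]/.test(s) ? null : s;
}

export function parseAdvisorResponse(rawBody: string): Recommendation[] {
  // 1. Unwrap the InvokeModel envelope down to the assistant text.
  const envelope = JSON.parse(rawBody);
  const text: unknown = envelope?.output?.message?.content?.[0]?.text;
  if (typeof text !== "string") throw new Error("no assistant text in response");
  // 2. The prompt asks for a JSON array; models still wrap it in prose or a code fence.
  const start = text.indexOf("[");
  const end = text.lastIndexOf("]");
  if (start < 0 || end <= start) throw new Error("no JSON array in model output");
  let items: unknown;
  try { items = JSON.parse(text.slice(start, end + 1)); } catch { throw new Error("model output is not valid JSON"); }
  if (!Array.isArray(items)) throw new Error("model output is not an array");
  // 3. Keep only items that match the schema; cap the count so the UI cannot be flooded.
  const out: Recommendation[] = [];
  for (const item of items.slice(0, 10)) {
    if (typeof item !== "object" || item === null) continue;
    const r = item as Record<string, unknown>;
    const sev = typeof r.severity === "string" ? r.severity.toLowerCase() : "";
    if (!(SEVERITIES as readonly string[]).includes(sev)) continue;
    const category = plainText(r.category, 40);
    const title = plainText(r.title, 120);
    const description = plainText(r.description, 500);
    const action = plainText(r.action, 500);
    if (!category || !title || !description || !action) continue;
    out.push({ severity: sev as Severity, category, title, description, action });
  }
  return out;
}

// Constructed sample of an InvokeModel response body (not a real Bedrock reply).
export const SAMPLE_RESPONSE = JSON.stringify({
  output: { message: { role: "assistant", content: [{ text:
    "Here are the findings:\n```json\n" + JSON.stringify([
      { severity: "HIGH", category: "Network Security", title: "Restrict SSH Access to Specific CIDR Blocks",
        description: "SSH is reachable from any address.", action: "Allow port 22 only from the admin CIDR." },
      { severity: "medium", category: "Monitoring", title: "<img src=x onerror=alert(1)>",
        description: "markup in a field is rejected, not rendered", action: "n/a" },
      { severity: "critical", category: "Data", title: "Off-schema severity", description: "dropped", action: "dropped" },
    ]) + "\n```" }] } },
  stopReason: "end_turn",
});
```

The validator deliberately drops items rather than repairing them: a model that returns an unknown severity or markup in a title has stepped outside the contract, and rendering a "best effort" version of its output is how prompt-injected content ends up in a React page. The advisor's own output on this page ("observatory evidence") is a reminder that the model can also simply be wrong, which schema checks do not catch.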

Cost Position

The architecture is designed for a grading/demo workload: small EC2 instances, low-capacity ASG settings, DynamoDB on-demand, capped S3 uploads, Lambda for short event work, and Amazon Nova Micro as a low-cost Bedrock text model.

Bedrock model: low-cost, not free

Uploads: 2 MB max

DynamoDB: on-demand

ASG grading mode: low capacity

AWS AI Integration

AI Security Advisor

This AWS security architecture review identifies key areas for improvement to enhance security and compliance for the CS 79D final project.

Mode: bedrock

Model: amazon.nova-micro-v1:0

Generated: 6/17/2026, 3:00:13 AM

[high] Network Security

Restrict SSH Access to Specific CIDR Blocks

Ensure SSH access is restricted to a specific list of CIDR blocks to minimize the risk of unauthorized access.

Update security group rules to allow SSH traffic only from predefined CIDR blocks.

[medium] Monitoring

Implement Logging and Monitoring for Observatory Evidence

Establish logging and monitoring for observatory evidence to ensure compliance and detect any anomalies.

Configure CloudWatch Logs and alarms to monitor observatory evidence and set up alerts for any suspicious activity.

[high] Data Security

Use AWS Key Management Service (KMS) for Persistent User Storage Encryption

Encrypt persistent user storage using AWS KMS to protect sensitive data at rest.

Enable KMS encryption for DynamoDB tables and S3 buckets used for persistent user storage.

[medium] Documentation

Document Restricted SSH CIDR Blocks

Document the restricted SSH CIDR blocks to ensure all team members are aware of the allowed IP ranges.

Create and maintain an up-to-date documentation file listing the CIDR blocks allowed for SSH access.
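The advisor's first recommendation (SSH restricted to specific CIDR blocks) and the "IAM roles and scoped policies" evidence under Requirement 04 are both checkable from the CloudFormation template rather than from screenshots. The block below is an added example in TypeScript, not the project's template or code: it audits a parsed template object for ingress rules that expose port 22 to the world and for IAM statements that grant wildcard actions. The logical IDs and the 203.0.113.0/24 admin range in the sample are constructed.

```typescript
// Added example, not the project's CloudFormation. Audits a parsed template object for the
// two findings a reviewer looks for first: SSH reachable from the world and IAM statements
// granting wildcard actions. Logical IDs and the 203.0.113.0/24 admin range are constructed.

export interface IacFinding { resource: string; severity: "high" | "medium"; detail: string }

const WORLD = new Set(["0.0.0.0/0", "::/0"]);

// True if the ingress rule admits TCP `port` (explicit range, or the all-traffic protocol "-1").
function ruleCoversTcpPort(rule: any, port: number): boolean {
  const proto = String(rule.IpProtocol ?? "");
  if (proto === "-1") return true;
  if (proto !== "tcp" && proto !== "6") return false;
  return Number(rule.FromPort) <= port && port <= Number(rule.ToPort);
}

function asList(v: unknown): string[] {
  return Array.isArray(v) ? v.map(String) : v === undefined ? [] : [String(v)];
}

export function auditTemplate(template: { Resources: Record<string, any> }): IacFinding[] {
  const findings: IacFinding[] = [];
  for (const [name, res] of Object.entries(template.Resources)) {
    const props = res.Properties ?? {};
    if (res.Type === "AWS::EC2::SecurityGroup") {
      for (const rule of props.SecurityGroupIngress ?? []) {
        // Intrinsic functions (Ref, Sub) arrive as objects and are deliberately not resolved.
        const cidr = rule.CidrIp ?? rule.CidrIpv6;
        if (typeof cidr === "string" && WORLD.has(cidr) && ruleCoversTcpPort(rule, 22))
          findings.push({ resource: name, severity: "high", detail: `SSH (22) open to ${cidr}` });
      }
    }
    if (res.Type === "AWS::IAM::Role" || res.Type === "AWS::IAM::Policy") {
      const docs = res.Type === "AWS::IAM::Role"
        ? (props.Policies ?? []).map((p: any) => p.PolicyDocument)
        : [props.PolicyDocument];
      for (const doc of docs) {
        for (const st of doc?.Statement ?? []) {
          if (st.Effect !== "Allow") continue;
          const actions = asList(st.Action);
          const resources = asList(st.Resource);
          if (actions.some((a) => a === "*" || a.endsWith(":*")))
            findings.push({ resource: name, severity: "high", detail: `wildcard action ${actions.join(", ")}` });
          else if (resources.includes("*"))
            findings.push({ resource: name, severity: "medium", detail: `Resource "*" for ${actions.join(", ")}` });
        }
      }
    }
  }
  return findings;
}

// Constructed template fragment: one open and one restricted SSH group, one broad and one scoped role.
export const SAMPLE_TEMPLATE = {
  Resources: {
    OpenSshSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "weak", SecurityGroupIngress: [
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" } ] } },
    RestrictedSshSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "fixed", SecurityGroupIngress: [
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "203.0.113.0/24" },
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" } ] } },
    BroadRole: { Type: "AWS::IAM::Role", Properties: { Policies: [ { PolicyName: "all-s3", PolicyDocument: {
      Statement: [ { Effect: "Allow", Action: "s3:*", Resource: "*" } ] } } ] } },
    ScopedRole: { Type: "AWS::IAM::Role", Properties: { Policies: [ { PolicyName: "uploads", PolicyDocument: {
      Statement: [ { Effect: "Allow", Action: ["s3:PutObject", "s3:GetObject"],
        Resource: "arn:aws:s3:::example-uploads/*" } ] } } ] } },
  },
};
```

A Resource of "*" is reported at medium rather than high because some actions (CloudWatch Logs group creation, for instance) do not support resource-level scoping; the point is to make each such statement a conscious exception. CIDR values supplied through a parameter are skipped, so the audit should run against the template after parameter substitution, or the parameter's default should be checked separately.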

Evidence

  • AI endpoint: GET /ai/security-advisor
  • AWS AI service target: Amazon Bedrock Runtime InvokeModel
  • Frontend evidence path: /final-assessment-cp-practice-exam
  • Project stack: EC2, Lambda, API Gateway, S3, DynamoDB, CloudWatch, ALB, Auto Scaling, IAM