
Security & Encryption

Encryption Architecture

StackFlow implements defense-in-depth encryption: all data is encrypted in transit (TLS 1.3 minimum) and at rest (AWS KMS CMK). Field-level encryption provides an additional layer of protection for PII and sensitive data fields — these fields are encrypted with derived data keys before writing to Aurora, meaning even someone with direct database access cannot read sensitive fields without the KMS key.

⚙️ Minimum Requirements
  • KMS CMK: mrk-bd842691514c4d74a02992b8dc11fe16 (multi-region) enabled with automatic annual rotation
  • Secrets Manager: All secrets in stackflow/ prefix with CMK encryption; rotation Lambdas attached where applicable
  • WAF: stackflow-cloudfront-waf WebACL attached to all three CloudFront distributions
  • CloudTrail: Organization trail enabled logging to stackflow-cloudtrail-373544523367 S3 bucket
  • GuardDuty: Enabled in account 373544523367 with SNS finding notifications to stackflow-security-findings

The primary multi-region KMS key is mrk-bd842691514c4d74a02992b8dc11fe16. This key protects Aurora, Neptune, ElastiCache, S3, SQS, and SNS encryption at rest. The MRK (multi-region key) design allows replication to additional regions for disaster recovery without re-encrypting all data.

KMS Key Hierarchy

| Key | Type | Protects |
|---|---|---|
| mrk-bd842691514c4d74a02992b8dc11fe16 | Symmetric MRK (CMK) | All StackFlow data stores (Aurora, Neptune, Redis, S3, SQS) |
| Field Encryption Keys (FEK) | Derived (AES-256-GCM) | PII fields (email, phone, notes with PII) |
| Secrets Manager Key | Symmetric (CMK) | All Secrets Manager secrets |

# Inspect the CMK's state and configuration
aws kms describe-key \
  --key-id mrk-bd842691514c4d74a02992b8dc11fe16 \
  --region us-east-1

# Check key rotation status
aws kms get-key-rotation-status \
  --key-id mrk-bd842691514c4d74a02992b8dc11fe16 \
  --region us-east-1

CRITICAL: Never disable or schedule deletion of the CMK without a complete data migration plan. Disabling the CMK will immediately make all Aurora, Neptune, and S3 data inaccessible to the StackFlowAPI Lambda. There is no recovery from accidental CMK deletion.

Field-Level Encryption

Fields marked as PII in the CMDB schema receive field-level encryption. The StackFlowFieldKeyRotator Lambda manages field key rotation on a 90-day schedule. Rotation re-encrypts all affected fields with a new derived key without downtime, processing data in batches to avoid Aurora connection saturation.

// Field encryption is handled automatically by the StackFlow ORM layer
// No application code changes needed to encrypt/decrypt PII fields
const user = await db.query('SELECT email, phone FROM users WHERE id = $1', [userId]);
// email and phone are automatically decrypted by the ORM before returning
// Writing also auto-encrypts:
await db.query('INSERT INTO users (email) VALUES ($1)', ['user@example.com']);
// The email is encrypted before being stored in Aurora

Secrets Management

All secrets in StackFlow are stored in AWS Secrets Manager with automatic rotation. Secret ARNs follow the naming convention stackflow/{component}/{purpose}. The StackFlowAPI Lambda retrieves secrets at startup and caches them in memory for the Lambda instance lifetime (typically 15-20 minutes). After rotation, Lambda instances retrieve the new secret value on the next cache miss.

Security Monitoring

Security events are published to the stackflow-security-findings SNS topic and include: failed authentication attempts (3+ failures), privilege escalation (admin role assignment), KMS key usage from unexpected IAM principals, Secrets Manager access outside Lambda service role, and unusual API usage patterns detected by AWS GuardDuty.