# Cognito user pool for the tradai platform.
# Review notes are marked NOTE(review); everything else restates the values below.
User Pool Configuration:
  Name: tradai-users
  Password Policy:
    MinimumLength: 12
    RequireLowercase: true
    RequireUppercase: true
    RequireNumbers: true
    RequireSymbols: true
    # Admin-issued temporary passwords expire after one week.
    TemporaryPasswordValidityDays: 7
  MFA Configuration:
    MFAConfiguration: "ON"  # REQUIRED, not optional
    EnabledMFAs:
      - SOFTWARE_TOKEN_MFA
      # NOTE(review): SMS is the weaker second factor (carrier/SIM-swap exposure);
      # consider restricting to SOFTWARE_TOKEN_MFA once users have enrolled TOTP.
      - SMS_MFA
  Account Recovery:
    RecoveryMechanisms:
      - Priority: 1
        Name: verified_email
      # NOTE(review): phone-based recovery carries the same caveat as SMS_MFA above.
      - Priority: 2
        Name: verified_phone_number
  User Attributes:
    - Name: email
      Required: true
      Mutable: false  # immutable so the login identity cannot be re-pointed after sign-up
    - Name: custom:organization
      Mutable: true
    # NOTE(review): custom:role is mutable; confirm the app client's writable-attribute
    # list excludes it, otherwise a user could change their own role from the client side.
    - Name: custom:role
      Mutable: true
  Advanced Security:
    AdvancedSecurityMode: ENFORCED
    CompromisedCredentialsRisk: BLOCK
    # NOTE(review): blocking even Low-risk sign-ins is the strictest setting; expect some
    # legitimate-user friction (new device/location) and make sure support has a recovery path.
    AccountTakeoverRisk:
      Low: BLOCK
      Medium: BLOCK
      High: BLOCK
# Secrets Manager entries for tradai. Angle-bracket values are deploy-time placeholders,
# not literal secret material; nothing real should be committed in this file.
Secrets:
  - Name: tradai/mlflow/credentials
    SecretString:
      username: admin
      password: <generated>
    # NOTE(review): no rotation until Phase 2 means this credential is static for the whole
    # interim; track the follow-up and confirm the generated password is never written to logs.
    RotationEnabled: false  # Enable in Phase 2
    Tags:
      Application: tradai
      Environment: production
  - Name: tradai/binance/api
    # Both values are read from the deployment environment at provisioning time.
    SecretString:
      api_key: <from-env>
      api_secret: <from-env>
    # NOTE(review): RotationEnabled is not stated for this entry; presumably it inherits the
    # Phase 2 plan above — confirm.
    Tags:
      Application: tradai
  - Name: tradai/db/credentials
    SecretString:
      host: <rds-endpoint>
      port: 5432
      database: mlflow
      username: mlflow_user
      password: <generated>
    # NOTE(review): RotationEnabled is not stated here either (see mlflow entry above).
    Tags:
      Application: tradai
# CloudTrail audit trail for tradai. Log file validation is on, so the delivered
# digest files can be used to detect tampering with the S3 copies.
Trail:
  Name: tradai-audit-trail
  S3BucketName: tradai-audit-logs
  S3KeyPrefix: cloudtrail/
  # Global services (IAM, STS, CloudFront) are recorded alongside regional events.
  IncludeGlobalServiceEvents: true
  # NOTE(review): single-region means API activity in any other region is not captured by
  # this trail; revisit before workloads or IAM changes move outside the deployment region.
  IsMultiRegionTrail: false  # Single region for now
  EnableLogFileValidation: true
  EventSelectors:
    - ReadWriteType: All
      IncludeManagementEvents: true
      # Object-level data events are limited to the two buckets and the tradai-* tables below.
      DataResources:
        - Type: AWS::S3::Object
          Values:
            - arn:aws:s3:::tradai-configs/
            - arn:aws:s3:::tradai-results/
        - Type: AWS::DynamoDB::Table
          Values:
            - arn:aws:dynamodb:us-east-1:*:table/tradai-*
  # Insights surface unusual call volume and error rates on management events.
  InsightSelectors:
    - InsightType: ApiCallRateInsight
    - InsightType: ApiErrorRateInsight
  # NOTE(review): the audit-log bucket's own policy, encryption and retention/lock settings are
  # not part of this snippet; they decide whether these logs are actually tamper-resistant.
  Tags:
    Application: tradai
    Compliance: audit
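# services/api_gateway/api/schemas/backtest.py
from pydantic import BaseModel, Field, validator
import re


class BacktestRequest(BaseModel):
    """Backtest request with strict validation.

    Every field is required (``Field(...)``) and the model rejects unknown
    keys, so a request body is either exactly this shape or a 422.

    Attributes:
        strategy_name: 3-50 chars, letter followed by letters/digits/underscore.
        strategy_version: semantic version ``MAJOR.MINOR.PATCH`` (digits only).
        experiment_name: free text, 3-100 chars.
        timeframe: one of the fixed candle sizes listed in the regex.
        symbols: 1-10 entries, each validated by ``validate_symbol``.
    """

    strategy_name: str = Field(..., min_length=3, max_length=50, regex=r'^[a-zA-Z][a-zA-Z0-9_]*$')
    strategy_version: str = Field(..., regex=r'^\d+\.\d+\.\d+$')
    experiment_name: str = Field(..., min_length=3, max_length=100)
    timeframe: str = Field(..., regex=r'^(1m|5m|15m|1h|4h|1d)$')
    symbols: list[str] = Field(..., min_items=1, max_items=10)

    @validator('symbols', each_item=True)
    def validate_symbol(cls, v):
        """Require each symbol to look like ``BASE/QUOTE:SETTLE`` in upper case.

        ``re.fullmatch`` is used instead of ``re.match`` with ``^...$``: with
        ``$`` a value carrying a trailing newline (``"BTC/USDT:USDT\\n"``) would
        still pass, and would then reach downstream code unnormalised.

        Raises:
            ValueError: if the symbol does not match the pattern.
        """
        if not re.fullmatch(r'[A-Z]+/[A-Z]+:[A-Z]+', v):
            raise ValueError(f'Invalid symbol format: {v}')
        return v

    @validator('strategy_name')
    def prevent_injection(cls, v):
        """Reject path and shell metacharacters in ``strategy_name``.

        The field regex already excludes all of these characters; this check is
        kept as defence in depth so the name stays safe to use as a path or
        identifier even if the regex constraint is relaxed later.

        Raises:
            ValueError: if any disallowed substring is present.
        """
        dangerous_patterns = ['..', '/', '\\', ';', '|', '&']
        for pattern in dangerous_patterns:
            if pattern in v:
                # Deliberately does not echo the value back to the client.
                raise ValueError('Invalid characters in strategy_name')
        return v

    class Config:
        extra = 'forbid'  # Reject unknown fields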
# services/mlflow/database.py
from sqlalchemy import text
from sqlalchemy.orm import Session


def get_experiments_safe(session: Session, user_id: str) -> list:
    """Return all experiment rows owned by ``user_id``, newest first.

    ``user_id`` is passed as a bound parameter (``:user_id``), so the caller's
    value is never spliced into the SQL text.

    Args:
        session: an open SQLAlchemy session used to run the statement.
        user_id: owner whose experiments are selected.

    Returns:
        The fetched rows as a list.
    """
    # GOOD: bound parameter, the driver handles quoting
    stmt = text(""" SELECT * FROM experiments WHERE user_id = :user_id ORDER BY created_at DESC """)
    bound = {"user_id": user_id}
    rows = session.execute(stmt, bound).fetchall()
    return rows


# BAD: Never do this!
# query = f"SELECT * FROM experiments WHERE user_id = '{user_id}'"
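# services/api_gateway/api/middleware/security.py
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from starlette.middleware.base import BaseHTTPMiddleware
import html

app = FastAPI()

# CORS configuration: an explicit allow-list of origins. Because credentials are
# allowed, the list must stay explicit; a wildcard origin would not be honoured
# by browsers with allow_credentials=True anyway.
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://tradai.smartml.me", "https://app.tradai.smartml.me"],
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
)


class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Add security headers to all responses.

    Runs after the downstream handler so the headers are set on every
    response, including error responses produced by other middleware.
    """

    async def dispatch(self, request, call_next):
        """Call the next handler, then stamp the response with browser hardening headers."""
        response = await call_next(request)
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        # "0" disables the legacy XSS auditor rather than enabling it: the filter is
        # gone from current browsers, and in the older ones that still have it the
        # "1; mode=block" setting has itself been a source of cross-site leaks.
        # CSP below is the effective XSS control.
        response.headers["X-XSS-Protection"] = "0"
        response.headers["Strict-Transport-Security"] = (
            "max-age=31536000; includeSubDomains"
        )
        # frame-ancestors 'none' is the CSP equivalent of X-Frame-Options: DENY,
        # so both old and new browsers get the same no-framing rule.
        response.headers["Content-Security-Policy"] = (
            "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
        )
        return response


# Added last, so it wraps the CORS layer and sees its responses too.
app.add_middleware(SecurityHeadersMiddleware)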