Security Architecture

Authentication, authorization, encryption, and compliance for airline systems.

Scope

Identity & Access

  • Customer authentication
  • Employee authentication
  • API authentication
  • Service-to-service auth
  • Role-based access control

Data Protection

  • Encryption at rest
  • Encryption in transit
  • PII handling
  • Tokenization
  • Key management

Network Security

  • Perimeter defense
  • DDoS protection
  • WAF rules
  • VPC design

Compliance

  • PCI-DSS
  • GDPR
  • SOC 2
  • Aviation-specific requirements

Research Topics

  • OAuth 2.0 / OIDC implementation
  • API security best practices
  • PCI-DSS scope reduction
  • GDPR data subject rights
  • Secret management
  • Security monitoring (SIEM)
  • Penetration testing
  • Security incident response

Architecture Considerations

Authentication Architecture

                    ┌─────────────────┐
                    │   CloudFront    │
                    │      + WAF      │
                    └────────┬────────┘
                             │
              ┌──────────────┼──────────────┐
              │              │              │
         ┌────▼────┐   ┌─────▼─────┐  ┌────▼────┐
         │ Web App │   │ Mobile App│  │   API   │
         └────┬────┘   └─────┬─────┘  └────┬────┘
              │              │              │
              └──────────────┼──────────────┘
                             │
                    ┌────────▼────────┐
                    │     Cognito     │
                    │   User Pool     │
                    └────────┬────────┘
                             │
                    ┌────────▼────────┐
                    │   API Gateway   │
                    │   (JWT verify)  │
                    └────────┬────────┘
                             │
                    ┌────────▼────────┐
                    │  Lambda + IAM   │
                    └─────────────────┘

Authorization Model

RBAC Structure:
├── Customer
│   ├── View own bookings
│   ├── Modify own bookings
│   └── Manage profile
├── Agent
│   ├── View all bookings
│   ├── Modify bookings
│   ├── Issue tickets
│   └── Process refunds (limited)
├── Supervisor
│   ├── All agent permissions
│   ├── Approve waivers
│   └── Access reports
└── Admin
    ├── System configuration
    ├── User management
    └── Audit access

Cognito Configuration

// User Pool settings (AWS CDK v2, inside a Stack constructor)
import * as cognito from 'aws-cdk-lib/aws-cognito';

const userPool = new cognito.UserPool(this, 'AuraUserPool', {
  selfSignUpEnabled: true,                 // customers register themselves
  signInAliases: { email: true },          // email address is the sign-in name
  mfa: cognito.Mfa.OPTIONAL,               // users may enrol a second factor
  mfaSecondFactor: {
    sms: true,
    otp: true                              // TOTP authenticator apps
  },
  passwordPolicy: {
    minLength: 12,
    requireUppercase: true,
    requireDigits: true,
    requireSymbols: true
  },
  accountRecovery: cognito.AccountRecovery.EMAIL_ONLY  // no SMS-based recovery
});

Data Protection

Encryption Standards

Data Type    At Rest          In Transit
PII          AES-256 (KMS)    TLS 1.3
Payment      AES-256 (PCI)    TLS 1.3
Passwords    Argon2id         TLS 1.3
API Keys     KMS              TLS 1.3

PII Handling

PII Data Categories:
├── High sensitivity
│   ├── Passport number
│   ├── Payment card
│   └── Date of birth
├── Medium sensitivity
│   ├── Full name
│   ├── Email
│   └── Phone
└── Low sensitivity
    ├── Booking reference
    └── Flight preferences

Tokenization

// Card tokenization flow
Customer → Payment Form (hosted) → Gateway → Token
                                               ↓
                                  Token stored in booking (not card data)
                                               ↓
                                  Token used for charges

Network Security

WAF Rules

Rule             Purpose
Rate limiting    Prevent brute force
SQL injection    Block SQLi attempts
XSS              Block script injection
Geo-blocking     Block high-risk regions
Bot detection    Block scrapers

API Security

Security Headers:
├── Content-Security-Policy
├── X-Content-Type-Options: nosniff
├── X-Frame-Options: DENY
├── Strict-Transport-Security
└── X-XSS-Protection

Compliance

PCI-DSS Scope Reduction

Out of Scope:
├── Use hosted payment pages
├── Tokenization (no card storage)
├── P2PE terminals
└── SAQ A eligible

In Scope:
├── Redirect handling
├── Token processing
└── Refund triggers

GDPR Requirements

Right           Implementation
Access          Data export API
Rectification   Profile edit
Erasure         Account deletion flow
Portability     Standard format export
Objection       Preference center

Secret Management

AWS Secrets Manager

// Retrieve database credentials (AWS SDK for JavaScript v3)
import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';

const secretsManager = new SecretsManagerClient({});
const { SecretString } = await secretsManager.send(
  new GetSecretValueCommand({ SecretId: 'aura/database/credentials' })
);
const dbCredentials = JSON.parse(SecretString);  // the stored JSON document, e.g. { username, password, host }

// Rotate automatically
// Secret rotation Lambda configured (schedule per the table below)

Secret Types

Secret              Storage            Rotation
DB credentials      Secrets Manager    30 days
API keys            Secrets Manager    90 days
Encryption keys     KMS                Yearly
JWT signing keys    Secrets Manager    90 days

Security Monitoring

CloudWatch Alerts

Event                      Action
Failed logins >10/min      Alert + block
Unusual API patterns       Alert
Data exfiltration signs    Alert + investigate
WAF blocks spike           Alert
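The "Failed logins >10/min" rule from the table as detection logic run over audit log lines, an added example that is not part of this design: a one-minute sliding window per source IP, raising the table's "Alert + block" action only when a window holds more than ten failures. The log line format, user names and IP addresses are constructed for the example.

```javascript
const FAILED_LOGIN_THRESHOLD = 10;  // table rule: more than 10 failures in a minute
const WINDOW_MS = 60 * 1000;

// Parse one audit line of the constructed form "<ISO timestamp> <EVENT> user=<u> ip=<ip>".
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) user=(\S+) ip=(\S+)$/);
  return m ? { ts: Date.parse(m[1]), event: m[2], user: m[3], ip: m[4] } : null;
}

// Sliding one-minute window over LOGIN_FAILED events, keyed by source IP.
// Returns one alert per IP whose densest window exceeds the threshold.
function detectBruteForce(lines, threshold = FAILED_LOGIN_THRESHOLD, windowMs = WINDOW_MS) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.event !== 'LOGIN_FAILED' || Number.isNaN(e.ts)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const alerts = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = { count: 0, windowStart: null };
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] >= windowMs) start++;  // drop events older than the window
      const count = end - start + 1;
      if (count > best.count) best = { count, windowStart: times[start] };
    }
    if (best.count > threshold) alerts.push({ ip, ...best, action: 'Alert + block' });
  }
  return alerts;
}

// Constructed sample: 11 failures from one IP within 50 s; 3 failures spread over 4 min from another.
const SAMPLE_LOG = [
  ...Array.from({ length: 11 }, (_, i) =>
    `2024-05-01T10:00:${String(i * 5).padStart(2, '0')}Z LOGIN_FAILED user=alice ip=203.0.113.5`),
  '2024-05-01T10:00:00Z LOGIN_FAILED user=bob ip=198.51.100.7',
  '2024-05-01T10:02:00Z LOGIN_FAILED user=bob ip=198.51.100.7',
  '2024-05-01T10:04:00Z LOGIN_FAILED user=bob ip=198.51.100.7',
  '2024-05-01T10:04:30Z LOGIN_OK user=bob ip=198.51.100.7',
];

console.log(detectBruteForce(SAMPLE_LOG));
```

Keying by IP alone misses low-and-slow attempts spread across addresses; the same window can be run keyed by user to catch those.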

Audit Logging

Log Sources:
├── CloudTrail (API calls)
├── ALB access logs
├── Lambda logs
├── VPC Flow logs
└── Application audit logs

Retention:
├── Hot: 30 days (CloudWatch)
├── Warm: 1 year (S3)
└── Cold: 7 years (Glacier)