# Security Requirements

Phase: implementation
Enforcement: informational

## SEC-001: No IAM Resources in Service Repos

Service repositories MUST NOT contain IAM policies, roles, or identity resources. IAM is centrally managed by the security team through the infrastructure repo.

**Rule:** No Terraform/CloudFormation IAM resource definitions (`aws_iam_role`, `aws_iam_policy`, `google_project_iam_member`, etc.) in service-level repositories. If your service needs a new permission, request it through the IAM change process.

**Test:** Scan IaC files for IAM resource type declarations.

## SEC-002: No Embedded Credentials or Auth Bypass

Services MUST NOT implement their own authentication mechanisms. All auth flows go through the centralized auth service.

**Rule:** No custom JWT validation, no local user tables, no auth middleware that bypasses the platform auth layer. Services consume auth tokens validated by the platform.

**Test:** Scan for JWT libraries imported outside the auth module, custom `login`/`authenticate` endpoints, and local user/password tables in migrations.

## SEC-003: No Direct External Network Calls Without Proxy

Services MUST NOT make direct outbound HTTP calls to external (non-Reltio) endpoints. All external traffic routes through the API gateway/proxy layer.

**Rule:** Outbound calls to third-party APIs must go through the approved proxy/gateway. No hardcoded external URLs in service code.

**Test:** Scan for HTTP client instantiation with non-internal hostnames.
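As an added illustration of the SEC-001 and SEC-003 tests (example code, not Reltio's own tooling), the following scanner flags IAM resource declarations in Terraform files and hardcoded URLs whose hostname is not on an internal-suffix allowlist. The internal suffixes, the file contents and the file layout are constructed assumptions.

```python
"""Lint checks for SEC-001 (IAM resources in IaC) and SEC-003 (external URLs)."""
import re

# Terraform resource types from the requirement; the prefixes cover the listed
# examples (aws_iam_role, aws_iam_policy, google_project_iam_member, ...).
IAM_RESOURCE_RE = re.compile(
    r'^\s*resource\s+"(aws_iam_\w+|google_project_iam_\w+)"\s+"(\w+)"',
    re.MULTILINE,
)
# Assumption: hostnames with these suffixes are internal; everything else is external.
INTERNAL_SUFFIXES = (".reltio.internal", ".svc.cluster.local", "localhost")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def find_iam_resources(hcl: str):
    """SEC-001: return (resource_type, name) for every IAM resource declared."""
    return [(m.group(1), m.group(2)) for m in IAM_RESOURCE_RE.finditer(hcl)]


def find_external_urls(source: str):
    """SEC-003: return hostnames of hardcoded URLs that are not internal."""
    hosts = []
    for m in URL_RE.finditer(source):
        host = m.group(1).lower()
        if not host.endswith(INTERNAL_SUFFIXES):
            hosts.append(host)
    return hosts


def check_repo(files: dict):
    """Run both checks over {path: content}; return (path, rule, detail) findings."""
    findings = []
    for path, content in files.items():
        if path.endswith(".tf"):
            for rtype, name in find_iam_resources(content):
                findings.append((path, "SEC-001", f"{rtype}.{name}"))
        else:
            for host in find_external_urls(content):
                findings.append((path, "SEC-003", host))
    return findings


# Constructed sample repository contents for a stand-alone run.
SAMPLE = {
    "infra/main.tf": 'resource "aws_s3_bucket" "data" {}\n'
                     'resource "aws_iam_role" "svc" {\n  name = "svc"\n}\n',
    "app/client.py": 'BASE = "https://billing.reltio.internal/v1"\n'
                     'FALLBACK = "https://api.example.com/v2"\n',
}

if __name__ == "__main__":
    for finding in check_repo(SAMPLE):
        print(*finding)
```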