diff --git a/Dockerfile b/Dockerfile
index a90fa0b..1ff04fd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,8 +65,13 @@ RUN \
 echo "### cleanup ###" && \
 echo "##############" && \
 cd /root && \
- rm -rf /tmp/env-install-workdir
-
+ rm -rf /tmp/env-install-workdir && \
+ echo "##############" && \
+ echo "### dnf clean ##" && \
+ echo "##############" && \
+ dnf clean all && \
+ rm -rf /var/cache/dnf
+
 # Lambda and SASL_SSL_Artifacts
 COPY $SASL_SSL_ARTIFACTS /opt/sasl_ssl_artifacts/
 COPY src $LAMBDA_TASK_ROOT/src
@@ -79,5 +84,15 @@ ENV \
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib \
 KRB5CCNAME=FILE:/tmp/krb5cc
 
+# Run as non-root user (AVD-DS-0002).
+# The base image has no shadow-utils, so register the user directly in
+# /etc/passwd + /etc/group. Lambda only needs read access to the task root
+# and write access to /tmp.
+RUN echo 'app:x:1000:1000::/home/app:/sbin/nologin' >> /etc/passwd && \
+ echo 'app:x:1000:' >> /etc/group && \
+ mkdir -p /home/app && \
+ chown -R 1000:1000 /home/app ${LAMBDA_TASK_ROOT} /opt/certs /opt/sasl_ssl_artifacts
+USER 1000
+
 # Set lambda entry point as CMD
 CMD ["src.event_gate_lambda.lambda_handler"]
diff --git a/terraform_examples/lambda.tf b/terraform_examples/lambda.tf
index bbd2fca..bebb2d7 100644
--- a/terraform_examples/lambda.tf
+++ b/terraform_examples/lambda.tf
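Review bot: `chown -R 1000:1000 /home/app ${LAMBDA_TASK_ROOT} /opt/certs /opt/sasl_ssl_artifacts` in the new non-root RUN gives the runtime user ownership of the handler code, the certificates and the SASL/SSL artifacts, which contradicts the comment two lines above it that the function only needs read access; wherever the filesystem is writable (local runs of the image, anything other than Lambda's read-only mount) a compromised handler could then alter its own code or the trust material. Keeping those trees root-owned and only guaranteeing read bits is the least-privilege shape, e.g. `chown 1000:1000 /home/app && \` followed by `chmod -R a+rX ${LAMBDA_TASK_ROOT} /opt/certs /opt/sasl_ssl_artifacts`. A recursive chown in its own RUN also rewrites every file from the earlier COPY layers into a new layer, so if an owner change is genuinely required it is cheaper to do it at the source with `COPY --chown=1000:1000` on the COPY lines shown in the previous hunk. The /opt/certs tree is presumably populated earlier in the Dockerfile, outside the visible hunks.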
@@ -5,10 +5,16 @@ resource "aws_security_group" "event_gate_sg" {
 tags = { "BuiltBy" = "Terraform" }
 }
-resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
+# Example only — these terraform_examples are illustrative and not used for
+# real deployments. In production, egress is governed by org-managed policies
+# in the target (internal, non-SEN) AWS account. The dummy restricted CIDR and
+# port below satisfy AVD-AWS-0104; replace with values appropriate to your VPC.
+resource "aws_vpc_security_group_egress_rule" "allow_https_egress_ipv4" {
 security_group_id = aws_security_group.event_gate_sg.id
- cidr_ipv4 = "0.0.0.0/0"
- ip_protocol = "-1"
+ cidr_ipv4 = "10.0.0.0/32"
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
 }
 data "aws_s3_object" "event_gate_lambda_zip" {
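Review bot: The replacement rule at `cidr_ipv4 = "10.0.0.0/32"` permits TCP/443 to a single placeholder host, so an example applied as-is leaves the function with no usable egress (the SASL_SSL artifacts copied in the Dockerfile suggest it has to reach a broker), and the shortcut a reader will reach for is putting `0.0.0.0/0` back. The new comment already says to replace the values, but it should name the intended shape so the scanner-satisfying placeholder is not copied literally: `# Prefer referenced_security_group_id = <broker SG id> (or prefix_list_id) over a CIDR, and the broker's actual port rather than 443.` Renaming the resource from allow_all_traffic_ipv4 to allow_https_egress_ipv4 also makes Terraform destroy and recreate the rule in any state that applied the old example; a `moved { from = aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4  to = aws_vpc_security_group_egress_rule.allow_https_egress_ipv4 }` block would keep the address stable, if that matters for example code.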