Based on the architecture diagram, and the steps you have taken so far to upload data and access the application web service, identify at least 2 obvious poor practices as it relates to security. Include justification.
The security group exposes broad attack surface by allowing traffic to the web service from anywhere and too many ports open.
One way is to reduce the attack surface is to modify security group of the web service to allow traffic only from port 5000 and the security group of the load balancer.
All S3 buckets are accessible via the used IAM Role, which violates the principle of minimal privilege. Access should be confined to a list of resources, in this case the free recipes bucket.
IAM role has overlay permissive access to the buckets although all what needed is read access, only GetObject suffices.
Web service EC2 resides on public subnet, however only the LB can stay there and EC2 to moved in private subnet, and getting access through NAT gateway.
No server side encryption is enabled in S3 buckets, notably in the secret recipe one, recipe needed to be encrypted even an actor gets access to it. It will be no good for them.