This document provides a quick reference for intentional security decisions made in this project that may appear as findings in security scanners.
Security scanners like Trivy and TFLint may flag certain configurations as potential security issues. This project includes Architectural Decision Records (ADRs) that document why certain "findings" are intentional design decisions rather than vulnerabilities.
| Finding | Rule ID | Status | ADR | Summary |
|---|---|---|---|---|
| Unrestricted egress (ALB) | AVD-AWS-0104 | ✅ Accepted | ADR-001 | Required for AWS service access |
| Unrestricted egress (ECS Cluster) | AVD-AWS-0104 | ✅ Accepted | ADR-001 | Required for ECR pulls and CloudWatch |
| Unrestricted egress (ECS Tasks) | AVD-AWS-0104 | ✅ Accepted | ADR-001 | Required for external APIs |
| Internet-facing ALB | AVD-AWS-0053 | ✅ Accepted | ADR-002 | Public web application |
| AWS-managed S3 encryption | AVD-AWS-0132 | ✅ Accepted | ADR-003 | Cost-effective, sufficient security |
The following findings were addressed with code changes:
| Finding | Rule ID | Status | Implementation |
|---|---|---|---|
| Container runs as root | AVD-DS-0002 | ✅ Fixed | Non-root user added to Dockerfile |
| ALB invalid headers | AVD-AWS-0052 | ✅ Fixed | drop_invalid_header_fields = true |
| ECR image scanning | AVD-AWS-0030 | ✅ Fixed | scan_on_push = true |
| ECR mutable tags | AVD-AWS-0031 | ✅ Fixed | image_tag_mutability = "IMMUTABLE" |
| IMDS v2 not enforced | AVD-AWS-0130 | ✅ Fixed | http_tokens = required |
Accepted findings are suppressed in .trivyignore to prevent false positives in future scans. Each suppression includes:
- Rule ID
- Affected file paths (in comments)
- Rationale statement (in comments)
- Reference to ADR (in comments)
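As an added example (not the project's own tooling), the check below parses a plaintext `.trivyignore` in the form described above and flags any suppression that lacks the file-path, rationale or ADR comments, or whose cited ADR does not match the accepted-findings table. The `Files:`, `Rationale:` and `See:` comment labels and the sample file content are constructed for this example; only the rule IDs and ADR numbers come from the tables in this document.

```python
"""Lint a plaintext .trivyignore so every suppression carries the metadata this
project requires: rule ID, affected file paths, a rationale and an ADR reference.

Added example, not the project's own tooling. ACCEPTED mirrors the accepted-findings
table; the .trivyignore text and comment labels are constructed for illustration.
Trivy reads one rule ID per line (optionally followed by 'exp:YYYY-MM-DD') and
skips '#' lines, so the metadata lives in the comments directly above each ID.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepted findings -> the ADR that is expected to justify each one.
ACCEPTED = {
    "AVD-AWS-0104": "ADR-001",
    "AVD-AWS-0053": "ADR-002",
    "AVD-AWS-0132": "ADR-003",
}

RULE_LINE = re.compile(r"^(?P<id>AVD-[A-Z]+-\d{4})(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")
ADR_REF = re.compile(r"\bADR-\d{3}\b")

# Constructed sample. The middle block is deliberately incomplete: it has no
# rationale and cites ADR-001 although the table maps AVD-AWS-0053 to ADR-002.
SAMPLE_TRIVYIGNORE = """\
# Files: infra-ecs/alb.tf, infra-ecs/ecs.tf
# Rationale: outbound access to AWS APIs, ECR and CloudWatch is required
# See: ADR-001
AVD-AWS-0104

# Files: infra-ecs/alb.tf
# See: ADR-001
AVD-AWS-0053

# Files: infra-ecs/s3.tf
# Rationale: SSE-S3 is sufficient for this data classification
# See: ADR-003
AVD-AWS-0132 exp:2026-11-28
"""


@dataclass
class Suppression:
    line_no: int
    rule_id: str            # raw line text when well_formed is False
    expires: Optional[str]
    comments: List[str]     # comment text without the leading '#'
    well_formed: bool


def parse_trivyignore(text: str) -> List[Suppression]:
    """Attach to each rule ID the contiguous comment lines directly above it.
    A blank line ends a comment run, so orphaned comments are not credited."""
    entries, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            pending = []
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        m = RULE_LINE.match(line)
        if m:
            entries.append(Suppression(line_no, m["id"], m["exp"], pending, True))
        else:
            entries.append(Suppression(line_no, line, None, pending, False))
        pending = []
    return entries


def lint_suppressions(entries: List[Suppression], accepted=ACCEPTED) -> List[str]:
    """Return one problem string per missing or inconsistent piece of metadata."""
    problems = []
    for s in entries:
        where = f"line {s.line_no} ({s.rule_id})"
        if not s.well_formed:
            problems.append(f"{where}: not a valid Trivy rule ID line")
            continue
        if s.rule_id not in accepted:
            problems.append(f"{where}: suppressed but not in the accepted-findings table")
        if not any(c.lower().startswith("files:") for c in s.comments):
            problems.append(f"{where}: missing 'Files:' comment")
        if not any(c.lower().startswith("rationale:") for c in s.comments):
            problems.append(f"{where}: missing 'Rationale:' comment")
        cited = set(ADR_REF.findall(" ".join(s.comments)))
        if not cited:
            problems.append(f"{where}: no ADR reference")
        elif s.rule_id in accepted and accepted[s.rule_id] not in cited:
            problems.append(f"{where}: cites {', '.join(sorted(cited))} but the table maps it to {accepted[s.rule_id]}")
    return problems


def lint_trivyignore(text: str, accepted=ACCEPTED) -> List[str]:
    return lint_suppressions(parse_trivyignore(text), accepted)


if __name__ == "__main__":
    for problem in lint_trivyignore(SAMPLE_TRIVYIGNORE) or ["all suppressions documented"]:
        print(problem)
```

Run against the real file with `lint_trivyignore(open(".trivyignore").read())`; a non-empty result is a review blocker, since a suppression without its ADR link is indistinguishable from a silently ignored finding at the next audit.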
If you're reviewing this project for compliance purposes:
- Read the ADRs - Each decision is documented with alternatives considered and rationale
- Review mitigation strategies - Each ADR describes how risk is mitigated through other controls
- Check compliance mapping - ADR-003 includes compliance standard mapping
- Understand the context - These are intentional decisions, not oversights
The ADRs document scenarios where different decisions may be required:
- PCI-DSS Level 1 compliance may require customer-managed KMS keys (see ADR-003)
- Highly regulated industries (healthcare, finance) may require restricted egress (see ADR-001)
- Internal applications should not use internet-facing ALBs (see ADR-002)
- Air-gapped environments require different architecture (see ADR-001)
These decisions should be reviewed:
| Trigger | Frequency | Action |
|---|---|---|
| Annual Review | Yearly | Re-evaluate all ADRs for relevance |
| Compliance Change | As needed | Check if new requirements invalidate decisions |
| Architecture Change | As needed | Ensure ADRs still apply to new design |
| Security Incident | Immediate | Review if incident relates to accepted risk |
| AWS Service Update | As needed | Check if new services provide better alternatives |
- Last Review: 2025-11-28
- Next Review: 2026-11-28
While we accept certain scanner findings, our security posture is based on the following principles.
Multiple security layers compensate for accepted risks:
- Network segmentation (public/private subnets)
- IAM least privilege
- Encryption at rest and in transit
- Container security (non-root user, image scanning)
- Monitoring and logging
Decisions balance:
- Security: Adequate protection for data sensitivity
- Cost: Avoid unnecessary expenses
- Complexity: Maintainable solutions
- Compliance: Meet applicable standards
Security is not static:
- Regular reviews of decisions
- Update when better alternatives emerge
- Learn from security research
- Adapt to changing requirements
To run the scanners locally:

```shell
trivy config --severity HIGH,CRITICAL --ignorefile .trivyignore .
tflint --recursive --filter=infra-ecs/
pre-commit run --all-files
```

When updating an ADR:
- Update the ADR markdown file
- Update `.trivyignore` if needed
- Update this summary document
- Commit all changes together
- ADR Directory - Full list of architectural decisions
- AWS Security Best Practices
- Trivy Documentation
- TFLint Documentation
If you have questions about these security decisions:
- Read the relevant ADR for full context
- Check if your scenario matches "When to Reconsider" sections
- Review compliance mapping in ADR-003
- Consider if requirements have changed since last review
Remember: These are intentional, documented decisions, not security oversights.