{
  "report_version": "1.1.0",
  "report_id": "4dac26c0-c538-458d-9b6d-8c8f4f985c00",
  "emitted_at": "2026-05-19T21:09:01.088686+00:00",
  "system_id": "urn:samaydlette:website-prod",
  "ksi_signal_ref": "/.well-known/ksi-signal.json",
  "poam_ref": "docs/poam.md",
  "class": "C",
  "summary": {
    "by_pain": {
      "N1": 0,
      "N2": 2,
      "N3": 16,
      "N4": 0,
      "N5": 0
    },
    "blocking": 0,
    "kev": 0,
    "risk_accepted": 15,
    "ledger_carried_forward": 0,
    "ledger_newly_detected": 18,
    "total_findings": 18
  },
  "findings": [
    {
      "tracking_id": "checkov-CKV_AWS_28-infrastructure/bootstrap/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_28",
      "title": "CKV_AWS_28",
      "description": "Ensure DynamoDB point in time recovery (backup) is enabled",
      "resource": "infrastructure/bootstrap/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV_AWS_119-infrastructure/bootstrap/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_119",
      "title": "CKV_AWS_119",
      "description": "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK",
      "resource": "infrastructure/bootstrap/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV_AWS_374-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_374",
      "title": "CKV_AWS_374",
      "description": "Ensure AWS CloudFront web distribution has geo restriction enabled",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": true,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 16,
      "remediation_due_at": "2026-06-04T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV_AWS_310-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_310",
      "title": "CKV_AWS_310",
      "description": "Ensure CloudFront distributions should have origin failover configured",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": true,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 16,
      "remediation_due_at": "2026-06-04T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_47-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_47",
      "title": "CKV2_AWS_47",
      "description": "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": true,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 16,
      "remediation_due_at": "2026-06-04T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_62-infrastructure/bootstrap/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_62",
      "title": "CKV2_AWS_62",
      "description": "Ensure S3 buckets should have event notifications enabled",
      "resource": "infrastructure/bootstrap/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_62-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_62",
      "title": "CKV2_AWS_62",
      "description": "Ensure S3 buckets should have event notifications enabled",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_42-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_42",
      "title": "CKV2_AWS_42",
      "description": "Ensure AWS CloudFront distribution uses custom SSL certificate",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": true,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 16,
      "remediation_due_at": "2026-06-04T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_39-infrastructure/domain.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_39",
      "title": "CKV2_AWS_39",
      "description": "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones",
      "resource": "infrastructure/domain.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_61-infrastructure/bootstrap/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_61",
      "title": "CKV2_AWS_61",
      "description": "Ensure that an S3 bucket has a lifecycle configuration",
      "resource": "infrastructure/bootstrap/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_61-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_61",
      "title": "CKV2_AWS_61",
      "description": "Ensure that an S3 bucket has a lifecycle configuration",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV2_AWS_38-infrastructure/domain.tf",
      "source": "checkov",
      "tool_id": "CKV2_AWS_38",
      "title": "CKV2_AWS_38",
      "description": "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones",
      "resource": "infrastructure/domain.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV_AWS_145-infrastructure/bootstrap/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_145",
      "title": "CKV_AWS_145",
      "description": "Ensure that S3 buckets are encrypted with KMS by default",
      "resource": "infrastructure/bootstrap/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "checkov-CKV_AWS_145-infrastructure/main.tf",
      "source": "checkov",
      "tool_id": "CKV_AWS_145",
      "title": "CKV_AWS_145",
      "description": "Ensure that S3 buckets are encrypted with KMS by default",
      "resource": "infrastructure/main.tf",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "tfsec-AVD-AWS-0010-/github/workspace/infrastructure/main.tf-110",
      "source": "tfsec",
      "tool_id": "AVD-AWS-0010",
      "title": "Distribution does not have logging enabled.",
      "description": "Enable logging for CloudFront distributions",
      "resource": "aws_cloudfront_distribution.website",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N2",
      "internet_reachable": true,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 192,
      "remediation_due_at": "2026-11-27T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "tfsec-AVD-AWS-0011-/github/workspace/infrastructure/main.tf-110",
      "source": "tfsec",
      "tool_id": "AVD-AWS-0011",
      "title": "Distribution does not utilise a WAF.",
      "description": "Enable WAF for the CloudFront distribution",
      "resource": "aws_cloudfront_distribution.website",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": true,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 16,
      "remediation_due_at": "2026-06-04T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "tfsec-AVD-AWS-0089-/github/workspace/infrastructure/main.tf-82",
      "source": "tfsec",
      "tool_id": "AVD-AWS-0089",
      "title": "Bucket does not have logging enabled",
      "description": "Add a logging block to the resource to enable access logging",
      "resource": "aws_s3_bucket.website",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N2",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 192,
      "remediation_due_at": "2026-11-27T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    },
    {
      "tracking_id": "tfsec-AVD-AWS-0132-/github/workspace/infrastructure/main.tf-209",
      "source": "tfsec",
      "tool_id": "AVD-AWS-0132",
      "title": "Bucket does not encrypt data with a customer managed key.",
      "description": "Enable encryption using customer managed keys",
      "resource": "aws_s3_bucket_server_side_encryption_configuration.website",
      "cve": null,
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "days_since_first_detected": 0,
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N3",
      "internet_reachable": false,
      "likely_exploitable": true,
      "is_kev": false,
      "current_disposition": "open",
      "remediation_sla_days": 32,
      "remediation_due_at": "2026-06-20T21:09:01.088686+00:00",
      "is_blocking": false,
      "block_reason": null
    }
  ],
  "risk_accepted": [
    {
      "tracking_id": "CKV_AWS_144",
      "poam_ref": "POAM-003",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_144",
      "title": "CKV_AWS_144 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Single-region static site. Cross-region replication adds cost without commensurate availability benefit at the declared 21-day RTO."
    },
    {
      "tracking_id": "CKV_AWS_23",
      "poam_ref": "POAM-004",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_23",
      "title": "CKV_AWS_23 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda writes to S3 but does not subscribe to S3 events. No event-driven workflow in scope."
    },
    {
      "tracking_id": "CKV_AWS_18",
      "poam_ref": "POAM-005",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_18",
      "title": "CKV_AWS_18 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "CloudTrail covers the audit need account-wide. CloudFront access logs were similarly excluded for cost."
    },
    {
      "tracking_id": "CKV_AWS_300",
      "poam_ref": "POAM-006",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_300",
      "title": "CKV_AWS_300 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Static website assets have no expiration policy; lifecycle rules are not applicable."
    },
    {
      "tracking_id": "CKV_AWS_68",
      "poam_ref": "POAM-007",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_68",
      "title": "CKV_AWS_68 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N2",
      "internet_reachable": true,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Cost trade-off (~$120/year). Static personal site has no forms, no auth endpoints; AWS Shield Standard is the baseline DDoS protection at zero marginal cost."
    },
    {
      "tracking_id": "CKV_AWS_174",
      "poam_ref": "POAM-008",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_174",
      "title": "CKV_AWS_174 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "No Java runtime in scope (Lambda runs Node.js; site is static HTML/CSS/JS). Log4j-class vulnerabilities cannot exist in this stack."
    },
    {
      "tracking_id": "CKV_AWS_86",
      "poam_ref": "POAM-009",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_86",
      "title": "CKV_AWS_86 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Single S3 origin. No secondary origin to fail over to; multi-origin would require multi-region storage."
    },
    {
      "tracking_id": "CKV_AWS_117",
      "poam_ref": "POAM-010",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_117",
      "title": "CKV_AWS_117 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda has no internet egress, no sensitive data, no private endpoint targets. NAT Gateway adds cost without commensurate isolation benefit."
    },
    {
      "tracking_id": "CKV_AWS_173",
      "poam_ref": "POAM-011",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_173",
      "title": "CKV_AWS_173 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda env vars hold bucket name, distribution ID, system ID \u2014 all non-sensitive and visible in the public runtime signal. AWS-default encryption suffices."
    },
    {
      "tracking_id": "CKV_AWS_115",
      "poam_ref": "POAM-012",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_115",
      "title": "CKV_AWS_115 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Daily EventBridge invocation; concurrent invocations are not realistic. A cost-control concurrency limit is not required."
    },
    {
      "tracking_id": "CKV_AWS_116",
      "poam_ref": "POAM-013",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_116",
      "title": "CKV_AWS_116 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Daily idempotent run; failures are recoverable on the next day's invocation. DLQ adds cost for marginal observability benefit."
    },
    {
      "tracking_id": "CKV_AWS_50",
      "poam_ref": "POAM-014",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_50",
      "title": "CKV_AWS_50 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Observability concern, not a security control. Cost-driven exclusion; CloudWatch Logs covers the diagnostic need."
    },
    {
      "tracking_id": "CKV_AWS_272",
      "poam_ref": "POAM-015",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_272",
      "title": "CKV_AWS_272 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N2",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Source-level signing chain in place: deploy-time KSI signal is Sigstore-signed; Wasm policy bytes are verifiable via the canonical inventory's content hash. AWS Signer adds defense-in-depth at marginal cost; not currently justified."
    },
    {
      "tracking_id": "CKV_AWS_338",
      "poam_ref": "POAM-017",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_338",
      "title": "CKV_AWS_338 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "7-day retention; operational debug logs only, no PII. Anything older than a week is not actionable for sole-operator IR."
    },
    {
      "tracking_id": "CKV_AWS_158",
      "poam_ref": "POAM-018",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_158",
      "title": "CKV_AWS_158 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-19T21:09:01.088686+00:00",
      "completed_evaluation": "2026-05-19T21:09:01.088686+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "AWS-default encryption (server-side AES-256) is on. No PII in log content; customer-managed KMS adds cost without commensurate benefit."
    }
  ],
  "rules_reference": {
    "evaluation": "FedRAMP 20x VDR-EVA-* (PAIN, IRV, LEV)",
    "timeframes": "FedRAMP 20x VDR-TFR-PVR Class C",
    "reporting": "FedRAMP 20x VDR-RPT-VDT, VDR-RPT-AVI"
  }
}