{
  "report_version": "1.1.0",
  "report_id": "49745bf4-e991-4205-8362-51f6b672fbff",
  "emitted_at": "2026-05-08T21:03:00.174538+00:00",
  "system_id": "urn:samaydlette:website-prod",
  "ksi_signal_ref": "/.well-known/ksi-signal.json",
  "poam_ref": "docs/poam.md",
  "class": "C",
  "summary": {
    "by_pain": {
      "N1": 0,
      "N2": 0,
      "N3": 0,
      "N4": 0,
      "N5": 0
    },
    "blocking": 0,
    "kev": 0,
    "risk_accepted": 15,
    "ledger_carried_forward": 0,
    "ledger_newly_detected": 0,
    "total_findings": 0
  },
  "findings": [],
  "risk_accepted": [
    {
      "tracking_id": "CKV_AWS_144",
      "poam_ref": "POAM-003",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_144",
      "title": "CKV_AWS_144 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Single-region static site. Cross-region replication adds cost without commensurate availability benefit at the declared 21-day RTO."
    },
    {
      "tracking_id": "CKV_AWS_23",
      "poam_ref": "POAM-004",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_23",
      "title": "CKV_AWS_23 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda writes to S3 but does not subscribe to S3 events. No event-driven workflow in scope."
    },
    {
      "tracking_id": "CKV_AWS_18",
      "poam_ref": "POAM-005",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_18",
      "title": "CKV_AWS_18 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "CloudTrail covers the audit need account-wide. CloudFront access logs were similarly excluded for cost."
    },
    {
      "tracking_id": "CKV_AWS_300",
      "poam_ref": "POAM-006",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_300",
      "title": "CKV_AWS_300 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Static website assets have no expiration policy; lifecycle rules are not applicable."
    },
    {
      "tracking_id": "CKV_AWS_68",
      "poam_ref": "POAM-007",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_68",
      "title": "CKV_AWS_68 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N2",
      "internet_reachable": true,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Cost trade-off (~$120/year). Static personal site has no forms, no auth endpoints; AWS Shield Standard is the baseline DDoS protection at zero marginal cost."
    },
    {
      "tracking_id": "CKV_AWS_174",
      "poam_ref": "POAM-008",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_174",
      "title": "CKV_AWS_174 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "No Java runtime in scope (Lambda runs Node.js; site is static HTML/CSS/JS). Log4j-class vulnerabilities cannot exist in this stack."
    },
    {
      "tracking_id": "CKV_AWS_86",
      "poam_ref": "POAM-009",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_86",
      "title": "CKV_AWS_86 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Single S3 origin. No secondary origin to fail over to; multi-origin would require multi-region storage."
    },
    {
      "tracking_id": "CKV_AWS_117",
      "poam_ref": "POAM-010",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_117",
      "title": "CKV_AWS_117 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda has no internet egress, no sensitive data, no private endpoint targets. NAT Gateway adds cost without commensurate isolation benefit."
    },
    {
      "tracking_id": "CKV_AWS_173",
      "poam_ref": "POAM-011",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_173",
      "title": "CKV_AWS_173 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Lambda env vars hold bucket name, distribution ID, system ID \u2014 all non-sensitive and visible in the public runtime signal. AWS-default encryption suffices."
    },
    {
      "tracking_id": "CKV_AWS_115",
      "poam_ref": "POAM-012",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_115",
      "title": "CKV_AWS_115 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Daily EventBridge invocation; concurrent invocations are not realistic. Cost-control limit not required."
    },
    {
      "tracking_id": "CKV_AWS_116",
      "poam_ref": "POAM-013",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_116",
      "title": "CKV_AWS_116 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Daily idempotent run; failures are recoverable on the next day's invocation. DLQ adds cost for marginal observability benefit."
    },
    {
      "tracking_id": "CKV_AWS_50",
      "poam_ref": "POAM-014",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_50",
      "title": "CKV_AWS_50 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Observability concern, not a security control. Cost-driven exclusion; CloudWatch Logs covers the diagnostic need."
    },
    {
      "tracking_id": "CKV_AWS_272",
      "poam_ref": "POAM-015",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_272",
      "title": "CKV_AWS_272 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N2",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "Source-level signing chain in place: deploy-time KSI signal is Sigstore-signed; Wasm policy bytes are verifiable via the canonical inventory's content hash. AWS Signer would add defense-in-depth at additional cost; not currently justified."
    },
    {
      "tracking_id": "CKV_AWS_338",
      "poam_ref": "POAM-017",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_338",
      "title": "CKV_AWS_338 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "7-day retention; operational debug logs only, no PII. Anything older than a week is not actionable for sole-operator incident response (IR)."
    },
    {
      "tracking_id": "CKV_AWS_158",
      "poam_ref": "POAM-018",
      "source": "checkov-suppression",
      "tool_id": "CKV_AWS_158",
      "title": "CKV_AWS_158 suppressed",
      "resource": ".checkov.yaml",
      "first_detected": "2026-05-08T21:03:00.174538+00:00",
      "completed_evaluation": "2026-05-08T21:03:00.174538+00:00",
      "pain": "N1",
      "internet_reachable": false,
      "likely_exploitable": false,
      "is_kev": false,
      "current_disposition": "risk-accepted",
      "explanation": "AWS-default encryption (server-side AES-256) is on. No PII in log content; customer-managed KMS adds cost without commensurate benefit."
    }
  ],
  "rules_reference": {
    "evaluation": "FedRAMP 20x VDR-EVA-* (PAIN, IRV, LEV)",
    "timeframes": "FedRAMP 20x VDR-TFR-PVR Class C",
    "reporting": "FedRAMP 20x VDR-RPT-VDT, VDR-RPT-AVI"
  }
}