This project follows defense-in-depth principles:

• Ansible: Idempotent, least-privilege, check mode support
• Terraform: Encrypted root volumes, IMDSv2 enforced, no hardcoded secrets
• Kubernetes: Non-root containers, read-only root FS, NetworkPolicies, PodSecurityStandards restricted
• Docker: Distroless/minimal images, no root, health checks, resource limits
• Scripts: set -euo pipefail, quoted variables, no eval

Never commit secrets. Use:

• Ansible Vault for playbook variables
• AWS Secrets Manager / Parameter Store for Terraform
• Kubernetes Sealed Secrets / External Secrets Operator for K8s

If you discover a security issue:

1. Do NOT open a public issue
2. Email security@mounik.dev (replace with real contact)
3. Include repro steps and potential impact
4. Expect initial response within 48h
5. Coordinated disclosure timeline: 90 days

Playbooks reference CIS Benchmarks but are not CIS-certified. Always audit in your environment.