📊 Infrastructure Cost Analysis & Security Investment
🔗 Secure Development Policy · Classification Framework
📋 Document Owner: CEO | 📄 Version: 1.2 | 📅 Last Updated: 2026-04-20 (UTC)
🔄 Review Cycle: Annual | ⏰ Next Review: 2027-04-20
🆕 What changed since last review (v1.1 → v1.2, 2026-04-20):
- 📈 IMF added as a third primary economic-data source alongside SCB and World Bank per ADR 0001. Cost impact: $0 incremental spend — IMF public endpoints (data.imf.org, api.imf.org, www.imf.org) require no API key and no subscription, and the existing ~10 req/5 s rate limit is tolerated by the client's 3× back-off. No new managed services and no new container hosting: IMF is a pure-TypeScript client under scripts/imf-client.ts, not an MCP server, so there is no additional Render/Fly/container cost. SBOM coverage is provided by the existing npm package-lock.json, so no additional SBOM tooling is needed. Egress minute usage on GitHub Actions runners is negligible (< 1 s per fetch).
🆕 What changed since last review (v1.0 → v1.1, 2026-04-20):
- Refreshed dual-deployment cost model for the current architecture: AWS CloudFront + S3 dual-region (us-east-1 primary, eu-west-1 replica) for production; GitHub Pages (hack23.github.io) as $0 DR tier; public riksdagsmonitor npm package hosted on the npm registry at $0 to Hack23 (provenance attestations included).
- Expected monthly infrastructure cost remains within the <$500/day financial-impact threshold and is typically well under $50/month steady-state for the static-site footprint (CloudFront + S3 + Route 53 + minimal Lambda@Edge if used).
- Security-investment analysis: $0 incremental cost — all tooling (GitHub Advanced Security, CodeQL, Dependabot, OpenSSF Scorecard, OpenSSF Best Practices #12069, step-security/harden-runner, secret scanning) is included with public-repository GitHub, plus free tiers of SAST/SCA via Actions.
- Confirmed OIDC-only AWS access (no long-lived access keys held by the org) — reduces credential-compromise insurance exposure and operational toil.
- Financial impact classification reconfirmed at Low (<$500/day) per CLASSIFICATION.
- Aligned with ISO 27001:2022 A.5.30 (ICT readiness), NIST CSF 2.0 GV.OV (oversight), CIS Controls v8.1 #1 (asset inventory & cost), EU CRA Annex I §(3)(c) (availability).
This document outlines the financial and security implementation plan for the Riksdagsmonitor platform — a static HTML5/CSS3 website providing Swedish Parliament transparency across 14 languages.
Riksdagsmonitor uses a dual-deployment architecture with AWS CloudFront + S3 as the primary delivery mechanism and GitHub Pages as the disaster recovery standby, as detailed in the Business Continuity Plan. For architectural context, see the Architecture Documentation and End-of-Life Strategy.
| Cost Category | Monthly (USD) | Annual (USD) |
|---|---|---|
| Primary Infrastructure (AWS) | $7.50 | $90.00 |
| DR Infrastructure (GitHub Pages) | $0.00 | $0.00 |
| Domain Registration | $1.00 | $12.00 |
| Security Tooling | $0.00 | $0.00 |
| Development CI/CD | $0.00 | $0.00 |
| Grand Total | $8.50 | $102.00 |
Note: Riksdagsmonitor leverages free-tier and open-source services extensively. The primary recurring costs are AWS S3/CloudFront hosting (including Route 53 DNS) and domain registration. All security tooling is free for open-source projects.
| Component | AWS Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Static Hosting | S3 Standard | $0.50 | $6.00 | ~5 GB storage, static HTML/CSS/JS/data |
| CDN | CloudFront | $5.00 | $60.00 | Global edge caching, ~50 GB/month transfer |
| SSL/TLS | ACM (Certificate Manager) | $0.00 | $0.00 | Free public certificates |
| DNS | Route 53 | $1.00 | $12.00 | Hosted zone + health checks |
| Monitoring | CloudWatch (basic) | $0.00 | $0.00 | Basic metrics included |
| Failover | Route 53 Health Checks | $1.00 | $12.00 | 2 health checks for failover |
| Subtotal (AWS) | | $7.50 | $90.00 | |
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Hosting | GitHub Pages | $0.00 | $0.00 | Free for public repos |
| CDN | GitHub Pages CDN (Fastly) | $0.00 | $0.00 | Included with GitHub Pages |
| SSL/TLS | Let's Encrypt (via GitHub) | $0.00 | $0.00 | Automatic HTTPS |
| Subtotal (DR) | | $0.00 | $0.00 | |
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Domain | riksdagsmonitor.com | $1.00 | $12.00 | Annual domain renewal |
| DNS | Route 53 Hosted Zone | $0.00 | $0.00 | Included in AWS section above (Route 53 line) |
| SSL Certificate | ACM | $0.00 | $0.00 | Free for AWS services |
| Subtotal (Domain) | | $1.00 | $12.00 | Domain registration only; DNS cost in AWS section |
| Security Service | Provider | Annual Cost | ISMS Policy Alignment |
|---|---|---|---|
| SAST Scanning | CodeQL | $0.00 | Secure Development Policy |
| Dependency Scanning | Dependabot + npm audit | $0.00 | Vulnerability Management |
| Secret Scanning | GitHub Secret Scanning | $0.00 | Cryptography Policy |
| Supply Chain Security | SLSA Build Provenance + OpenSSF Scorecard | $0.00 | Secure Development Policy |
| SBOM Generation | GitHub SBOM (SPDX format) | $0.00 | Secure Development Policy |
| CI/CD Hardening | step-security/harden-runner | $0.00 | Secure Development Policy |
| HTML Validation | HTMLHint | $0.00 | Secure Development Policy |
| Dead Code Detection | knip | $0.00 | Secure Development Policy |
| SRI Hash Generation | vite-plugin-sri-gen | $0.00 | Secure Development Policy |
| Unit Testing | Vitest | $0.00 | Secure Development Policy |
| E2E Testing | Cypress (OSS) | $0.00 | Secure Development Policy |
| Performance Monitoring | Lighthouse CI | $0.00 | Quality gates |
| Total Security Tooling | | $0.00 | |
| Metric | Value | Source |
|---|---|---|
| Total Annual Security Investment | $0/year | Free OSS tooling |
| Total Annual Infrastructure | $102/year | AWS + domain costs |
| Security-to-Infrastructure Ratio | Included | Security is built-in, not bolt-on |
| Vulnerability Detection Rate | >95% | Automated scanning pipeline (CodeQL + Dependabot + npm audit) |
| Mean Time to Detect (MTTD) | <24 hours | Automated CI/CD scanning on every push |
| Mean Time to Remediate (MTTR) | <48 hours critical, <7 days high | Dependabot auto-merge + manual review |
| Supply Chain Score | OpenSSF Scorecard | Automated weekly assessment |
| Build Attestation | SLSA Level 3 | Provenance attached to every release |
| 🛡️ ISMS Policy | 💰 Annual Investment | 🔧 Services | 📊 Business Value |
|---|---|---|---|
| Incident Response Plan | $12.00 | Route 53 Health Checks | Automated failover detection; DR activation capability |
| Vulnerability Management | $0.00 | Dependabot + CodeQL + npm audit | Continuous vulnerability scanning; automated patch PRs |
| Cryptography Policy | $0.00 | ACM + SRI + GitHub Secret Scanning | TLS 1.3 certificates; subresource integrity; secret leak prevention |
| Network Security Policy | $60.00 | CloudFront | DDoS protection (AWS Shield Standard); edge caching reduces origin exposure |
| Information Security Policy | $0.00 | CloudWatch (basic) + GitHub Audit Log | Infrastructure monitoring; repository access auditing |
| Business Continuity Plan | $30.00 | S3 ($6) + Route 53 DNS ($12) + Domain ($12) | Dual-deployment resilience; GitHub Pages DR at $0 additional |
| Secure Development Policy | $0.00 | SLSA + SBOM + harden-runner | Supply chain security; build provenance attestation |
| Total | $102.00 | | |
┌─────────────────────────────────────────────────────────────────┐
│ Annual Cost Distribution                                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ CloudFront CDN      █████████████████████████████████  $60 (59%)│
│ Route 53 DNS        ██████                             $12 (12%)│
│ Route 53 Health     ██████                             $12 (12%)│
│ Domain Registration ██████                             $12 (12%)│
│ S3 Storage          ███                                  $6 (6%)│
│ Security Tooling (included in free tier)                 $0 (0%)│
│                                                                 │
│ Total: $102/year ($8.50/month)                                  │
└─────────────────────────────────────────────────────────────────┘
Key Insight: By leveraging open-source security tooling and GitHub's free tier for public repositories, Riksdagsmonitor achieves enterprise-grade security posture at near-zero security cost. The entire annual budget of $102 is spent on infrastructure availability, not security tooling.
- DDoS Protection: Automatic layer 3/4 DDoS mitigation
- Always-On Detection: Network flow monitoring for volumetric attacks
- No Additional Cost: Included with every CloudFront distribution
- CodeQL Analysis: Semantic code analysis for JavaScript/TypeScript vulnerabilities
- Dependabot Alerts: Real-time vulnerability notifications for all dependencies
- Secret Scanning: Detection of leaked credentials in commits
- Security Advisories: Coordinated vulnerability disclosure workflow
- SLSA Build Provenance: Cryptographic attestation of build process
- SBOM (SPDX): Software Bill of Materials for supply chain transparency
- SRI Hashes: Subresource Integrity for all CDN-loaded assets
- SHA-Pinned Actions: Supply chain protection for CI/CD pipeline
| Scenario | Trigger | Additional Monthly Cost | Additional Annual Cost |
|---|---|---|---|
| Traffic Growth (10x) | Viral content / election period | +$20.00 | +$240.00 |
| AWS WAF Addition | Targeted attack mitigation | +$10.00 | +$120.00 |
| CloudFront Functions | Edge-side language routing | +$2.00 | +$24.00 |
| AWS GuardDuty | Enhanced threat detection | +$15.00 | +$180.00 |
| Worst-Case Total | All scenarios combined | $59.00 | $708.00 |
| Opportunity | Potential Savings | Implementation |
|---|---|---|
| CloudFront Reserved Capacity | 10–20% on data transfer | Commit to 12-month pricing |
| S3 Intelligent Tiering | 5–10% on storage | Enable for data archives |
| Consolidated billing | Shared across Hack23 repos | AWS Organizations |
- 🏛️ Architecture — System architecture overview
- 🚀 Future Architecture — Long-term architectural vision
- 📅 End-of-Life Strategy — Technology lifecycle management
- 📋 README — Project overview and quick links
- 🛡️ Security Architecture — Security model details
- 🎯 Threat Model — Risk-driven justification for security services
- 📋 CRA Assessment — EU Cyber Resilience Act compliance
- 🔒 Security Policy — Vulnerability disclosure and management
- 📋 BCP Plan — Business continuity and disaster recovery
- 🚀 Release Process — Release procedures with attestations
- 🔄 CI/CD Workflows — Security-hardened CI/CD pipelines
- 🔮 Future Workflows — Enhanced CI/CD roadmap
- 🔐 Information Security Policy — Overall security governance
- 🔍 Vulnerability Management — Security testing and remediation
- 🚨 Incident Response Plan — Security incident management
- 🏷️ Classification Framework — Business impact and risk assessment
📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: Public
🏷️ Classification:
📅 Effective Date: 2026-03-12
⏰ Next Review: 2027-03-12
🎯 Framework Compliance: