You know how this usually goes. Security gets its own phase on every modernization project. Phase 4, or Phase 6, or "before go-live." By then the architecture is locked and findings become a list of things too expensive to fix.
We've been on those projects. We designed differently. The security architect runs in Wave 3 — parallel with the solution architect. Security findings feed directly into the migration roadmap as P0 tasks from day one, not backlog items for "later."
What the agent keeps finding
Across our three sample applications, the same categories of findings kept appearing — though each app had its own flavor. The ColdFusion CMS had hardcoded AWS keys in a custom S3 client. The Java platform had Spring Security configured but with overly permissive role hierarchies. The .NET portal relied on NTLM/Windows Authentication that has no direct cloud equivalent — requiring a full identity migration to Cognito with Active Directory federation.
Hardcoded credentials. Database connection strings in config files. API keys in source code. AWS access keys in application configuration. The remediation: Secrets Manager with automatic rotation. For apps using custom S3 clients with access keys, eliminate keys entirely via IAM task roles.
Exposed admin interfaces. Admin panels served from the same origin as public content, protected only by application-level checks. The agent designs layered defense: WAF rules blocking admin paths from public IPs, VPN or Verified Access, Cognito with MFA, Lambda authorizer for role-based permissions. For framework-specific paths (ColdFusion's /CFIDE/, Java actuator endpoints), it adds targeted WAF rules.
Session management vulnerabilities. In-process sessions blocking horizontal scaling, auth state in session scope, CSRF tied to session stability. Remediation: externalize to ElastiCache Redis, migrate to JWT-based auth, replace session-based CSRF with token-based approaches.
SQL injection surface area. The agent counts every database query and flags the total as an audit scope. Immediate mitigation: WAF SQLi managed rules (specifically AWSManagedRulesSQLiRuleSet) deployed at the start of migration. Expect a 1-2 week tuning window in count mode to baseline legitimate traffic before switching to block mode — false positives on complex but legitimate queries are common. Systematic fix: parameterized queries in new services, prioritized audit of legacy queries starting with public-facing paths. During the transition period, legacy queries remain a risk surface that WAF mitigates but doesn't eliminate.
!Defense in Depth — nested security layers from WAF through VPC, security groups, IAM, to encryption
The identity migration
The most complex security workstream in any modernization. Legacy apps have custom auth — user tables, password hashing, role hierarchies, session management. Moving to Cognito/Auth0/Okta means mapping every concept:
| Legacy Concept | Cloud Target |
|---|---|
| User credentials table | Cognito User Pool (passwords may need reset — bcrypt/scrypt hashes often not importable) |
| Group membership | Cognito Groups |
| Role-based permissions | Custom attributes + Lambda authorizer |
| Object-level security | Application-level authorization in service code |
| Session-based auth | JWT tokens |
The agent designs a migration Lambda trigger for transparent first-login migration: authenticate against the legacy table, create the user in Cognito if successful. This is transparent for users who log in during the migration window — no password reset required. Inactive users who don't log in during the window will need a post-migration cleanup process (forced password reset or account re-verification).
This is one of the areas where the MCP integration pays off. The agent queries the Cognito documentation for the UserMigration_Authentication trigger specification — getting the exact implementation details for transparent migration with finalUserStatus=CONFIRMED. Training knowledge has the general pattern; MCP provides the current API specifics.
Defense in depth
The agent designs a standard security architecture for every modernization:
- 3-tier VPC — public (load balancers), private (compute), isolated (databases)
- Per-service security groups — not per-tier. Compromised media service can't reach the database if its security group doesn't allow it.
- VPC endpoints — S3, DynamoDB, ECR, CloudWatch, Secrets Manager, KMS, SQS, EventBridge. No internet traversal for internal calls.
- VPC Lattice for service-to-service communication with IAM-based auth. Deny-by-default.
- AWS Verified Access for admin interfaces. Zero-trust: verifies device posture + identity. No VPN client required.
- Encryption everywhere — KMS CMKs for all data stores, TLS 1.3 for new connections (TLS 1.2 minimum for backward compatibility)
- Detective controls — GuardDuty, CloudTrail, AWS Config, Security Hub, VPC Flow Logs. Deployed as part of the foundation phase.
Compliance framework mapping
For regulated industries, the security findings map to specific compliance controls. The agent flags compliance-relevant findings when it detects signals in the discovery report (HIPAA-related data types, payment processing, audit requirements):
| Framework | Key Controls Affected | Common Findings |
|---|---|---|
| PCI-DSS | Req 3 (data protection), Req 6 (secure development), Req 8 (access control) | Hardcoded credentials, SQL injection surface, missing encryption at rest |
| HIPAA | Access controls, audit logging, encryption, transmission security | Session management vulnerabilities, missing audit trails, unencrypted PHI |
| SOC2 | CC6 (logical access), CC7 (system operations), CC8 (change management) | No CI/CD pipeline, manual deployments, missing detective controls |
This isn't a full compliance audit — that requires specialized tooling and human assessors. But mapping security findings to framework controls gives compliance teams a head start and ensures remediation tasks are prioritized correctly.
This won't replace a compliance audit. But it gives your compliance team a running start instead of a cold start.
The priority matrix
| Priority | Actions | Effort |
|---|---|---|
| P0 | Secrets Manager migration, WAF deployment, block admin paths | Low — but "low effort" assumes the team has AWS account access and change management approval. In governance-heavy organizations, even simple WAF rule deployments may require change advisory board review. |
| P1 | Managed identity provider, detective controls, VPC deployment | Medium |
| P2 | Session externalization, SQL injection audit | Medium–High |
| P3 | KMS encryption, container scanning | Low |
P0 items are low-effort, high-impact. WAF rules and admin path blocking in a day. Secrets migration in two days. These happen before any other migration work. If you're wondering where to start, this is the answer: secure first, migrate second.
Running security parallel with architecture means findings influence the design, not just the backlog. If sessions need externalization, the architect's compute design already includes ElastiCache. That's the advantage of the agentic approach.
Cost signal: Several security services introduced here — Secrets Manager (~$0.40/secret/month + API calls), GuardDuty, Security Hub, AWS Config — carry ongoing costs. These are flagged for the cost analyzer in Part 6.
Next: Part 5 — Eyes on the System — where the observability architect designs monitoring, SLOs, CI/CD, chaos engineering, and DR for systems that typically have none. The security findings here — particularly audit logging requirements and the Strangler Fig coexistence period — directly inform the observability design.