diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf
index 4997caec..dbaa317d 100644
--- a/terraform/layer1-aws/aws-cloudtrail.tf
+++ b/terraform/layer1-aws/aws-cloudtrail.tf
@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption
+#tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption tfsec:ignore:aws-cloudtrail-ensure-cloudwatch-integration
 resource "aws_cloudtrail" "main" {
   name = local.name
   s3_bucket_name = aws_s3_bucket.cloudtrail.id
@@ -10,7 +10,7 @@ resource "aws_cloudtrail" "main" {
   tags = local.tags
 }
 
-#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-cloudtrail-require-bucket-access-logging
 resource "aws_s3_bucket" "cloudtrail" {
   bucket = "${local.name}-aws-cloudtrail-logs"
 
diff --git a/terraform/layer1-aws/aws-vpc.tf b/terraform/layer1-aws/aws-vpc.tf
index 077ad44a..2b41fa1f 100644
--- a/terraform/layer1-aws/aws-vpc.tf
+++ b/terraform/layer1-aws/aws-vpc.tf
@@ -13,6 +13,7 @@ data "aws_security_group" "default" {
   vpc_id = module.vpc.vpc_id
 }
 
+#tfsec:ignore:aws-ec2-no-public-ip-subnet
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
   version = "3.12.0"
diff --git a/terraform/layer2-k8s/eks-gitlab-runner.tf b/terraform/layer2-k8s/eks-gitlab-runner.tf
index 3a171a0f..1aee181a 100644
--- a/terraform/layer2-k8s/eks-gitlab-runner.tf
+++ b/terraform/layer2-k8s/eks-gitlab-runner.tf
@@ -144,6 +144,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_runner_enc
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "gitlab_runner_lifecycle" {
+  count = local.gitlab_runner.enabled ? 1 : 0
+
   bucket = aws_s3_bucket.gitlab_runner_cache[0].id
 
   rule {
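Review bot: The new `tfsec:ignore:aws-cloudtrail-ensure-cloudwatch-integration` suppression on the `aws_cloudtrail.main` resource is added without any stated reason, and together with the pre-existing at-rest-encryption ignore it means the account's audit trail is neither KMS-encrypted nor delivered to CloudWatch Logs, so there is no path for near-real-time alerting on control-plane events (root login, IAM changes, trail stop/delete). If shipping to CloudWatch is a deliberate cost trade-off, the suppression should say so and carry an expiry, e.g. `#tfsec:ignore:aws-cloudtrail-ensure-cloudwatch-integration:exp:<date> # cost: CloudWatch delivery re-evaluated with the SIEM rollout`, so it does not silently become permanent; otherwise wiring `cloud_watch_logs_group_arn` and `cloud_watch_logs_role_arn` on this resource is the fix the check is asking for. The body of `aws_cloudtrail.main` continues past the hunk, so I cannot see whether `enable_log_file_validation` is set; it should be, since the trail's integrity is otherwise unverifiable.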
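Review bot: Suppressing `aws-cloudtrail-require-bucket-access-logging` on `aws_s3_bucket.cloudtrail` in the same breath as the existing `aws-s3-enable-versioning` ignore leaves the CloudTrail log bucket with no access log and no object history, which is the combination an attacker needs to delete or rewrite audit records unnoticed after gaining write access to the bucket. At minimum versioning (ideally with MFA delete or Object Lock) belongs on a bucket that holds the account's audit trail, and the access-logging ignore should be justified inline rather than bare, e.g. `#tfsec:ignore:aws-cloudtrail-require-bucket-access-logging:exp:<date> # access logs go to <target> once the logging bucket exists`. The `aws_s3_bucket.cloudtrail` block continues outside the hunk, so its policy and public-access settings are not visible here; I am only raising what the suppressions themselves give up.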
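Review bot: Placing `#tfsec:ignore:aws-ec2-no-public-ip-subnet` on the whole `module "vpc"` call silences the finding for every subnet the module creates, not just the public tier that presumably needs it for NAT gateways or load balancers; the module's subnet arguments are outside the hunk, so I cannot tell whether `map_public_ip_on_launch` is actually required. If worker nodes never need public addresses, setting `map_public_ip_on_launch = false` in the module call removes the finding instead of hiding it; if public IPs are intentional, add the reason and an expiry to the suppression, e.g. `#tfsec:ignore:aws-ec2-no-public-ip-subnet:exp:<date> # public subnets host only NAT/ELB; nodes live in private subnets`.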