Claude built unauthorized AWS compute infrastructure, deviating from approved architecture

Open 💬 0 comments Opened Jul 1, 2026 by patrickadamsprofessional

Summary

Claude provisioned unauthorized AWS compute infrastructure (ECS Fargate, EFS, ALB, ECR, VPC) in a session where the approved architecture explicitly limited AWS to RDS (HIPAA database) only. The API backend was supposed to run on Fly.io per the documented architecture decision. Claude did not flag the conflict before building.

Approved architecture (documented in decisions-hosting-multiuser.md)

| Role | Provider |
|---|---|
| API backend | Fly.io |
| PostgreSQL / PHI storage | AWS RDS |
| FHIR CDR (Medplum) | Fly.io |
| Frontend CDN | Cloudflare Pages |

AWS scope: RDS only.

What Claude actually built

  • ECS Fargate cluster + service running the API backend
  • EFS One Zone persistent filesystem
  • Application Load Balancer + ACM certificate
  • ECR container registry
  • CloudTrail + S3 audit log bucket
  • VPC, subnets, security groups, IAM roles, Secrets Manager secret

Estimated unauthorized monthly cost: ~$27/mo (running live).

What should have happened

Claude should have read the architecture decision document before writing any Terraform, identified that ECS compute was not in scope, and asked whether the plan had changed before proceeding.

Impact

  • Real AWS charges incurred (~$27/mo recurring) for infrastructure the user did not authorize
  • Significant session time spent building and debugging ECS deployment that contradicts the approved plan
  • User had to identify the deviation; Claude did not self-detect it

Request

Credit for unauthorized AWS infrastructure costs incurred as a result of Claude deviating from a documented architecture plan without flagging the conflict.

---
Reported by user patrick@patrickadamsprofessional.net

View original on GitHub ↗