A demonstration of implementing compliance controls as code with Terraform, AWS Config, and Python. The Terraform code provisions AWS resources with security controls built in, AWS Config continuously evaluates them against compliance rules, and a Python script turns the evaluation results into context-aware Slack notifications and an audit trail.
- Infrastructure as Code: Terraform-based AWS resource provisioning with built-in compliance controls
- Automated Compliance Checking: Integration with AWS Config for continuous compliance monitoring
- Real-time Notifications: Context-aware Slack reporting with risk levels and remediation guides
- Audit Trail: CSV export for long-term compliance tracking
- Security Best Practices: Encryption, versioning, access controls, and proper tagging
Context-aware compliance report sent to Slack via ComplianceBot showing detailed compliance status for AWS Config rules. Includes risk levels (High/Medium/Low), regulatory mapping (GDPR, ISO 27001, NIST 800-53), remediation guides, and direct links to AWS documentation for each compliance rule.
AWS Config service showing compliance evaluation results for managed rules. Displays compliance status (Compliant/Non-Compliant), number of non-compliant resources, rule types, and evaluation modes. Rules include encryption checks (s3-bucket-server-side-encryption-enabled) and tagging requirements (required-owner-tag) for continuous compliance monitoring.
IAM user permissions policies interface showing managed policies attached to users. Demonstrates least-privilege access control and policy management for compliance with security best practices and audit requirements.
```text
aws-compliance-as-code/
│
├── images/               # Screenshots and demo images
├── main.tf               # Terraform infrastructure with compliance controls
├── variables.tf          # Terraform variables with validation rules
├── outputs.tf            # Terraform outputs configuration
├── report.py             # Python compliance reporting with AWS Config
├── compliance_rules.py   # Compliance rules configuration
├── requirements.txt      # Python dependencies
├── .env.example          # Example environment variables template
├── .gitignore            # Git ignore rules for sensitive data
└── README.md             # This documentation
```
- Terraform >= 1.0
- Python >= 3.7
- AWS CLI configured with appropriate credentials
- AWS account with necessary permissions
- Slack workspace with a bot token
1. Clone the repository:

```bash
git clone https://github.com/yourusername/aws-compliance-as-code.git
cd aws-compliance-as-code
```

2. Install Python dependencies:

```bash
pip install -r requirements.txt
```

3. Set up environment variables:

```bash
cp .env.example .env
# Edit .env with your actual Slack bot token and channel ID
```

4. Configure AWS credentials (prefer an IAM role or temporary credentials; static keys are the fallback, and must never be committed):

```bash
aws configure
# Or use environment variables
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"
```

5. Initialize Terraform:

```bash
terraform init
```

6. Plan the infrastructure and review the proposed changes:

```bash
terraform plan
```

7. Apply the infrastructure:

```bash
terraform apply
```

8. Run compliance checks and send the results to Slack:

```bash
python report.py
```
1. S3 Bucket Security:
   - Server-side encryption at rest (SSE-S3, AES256)
   - Versioning enabled
   - Public access blocked
   - Proper tagging for accountability
2. IAM Security:
   - Least privilege access policies
   - Role-based access control
   - Resource-specific permissions
3. Network Security:
   - Security groups with restrictive rules
   - HTTPS and SSH access only
   - Ingress limited to specified CIDR ranges
4. Logging & Monitoring:
   - CloudWatch log groups
   - Configurable log retention
   - Structured logging
The report.py script provides comprehensive compliance checking:
- Automated Validation: Checks AWS Config compliance rules
- Security Compliance: Validates S3, IAM, and Security Group configurations
- Context-Aware Reporting: Includes risk levels, regulation mapping, and remediation guides
- Multiple Output Formats: Terminal output, Slack notifications, and CSV export
- CI/CD Integration: Audit-ready reports with timestamps
```bash
# Basic compliance check with Slack notification
python report.py

# Generate JSON report
python report.py --format json --output compliance-report.json

# Generate Markdown report
python report.py --format markdown --output compliance-report.md
```

The compliance report includes:
- Summary Statistics: Total checks, passed, failed, warnings
- Detailed Results: Individual check status and messages
- Risk Assessment: Low/Medium/High risk classification
- Regulatory Mapping: GDPR, ISO 27001, NIST 800-53, SOC 2 compliance
- Remediation Guides: Direct links to fix compliance issues
- Timestamps: When checks were performed
1. Extend the RULE_CONTEXT in report.py:

```python
RULE_CONTEXT = {
    "your-rule-name": {
        "context": "Why this rule matters",
        "reference": "AWS documentation link",
        "regulation": "Regulatory requirements",
        "risk": "High/Medium/Low",
        "remediation": "How to fix it",
    }
}
```

2. Update AWS Config rules in fetch_config_compliance():

```python
rules = [
    "s3-bucket-server-side-encryption-enabled",
    "required-owner-tag",
    "your-new-rule",
]
```
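The following is an added example of how the reporting pipeline described above fits together; it is not the project's report.py. It queries AWS Config for the rule list, enriches each result with RULE_CONTEXT, and renders both a Slack Block Kit payload and CSV audit rows. The two AWS Config calls (describe_compliance_by_config_rule, get_compliance_details_by_config_rule) are the real boto3 API; everything else, including the function names, the FakeConfigClient and its response data, and the illustrative context entries, is an assumption made for this example so that it runs offline.

```python
import csv
import io
from datetime import datetime, timezone

# Same shape as the RULE_CONTEXT the page describes; these entries are illustrative.
RULE_CONTEXT = {
    "s3-bucket-server-side-encryption-enabled": {
        "context": "Ensures S3 buckets enforce encryption at rest",
        "reference": "https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html",
        "regulation": "GDPR Art.32, ISO 27001 A.10",
        "risk": "High",
        "remediation": "Enable default bucket encryption",
    },
    "required-owner-tag": {
        "context": "Every resource must carry an Owner tag for accountability",
        "reference": "https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html",
        "regulation": "ISO 27001 A.8",
        "risk": "Medium",
        "remediation": "Add an Owner tag to the resource",
    },
}
RULES = list(RULE_CONTEXT)
UNKNOWN = {"context": "", "reference": "", "regulation": "", "risk": "Unknown", "remediation": ""}

def fetch_config_compliance(client, rules):
    """One dict per rule: AWS Config status, enriched context, non-compliant resource IDs.
    `client` is boto3.client("config") or anything with the same two methods (NextToken paging omitted)."""
    resp = client.describe_compliance_by_config_rule(ConfigRuleNames=list(rules))
    results = []
    for item in resp["ComplianceByConfigRules"]:
        name = item["ConfigRuleName"]
        status = item["Compliance"]["ComplianceType"]  # COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, INSUFFICIENT_DATA
        offenders = []
        if status == "NON_COMPLIANT":
            details = client.get_compliance_details_by_config_rule(
                ConfigRuleName=name, ComplianceTypes=["NON_COMPLIANT"])
            for ev in details["EvaluationResults"]:
                q = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
                offenders.append(f'{q["ResourceType"]}/{q["ResourceId"]}')
        results.append({"rule": name, "status": status, "resources": offenders,
                        **RULE_CONTEXT.get(name, UNKNOWN)})
    return results

def summarize(results):
    """Counts for the report header; NOT_APPLICABLE / INSUFFICIENT_DATA land in 'other'."""
    counts = {"compliant": 0, "non_compliant": 0, "other": 0, "total": len(results)}
    for r in results:
        counts[{"COMPLIANT": "compliant", "NON_COMPLIANT": "non_compliant"}.get(r["status"], "other")] += 1
    return counts

def to_slack_blocks(results, generated_at):
    """Block Kit payload for chat.postMessage; failing rules are listed first."""
    s = summarize(results)
    blocks = [
        {"type": "header", "text": {"type": "plain_text", "text": "Compliance-as-Code Report"}},
        {"type": "section", "text": {"type": "mrkdwn", "text":
            f"Generated: {generated_at}\nCompliant: {s['compliant']}  Non-Compliant: {s['non_compliant']}"}},
    ]
    for r in sorted(results, key=lambda r: (r["status"] != "NON_COMPLIANT", r["rule"])):
        icon = ":white_check_mark:" if r["status"] == "COMPLIANT" else ":x:"
        lines = [f"{icon} *{r['rule']}* ({r['status']}, risk {r['risk']})",
                 f"_{r['context']}_", f"Regulation: {r['regulation']}"]
        if r["resources"]:
            lines.append("Non-compliant: " + ", ".join(r["resources"]))
            lines.append(f"Remediation: {r['remediation']} (<{r['reference']}|docs>)")
        blocks.append({"type": "section", "text": {"type": "mrkdwn", "text": "\n".join(lines)}})
    return blocks

def to_csv(results, generated_at):
    """Audit-trail rows; append them to a file to track compliance over time."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp", "rule", "status", "risk", "non_compliant_resources"])
    for r in results:
        w.writerow([generated_at, r["rule"], r["status"], r["risk"], ";".join(r["resources"])])
    return buf.getvalue()

class FakeConfigClient:
    """Constructed stand-in for boto3.client("config") so the example runs offline."""
    def describe_compliance_by_config_rule(self, ConfigRuleNames):
        return {"ComplianceByConfigRules": [
            {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
             "Compliance": {"ComplianceType": "COMPLIANT"}},
            {"ConfigRuleName": "required-owner-tag",
             "Compliance": {"ComplianceType": "NON_COMPLIANT"}}]}
    def get_compliance_details_by_config_rule(self, ConfigRuleName, ComplianceTypes):
        return {"EvaluationResults": [{
            "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": ConfigRuleName, "ResourceType": "AWS::S3::Bucket",
                "ResourceId": "example-logs-bucket"}},
            "ComplianceType": "NON_COMPLIANT"}]}

if __name__ == "__main__":
    # Swap FakeConfigClient() for boto3.client("config"); post `blocks` via Slack chat.postMessage with the bot token from .env.
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    res = fetch_config_compliance(FakeConfigClient(), RULES)
    print(to_csv(res, now))
    print(to_slack_blocks(res, now))
```

The client is injected rather than created inside the function so the same code runs in CI against a stub and in production against boto3. Statuses other than COMPLIANT and NON_COMPLIANT are counted separately rather than silently treated as passes: a rule reporting INSUFFICIENT_DATA has not evaluated anything yet and should not make a report look green.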
Modify variables.tf to add new parameters:

```hcl
variable "custom_setting" {
  description = "Custom compliance setting"
  type        = string
  default     = "secure-default"

  # Rejected at plan time unless the value is lowercase letters and hyphens only
  validation {
    condition     = can(regex("^[a-z-]+$", var.custom_setting))
    error_message = "Setting must be lowercase with hyphens only."
  }
}
```

Sample terminal output:

```text
Compliance-as-Code Report
Generated: 2025-01-15 10:30:00 UTC
Compliant: 1
Non-Compliant: 1
────────────────────────────
Rule: s3-bucket-server-side-encryption-enabled
Status: COMPLIANT
Risk Level: High
Context: Ensures S3 buckets enforce encryption at rest
Regulation: GDPR Art.32, ISO 27001 A.10
Remediation: Enable default bucket encryption
────────────────────────────
```
Never commit:
- `.env` - contains the Slack bot token and other secrets
- `terraform.tfstate` (and `terraform.tfstate.backup`) - contains AWS resource IDs and can hold secrets in plain text; keep state in a remote backend with encryption and access controls
- `.aws/credentials` - AWS access keys
- Any files with real account IDs or personal information

- Always use `.env.example` as a template
- Rotate keys immediately if accidentally committed, and treat them as compromised even after the commit is rewritten: clones, forks and caches keep the history
- Use AWS IAM roles instead of access keys when possible
- Enable GitHub Secret Scanning in repository settings
- Use pre-commit hooks to prevent secret commits
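A minimal pre-commit hook of the kind recommended above, added here as an example and not part of the project: it refuses to stage the files in the never-commit list and scans staged content for AWS access key IDs, literal AWS secret keys and Slack bot tokens. The regular expressions, the `allow-secret` opt-out marker and the constructed sample files are assumptions for this example; the key values in the sample are the placeholders AWS uses in its own documentation.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA
# (temporary); Slack bot tokens look like xoxb-<digits>-<digits>-<alphanumerics>.
# A bare secret access key is too generic to match on its own, so the hook
# also refuses any 40-character literal assigned to AWS_SECRET_ACCESS_KEY.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{8,}-[0-9]{8,}-[A-Za-z0-9]{20,}\b"),
}
# Files from the never-commit list; .env.example is deliberately not matched.
FORBIDDEN_PATHS = re.compile(r"(^|/)(\.env|terraform\.tfstate(\.backup)?|\.aws/credentials)$")

def scan_text(text):
    """Return (line_number, pattern_name) for every secret-looking line in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "allow-secret" in line:  # assumed opt-out marker for documented placeholders
            continue
        findings.extend((n, name) for name, pat in PATTERNS.items() if pat.search(line))
    return findings

def check_staged(paths, read):
    """paths: staged file names; read(path) returns the staged content as str.
    Returns human-readable problems; an empty list means the commit may proceed."""
    problems = []
    for p in paths:
        if FORBIDDEN_PATHS.search(p):
            problems.append(f"{p}: must never be committed (keep it in .gitignore)")
            continue
        problems.extend(f"{p}:{n}: possible {name}" for n, name in scan_text(read(p)))
    return problems

# Constructed staged files for an offline run (AWS documentation placeholder keys, not real credentials).
SAMPLE_STAGED = {
    "terraform.tfstate": '{"version": 4}',
    ".env.example": "SLACK_BOT_TOKEN=xoxb-your-token-here\nSLACK_CHANNEL_ID=C0123456789\n",
    "report.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                  'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
                  'token = "xoxb-123456789012-1234567890123-abcdefghijklmnopqrstuvwx"\n'),
    "main.tf": 'bucket = "compliance-demo-bucket"  # allow-secret: bucket name, not a secret\n',
}

def demo():
    """Run the hook logic over the constructed sample without touching git."""
    return check_staged(sorted(SAMPLE_STAGED), SAMPLE_STAGED.__getitem__)

def main():
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                            capture_output=True, text=True, check=True).stdout.split()
    def read_index(path):  # read the staged blob, not the working-tree copy
        return subprocess.run(["git", "show", f":{path}"], capture_output=True,
                              text=True, check=True).stdout
    problems = check_staged(staged, read_index)
    if problems:
        print("\n".join(problems), file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) or wire it into the pre-commit framework. The hook reads the staged blob with `git show :path` rather than the working tree, so an unstaged edit cannot hide a secret that is about to be committed. It is a last line of defence for the specific secrets this project handles; dedicated scanners such as gitleaks cover many more formats.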
- Terraform AWS Provider Documentation
- AWS Config User Guide
- AWS Security Best Practices
- Compliance-as-Code Patterns
- Infrastructure Security Guidelines
This project is licensed under the MIT License - see the LICENSE file for details.


