Skip to main content

SOC2 compliance evidence generator for Terraform AWS infrastructure

Project description

Terraform Registry SOC2 Compliance Terraform LocalStack Python License

CloudCompliance — SOC2-Ready AWS IaC

Infrastructure as Code that provisions a SOC2 Type II-aligned AWS environment in one command. Zero manual security configuration required.

The Problem

Startups spend 6–12 months retrofitting SOC2 controls onto infrastructure that was never designed to be compliant. Security is an afterthought — CloudTrail gets enabled after an incident, encryption gets added before an audit, RBAC gets tightened only when required.

This IaC eliminates that retrofit entirely. Every SOC2 control is provisioned automatically at infrastructure creation time.


SOC2 Control Coverage

Control Title Resources Enforced
CC6.1 Network Isolation VPC, private subnets, deny-all security group
CC6.2 Authentication Controls IAM password policy, MFA alert, least-privilege role
CC6.6 Transmission Protection HTTPS-only S3 bucket policy, TLS enforcement
CC6.7 Encryption at Rest KMS CMK, S3 server-side encryption, encrypted data bucket
CC7.1 Threat Detection CloudWatch alarms, AWS Config recorder, Config rules
CC7.2 Audit Logging Versioned audit bucket, delete protection, Config delivery
CC8.1 Change Management IaC-controlled infra, Config recorder status tracking

Scope note: This IaC implements the technical infrastructure controls mapped to SOC2 Common Criteria CC6-CC8. Full SOC2 Type II certification additionally requires organizational policies, vendor management, employee training, and 6-12 months of evidence collection — which are outside the scope of infrastructure code.


What Gets Provisioned (29 resources)

Networking — CC6.1

  • Private VPC (10.0.0.0/16) with 2 private subnets
  • No public subnets — zero internet exposure by default
  • Default-deny security group — all inbound/outbound blocked

Logging — CC7.2

  • Dedicated audit S3 bucket with versioning enabled
  • Delete protection policy — no object or bucket deletion allowed
  • HTTPS-only access policy on audit bucket

Encryption — CC6.7

  • KMS Customer Managed Key (CMK) with automatic key rotation
  • S3 encrypted data bucket with KMS SSE
  • HTTPS-only bucket policy — plaintext requests denied

IAM — CC6.2

  • Account password policy: 14 chars, complexity, 90-day rotation, 24 history
  • Least-privilege IAM role — S3 read + KMS decrypt only
  • SNS topic for root account usage alerts

Monitoring — CC7.1

  • CloudWatch alarm: root account login detection
  • CloudWatch alarm: public S3 bucket detection
  • Both wired to SNS alert topic

Config — CC7.1 + CC7.2

  • AWS Config recorder — all resource types, all regions
  • Config delivery channel → audit S3 bucket
  • Config rules: S3 public read prohibited, S3 encryption required, root MFA

Quick Start

Requirements: Terraform ≥ 1.15, Docker

# 1. Start LocalStack (free local AWS)
docker run --rm -d -p 4566:4566 localstack/localstack:3.4.0

# 2. Deploy all SOC2 controls
make deploy

# 3. Generate compliance evidence report
make report

Use as a Terraform Module

module "soc2_baseline" {
  source  = "KADHIRAVANEG/cloudcompliance/aws"
  version = "1.0.0"

  project_name = "my-startup"
  environment  = "prod"
  aws_region   = "us-east-1"
}
terraform init
terraform apply

Expected output:

╭────────────────────────────────────────╮
│ CloudCompliance — SOC2 Evidence Report │
│ Total resources provisioned: 29        │
╰────────────────────────────────────────╯
SOC2 Compliance Score: 100% (7/7 controls passing)

Project Structure

cloudcompliance/
├── terraform/
│   ├── main.tf                  # Root — calls all modules
│   ├── variables.tf             # Environment, region, endpoint
│   ├── backend.tf               # Local (dev) / S3 (prod) backend
│   ├── local.tfvars             # LocalStack config
│   ├── prod.tfvars              # Real AWS config
│   └── modules/
│       ├── networking/          # CC6.1 — VPC, subnets, SGs
│       ├── logging/             # CC7.2 — Audit bucket
│       ├── encryption/          # CC6.7 — KMS, encrypted S3
│       ├── iam/                 # CC6.2 — Password policy, roles
│       ├── monitoring/          # CC7.1 — CloudWatch alarms
│       └── config/              # CC7.1/7.2 — Config rules
├── compliance/
│   └── report.py                # SOC2 evidence generator
├── .github/workflows/
│   └── compliance.yml           # CI gate — blocks non-compliant PRs
└── Makefile                     # make deploy / report / destroy

CI/CD Compliance Gate

Every pull request automatically:

  1. Validates Terraform formatting and syntax
  2. Deploys to LocalStack
  3. Runs the compliance report
  4. Blocks merge if any SOC2 control is missing

Deploying to Real AWS

# 1. Configure AWS credentials
aws configure

# 2. Deploy to real AWS
make deploy-prod

For production, uncomment the S3 backend in terraform/backend.tf to enable remote state with DynamoDB locking.


LocalStack vs Real AWS

Feature LocalStack (free) Real AWS
VPC / Subnets
S3 + Encryption
KMS
IAM
CloudWatch
AWS Config
SNS
CloudTrail ⚠️ Pro only
GuardDuty ⚠️ Pro only

Standards Referenced


Tech Stack

Terraform · Python · AWS · LocalStack · GitHub Actions · KMS · IAM · CloudWatch · SNS · AWS Config


Author

Kadhiravan E.G. — 3rd year Cybersecurity student
GitHub: @KADHIRAVANEG

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cloudcompliance-1.0.0.tar.gz (7.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cloudcompliance-1.0.0-py3-none-any.whl (8.1 kB view details)

Uploaded Python 3

File details

Details for the file cloudcompliance-1.0.0.tar.gz.

File metadata

  • Download URL: cloudcompliance-1.0.0.tar.gz
  • Upload date:
  • Size: 7.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for cloudcompliance-1.0.0.tar.gz
Algorithm Hash digest
SHA256 5a6312ef18298a44c670ab56be98e5705db57cbaf52919e54861baa2b048c3e2
MD5 739a4d7ab3c0dcd061b9fdb1500b59c4
BLAKE2b-256 bfa7da64a8a59a7b79d8b558a3358e4903c5d6b7d0ee555d6cd116b434f3af41

See more details on using hashes here.

File details

Details for the file cloudcompliance-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for cloudcompliance-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0849b42ace283e3419143dac4db5a1934a6854b43dec8f3c6ae880b773caffeb
MD5 3905d9a513aa9055f0eb47fd5b6b9d0d
BLAKE2b-256 abcc7fc169ec4c9dc761558a541755c9f9d9b4be2690fa8b9eca861d118f939e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page