Skip to main content

SOC2 compliance evidence generator for Terraform AWS infrastructure

Project description

Docker PyPI version PyPI downloads Terraform Registry SOC2 Compliance Terraform LocalStack Python License

CloudCompliance — SOC2-Ready AWS IaC

Infrastructure as Code that provisions a SOC2-aligned AWS security baseline in one command. Zero manual security configuration required.

The Problem

Startups spend 6–12 months retrofitting SOC2 controls onto infrastructure that was never designed to be compliant. Security is an afterthought — CloudTrail gets enabled after an incident, encryption gets added before an audit, RBAC gets tightened only when required.

This IaC eliminates that retrofit entirely. Every SOC2 control is provisioned automatically at infrastructure creation time.


SOC2 Control Coverage

Control Title Resources Enforced
CC6.1 Network Isolation VPC, private subnets, deny-all security group
CC6.2 Authentication Controls IAM password policy, MFA alert, least-privilege role
CC6.6 Transmission Protection HTTPS-only S3 bucket policy, TLS enforcement
CC6.7 Encryption at Rest KMS CMK, S3 server-side encryption, encrypted data bucket
CC7.1 Threat Detection CloudWatch alarms, AWS Config recorder, Config rules
CC7.2 Audit Logging Versioned audit bucket, delete protection, Config delivery
CC8.1 Change Management IaC-controlled infra, Config recorder status tracking

Scope note: This IaC implements the technical infrastructure controls mapped to SOC2 Common Criteria CC6-CC8. Full SOC2 Type II certification additionally requires organizational policies, vendor management, employee training, and 6-12 months of evidence collection — which are outside the scope of infrastructure code.


What Gets Provisioned (29 resources)

Networking — CC6.1

  • Private VPC (10.0.0.0/16) with 2 private subnets
  • No public subnets — zero internet exposure by default
  • Default-deny security group — all inbound/outbound blocked

Logging — CC7.2

  • Dedicated audit S3 bucket with versioning enabled
  • Delete protection policy — no object or bucket deletion allowed
  • HTTPS-only access policy on audit bucket

Encryption — CC6.7

  • KMS Customer Managed Key (CMK) with automatic key rotation
  • S3 encrypted data bucket with KMS SSE
  • HTTPS-only bucket policy — plaintext requests denied

IAM — CC6.2

  • Account password policy: 14 chars, complexity, 90-day rotation, 24 history
  • Least-privilege IAM role — S3 read + KMS decrypt only
  • SNS topic for root account usage alerts

Monitoring — CC7.1

  • CloudWatch alarm: root account login detection
  • CloudWatch alarm: public S3 bucket detection
  • Both wired to SNS alert topic

Config — CC7.1 + CC7.2

  • AWS Config recorder — all resource types, all regions
  • Config delivery channel → audit S3 bucket
  • Config rules: S3 public read prohibited, S3 encryption required, root MFA

Quick Start

Requirements: Terraform ≥ 1.15, Docker

# 1. Start LocalStack (free local AWS)
docker run --rm -d -p 4566:4566 localstack/localstack:3.4.0

# 2. Deploy all SOC2 controls
make deploy

# 3. Generate compliance evidence report
make report

Use as a Terraform Module

module "soc2_baseline" {
  source  = "KADHIRAVANEG/cloudcompliance/aws"
  version = "1.0.0"

  project_name = "my-startup"
  environment  = "prod"
  aws_region   = "us-east-1"
}
terraform init
terraform apply

Install the CLI

pip install cloudcompliance
cloudcompliance

Docker Usage

# Pull the image
docker pull ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest

# Run against your terraform state
docker run -v /path/to/your/terraform:/app/terraform \
  ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest

# Run against this repo's state
docker run -v ~/cloudcompliance/terraform:/app/terraform \
  ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest

Expected output:

╭────────────────────────────────────────╮
│ CloudCompliance — SOC2 Evidence Report │
│ Total resources provisioned: 29        │
╰────────────────────────────────────────╯
SOC2 Compliance Score: 100% (7/7 controls passing)

Project Structure

cloudcompliance/
├── terraform/
│   ├── main.tf                  # Root — calls all modules
│   ├── variables.tf             # Environment, region, endpoint
│   ├── backend.tf               # Local (dev) / S3 (prod) backend
│   ├── local.tfvars             # LocalStack config
│   ├── prod.tfvars              # Real AWS config
│   └── modules/
│       ├── networking/          # CC6.1 — VPC, subnets, SGs
│       ├── logging/             # CC7.2 — Audit bucket
│       ├── encryption/          # CC6.7 — KMS, encrypted S3
│       ├── iam/                 # CC6.2 — Password policy, roles
│       ├── monitoring/          # CC7.1 — CloudWatch alarms
│       └── config/              # CC7.1/7.2 — Config rules
├── compliance/
│   └── report.py                # SOC2 evidence generator
├── .github/workflows/
│   └── compliance.yml           # CI gate — blocks non-compliant PRs
└── Makefile                     # make deploy / report / destroy

Chart

flowchart TD
    %% Styling Definitions
    classDef infra fill:#2980b9,stroke:#fff,color:#fff;
    classDef module fill:#34495e,stroke:#fff,color:#fff;
    classDef glue fill:#f39c12,stroke:#000,color:#000;
    classDef comp fill:#27ae60,stroke:#fff,color:#fff;

    %% Orchestration Layer
    MK[Makefile]:::glue
    CI[.github/workflows/compliance.yml]:::glue

    %% Terraform Root
    TF_Root[terraform/]:::infra
    TF_Root --> Main[main.tf]
    TF_Root --> Vars[vars/backend.tf]
    TF_Root --> TFVars[*.tfvars]

    %% Module Layer
    TF_Root --> Mod[modules/]:::module
    Mod --> N[networking - CC6.1]:::module
    Mod --> L[logging - CC7.2]:::module
    Mod --> E[encryption - CC6.7]:::module
    Mod --> I[iam - CC6.2]:::module
    Mod --> M[monitoring - CC7.1]:::module
    Mod --> C[config - CC7.1/7.2]:::module

    %% Compliance Evidence Layer
    Comp[compliance/report.py]:::comp

    %% Connections
    MK -->|deploy| TF_Root
    MK -->|report| Comp
    CI -->|gate| TF_Root
    CI -->|audit| Comp

CI/CD Compliance Gate

Every pull request automatically:

  1. Validates Terraform formatting and syntax
  2. Deploys to LocalStack
  3. Runs the compliance report
  4. Blocks merge if any SOC2 control is missing

Deploying to Real AWS

# 1. Configure AWS credentials
aws configure

# 2. Deploy to real AWS
make deploy-prod

For production, uncomment the S3 backend in terraform/backend.tf to enable remote state with DynamoDB locking.


LocalStack vs Real AWS

Feature LocalStack (free) Real AWS
VPC / Subnets
S3 + Encryption
KMS
IAM
CloudWatch
AWS Config
SNS
CloudTrail ⚠️ Pro only
GuardDuty ⚠️ Pro only

Standards Referenced


Tech Stack

Terraform · Python · AWS · LocalStack · GitHub Actions · KMS · IAM · CloudWatch · SNS · AWS Config


Author

Kadhiravan E.G. — 3rd year Cybersecurity student
GitHub: @KADHIRAVANEG

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cloudcompliance-1.1.0.tar.gz (8.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cloudcompliance-1.1.0-py3-none-any.whl (8.7 kB view details)

Uploaded Python 3

File details

Details for the file cloudcompliance-1.1.0.tar.gz.

File metadata

  • Download URL: cloudcompliance-1.1.0.tar.gz
  • Upload date:
  • Size: 8.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for cloudcompliance-1.1.0.tar.gz
Algorithm Hash digest
SHA256 15b1ef3332095fae3fa440ae730fac2f77a070c78e9da3a9336b23d0656501c5
MD5 be417a550b66477dcf01d5d000ac1c26
BLAKE2b-256 23caebce2bd7535fb22c1a442325bc685f2ff9d9600cc56741ef52cea54b2ccb

See more details on using hashes here.

File details

Details for the file cloudcompliance-1.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for cloudcompliance-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 591bc3e44d0eb2cbfa6b8f7bd178ead17f87d3299fce474a92759dbbb53d0b30
MD5 3fbf8ad1dbea41e907da1ffad2fc65f8
BLAKE2b-256 3d6ed3b8512232d676c43a8efe1883e4ee6a750fc13545db9c255c20a0cf518b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page