SOC2 compliance evidence generator for Terraform AWS infrastructure
Project description
CloudCompliance — SOC2-Ready AWS IaC
Infrastructure as Code that provisions a SOC2-aligned AWS security baseline in one command. Zero manual security configuration required.
The Problem
Startups spend 6–12 months retrofitting SOC2 controls onto infrastructure that was never designed to be compliant. Security is an afterthought — CloudTrail gets enabled after an incident, encryption gets added before an audit, RBAC gets tightened only when required.
This IaC eliminates that retrofit entirely. Every SOC2 control is provisioned automatically at infrastructure creation time.
SOC2 Control Coverage
| Control | Title | Resources Enforced |
|---|---|---|
| CC6.1 | Network Isolation | VPC, private subnets, deny-all security group |
| CC6.2 | Authentication Controls | IAM password policy, MFA alert, least-privilege role |
| CC6.6 | Transmission Protection | HTTPS-only S3 bucket policy, TLS enforcement |
| CC6.7 | Encryption at Rest | KMS CMK, S3 server-side encryption, encrypted data bucket |
| CC7.1 | Threat Detection | CloudWatch alarms, AWS Config recorder, Config rules |
| CC7.2 | Audit Logging | Versioned audit bucket, delete protection, Config delivery |
| CC8.1 | Change Management | IaC-controlled infra, Config recorder status tracking |
Scope note: This IaC implements the technical infrastructure controls mapped to SOC2 Common Criteria CC6-CC8. Full SOC2 Type II certification additionally requires organizational policies, vendor management, employee training, and 6-12 months of evidence collection — which are outside the scope of infrastructure code.
What Gets Provisioned (29 resources)
Networking — CC6.1
- Private VPC (
10.0.0.0/16) with 2 private subnets - No public subnets — zero internet exposure by default
- Default-deny security group — all inbound/outbound blocked
Logging — CC7.2
- Dedicated audit S3 bucket with versioning enabled
- Delete protection policy — no object or bucket deletion allowed
- HTTPS-only access policy on audit bucket
Encryption — CC6.7
- KMS Customer Managed Key (CMK) with automatic key rotation
- S3 encrypted data bucket with KMS SSE
- HTTPS-only bucket policy — plaintext requests denied
IAM — CC6.2
- Account password policy: 14 chars, complexity, 90-day rotation, 24 history
- Least-privilege IAM role — S3 read + KMS decrypt only
- SNS topic for root account usage alerts
Monitoring — CC7.1
- CloudWatch alarm: root account login detection
- CloudWatch alarm: public S3 bucket detection
- Both wired to SNS alert topic
Config — CC7.1 + CC7.2
- AWS Config recorder — all resource types, all regions
- Config delivery channel → audit S3 bucket
- Config rules: S3 public read prohibited, S3 encryption required, root MFA
Quick Start
Requirements: Terraform ≥ 1.15, Docker
# 1. Start LocalStack (free local AWS)
docker run --rm -d -p 4566:4566 localstack/localstack:3.4.0
# 2. Deploy all SOC2 controls
make deploy
# 3. Generate compliance evidence report
make report
Use as a Terraform Module
module "soc2_baseline" {
source = "KADHIRAVANEG/cloudcompliance/aws"
version = "1.0.0"
project_name = "my-startup"
environment = "prod"
aws_region = "us-east-1"
}
terraform init
terraform apply
Install the CLI
pip install cloudcompliance
cloudcompliance
Docker Usage
# Pull the image
docker pull ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest
# Run against your terraform state
docker run -v /path/to/your/terraform:/app/terraform \
ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest
# Run against this repo's state
docker run -v ~/cloudcompliance/terraform:/app/terraform \
ghcr.io/kadhiravaneg/terraform-aws-cloudcompliance:latest
Expected output:
╭────────────────────────────────────────╮
│ CloudCompliance — SOC2 Evidence Report │
│ Total resources provisioned: 29 │
╰────────────────────────────────────────╯
SOC2 Compliance Score: 100% (7/7 controls passing)
Project Structure
cloudcompliance/
├── terraform/
│ ├── main.tf # Root — calls all modules
│ ├── variables.tf # Environment, region, endpoint
│ ├── backend.tf # Local (dev) / S3 (prod) backend
│ ├── local.tfvars # LocalStack config
│ ├── prod.tfvars # Real AWS config
│ └── modules/
│ ├── networking/ # CC6.1 — VPC, subnets, SGs
│ ├── logging/ # CC7.2 — Audit bucket
│ ├── encryption/ # CC6.7 — KMS, encrypted S3
│ ├── iam/ # CC6.2 — Password policy, roles
│ ├── monitoring/ # CC7.1 — CloudWatch alarms
│ └── config/ # CC7.1/7.2 — Config rules
├── compliance/
│ └── report.py # SOC2 evidence generator
├── .github/workflows/
│ └── compliance.yml # CI gate — blocks non-compliant PRs
└── Makefile # make deploy / report / destroy
Chart
flowchart TD
%% Styling Definitions
classDef infra fill:#2980b9,stroke:#fff,color:#fff;
classDef module fill:#34495e,stroke:#fff,color:#fff;
classDef glue fill:#f39c12,stroke:#000,color:#000;
classDef comp fill:#27ae60,stroke:#fff,color:#fff;
%% Orchestration Layer
MK[Makefile]:::glue
CI[.github/workflows/compliance.yml]:::glue
%% Terraform Root
TF_Root[terraform/]:::infra
TF_Root --> Main[main.tf]
TF_Root --> Vars[vars/backend.tf]
TF_Root --> TFVars[*.tfvars]
%% Module Layer
TF_Root --> Mod[modules/]:::module
Mod --> N[networking - CC6.1]:::module
Mod --> L[logging - CC7.2]:::module
Mod --> E[encryption - CC6.7]:::module
Mod --> I[iam - CC6.2]:::module
Mod --> M[monitoring - CC7.1]:::module
Mod --> C[config - CC7.1/7.2]:::module
%% Compliance Evidence Layer
Comp[compliance/report.py]:::comp
%% Connections
MK -->|deploy| TF_Root
MK -->|report| Comp
CI -->|gate| TF_Root
CI -->|audit| Comp
CI/CD Compliance Gate
Every pull request automatically:
- Validates Terraform formatting and syntax
- Deploys to LocalStack
- Runs the compliance report
- Blocks merge if any SOC2 control is missing
Deploying to Real AWS
# 1. Configure AWS credentials
aws configure
# 2. Deploy to real AWS
make deploy-prod
For production, uncomment the S3 backend in terraform/backend.tf
to enable remote state with DynamoDB locking.
LocalStack vs Real AWS
| Feature | LocalStack (free) | Real AWS |
|---|---|---|
| VPC / Subnets | ✅ | ✅ |
| S3 + Encryption | ✅ | ✅ |
| KMS | ✅ | ✅ |
| IAM | ✅ | ✅ |
| CloudWatch | ✅ | ✅ |
| AWS Config | ✅ | ✅ |
| SNS | ✅ | ✅ |
| CloudTrail | ⚠️ Pro only | ✅ |
| GuardDuty | ⚠️ Pro only | ✅ |
Standards Referenced
- AICPA SOC2 Trust Services Criteria 2017
- CIS AWS Foundations Benchmark v2.0
- NIST SP 800-53 Rev 5
- AWS Security Reference Architecture
Tech Stack
Terraform · Python · AWS · LocalStack · GitHub Actions · KMS · IAM · CloudWatch · SNS · AWS Config
Author
Kadhiravan E.G. — 3rd year Cybersecurity student
GitHub: @KADHIRAVANEG
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cloudcompliance-1.1.0.tar.gz.
File metadata
- Download URL: cloudcompliance-1.1.0.tar.gz
- Upload date:
- Size: 8.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
15b1ef3332095fae3fa440ae730fac2f77a070c78e9da3a9336b23d0656501c5
|
|
| MD5 |
be417a550b66477dcf01d5d000ac1c26
|
|
| BLAKE2b-256 |
23caebce2bd7535fb22c1a442325bc685f2ff9d9600cc56741ef52cea54b2ccb
|
File details
Details for the file cloudcompliance-1.1.0-py3-none-any.whl.
File metadata
- Download URL: cloudcompliance-1.1.0-py3-none-any.whl
- Upload date:
- Size: 8.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
591bc3e44d0eb2cbfa6b8f7bd178ead17f87d3299fce474a92759dbbb53d0b30
|
|
| MD5 |
3fbf8ad1dbea41e907da1ffad2fc65f8
|
|
| BLAKE2b-256 |
3d6ed3b8512232d676c43a8efe1883e4ee6a750fc13545db9c255c20a0cf518b
|