Jeeva
🚀 Terraform Day 21: Policy & Governance Automation on AWS

🎯 What Day 21 Is About

Day 21 demonstrates how to:
Enforce preventive controls using IAM policies
Enable detective controls using AWS Config
Store audit logs securely in S3
Detect non-compliant resources automatically
Troubleshoot real-world permission behavior

This is not theory: it's hands-on governance automation.

🧠 Policy vs Governance (Core Concept)

Understanding this distinction is mandatory in real projects:

πŸ” Policy (Preventive Control)
Implemented using IAM policies
Blocks actions before they happen

Example:
Deny delete without MFA
Deny uploads without encryption
Deny resource creation without required tags

📊 Governance (Detective Control)
Implemented using AWS Config
Detects violations after resources exist

Example:
Unencrypted buckets
Public access enabled
Missing mandatory tags

👉 Policy stops mistakes. Governance reports mistakes.
Both are required.

πŸ—‚οΈ Secure Audit Bucket with Terraform

A dedicated S3 bucket is created for governance logs.
Configured with:
✅ Server-side encryption
✅ Versioning enabled
✅ Public access fully blocked
✅ Bucket policy allowing AWS Config access
This bucket becomes the single source of truth for audit data.

Audit logs must be immutable, private, and durable; Terraform enforces this by design.
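The four bucket properties listed above, written out as Terraform. This is an added example, not the post's own code: it assumes the AWS provider is already configured, and the bucket name is a constructed placeholder. The bucket policy follows the AWS Config delivery-channel requirements (ACL check, bucket listing, and object delivery under the AWSLogs/<account>/Config/ prefix with bucket-owner-full-control), scoped to this account only.

```hcl
# Added example, not the post's own code. Assumes the AWS provider is already
# configured; the bucket name is a constructed placeholder.
data "aws_caller_identity" "current" {}

locals {
  account_id        = data.aws_caller_identity.current.account_id
  audit_bucket_name = "example-governance-audit-${local.account_id}" # placeholder
}

resource "aws_s3_bucket" "audit" {
  bucket = local.audit_bucket_name
}

# Encryption at rest: objects written without an explicit header are still
# encrypted with SSE-S3 (AES-256).
resource "aws_s3_bucket_server_side_encryption_configuration" "audit" {
  bucket = aws_s3_bucket.audit.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Versioning preserves earlier object versions, so an overwrite or delete
# does not silently destroy evidence.
resource "aws_s3_bucket_versioning" "audit" {
  bucket = aws_s3_bucket.audit.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Block every form of public access at the bucket level.
resource "aws_s3_bucket_public_access_block" "audit" {
  bucket                  = aws_s3_bucket.audit.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: AWS Config, acting for this account only, may check the ACL,
# list the bucket and deliver objects under the AWSLogs/<account>/Config/ prefix.
data "aws_iam_policy_document" "audit" {
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
    resources = [aws_s3_bucket.audit.arn]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [local.account_id]
    }
  }

  statement {
    sid       = "AWSConfigBucketDelivery"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit.arn}/AWSLogs/${local.account_id}/Config/*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    # Config must hand ownership of each delivered object to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [local.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.audit.json

  # Make sure the public access block is in place before any policy is attached.
  depends_on = [aws_s3_bucket_public_access_block.audit]
}
```

Two points worth checking after `terraform apply`: the `AWS:SourceAccount` condition is what stops a Config recorder in another account from writing into this bucket, and versioning alone does not make objects immutable (it prevents silent overwrites, but a principal with `s3:DeleteObjectVersion` can still remove history), which is why the IAM guardrails below gate destructive S3 actions behind MFA.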

🔒 IAM Policies for Enforcement
Multiple custom IAM policies are created using Terraform.
Examples covered:
MFA enforcement for destructive actions
Encryption-in-transit enforcement for S3 uploads
Mandatory EC2 tagging to enforce cost and ownership standards

These policies are:
Written as JSON
Managed via Terraform
Attached to users and roles programmatically

This ensures rules are consistent, repeatable, and reviewable.
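One policy document that implements the three preventive examples from the Policy vs Governance section (deny delete without MFA, deny uploads without encryption, deny resource creation without required tags) together with the three enforcement cases listed in this section (MFA for destructive actions, encryption in transit for S3, mandatory EC2 tagging). This is an added example, not the post's own code: the policy name, the role name in `var.enforced_role_name`, and the `Owner` tag key are assumptions; the IAM condition keys (`aws:MultiFactorAuthPresent`, `s3:x-amz-server-side-encryption`, `aws:SecureTransport`, `aws:RequestTag/...`) are standard AWS keys.

```hcl
# Added example, not the post's own code. Assumes the AWS provider is configured
# and that the IAM role named in var.enforced_role_name already exists.
variable "enforced_role_name" {
  description = "Existing IAM role that receives the guardrail policy (placeholder)"
  type        = string
}

data "aws_iam_policy_document" "guardrails" {
  # 1. Destructive S3 actions require an MFA-authenticated session.
  #    BoolIfExists also treats a missing key (no MFA context at all, as with
  #    long-term access keys) as a violation, so those callers are denied too.
  statement {
    sid       = "DenyDestructiveS3WithoutMFA"
    effect    = "Deny"
    actions   = ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"]
    resources = ["*"]

    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }

  # 2a. Encryption at rest: an upload that does not request server-side
  #     encryption is refused. Null = true means "the header is absent".
  statement {
    sid       = "DenyUnencryptedObjectUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["*"]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }

  # 2b. Encryption in transit: any S3 call made over plain HTTP is refused.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = ["*"]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # 3. Mandatory tagging: an EC2 instance cannot be launched unless the request
  #    tags it with an Owner key (tag key is an assumption for this example).
  #    Conditions inside one statement are ANDed, so add one statement per
  #    required tag rather than listing several keys here.
  statement {
    sid       = "DenyUntaggedInstanceLaunch"
    effect    = "Deny"
    actions   = ["ec2:RunInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    condition {
      test     = "Null"
      variable = "aws:RequestTag/Owner"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "guardrails" {
  name        = "governance-guardrails" # placeholder name
  description = "Preventive controls: MFA for deletes, encryption for uploads, mandatory tags"
  policy      = data.aws_iam_policy_document.guardrails.json
}

# Attach programmatically; the same attachment resource works for users and groups.
resource "aws_iam_role_policy_attachment" "guardrails" {
  role       = var.enforced_role_name
  policy_arn = aws_iam_policy.guardrails.arn
}
```

Two behaviours to expect when testing: `aws:MultiFactorAuthPresent` is `false` for role sessions obtained without MFA (an EC2 instance profile, for example), so automation running under such a role is denied deletes by statement 1 and needs its own, narrower role; and statement 2a denies uploads that omit the encryption header even when the bucket has default encryption, so SDK clients must set it explicitly. Checking these with `aws iam simulate-principal-policy` before rollout is the practical form of the "testing policies" takeaway at the end of the post.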

📈 AWS Config for Continuous Compliance

AWS Config is enabled end-to-end using Terraform:

Components created:
Config Recorder
Delivery Channel pointing to the audit bucket
Managed compliance rules

Rules demonstrated:
S3 public access prohibited
Encryption enabled on buckets and EBS volumes
Required resource tags
Root account MFA enabled

AWS Config continuously evaluates the recorded resources against these rules and reports each resource's compliance status automatically.
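The three components and the rule set described above, as Terraform. This is an added example, not the post's own code: it assumes the AWS provider is configured and that `var.audit_bucket_name` is the governance bucket from the earlier section (so the bucket policy that lets Config write to it is already in place); the role and rule names, and the `Owner`/`CostCenter` tag keys passed to `REQUIRED_TAGS`, are assumptions. The `source_identifier` values are AWS managed rule identifiers.

```hcl
# Added example, not the post's own code. Assumes the AWS provider is configured
# and that the named bucket already allows delivery from config.amazonaws.com.
variable "audit_bucket_name" {
  description = "Governance audit bucket that receives Config snapshots (placeholder)"
  type        = string
}

# Service role the recorder assumes to read resource configurations.
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "aws-config-recorder-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

# AWS-managed read-only policy for the Config service role.
resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# 1. Config Recorder: record every supported resource type. Global resources
#    (IAM, etc.) should be recorded from exactly one region to avoid duplicates.
resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# 2. Delivery Channel pointing at the audit bucket.
resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = var.audit_bucket_name
  depends_on     = [aws_config_configuration_recorder.main]
}

# The recorder only starts once a delivery channel exists.
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

# 3. Managed compliance rules: one map entry per rule keeps additions reviewable.
locals {
  managed_rules = {
    s3-public-read-prohibited  = { id = "S3_BUCKET_PUBLIC_READ_PROHIBITED", params = {} }
    s3-public-write-prohibited = { id = "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", params = {} }
    s3-sse-enabled             = { id = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", params = {} }
    ebs-encrypted-volumes      = { id = "ENCRYPTED_VOLUMES", params = {} }
    root-account-mfa-enabled   = { id = "ROOT_ACCOUNT_MFA_ENABLED", params = {} }
    required-tags = {
      id     = "REQUIRED_TAGS"
      params = { tag1Key = "Owner", tag2Key = "CostCenter" } # tag keys are assumptions
    }
  }
}

resource "aws_config_config_rule" "managed" {
  for_each = local.managed_rules

  name = each.key

  source {
    owner             = "AWS"
    source_identifier = each.value.id
  }

  # Only rules that take parameters get an input_parameters JSON document.
  input_parameters = length(each.value.params) > 0 ? jsonencode(each.value.params) : null

  depends_on = [aws_config_configuration_recorder.main]
}
```

The `REQUIRED_TAGS` rule evaluates tags on resources after they exist, while the IAM deny in the previous section blocks untagged launches up front; running both is the "prevention plus detection" pairing the post argues for, and a NON_COMPLIANT finding from the rule is the signal that something bypassed the preventive path (a resource created before the policy, or by a principal it was never attached to).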

✅ Key Takeaways

✔ Policy = prevention
✔ Governance = detection
✔ Terraform can automate both
✔ Secure audit logging is non-negotiable
✔ AWS Config complements IAM; it does not replace it
✔ Testing policies is as important as writing them

This is how production AWS accounts are protected.
