STEP 1

Deploy comprehensive AWS security baseline using Terraform with automated monitoring, threat detection, and compliance controls so startups meet enterprise security requirements faster.

How to use the AWS Security Baseline: Terraform Deployment Kit AI Prompt

Overview: This template generates a production-ready, comprehensive AWS Security Baseline implemented entirely via modular Terraform code. It automates the deployment of critical security services—including CloudTrail, GuardDuty, Security Hub, WAF, and Inspector—alongside essential monitoring (CloudWatch Alarms/Dashboards) and robust IAM roles, enabling startups to rapidly achieve enterprise-grade security posture.

Who is this for: Cloud Architects, DevOps Engineers, and Security Consultants who need to standardize secure infrastructure deployment across multiple client environments or internal projects.

How it works: The prompt mandates a structured, modular Terraform approach, separating the core security configuration into a reusable module. It meticulously lists ten critical security components (from multi-region logging to specific IAM roles and KMS encryption) and overlays essential documentation and operational requirements (tagging, state locking, demo scripts). The AI synthesizes these requirements into a complete, deployable IaC kit.

Pro-Tip: To maximize the utility of the generated documentation, specifically prompt the AI to elaborate on the SOC 2 mapping section, requesting it to explicitly link each deployed resource (e.g., GuardDuty) to the relevant control objectives (e.g., CC6.1 or ASR2.1).

Tags: Infrastructure-as-Code, Security & Compliance, Beginner

Original Prompt Template

Create a comprehensive AWS security baseline using Terraform that includes:

1. Multi-region CloudTrail with encryption, log file validation, and CloudWatch integration
2. GuardDuty with S3 protection and malware scanning enabled
3. Security Hub with AWS Foundational Best Practices standard
4. AWS WAF with OWASP Top 10 rules and rate limiting (2000 req/5min)
5. AWS Inspector for EC2, ECR, and Lambda vulnerability scanning
6. CloudWatch Dashboard with 8 widgets showing security metrics
7. 4 CloudWatch Alarms: root account usage, unauthorized API calls (5+ in 5min), IAM policy changes, S3 bucket policy changes
8. 3 IAM roles with least-privilege access:
   - BreakGlassAdmin (requires ExternalId for emergency access)
   - SecurityAuditor (read-only security monitoring)
   - DeveloperTemplate (least-privilege development access)
9. KMS encryption with auto-rotation for CloudTrail and SNS
10. S3 state management with versioning and DynamoDB locking
11. SNS topic for security alerts with email subscription

Requirements:

- Use modular Terraform structure (root + security_baseline module)
- Include comprehensive documentation: README, QUICKSTART, SECURITY-BASELINE with SOC 2 mapping
- Provide migration script for S3 backend
- Include .gitignore for sensitive files
- Add terraform.tfvars.example template
- Create demo scripts for 5-minute and 10-minute presentations
- Ensure all resources are tagged with Project, Environment, ManagedBy
- Configure proper IAM policies and trust relationships
- Enable versioning and encryption on all S3 buckets
- Set up metric filters for security event detection

Output should be production-ready, well-documented, and deployable in under 10 minutes.
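To make items 7, 9 and 11 of the prompt concrete, here is an added Terraform example of the detection chain the prompt asks for: a KMS-encrypted SNS alert topic, CloudTrail metric filters for the four alarm conditions, and alarms with the "5+ in 5 minutes" threshold for unauthorized API calls. This is illustrative code written for this page, not output of the prompt or part of any published kit. It assumes a CloudTrail-backed CloudWatch Logs group already exists and is supplied through the hypothetical variable `cloudtrail_log_group_name`; the filter patterns are the ones recommended by the CIS AWS Foundations Benchmark, and the `SecurityBaseline` metric namespace is a constructed name.

```hcl
# Added example (not the kit's own code). Assumes a multi-region CloudTrail
# already delivers events to the log group named by var.cloudtrail_log_group_name.

variable "cloudtrail_log_group_name" {
  type        = string
  description = "CloudWatch Logs group that CloudTrail writes to (assumed to exist)"
}

variable "alert_email" {
  type = string
}

locals {
  tags = {
    Project     = "security-baseline"
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}

# Customer-managed key with automatic rotation for the alert topic (item 9)
resource "aws_kms_key" "alerts" {
  description         = "Encrypts the security alert SNS topic"
  enable_key_rotation = true
  tags                = local.tags
}

# Alert topic with e-mail subscription (item 11)
resource "aws_sns_topic" "security_alerts" {
  name              = "security-alerts"
  kms_master_key_id = aws_kms_key.alerts.id
  tags              = local.tags
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# One entry per alarm in item 7. Patterns follow the CIS AWS Foundations Benchmark;
# threshold is the number of matching events in a 5-minute window that fires the alarm.
locals {
  filters = {
    root_account_usage = {
      pattern   = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
      threshold = 1
    }
    unauthorized_api_calls = {
      pattern   = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
      threshold = 5 # "5+ in 5min"
    }
    iam_policy_changes = {
      pattern   = "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }"
      threshold = 1
    }
    s3_bucket_policy_changes = {
      pattern   = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
      threshold = 1
    }
  }
}

# Each filter emits a count of 1 per matching CloudTrail event into a custom namespace
resource "aws_cloudwatch_log_metric_filter" "security" {
  for_each       = local.filters
  name           = each.key
  pattern        = each.value.pattern
  log_group_name = var.cloudtrail_log_group_name

  metric_transformation {
    name      = each.key
    namespace = "SecurityBaseline"
    value     = "1"
  }
}

# Sum the metric over a 300-second window and notify the topic when the threshold is reached
resource "aws_cloudwatch_metric_alarm" "security" {
  for_each            = local.filters
  alarm_name          = "security-${each.key}"
  namespace           = "SecurityBaseline"
  metric_name         = each.key
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = each.value.threshold
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # no matching events is the healthy state
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
  tags                = local.tags
}
```

Two points to check when deploying something like this: the alarm only covers the region whose log group it reads, so a multi-region trail must be configured to deliver all regions' events into that single group; and because the topic is KMS-encrypted, the key policy must grant `cloudwatch.amazonaws.com` the `kms:GenerateDataKey` and `kms:Decrypt` actions, otherwise alarm notifications are dropped without any error surfacing in Terraform.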
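Item 8 asks for a BreakGlassAdmin role that requires an ExternalId and a read-only SecurityAuditor role. The following added Terraform example, written for this page rather than produced by the prompt, shows the trust relationship that enforces the ExternalId. It assumes the emergency operator assumes the role from a principal in a separate account, passed in through the hypothetical variable `break_glass_principal_arn`, and it additionally requires MFA on the calling session, which goes beyond the page's ExternalId requirement and is marked as an addition in the code.

```hcl
# Added example (not the kit's own code). Assumes the caller is an IAM principal
# in a separate security account whose ARN is supplied as var.break_glass_principal_arn.

variable "break_glass_principal_arn" {
  type        = string
  description = "Principal allowed to assume BreakGlassAdmin (assumed: a role in another account)"
}

variable "break_glass_external_id" {
  type      = string
  sensitive = true # keep out of plan output and terraform.tfvars in version control
}

locals {
  tags = {
    Project     = "security-baseline"
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}

data "aws_iam_policy_document" "break_glass_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.break_glass_principal_arn]
    }

    # The ExternalId is a shared secret the caller must present on every AssumeRole;
    # a principal that is allowed by the trusted account but lacks the id is refused.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.break_glass_external_id]
    }

    # Addition beyond the page's requirement: the calling session must be MFA-authenticated.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "break_glass_admin" {
  name                 = "BreakGlassAdmin"
  assume_role_policy   = data.aws_iam_policy_document.break_glass_trust.json
  max_session_duration = 3600 # one-hour emergency sessions
  tags                 = local.tags
}

# Emergency access is intentionally broad; the trust policy above is the control.
resource "aws_iam_role_policy_attachment" "break_glass_admin" {
  role       = aws_iam_role.break_glass_admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# SecurityAuditor: read-only monitoring using the AWS-managed SecurityAudit policy
resource "aws_iam_role" "security_auditor" {
  name               = "SecurityAuditor"
  assume_role_policy = data.aws_iam_policy_document.break_glass_trust.json
  tags               = local.tags
}

resource "aws_iam_role_policy_attachment" "security_auditor" {
  role       = aws_iam_role.security_auditor.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

An operator exercising the break-glass path calls `aws sts assume-role` with `--external-id` set to the shared value; CloudTrail records that AssumeRole event, so a metric filter on `$.eventName = AssumeRole` with the role's ARN in `$.requestParameters.roleArn` is a natural fifth alarm to add so that every emergency session produces a notification.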