Cloud Security Baseline
Security configurations for AWS/Azure/GCP: IAM policies, encryption, network security, compliance controls.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 22 files
📖 Documentation Preview README excerpt
Cloud Security Baseline
Production-ready security foundations for AWS: IAM hardening, encryption-at-rest enforcement, network segmentation, centralized logging, and CIS benchmark compliance -- all codified in Terraform and CloudFormation.
Stop building on a shaky security foundation. This baseline gives you a hardened, auditable, compliance-ready AWS account posture from day one. Every control maps to CIS AWS Foundations Benchmark v3.0, every resource is tagged for audit trails, and every decision is documented with the why -- not just the what.
Built for cloud security engineers, platform teams, and architects who need to pass SOC 2, ISO 27001, or PCI audits without scrambling.
What's Included
| Category | Files | Description |
|---|---|---|
| Terraform | iam_baseline.tf, encryption_baseline.tf, network_security.tf, logging_monitoring.tf, variables.tf | Complete IaC for IAM, encryption, networking, and observability |
| CloudFormation | security-hub-baseline.yaml, guardduty-org-setup.yaml | SecurityHub conformance packs + GuardDuty organization rollout |
| Scripts | compliance_checker.py, iam_audit.py, security_score_calculator.py | Automated compliance checking, IAM auditing, and posture scoring |
| Docs | architecture.md, cis_benchmark_guide.md, incident_response_runbook.md | Security architecture diagrams, CIS mapping, and IR procedures |
| Examples | security_policies.json, compliance_config.yaml | Ready-to-use IAM policy documents and compliance checker config |
CIS Benchmark Coverage
This baseline implements 42 of the 58 CIS AWS Foundations Benchmark v3.0 controls out of the box:
Section 1 - Identity and Access Management: 14/16 controls ████████████████████░░ 87%
Section 2 - Storage: 6/6 controls ██████████████████████ 100%
Section 3 - Logging: 8/8 controls ██████████████████████ 100%
Section 4 - Monitoring: 8/12 controls ██████████████████░░░░ 67%
Section 5 - Networking: 6/6 controls ██████████████████████ 100%
─────
42/48 automated (87% coverage)
The remaining controls require manual/organizational processes (MFA hardware tokens, root account procedures, etc.) and are documented in docs/cis_benchmark_guide.md.
Prerequisites
- AWS Account (or AWS Organizations for multi-account setup)
- Terraform >= 1.5.0
- Python >= 3.10 (stdlib only -- no pip packages needed)
- AWS CLI v2 configured with admin credentials
- Permissions: IAM, KMS, VPC, CloudTrail, Config, GuardDuty, SecurityHub admin access
Quick Start
1. Deploy the Security Baseline (Terraform)
# Clone/unzip this product into your infrastructure repo
cp -r terraform/ /path/to/your/infra/security-baseline/
# Review and customize variables
cd /path/to/your/infra/security-baseline/
cp ../examples/compliance_config.yaml ./config.yaml # optional: review config
# Initialize and plan
terraform init
terraform plan -var="environment=production" \
-var="organization_name=acme-corp" \
*... continues with setup instructions, usage examples, and more.*