Introduction
In this blog, I share my experience implementing AWS Policy and Governance using Terraform as part of my #30DaysOfAWSTerraform journey. The goal was to build a secure-by-default foundation that enforces policies and continuously monitors compliance.
This project combines IAM guardrails, AWS Config, and a secure S3 bucket for configuration history. It helped me learn how prevention (IAM policies) and detection (Config rules) work together in real-world cloud governance.
Project Objective
- Implement IAM policies for security guardrails
- Enable AWS Config for continuous monitoring
- Store configuration history securely in S3
- Enforce tagging standards
- Track compliance and violations
- Automate governance using Terraform
Architecture
- IAM Policies to prevent risky actions (MFA delete, TLS-only S3 access, required tags).
- AWS Config to record configuration changes and evaluate compliance rules.
- S3 Bucket to store AWS Config snapshots securely with encryption and versioning.
The IAM policies enforce guardrails upfront, AWS Config continuously checks resource compliance, and S3 stores audit data.
Implementation Steps:
Step 1: IAM Policy Setup
I created policies for:
- MFA Delete Policy to block S3 object deletion without MFA
- S3 Encryption in Transit to enforce HTTPS/TLS
- Required Tags Policy to ensure resources include Environment and Owner
These policies matter because they stop risky actions before they happen.
Step 2: AWS Config Setup
I configured:
- Config Recorder to track resource changes
- Delivery Channel to store snapshots in S3
- Recorder Status to start compliance tracking
Step 3: Adding Config Rules
I added AWS managed rules to validate governance:
- S3 Public Write Prohibited - Prevents public write access to S3 buckets
- S3 Encryption Enabled - Ensures server-side encryption on S3 buckets
- S3 Public Read Prohibited - Blocks public read access to S3 buckets
- EBS Volumes Encrypted - Verifies all EBS volumes are encrypted
- Required Tags - Checks for Environment and Owner tags
- IAM Password Policy - Enforces strong password requirements
- Root MFA Enabled - Ensures root account has MFA configured
A resource is marked non-compliant when it violates a rule (for example, a missing required tag or encryption that is not enabled).
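The Config recorder, delivery channel, recorder status and managed rules from Steps 2 and 3, written out as an added Terraform example (not the post's own code). It assumes an IAM role `aws_iam_role.config` and a bucket `aws_s3_bucket.config_history` are declared elsewhere.

```hcl
# Added example, not the author's code: Steps 2 and 3 as Terraform.
# Assumed to exist elsewhere: aws_iam_role.config (trusts config.amazonaws.com,
# AWS_ConfigRole attached) and aws_s3_bucket.config_history (versioned,
# encrypted, with a bucket policy allowing config.amazonaws.com to write).
resource "aws_config_configuration_recorder" "this" {
  name     = "governance-recorder"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true # IAM is global; the IAM rules need this
  }
}

# A delivery channel needs an existing recorder, and the recorder can only be
# started once the channel exists, so the dependencies are chained explicitly.
resource "aws_config_delivery_channel" "this" {
  name           = "governance-channel"
  s3_bucket_name = aws_s3_bucket.config_history.id
  depends_on     = [aws_config_configuration_recorder.this]
}
resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# REQUIRED_TAGS takes its tag keys as parameters; values stay unconstrained.
resource "aws_config_config_rule" "required_tags" {
  name = "required-tags"
  source {
    owner             = "AWS"
    source_identifier = "REQUIRED_TAGS"
  }
  input_parameters = jsonencode({ tag1Key = "Environment", tag2Key = "Owner" })
  depends_on       = [aws_config_configuration_recorder.this]
}
# The other managed rules from Step 3 take no parameters: one for_each covers them.
resource "aws_config_config_rule" "managed" {
  for_each = toset([
    "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", "ENCRYPTED_VOLUMES",
    "IAM_PASSWORD_POLICY", "ROOT_ACCOUNT_MFA_ENABLED",
  ])
  name = lower(replace(each.key, "_", "-"))
  source {
    owner             = "AWS"
    source_identifier = each.key
  }
  depends_on = [aws_config_configuration_recorder.this]
}
```

Without the `depends_on` chain, `terraform apply` can fail on a fresh account because AWS rejects a delivery channel or rule created before the recorder exists.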
Step 5: Terraform Automation
Terraform let me define everything as code: IAM policies, the Config recorder, rules, and the S3 bucket. This made the setup repeatable and version controlled.
Benefits:
- Faster deployments
- Consistent governance
- Easy auditing and updates
Step 6: Testing & Validation
I ran terraform plan and terraform apply, then verified compliance using AWS Config. The dashboard showed compliant and non-compliant resources clearly.
Monitoring Dashboard
AWS Config provides a central view of compliance status across rules and resources. It helps quickly identify violations and track fixes over time.
Cost Considerations
AWS Config is a paid service, so I kept the scope small and cleaned up resources when done using terraform destroy. This helps control costs while still learning the full workflow.
Conclusion
This project showed how governance can be automated with Terraform by combining IAM guardrails, AWS Config compliance checks, and secure S3 storage. It reinforced the value of policy-as-code, continuous monitoring, and defense-in-depth in real AWS environments. Most importantly, it mirrors how cloud teams enforce security at scale—making it a practical and recruiter-relevant demonstration of cloud governance skills.
>> Connect With Me
If you enjoyed this post or want to follow my #30DaysOfAWSTerraformChallenge journey, feel free to connect with me here:
💼 LinkedIn: Amit Kushwaha
🐙 GitHub: Amit Kushwaha
📝 Hashnode / Amit Kushwaha
🐦 Twitter/X: Amit Kushwaha