Introduction
Most ISO 27001 implementations fail at one critical point: they treat compliance as a static checklist, not a continuous process.
In reality:
- Systems drift
- Configurations change
- Controls break silently
This project demonstrates a real-world compliance lifecycle:
Build → Break → Detect → Investigate → Fix → Verify
Using:
- Terraform (baseline provisioning)
- AWS Config (continuous compliance)
- Security Hub (aggregation)
- CloudTrail (audit evidence)
- S3 (evidence storage)
Architecture Overview
The system was designed as a lightweight continuous compliance engine:
Terraform → AWS Config → Security Hub → CloudTrail → S3 Evidence
- Terraform establishes a compliant baseline
- AWS Config continuously evaluates resources
- Security Hub aggregates findings
- CloudTrail records audit evidence
Baseline Deployment (Terraform)
Infrastructure was deployed using Terraform, creating:
- AWS Config (recorder + rules)
- CloudTrail (logging enabled)
- S3 bucket (encrypted evidence storage)
- Security Hub (enabled)
This ensures a controlled, compliant starting point.
Initial Compliance State
After deployment:
- AWS Config begins evaluation
- Initial state may show INSUFFICIENT_DATA
- Eventually stabilizes into COMPLIANT / NON_COMPLIANT
This represents:
A baseline security posture before any drift
Simulating Real-World Misconfiguration
(ISO Control A.8.12 – Encryption of Data at Rest)
To simulate drift, an intentional violation was introduced:
- Created an S3 bucket
- Disabled default encryption
This represents a common real-world failure:
Data stored without encryption due to misconfiguration
Detection via AWS Config
AWS Config automatically evaluated the resource and flagged:
- Rule: s3-bucket-server-side-encryption-enabled
- Status: NON_COMPLIANT
Drilling into the resource:
- Specific bucket identified
- Evaluation result recorded
- Timeline shows compliance change
This demonstrates:
Continuous monitoring instead of periodic audits
Aggregation via Security Hub
The same issue is surfaced in Security Hub as a finding.
Key observations:
- Findings categorized by severity
- Centralized visibility across services
- Enables prioritization
This layer answers:
“Which issues matter most right now?”
Audit Evidence via CloudTrail
Detection alone is not sufficient — audit requires traceability.
CloudTrail provides that.
Relevant events:
- CreateBucket: no encryption configuration applied
This proves:
The violation originated at resource creation, not later drift
Remediation Phase
The issue was fixed by:
- Enabling S3 default encryption (SSE-S3)
After remediation:
- AWS Config → COMPLIANT
- Timeline updated with state transition
This completes the full lifecycle:
NON_COMPLIANT → FIX APPLIED → COMPLIANT
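The CloudTrail and remediation sections above describe the reasoning an auditor applies by hand: replay the bucket's S3 control-plane events to answer what broke, when, who changed it and whether it was fixed. The routine below is an added example, not code from the original lab; the CloudTrail records it consumes are constructed to mirror the lab's CreateBucket-then-fix sequence, and the account ID, ARNs and bucket name are made up.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not captured from a real account) for a
# bucket created without encryption and later fixed with PutBucketEncryption.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "lab-drift-bucket"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "lab-drift-bucket", "key": "report.csv"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/SecOps"},
     "requestParameters": {"bucketName": "lab-drift-bucket",
                           "ServerSideEncryptionConfiguration": {"Rule": {
                               "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}}}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_evidence(events, bucket):
    """Replay one bucket's encryption-relevant events into an audit record."""
    related = sorted((e for e in events
                      if e.get("requestParameters", {}).get("bucketName") == bucket),
                     key=lambda e: parse_time(e["eventTime"]))
    record = {"bucket": bucket, "origin": None, "broken_at": None, "broken_by": None,
              "fixed_at": None, "fixed_by": None, "timeline": []}
    encrypted = False  # posture as the history is replayed, oldest event first
    for e in related:
        name, actor, when = e["eventName"], e["userIdentity"]["arn"], e["eventTime"]
        if name == "CreateBucket":
            # As in the lab, a bucket created with no encryption configuration is
            # non-compliant from its first second: the violation originates here.
            record.update(origin="creation", broken_at=when, broken_by=actor)
        elif name == "PutBucketEncryption":
            encrypted = True
            record.update(fixed_at=when, fixed_by=actor)
        elif name == "DeleteBucketEncryption":
            # Encryption removed after it had been configured: later drift, and any
            # earlier fix no longer counts as the current remediation.
            encrypted = False
            record.update(origin="drift", broken_at=when, broken_by=actor,
                          fixed_at=None, fixed_by=None)
        else:
            continue  # data-plane noise such as PutObject is not evidence here
        record["timeline"].append((when, name, actor))
    record["compliant_now"] = encrypted
    return record
```

Feeding the same bucket's records with a later DeleteBucketEncryption flips the origin to "drift", which is exactly the distinction the CloudTrail section says an audit must be able to defend.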
What This Demonstrates
1. Compliance is Dynamic
Traditional audits capture a snapshot.
Real systems require continuous validation.
2. Terraform ≠ Compliance
Terraform establishes a baseline, but:
Drift happens outside Infrastructure as Code
3. Detection vs Evidence
- AWS Config → detects issues
- Security Hub → aggregates
- CloudTrail → proves what happened
Without CloudTrail:
You cannot defend your audit findings
4. Real Gap in Organizations
Most organizations:
- Don’t monitor continuously
- Don’t store evidence properly
- Don’t validate remediation
Key Takeaway
This project moves ISO 27001 from:
Documentation-driven compliance
To:
Operational, continuously validated security posture
Final Thought
Compliance is not about passing an audit.
It’s about being able to answer:
- What broke?
- When did it break?
- Who changed it?
- Was it fixed?
This lab proves that with the right tooling, ISO 27001 controls can be measured, enforced, and verified in real time.
What’s Next
This was just one control (S3 encryption).
You can extend this to:
- IAM MFA enforcement (A.5.23)
- Logging validation (A.8.16)
- Resource tagging (A.8.9)
- Least privilege enforcement
If you’re building in cloud:
Start thinking in terms of control → detection → evidence → remediation
That’s where real security engineering begins.