Implementing Compliance in AWS with Terraform: Practical Steps That Work

Abstract

Implementing compliance doesn’t have to be treated like voodoo magic (though some vendors want you to think it is). As the creator of the popular open-source Terraform AWS modules, which have been provisioned several billion times worldwide, and the newer compliance.tf project, I’ve spent years helping teams make their AWS infrastructure secure and compliant without burning out.

In this talk, I’ll walk through practical, hands-on ways to approach compliance in modern cloud environments using Terraform. I’ll show you how to evaluate your compliance readiness for frameworks like SOC 2, ISO 27001, GDPR, and HIPAA using a mix of cloud-native services and open-source tools, such as Prowler, SteamPipe, and Checkov. Then I’ll demonstrate how to write Terraform code to meet those required controls, implement compliance-as-code as part of your CI/CD pipelines, and prevent compliance drift over time, so your infrastructure stays secure as it evolves.

This talk is packed with real-world examples, so if you’re responsible for building or maintaining infrastructure and want to get compliance right from the start (or finally address what’s already there), this session is for you.