Compliance Automation

What Is Compliance Automation?

Compliance automation uses tools and scripts to continuously verify that infrastructure meets security standards — PCI DSS, GDPR, SOC 2, CIS benchmarks.

Why Automate?

| Manual | Automated |
|--------|-----------|
| Runs once or twice a year | Runs continuously (daily, weekly) |
| Error-prone, misses issues | Consistent, catches drift |
| Depends on team memory | Documented, repeatable |
| Reactive (after audit) | Proactive (before audit) |

Prowler — AWS Security Assessment

# Install
pip install prowler

# Run PCI DSS checks
prowler aws --compliance pci_dss_4.0

# Run CIS Benchmark
prowler aws --compliance cis_1.4_aws

# Run GDPR checks
prowler aws --compliance gdpr

# Generate HTML report
prowler aws --compliance cis_1.4_aws -M html -o reports/

Prowler Output Example

┌────────────────────────────────────────────────────────┐
│ Prowler AWS Assessment Report                          │
├────────────────────────────────────────────────────────┤
│ Status:  ┃ 42 passed (75%) ┃ 14 failed (25%)          │
├────────────────────────────────────────────────────────┤
│ CRITICAL: CloudTrail not enabled in ap-southeast-1     │
│ HIGH:     S3 bucket my-data-bucket has public access   │
│ MEDIUM:   Root user has active access keys             │
│ LOW:      No tags on EC2 instance i-12345678           │
└────────────────────────────────────────────────────────┘

Compliance Dashboard

#!/usr/bin/env python3
"""Compliance dashboard — aggregate scan results."""
import datetime

# Per-framework pass/fail counts from the latest scan run (sample values)
SCAN_RESULTS = {
    "pci_dss": {"passed": 85, "failed": 3, "total": 88},
    "cis_benchmark": {"passed": 120, "failed": 8, "total": 128},
    "gdpr": {"passed": 40, "failed": 0, "total": 40},
    "soc2": {"passed": 62, "failed": 5, "total": 67},
}

def generate_report():
    """Compute per-framework and overall compliance rates from SCAN_RESULTS."""
    report = {
        "date": str(datetime.date.today()),
        "overall_compliance": 0,
        "total_passed": 0,
        "total_checks": 0,
        "frameworks": {}
    }

    for framework, results in SCAN_RESULTS.items():
        rate = (results["passed"] / results["total"]) * 100
        report["frameworks"][framework] = {
            "compliance_rate": round(rate, 1),
            "passed": results["passed"],
            "failed": results["failed"],
            "total": results["total"]
        }
        report["total_passed"] += results["passed"]
        report["total_checks"] += results["total"]

    # Overall rate is weighted by check count, not an average of the framework rates
    report["overall_compliance"] = round((report["total_passed"] / report["total_checks"]) * 100, 1)

    return report

report = generate_report()
print(f"Compliance Rate: {report['total_passed']}/{report['total_checks']} ({report['overall_compliance']}%)")
print(f"Date: {report['date']}")
for framework, data in report["frameworks"].items():
    # Green at 90% and above, warning between 70% and 89%, red below 70%
    status = "✅" if data["compliance_rate"] >= 90 else "⚠️" if data["compliance_rate"] >= 70 else "❌"
    print(f"  {status} {framework.upper()}: {data['compliance_rate']}%")

Automated Audit Tools

| Tool | Purpose | Frameworks Supported |
|------|---------|---------------------|
| Prowler | Cloud security assessment | PCI, GDPR, SOC 2, CIS |
| Checkov | IaC scanning (Terraform) | PCI, GDPR, HIPAA |
| Terrascan | IaC scanning | PCI, GDPR, SOC 2 |
| OpenSCAP | System-level compliance | CIS, STIG |
| ScoutSuite | Multi-cloud audit | CIS, GDPR |
| Lynis | Linux security auditing | CIS, generic |

Summary

Compliance automation tools like Prowler, Checkov, and OpenSCAP continuously verify infrastructure against standards. Automated scanning catches drift before audits.

Key takeaways:

- Prowler: AWS security assessment for PCI, GDPR, CIS, SOC 2
- Checkov: Terraform scanning for PCI, GDPR, HIPAA
- OpenSCAP: system-level CIS benchmark compliance
- Compliance dashboard: aggregate scan results, track pass/fail rates
- Automated scanning catches configuration drift proactively
- Generate HTML reports for audit evidence

You've completed this course! You now understand compliance frameworks and automation.

CI/CD Integration

GitHub Actions Compliance Pipeline

name: Compliance Scan
on:
  schedule:
    - cron: '0 6 * * 1'  # Every Monday
  push:
    branches: [main]

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
          aws-region: us-east-1

      - name: Run Prowler PCI DSS Scan
        run: |
          pip install prowler
          prowler aws --compliance pci_dss_4.0 -M json -o reports/

      - name: Run Checkov IaC Scan
        run: |
          pip install checkov
          # --framework selects the IaC type to scan (terraform here), not a compliance standard
          checkov -d terraform/ --framework terraform -o json > reports/checkov.json

      - name: Upload Reports
        # Scanners exit non-zero when checks fail; keep the evidence so the
        # failure notification below can point at it
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliance-reports
          path: reports/

      - name: Notify on Failure
        if: failure()
        run: |
          curl -X POST -H 'Content-Type: application/json' \
            -d '{"text": "⛔ Compliance scan FAILED — check artifacts for details"}' \
            ${{ secrets.SLACK_WEBHOOK }}
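The pipeline above uploads reports and alerts on failure, but nothing turns scanner findings into a pass/fail decision, and nothing distinguishes a failure that has been open for months from a check that passed last week and fails today (the drift the first table promises to catch). The script below is an added example, not code from the original page or from Prowler or Checkov: it parses a findings list, summarizes it in the per-framework shape the dashboard section consumes, diffs it against the previous run to find regressions and fixes, and returns an exit status the job can gate on. The flat findings schema (`check_id`, `status`, `severity`, `resource`) and both sample runs are constructed for the example; a real run needs a small adapter from the scanner's JSON output onto that shape.

```python
#!/usr/bin/env python3
"""Gate a CI compliance scan on its findings and flag drift against a baseline run."""
import json

# Failed findings at these severities block the pipeline; MEDIUM/LOW are reported only.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
VALID_STATUSES = {"PASS", "FAIL"}

# Constructed sample findings. The flat schema (check_id, status, severity, resource)
# is an assumption: a small adapter would map the scanner's real JSON onto it.
BASELINE_JSON = json.dumps([
    {"check_id": "cloudtrail_multi_region_enabled", "status": "PASS", "severity": "CRITICAL", "resource": "ap-southeast-1"},
    {"check_id": "s3_bucket_public_access", "status": "PASS", "severity": "HIGH", "resource": "my-data-bucket"},
    {"check_id": "iam_root_access_keys", "status": "FAIL", "severity": "MEDIUM", "resource": "root"},
    {"check_id": "ec2_instance_tagged", "status": "FAIL", "severity": "LOW", "resource": "i-12345678"},
])
CURRENT_JSON = json.dumps([
    {"check_id": "cloudtrail_multi_region_enabled", "status": "FAIL", "severity": "CRITICAL", "resource": "ap-southeast-1"},
    {"check_id": "s3_bucket_public_access", "status": "FAIL", "severity": "HIGH", "resource": "my-data-bucket"},
    {"check_id": "iam_root_access_keys", "status": "PASS", "severity": "MEDIUM", "resource": "root"},
    {"check_id": "ec2_instance_tagged", "status": "FAIL", "severity": "LOW", "resource": "i-12345678"},
])


def load_findings(raw):
    """Parse a findings document and reject records the gate cannot reason about."""
    findings = json.loads(raw)
    for f in findings:
        missing = {"check_id", "status", "severity", "resource"} - set(f)
        if missing:
            raise ValueError(f"finding missing fields {sorted(missing)}: {f}")
        if f["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown status {f['status']!r} in {f['check_id']}")
    return findings


def summarize(findings):
    """Pass/fail counts in the per-framework shape the dashboard script consumes."""
    passed = sum(1 for f in findings if f["status"] == "PASS")
    return {"passed": passed, "failed": len(findings) - passed, "total": len(findings)}


def detect_drift(baseline, current):
    """Split checks into regressions (PASS -> FAIL) and fixes (FAIL -> PASS) since the baseline."""
    previous = {(f["check_id"], f["resource"]): f["status"] for f in baseline}
    regressions, fixes = [], []
    for f in current:
        before = previous.get((f["check_id"], f["resource"]))
        if before == "PASS" and f["status"] == "FAIL":
            regressions.append(f)
        elif before == "FAIL" and f["status"] == "PASS":
            fixes.append(f)
    return regressions, fixes


def gate(current, baseline=(), block_on_drift=True):
    """Decide whether the pipeline should fail.

    Pre-existing MEDIUM/LOW failures are tolerated as known debt; a check that
    passed last run and fails now is drift and blocks when block_on_drift is set.
    """
    blocking = [f for f in current
                if f["status"] == "FAIL" and f["severity"] in BLOCKING_SEVERITIES]
    regressions, fixes = detect_drift(baseline, current)
    return {
        "summary": summarize(current),
        "blocking": sorted(f["check_id"] for f in blocking),
        "regressions": sorted(f["check_id"] for f in regressions),
        "fixed": sorted(f["check_id"] for f in fixes),
        "pass": not blocking and not (block_on_drift and regressions),
    }


def main():
    decision = gate(load_findings(CURRENT_JSON), load_findings(BASELINE_JSON))
    s = decision["summary"]
    print(f"{s['passed']}/{s['total']} checks passed")
    for label in ("blocking", "regressions", "fixed"):
        print(f"  {label}: {', '.join(decision[label]) or 'none'}")
    print("RESULT:", "PASS" if decision["pass"] else "FAIL")
    return 0 if decision["pass"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a step after the scans, with the previous run's findings restored from the last `compliance-reports` artifact as the baseline; a non-zero exit fails the job and so triggers the `if: failure()` Slack step. Keying drift on `(check_id, resource)` rather than on `check_id` alone is deliberate: a check that fails on a newly created bucket is new drift even if the same check already fails on an older one.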

Compliance as Code Strategy

// Compliance tests in Go, in the shape of a Terratest suite; run with `go test ./test/`.
// Uses the AWS SDK for Go v2 directly to list buckets and security groups.
// test/compliance_test.go
package test

import (
    "context"
    "testing"

    "github.com/aws/aws-sdk-go-v2/aws"
    "github.com/aws/aws-sdk-go-v2/config"
    "github.com/aws/aws-sdk-go-v2/service/ec2"
    "github.com/aws/aws-sdk-go-v2/service/ec2/types"
    "github.com/aws/aws-sdk-go-v2/service/s3"
)

// awsConfig loads credentials from the environment (the CI job above sets them)
func awsConfig(t *testing.T) aws.Config {
    cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion("us-east-1"))
    if err != nil {
        t.Fatalf("loading AWS config: %v", err)
    }
    return cfg
}

func TestS3Encryption(t *testing.T) {
    // Check that every S3 bucket has a default encryption configuration
    ctx := context.Background()
    client := s3.NewFromConfig(awsConfig(t))
    out, err := client.ListBuckets(ctx, &s3.ListBucketsInput{})
    if err != nil {
        t.Fatalf("listing buckets: %v", err)
    }
    for _, bucket := range out.Buckets {
        // GetBucketEncryption returns an error when no encryption configuration exists
        _, err := client.GetBucketEncryption(ctx, &s3.GetBucketEncryptionInput{Bucket: bucket.Name})
        if err != nil {
            t.Errorf("Bucket %s does NOT have encryption enabled: %v", *bucket.Name, err)
        }
    }
}

func TestSecurityGroups(t *testing.T) {
    // Check that no security group allows SSH (port 22) from 0.0.0.0/0
    ctx := context.Background()
    client := ec2.NewFromConfig(awsConfig(t))
    out, err := client.DescribeSecurityGroups(ctx, &ec2.DescribeSecurityGroupsInput{})
    if err != nil {
        t.Fatalf("describing security groups: %v", err)
    }
    for _, sg := range out.SecurityGroups {
        for _, rule := range sg.IpPermissions {
            if !coversPort(rule, 22) {
                continue
            }
            for _, ip := range rule.IpRanges {
                if ip.CidrIp != nil && *ip.CidrIp == "0.0.0.0/0" {
                    t.Errorf("SG %s allows SSH from anywhere", *sg.GroupId)
                }
            }
        }
    }
}

// coversPort reports whether an ingress rule reaches the given port: an all-traffic rule
// (protocol "-1", no ports set) or a port range containing it. Testing FromPort == 22
// alone misses ranges such as 0-65535 and dereferences a nil FromPort on all-traffic rules.
func coversPort(rule types.IpPermission, port int32) bool {
    if rule.IpProtocol != nil && *rule.IpProtocol == "-1" {
        return true
    }
    if rule.FromPort == nil || rule.ToPort == nil {
        return false
    }
    return *rule.FromPort <= port && port <= *rule.ToPort
}

Summary

Compliance automation with CI/CD pipelines, Prowler, Checkov, and Terratest ensures continuous verification. Catch configuration drift proactively, not reactively.

Key takeaways:

- CI/CD pipeline: weekly automated compliance scan with Prowler and Checkov
- Compliance as Code: Terratest tests infrastructure compliance in Go
- Automated detection catches drift between manual audits
- Reports uploaded as artifacts for auditor evidence
- Slack notification on scan failure for immediate response
- Test S3 encryption, SG rules, IAM policies, CloudTrail, and more

You've completed this course! You now know compliance from GDPR to automation.
