Compliance Automation
What Is Compliance Automation?
Compliance automation uses tools and scripts to continuously verify that infrastructure meets security standards such as PCI DSS, GDPR, SOC 2 and the CIS Benchmarks. The tools check the technical controls those frameworks map to (logging, encryption, network exposure, IAM hygiene); the organisational parts of a framework, such as GDPR processing records or SOC 2 policies, still need human-collected evidence.
Why Automate?
| Manual | Automated |
|--------|-----------|
| Runs once or twice a year | Runs continuously (daily, weekly) |
| Error-prone, misses issues | Consistent, catches drift |
| Depends on team memory | Documented, repeatable |
| Reactive (after audit) | Proactive (before audit) |
Prowler — AWS Security Assessment
```bash
# Install
pip install prowler

# Compliance framework identifiers differ between Prowler versions;
# list the ones your install knows before relying on a name
prowler aws --list-compliance

# Run PCI DSS checks
prowler aws --compliance pci_3.2.1_aws

# Run CIS Benchmark
prowler aws --compliance cis_1.4_aws

# Run GDPR checks
prowler aws --compliance gdpr_aws

# Generate HTML report (-M selects output modes, -o the output directory)
prowler aws --compliance cis_1.4_aws -M html -o reports/
```
Prowler Output Example
```text
┌──────────────────────────────────────────────────────┐
│ Prowler AWS Assessment Report                        │
├──────────────────────────────────────────────────────┤
│ Status:  42 passed (75%)  |  14 failed (25%)         │
├──────────────────────────────────────────────────────┤
│ CRITICAL: CloudTrail not enabled in ap-southeast-1   │
│ HIGH:     S3 bucket my-data-bucket has public access │
│ MEDIUM:   Root user has active access keys           │
│ LOW:      No tags on EC2 instance i-12345678         │
└──────────────────────────────────────────────────────┘
```
Compliance Dashboard
```python
#!/usr/bin/env python3
"""Compliance dashboard — aggregate scan results."""
import datetime
import json

# Per-framework pass/fail counts from the latest scanner runs. One check can
# map to several frameworks, so the totals legitimately differ.
SCAN_RESULTS = {
    "pci_dss": {"passed": 85, "failed": 3, "total": 88},
    "cis_benchmark": {"passed": 120, "failed": 8, "total": 128},
    "gdpr": {"passed": 40, "failed": 0, "total": 40},
    "soc2": {"passed": 62, "failed": 5, "total": 67},
}


def generate_report(scan_results=SCAN_RESULTS):
    report = {
        "date": str(datetime.date.today()),
        "overall_compliance": 0.0,
        "total_passed": 0,
        "total_checks": 0,
        "frameworks": {},
    }
    for framework, results in scan_results.items():
        # Guard against a framework with no applicable checks
        rate = results["passed"] / results["total"] * 100 if results["total"] else 0.0
        report["frameworks"][framework] = {
            "compliance_rate": round(rate, 1),
            "passed": results["passed"],
            "failed": results["failed"],
            "total": results["total"],
        }
        report["total_passed"] += results["passed"]
        report["total_checks"] += results["total"]
    if report["total_checks"]:
        report["overall_compliance"] = round(
            report["total_passed"] / report["total_checks"] * 100, 1)
    return report


def status_icon(rate):
    return "✅" if rate >= 90 else "⚠️" if rate >= 70 else "❌"


if __name__ == "__main__":
    report = generate_report()
    print(f"Compliance Rate: {report['total_passed']}/{report['total_checks']} "
          f"({report['overall_compliance']}%)")
    print(f"Date: {report['date']}")
    for framework, data in report["frameworks"].items():
        print(f"  {status_icon(data['compliance_rate'])} {framework.upper()}: {data['compliance_rate']}%")
    # Keep the machine-readable form as audit evidence
    with open("compliance-report.json", "w") as fh:
        json.dump(report, fh, indent=2)
```
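The dashboard above starts from hand-entered per-framework counts. The following added example (mine, not the course's code) builds those counts from finding-level records and compares two runs to surface regressions, which is the drift the course says automation should catch. The record layout and the findings themselves are constructed assumptions: a simplified form of a scanner's per-check output, not Prowler's actual schema, and the resource names are placeholders.

```python
#!/usr/bin/env python3
"""Aggregate finding-level scan results per framework and detect drift
between two runs. Added example, not part of the course's dashboard code."""
from collections import defaultdict

# Constructed sample findings. The record shape is an assumption: a simplified
# form of what a scanner such as Prowler emits per check, keeping only the
# fields needed here. Real output carries many more fields.
PREVIOUS_RUN = [
    {"check_id": "cloudtrail_multi_region_enabled", "status": "PASS", "severity": "high",
     "resource": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main",
     "compliance": {"cis_1.4_aws": ["3.1"], "pci_3.2.1_aws": ["10.1"]}},
    {"check_id": "s3_bucket_public_access", "status": "PASS", "severity": "critical",
     "resource": "my-data-bucket",
     "compliance": {"cis_1.4_aws": ["2.1.5"], "pci_3.2.1_aws": ["1.3"], "gdpr_aws": ["art_32"]}},
    {"check_id": "iam_root_access_keys", "status": "FAIL", "severity": "medium",
     "resource": "<root_account>",
     "compliance": {"cis_1.4_aws": ["1.4"], "pci_3.2.1_aws": ["8.2"]}},
    {"check_id": "ec2_instance_tagging", "status": "FAIL", "severity": "low",
     "resource": "i-12345678",
     "compliance": {"gdpr_aws": ["art_30"]}},
]

# Same checks one week later: CloudTrail regressed, root keys were removed,
# and a new unencrypted database appeared.
CURRENT_RUN = [
    {"check_id": "cloudtrail_multi_region_enabled", "status": "FAIL", "severity": "high",
     "resource": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main",
     "compliance": {"cis_1.4_aws": ["3.1"], "pci_3.2.1_aws": ["10.1"]}},
    {"check_id": "s3_bucket_public_access", "status": "PASS", "severity": "critical",
     "resource": "my-data-bucket",
     "compliance": {"cis_1.4_aws": ["2.1.5"], "pci_3.2.1_aws": ["1.3"], "gdpr_aws": ["art_32"]}},
    {"check_id": "iam_root_access_keys", "status": "PASS", "severity": "medium",
     "resource": "<root_account>",
     "compliance": {"cis_1.4_aws": ["1.4"], "pci_3.2.1_aws": ["8.2"]}},
    {"check_id": "ec2_instance_tagging", "status": "FAIL", "severity": "low",
     "resource": "i-12345678",
     "compliance": {"gdpr_aws": ["art_30"]}},
    {"check_id": "rds_instance_storage_encrypted", "status": "FAIL", "severity": "high",
     "resource": "db-prod",
     "compliance": {"pci_3.2.1_aws": ["3.4"], "gdpr_aws": ["art_32"]}},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def aggregate(findings):
    """Per-framework pass/fail counts in the dashboard's SCAN_RESULTS shape.
    A check mapped to several frameworks is counted once in each, which is
    why totals differ between frameworks."""
    stats = defaultdict(lambda: {"passed": 0, "failed": 0, "total": 0})
    for f in findings:
        for framework in f["compliance"]:
            stats[framework]["passed" if f["status"] == "PASS" else "failed"] += 1
            stats[framework]["total"] += 1
    return dict(stats)


def diff_runs(previous, current):
    """Classify changes between two runs, keyed by (check_id, resource).
    Regressions (PASS -> FAIL) are the drift to alert on; fixed, new and
    still-failing findings are reported for completeness."""
    prev = {(f["check_id"], f["resource"]): f for f in previous}
    diff = {"regressions": [], "fixed": [], "new": [], "still_failing": []}
    for f in current:
        key = (f["check_id"], f["resource"])
        before = prev.get(key)
        if before is None:
            if f["status"] == "FAIL":
                diff["new"].append(key)
        elif before["status"] == "PASS" and f["status"] == "FAIL":
            diff["regressions"].append(key)
        elif before["status"] == "FAIL" and f["status"] == "PASS":
            diff["fixed"].append(key)
        elif f["status"] == "FAIL":
            diff["still_failing"].append(key)
    for bucket in diff.values():
        bucket.sort()
    return diff


def worst_severity(findings, keys):
    """Highest severity among the selected (check_id, resource) keys, or None."""
    by_key = {(f["check_id"], f["resource"]): f["severity"] for f in findings}
    sevs = [by_key[k] for k in keys if k in by_key]
    return max(sevs, key=SEVERITY_RANK.__getitem__) if sevs else None


if __name__ == "__main__":
    for framework, s in aggregate(CURRENT_RUN).items():
        print(f"{framework}: {s['passed']}/{s['total']} passed")
    drift = diff_runs(PREVIOUS_RUN, CURRENT_RUN)
    print(f"regressions: {drift['regressions']}")
    print(f"worst regression severity: {worst_severity(CURRENT_RUN, drift['regressions'])}")
```

The per-run findings would normally be loaded from the previous and current scanner report files; keying on (check, resource) rather than on the check alone is what lets a single newly exposed bucket show up as a regression while the other buckets still pass.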
Automated Audit Tools
| Tool | Purpose | Frameworks Supported |
|------|---------|---------------------|
| Prowler | Cloud security assessment | PCI, GDPR, SOC 2, CIS |
| Checkov | IaC scanning (Terraform) | PCI, GDPR, HIPAA |
| Terrascan | IaC scanning | PCI, GDPR, SOC 2 |
| OpenSCAP | System-level compliance | CIS, STIG |
| ScoutSuite | Multi-cloud audit | CIS, GDPR |
| Lynis | Linux security auditing | CIS, generic |
Summary
Compliance automation tools like Prowler, Checkov, and OpenSCAP continuously verify infrastructure against standards. Automated scanning catches drift before audits.
Key takeaways:
- Prowler: AWS security assessment for PCI, GDPR, CIS, SOC 2
- Checkov: Terraform scanning for PCI, GDPR, HIPAA
- OpenSCAP: system-level CIS benchmark compliance
- Compliance dashboard: aggregate scan results, track pass/fail rates
- Automated scanning catches configuration drift proactively
- Generate HTML reports for audit evidence
CI/CD Integration
GitHub Actions Compliance Pipeline
```yaml
name: Compliance Scan

on:
  schedule:
    - cron: '0 6 * * 1'   # Every Monday, 06:00 UTC
  push:
    branches: [main]

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Static keys in repository secrets work, but a read-only audit role
      # assumed via OIDC (permissions: id-token: write plus role-to-assume)
      # gives the runner short-lived credentials with nothing to leak.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
          aws-region: us-east-1

      # Prowler exits 3 when any check fails, so this step fails on findings
      # (add --ignore-exit-code-3 to only collect the report). Output modes
      # are version dependent: json-ocsf on v4, json on v3.
      - name: Run Prowler PCI DSS Scan
        run: |
          pip install prowler
          prowler aws --compliance pci_3.2.1_aws -M json-ocsf -o reports/

      # --framework picks the IaC type (terraform, cloudformation, ...), not
      # a compliance standard; Checkov exits nonzero on any failed check
      - name: Run Checkov IaC Scan
        run: |
          pip install checkov
          mkdir -p reports
          checkov -d terraform/ --framework terraform -o json > reports/checkov.json

      # always() keeps the evidence even when a scan step failed
      - name: Upload Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliance-reports
          path: reports/

      - name: Notify on Failure
        if: failure()
        run: |
          curl -X POST -H 'Content-Type: application/json' \
            -d '{"text": "⛔ Compliance scan FAILED — check artifacts for details"}' \
            ${{ secrets.SLACK_WEBHOOK }}
```
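Both scanners exit nonzero on any failed check, so the pipeline above goes red for a missing-tag finding just as it does for an open SSH rule, and `failure()` cannot tell the two apart. The following added example, which is neither the course's code nor part of Checkov, reads Checkov's JSON report and decides the exit code itself, honouring a recorded exception list whose entries expire. The sample report is constructed and trimmed to the fields the script reads (a real report has many more keys per check); the exception entries and ticket IDs are placeholders.

```python
#!/usr/bin/env python3
"""CI gate over Checkov JSON output with a recorded, expiring exception list.
Added example; not part of the course's pipeline or of Checkov."""
import datetime
import json
import sys

# Constructed sample of `checkov -o json` output, trimmed to the fields read
# below. With several frameworks Checkov emits a list of such objects, which
# load_reports accepts as well.
CHECKOV_JSON = """
{
  "check_type": "terraform",
  "results": {
    "passed_checks": [
      {"check_id": "CKV_AWS_19", "check_name": "Ensure all data stored in the S3 bucket is securely encrypted at rest",
       "file_path": "/s3.tf", "file_line_range": [1, 12], "resource": "aws_s3_bucket.logs"}
    ],
    "failed_checks": [
      {"check_id": "CKV_AWS_145", "check_name": "Ensure that S3 buckets are encrypted with KMS by default",
       "file_path": "/s3.tf", "file_line_range": [1, 12], "resource": "aws_s3_bucket.logs"},
      {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
       "file_path": "/s3.tf", "file_line_range": [1, 12], "resource": "aws_s3_bucket.logs"},
      {"check_id": "CKV_AWS_24", "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
       "file_path": "/sg.tf", "file_line_range": [3, 20], "resource": "aws_security_group.bastion"}
    ],
    "skipped_checks": [],
    "parsing_errors": []
  },
  "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0, "resource_count": 2}
}
"""

# Risk-accepted findings. Every entry carries a reason, a ticket and an
# expiry so a suppression cannot outlive the decision that justified it.
# Constructed example; the tickets are placeholders.
EXCEPTIONS = {
    ("CKV_AWS_145", "aws_s3_bucket.logs"): {
        "reason": "log bucket, SSE-S3 accepted", "ticket": "SEC-1234", "expires": "2099-12-31"},
    ("CKV_AWS_18", "aws_s3_bucket.logs"): {
        "reason": "access logging of the log bucket loops", "ticket": "SEC-1001", "expires": "2024-01-01"},
}


def load_reports(text):
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_checks(reports):
    for report in reports:
        for check in report["results"]["failed_checks"]:
            yield {
                "check_id": check["check_id"],
                "resource": check["resource"],
                "name": check["check_name"],
                "location": f"{check['file_path']}:{check['file_line_range'][0]}",
            }


def gate(text, exceptions, today_iso):
    """Split failed checks into blocking, suppressed and expired-exception
    lists; exit_code is 1 whenever anything blocks."""
    today = datetime.date.fromisoformat(today_iso)
    result = {"blocking": [], "suppressed": [], "expired": [], "exit_code": 0}
    for check in failed_checks(load_reports(text)):
        key = (check["check_id"], check["resource"])
        exc = exceptions.get(key)
        if exc is None:
            result["blocking"].append(check)
        elif datetime.date.fromisoformat(exc["expires"]) < today:
            # An expired exception no longer suppresses; surface it for renewal
            result["expired"].append(key)
            result["blocking"].append(check)
        else:
            result["suppressed"].append(key)
    result["exit_code"] = 1 if result["blocking"] else 0
    return result


def main(path=None):
    text = open(path).read() if path else CHECKOV_JSON
    result = gate(text, EXCEPTIONS, datetime.date.today().isoformat())
    for c in result["blocking"]:
        print(f"BLOCKING {c['check_id']} {c['resource']} ({c['location']}): {c['name']}")
    for key in result["expired"]:
        print(f"EXPIRED exception for {key[0]} on {key[1]}: renew or fix")
    print(f"suppressed: {len(result['suppressed'])}, blocking: {len(result['blocking'])}")
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

To let the script decide, run Checkov with `--soft-fail` so its own exit code is always 0, then feed it the report: `checkov -d terraform/ --framework terraform --soft-fail -o json > reports/checkov.json && python3 gate.py reports/checkov.json`. The exception list belongs in the repository next to the pipeline so that every suppression is reviewed like any other change.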
Compliance as Code Strategy
```go
// test/compliance_test.go
// Terratest hands out authenticated SDK (v1) clients; the sweeps call the SDK
// directly because Terratest has no account-wide listing helpers.
package test

import (
	"testing"

	awssdk "github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/aws/aws-sdk-go/service/s3"
	"github.com/gruntwork-io/terratest/modules/aws"
)

// Check that all S3 buckets have a default encryption configuration. AWS has
// applied SSE-S3 to every bucket since January 2023, so inspect the returned
// rules if policy requires KMS; buckets in other regions answer with a redirect.
func TestS3Encryption(t *testing.T) {
	client := aws.NewS3Client(t, "us-east-1")
	out, err := client.ListBuckets(&s3.ListBucketsInput{})
	if err != nil {
		t.Fatalf("ListBuckets: %v", err)
	}
	for _, bucket := range out.Buckets {
		_, err := client.GetBucketEncryption(&s3.GetBucketEncryptionInput{Bucket: bucket.Name})
		if err != nil {
			t.Errorf("Bucket %s does NOT have encryption enabled: %v", awssdk.StringValue(bucket.Name), err)
		}
	}
}

// sshExposed reports whether a rule covers TCP/22. "All traffic" rules
// (protocol -1) have nil ports and expose 22 as well; dereferencing FromPort
// unconditionally panics on them.
func sshExposed(rule *ec2.IpPermission) bool {
	proto := awssdk.StringValue(rule.IpProtocol)
	if proto == "-1" {
		return true
	}
	return proto == "tcp" && rule.FromPort != nil && rule.ToPort != nil &&
		*rule.FromPort <= 22 && 22 <= *rule.ToPort
}

// Check that no security group allows SSH from 0.0.0.0/0 (extend to
// Ipv6Ranges/::/0 for IPv6). DescribeSecurityGroups paginates; use
// DescribeSecurityGroupsPages for accounts with many groups.
func TestSecurityGroups(t *testing.T) {
	client := aws.NewEc2Client(t, "us-east-1")
	out, err := client.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{})
	if err != nil {
		t.Fatalf("DescribeSecurityGroups: %v", err)
	}
	for _, sg := range out.SecurityGroups {
		for _, rule := range sg.IpPermissions {
			for _, ip := range rule.IpRanges {
				if sshExposed(rule) && awssdk.StringValue(ip.CidrIp) == "0.0.0.0/0" {
					t.Errorf("SG %s allows SSH from anywhere", awssdk.StringValue(sg.GroupId))
				}
			}
		}
	}
}
```
Summary
Compliance automation with CI/CD pipelines, Prowler, Checkov, and Terratest ensures continuous verification. Catch configuration drift proactively, not reactively.
Key takeaways:
- CI/CD pipeline: weekly automated compliance scan with Prowler and Checkov
- Compliance as Code: Terratest tests infrastructure compliance in Go
- Automated detection catches drift between manual audits
- Reports uploaded as artifacts for auditor evidence
- Slack notification on scan failure for immediate response
- Test S3 encryption, SG rules, IAM policies, CloudTrail, and more
You've completed this course! You now know compliance from GDPR to automation.