This portfolio demonstrates how to design, harden, and document secure AWS workloads using Terraform. It evolves across three steps, each adding stronger security and compliance layers:
- **Step 1: Public EC2 + ALB**
  - Basic VPC, Internet Gateway, Security Groups
  - Application Load Balancer + Public EC2
- **Step 2: Private EC2 (SSM only)**
  - Private Subnets + NAT Gateway
  - Private EC2 (no public IP) managed via Session Manager
  - Encrypted EBS volumes + IMDSv2 enforced
- **Step 3: Centralized Logging + VPC Endpoints**
  - Default EBS encryption enabled
  - VPC Flow Logs → S3 with SSE-KMS (CMK protected)
  - VPC Endpoints for SSM, EC2 Messages, and S3
  - Scoped Security Groups for least privilege

### Highlights

- Secure AWS infrastructure codified with Terraform
- Application of security best practices: encryption, least privilege, bastionless access
- Mapping of technical design to ISO/IEC 27001 Annex A controls
- Evidence-based documentation: screenshots + Terraform code
### ISO/IEC 27001 control coverage

| Step | Controls Implemented |
|---|---|
| Step 1 | A.8.12 Data leakage prevention (Security Group rules)<br>A.5.23 Information security for use of cloud services (subnet segregation) |
| Step 2 | A.8.24 Use of cryptography (EBS encryption)<br>A.8.28 Secure authentication (IMDSv2)<br>A.8.16 Identity and access control (IAM role for SSM)<br>A.8.12 Data leakage prevention (no public IP, egress-only networking)<br>A.5.23 Information security for use of cloud services (bastionless via SSM) |
| Step 3 | A.8.15 Logging (VPC Flow Logs)<br>A.8.16 Monitoring activities (Flow Logs to encrypted S3 with restricted policy)<br>A.8.24 Use of cryptography (EBS default encryption, SSE-KMS, CMK)<br>A.8.12 Data leakage prevention (VPC Endpoints restrict traffic)<br>A.5.23 Information security for use of cloud services (private-only design with centralized audit trail)<br>A.8.16 Identity and access control (SSM least privilege)<br>A.8.28 Secure authentication (IMDSv2 enforced) |

Full mappings: `docs/iso27001-mapping.md`
### Project structure

```text
terraform-secure-vpc-ec2/
├── providers.tf
├── variables.tf
├── outputs.tf
├── main.tf
├── modules/
│   ├── compute/
│   │   ├── main.tf                     # Step 1 - Public EC2
│   │   ├── private.tf                  # Step 2 - Private EC2
│   │   ├── step3_encryption.tf         # Step 3 - Encrypted EBS
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── network/
│       ├── main.tf                     # Step 1 - VPC, IGW
│       ├── private.tf                  # Step 2 - Private subnets + NAT
│       ├── step3_endpoints+logging.tf  # Step 3 - Endpoints + Flow Logs
│       ├── locals.tf
│       ├── outputs.tf
│       └── variables.tf
└── docs/
    ├── diagrams/
    │   └── architecture-diagram.png
    ├── iso27001-mapping.md
    └── screenshots/
        ├── step1/
        ├── step2/
        └── step3/
```

### Usage

```bash
terraform init
terraform plan
terraform apply
```

## Step 1: Public EC2 + ALB

This step builds the foundation VPC with public subnets, an Internet Gateway, and a demo EC2 instance behind an ALB. It establishes the base networking layer that the later steps secure and extend.
- I can codify a basic VPC architecture with Terraform.
- I can configure Internet Gateway, routing, and public subnets.
- I can launch a public EC2 instance behind an ALB.
- I can apply initial ISO/IEC 27001 Annex A mappings.
```text
terraform-secure-vpc-ec2/
├── main.tf
├── providers.tf
├── variables.tf
├── outputs.tf
├── modules/
│   ├── network/
│   │   ├── main.tf         # VPC, IGW, public subnets, public route table
│   │   ├── variables.tf
│   │   └── outputs.tf
│   └── compute/
│       ├── main.tf         # Public EC2 + Security Group
│       ├── variables.tf
│       └── outputs.tf
└── docs/screenshots/step1/
```

Security highlights:

- Basic segregation of subnets: public vs private
- Security Groups: limit inbound traffic
- Foundation: compliance-ready design

ISO/IEC 27001 Annex A mapping:

- A.8.24 Data leakage prevention: Security Group rules
- A.5.23 Cloud security: segregated subnet design
## Step 2: Private EC2 (SSM only)

This step extends the baseline VPC (Step 1) by adding a private application tier. The design ensures the EC2 instance is not exposed to the internet and is managed securely via AWS Systems Manager Session Manager.
- I can design and codify a bastionless architecture using Terraform.
- I enforce least-privilege networking (egress-only, no inbound).
- I apply security best practices: IMDSv2, EBS encryption, IAM roles, SSM access.
- I map controls to ISO/IEC 27001 Annex A for compliance readiness.
```text
terraform-secure-vpc-ec2/
├── main.tf
├── modules/
│   ├── network/
│   │   └── private.tf      # Private subnets + NAT Gateway
│   └── compute/
│       └── private.tf      # Private EC2 (SSM only, IMDSv2, encrypted EBS)
└── docs/screenshots/step2/
```

Security highlights:

- No inbound exposure: EC2 has no public IP and no SSH
- Bastionless access: managed exclusively through AWS Systems Manager Session Manager
- Egress-only SG: outbound ports 80/443 only (updates + SSM traffic)
- IMDSv2 enforced: protects against SSRF credential theft
- Encrypted EBS volumes: data at rest protected by default
- IAM role with SSM policy: principle of least privilege for instance management

ISO/IEC 27001 Annex A mapping:

- A.8.20 Use of cryptography: encrypted EBS volumes
- A.8.28 Secure authentication: IMDSv2 required
- A.8.24 Data leakage prevention: no public IP, egress-only networking
- A.5.23 Cloud security: private subnets, bastionless access via SSM
- A.8.16 Identity & access control: scoped IAM role for SSM access
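The Step 2 controls listed above, written out as one Terraform fragment. This is an added example, not the repository's `modules/compute/private.tf`; the variables `var.vpc_id`, `var.private_subnet_id`, `var.ami_id` and all resource names are assumptions.

```hcl
# Added example, not the repository's code. Assumes var.vpc_id, var.private_subnet_id, var.ami_id exist.
resource "aws_iam_role" "ssm" {
  name = "ec2-ssm-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}
# The only policy Session Manager needs: no SSH key pair, no wider permissions.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_instance_profile" "ssm" {
  name = "ec2-ssm-profile"
  role = aws_iam_role.ssm.name
}

# No ingress block at all; outbound limited to 80/443 (package updates + SSM over TLS).
resource "aws_security_group" "egress_only" {
  name   = "private-ec2-egress-only"
  vpc_id = var.vpc_id
  dynamic "egress" {
    for_each = toset([80, 443])
    content {
      from_port   = egress.value
      to_port     = egress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
}

resource "aws_instance" "private" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_id
  associate_public_ip_address = false # reachable only through SSM, never from the internet
  iam_instance_profile        = aws_iam_instance_profile.ssm.name
  vpc_security_group_ids      = [aws_security_group.egress_only.id]
  # IMDSv2 only: a session-token PUT is required, so a plain SSRF GET cannot read credentials.
  metadata_options {
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
  root_block_device {
    encrypted = true # data at rest encrypted with the account's default EBS KMS key
  }
}
```

After `terraform apply`, `aws ec2 describe-instances` should show `HttpTokens: required` and no `PublicIpAddress`, which is the evidence the Step 2 screenshots are meant to capture.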
## Step 3: Centralized Logging + VPC Endpoints

This step enforces centralized logging, encryption, and private connectivity. It ensures auditability and compliance through VPC Flow Logs, KMS protection, and private VPC Endpoints.
- I can enforce encryption at rest & in transit.
- I can design centralized logging with KMS protection.
- I can configure VPC Endpoints for private-only traffic.
- I can demonstrate compliance mapping with ISO/IEC 27001.
```text
terraform-secure-vpc-ec2/
├── modules/
│   ├── compute/
│   │   └── step3_encryption.tf         # Encrypted EBS volumes
│   └── network/
│       └── step3_endpoints+logging.tf  # VPC Endpoints + Flow Logs
└── docs/screenshots/step3/
```

Security highlights:

- EBS encryption: default + CMK for compliance
- Centralized logging: Flow Logs → S3 (SSE-KMS)
- Private connectivity: SSM & S3 endpoints, no internet traversal
- Scoped Security Group: only HTTPS traffic allowed
- Bastionless management: EC2 via SSM only

ISO/IEC 27001 Annex A mapping:

- A.8.24 Use of cryptography: EBS default encryption, SSE-KMS for logs
- A.8.15 Logging: VPC Flow Logs capture all traffic events
- A.8.16 Monitoring activities: logs delivered to an encrypted S3 bucket with a restricted access policy
- A.8.12 Data leakage prevention: VPC Endpoints restrict traffic paths
- A.5.23 Information security for use of cloud services: private-only design with centralized audit trail
- A.8.16 Identity & access control: IAM role for SSM (least privilege)
- A.8.28 Secure authentication: IMDSv2 enforced
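The Step 3 logging and endpoint controls as one Terraform fragment. This is an added example, not the repository's `step3_endpoints+logging.tf`; it assumes `var.vpc_id`, `var.private_subnet_ids`, `var.private_route_table_id`, `var.endpoint_sg_id` and a CMK `aws_kms_key.logs` are defined elsewhere, and it adds the `ssmmessages` endpoint alongside the SSM and EC2 Messages endpoints named above because Session Manager sessions require all three.

```hcl
# Added example, not the repository's code. Assumes var.vpc_id, var.private_subnet_ids,
# var.private_route_table_id, var.endpoint_sg_id and aws_kms_key.logs exist, and that the
# CMK key policy already allows delivery.logs.amazonaws.com to use the key.
data "aws_region" "current" {}

# Account-wide default: new EBS volumes are encrypted even if a template omits encrypted = true.
resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}
resource "aws_s3_bucket" "flow_logs" {
  bucket = "example-vpc-flow-logs-PLACEHOLDER" # placeholder; bucket names are globally unique
}
# Objects are encrypted with the CMK rather than the S3-managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.logs.arn
    }
  }
}

# ALL (not just ACCEPT) so rejected connections are also part of the audit trail.
resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "s3"
  log_destination      = aws_s3_bucket.flow_logs.arn
}

# Interface endpoints keep SSM traffic inside the VPC; Session Manager needs all three services.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_sg_id] # expected to allow 443 from the instance SG only
  private_dns_enabled = true
}
# Gateway endpoint for S3: attached to the private route table, so log delivery never leaves AWS.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]
}
```

Once applied, the NAT Gateway from Step 2 is no longer on the path for SSM or S3 traffic, which is what the "no internet traversal" claim above rests on.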