
Runc9/aws-config-rule-cicd-for-multi-region-grc

Automate AWS Config rule deployment across multi-region, multi-account environments using GitHub Actions and CloudFormation, built for CIS/NIST/ISO compliance.

🔐 Compliance-as-Code: Multi-Account AWS Config Rule Deployment (GRC Engineering Lab)

Framework: NIST 800-53, CIS Benchmarks (plus Status, Type and Deploy Workflow badges)


1. 🧠 Overview

Scenario: You're a GRC engineer managing 100+ AWS accounts across multiple regions. Your mission? Enforce compliance with CIS, NIST 800-53, and ISO 27001, not manually but through scalable, automated AWS Config rules delivered as code.

This repo demonstrates how to:

  • Transform written security controls into auditable AWS Config rules
  • Deploy rules using GitHub Actions + CloudFormation
  • Automate compliance enforcement across environments with traceability and version control

2. 🧩 Architecture Diagram

(Architecture diagram image)


3. 🎯 Lab Objectives

  • ✅ Define a managed AWS Config rule (IAM_PASSWORD_POLICY)
  • ✅ Convert it into JSON format with tagging metadata
  • ✅ Write a CloudFormation template for reusable deployments
  • ✅ Configure GitHub Actions to validate + deploy rules on push
  • ✅ Store AWS credentials securely using GitHub Secrets

5. How It Works

All AWS Config rules are defined as .json files inside the config-rules/ folder.

The rule is deployed via templates/config-rule-template.yaml.

On every Git push to config-rules/ or templates/, GitHub Actions automatically:

  • Validates the rule format
  • Loads AWS credentials from GitHub Secrets
  • Deploys the rule using aws cloudformation deploy
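As an added example (not code from this repository), a validator for the "Validates the rule format" step: it checks one rule file against the input parameters AWS documents for the IAM_PASSWORD_POLICY managed rule, checks the tagging metadata, and builds the parameter overrides for aws cloudformation deploy. The rule-file layout, the tag keys (Framework, Control) and the template parameter names (RuleName, InputParameters) are assumptions, not the repo's own schema.

```python
import json

# Input parameters AWS documents for the IAM_PASSWORD_POLICY managed rule.
MANAGED_RULE_PARAMS = {
    "IAM_PASSWORD_POLICY": {
        "RequireUppercaseCharacters", "RequireLowercaseCharacters", "RequireSymbols",
        "RequireNumbers", "MinimumPasswordLength", "PasswordReusePrevention", "MaxPasswordAge",
    },
}
REQUIRED_TAGS = {"Framework", "Control"}  # assumed tagging metadata keys

# Constructed sample of a config-rules/*.json file (layout assumed, not the repo's schema).
SAMPLE_RULE = json.dumps({
    "ConfigRuleName": "cis-iam-password-policy",
    "SourceIdentifier": "IAM_PASSWORD_POLICY",
    "InputParameters": {"MinimumPasswordLength": "14", "PasswordReusePrevention": "24"},
    "Tags": {"Framework": "CIS", "Control": "1.8"},
})


def validate_rule(text):
    """Return a list of problems; an empty list means the file may be deployed."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing key {k}" for k in
                ("ConfigRuleName", "SourceIdentifier", "InputParameters", "Tags") if k not in rule]
    ident = rule.get("SourceIdentifier")
    allowed = MANAGED_RULE_PARAMS.get(ident)
    if allowed is None:
        problems.append(f"unknown managed rule identifier {ident!r}")
    else:
        for name, value in rule.get("InputParameters", {}).items():
            if name not in allowed:
                problems.append(f"parameter {name} is not accepted by {ident}")
            elif not isinstance(value, (str, int, bool)):
                problems.append(f"parameter {name} must be a scalar value")
    missing = REQUIRED_TAGS - set(rule.get("Tags", {}))
    if missing:
        problems.append("missing tags: " + ", ".join(sorted(missing)))
    return problems


def parameter_overrides(text):
    """Build argv for `aws cloudformation deploy --parameter-overrides`.
    Template parameter names RuleName and InputParameters are assumed."""
    rule = json.loads(text)
    return ["--parameter-overrides", f"RuleName={rule['ConfigRuleName']}",
            "InputParameters=" + json.dumps(rule["InputParameters"], separators=(",", ":"))]
```

Running validate_rule in the workflow before the deploy step stops a typo in a parameter name or a missing compliance tag from reaching CloudFormation, which would otherwise surface only as a failed stack update or an untraceable rule.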

6. CI/CD Pipeline (GitHub Actions)

Stages of the workflow:

  • Checkout: fetches code from the GitHub repository
  • Configure AWS Credentials: loads secrets into the runner environment
  • CloudFormation Deploy: applies the Config rule using the AWS CLI

7. Skills Demonstrated

  • AWS Config (managed rule deployment)
  • CloudFormation (parameterized infrastructure as code)
  • GitHub Actions (CI/CD automation)
  • GitHub Secrets (secure credential handling)
  • Compliance-as-Code implementation
  • IAM control enforcement
  • Multi-region deployment automation

8. Resources
