Scenario: You're a GRC engineer managing 100+ AWS accounts across multiple regions. Your mission? Enforce compliance with CIS, NIST 800-53, and ISO 27001 — not manually, but through scalable, automated AWS Config rules delivered as code.
This repo demonstrates how to:
- Transform written security controls into auditable AWS Config rules
- Deploy rules using GitHub Actions + CloudFormation
- Automate compliance enforcement across environments with traceability and version control
- ✅ Define a managed AWS Config rule (IAM_PASSWORD_POLICY)
- ✅ Convert it into JSON format with tagging metadata
- ✅ Write a CloudFormation template for reusable deployments
- ✅ Configure GitHub Actions to validate + deploy rules on push
- ✅ Store AWS credentials securely using GitHub Secrets
All AWS Config rules are defined as `.json` files inside the `config-rules/` folder.
The rule is deployed via `templates/config-rule-template.yaml`.
On every Git push to `config-rules/` or `templates/`, GitHub Actions automatically:
- Validates the rule format
- Loads AWS credentials from GitHub Secrets
- Deploys the rule using `aws cloudformation deploy`
| Stage | Description |
|---|---|
| Checkout | Fetches code from the GitHub repository |
| Configure AWS Credentials | Loads secrets into the runner environment |
| CloudFormation Deploy | Applies the config rule using AWS CLI |
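The pipeline above has three moving parts: a rule file, a validation step, and a per-region `aws cloudformation deploy`. The following is an added example, not code from this repo, that shows what the "validate the rule format" and "deploy" steps can look like when the rule is carried as JSON. The page does not show the layout of the files in `config-rules/`, so the keys `RuleName`, `SourceIdentifier`, `InputParameters` and `Tags` are an assumed schema, and the sample rule, the output path `build/iam-password-policy.template.json`, the stack-name prefix and the region list are constructed for the example. The CloudFormation property names for `AWS::Config::ConfigRule` are the real ones; note that this resource type does not take a `Tags` property, so the traceability tags are attached as stack tags on the deploy command instead.

```python
"""Added example (not the repo's own code): validate a rule file and render it
as a CloudFormation template for AWS::Config::ConfigRule.
The rule-file schema (RuleName/SourceIdentifier/InputParameters/Tags) is assumed."""
import json
import shlex

# Constructed sample of a rule file, e.g. config-rules/iam-password-policy.json
SAMPLE_RULE_JSON = """
{
  "RuleName": "cis-1-8-iam-password-policy",
  "Description": "CIS 1.8 / NIST IA-5: enforce the account password policy",
  "SourceIdentifier": "IAM_PASSWORD_POLICY",
  "MaximumExecutionFrequency": "TwentyFour_Hours",
  "InputParameters": {
    "RequireUppercaseCharacters": "true",
    "RequireLowercaseCharacters": "true",
    "RequireSymbols": "true",
    "RequireNumbers": "true",
    "MinimumPasswordLength": "14",
    "PasswordReusePrevention": "24",
    "MaxPasswordAge": "90"
  },
  "Tags": {"Framework": "CIS", "Control": "1.8", "Owner": "grc-team"}
}
"""

# Frequencies AWS Config accepts for periodic rules
VALID_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}

# Parameters the managed rule IAM_PASSWORD_POLICY understands
IAM_PASSWORD_POLICY_PARAMS = {
    "RequireUppercaseCharacters", "RequireLowercaseCharacters", "RequireSymbols",
    "RequireNumbers", "MinimumPasswordLength", "PasswordReusePrevention", "MaxPasswordAge",
}


def load_sample_rule() -> dict:
    """Parse the constructed sample rule file."""
    return json.loads(SAMPLE_RULE_JSON)


def validate_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule file passes validation."""
    errors = []
    for key in ("RuleName", "SourceIdentifier", "InputParameters", "Tags"):
        if key not in rule:
            errors.append(f"missing required key: {key}")
    if errors:
        return errors
    params = rule["InputParameters"]
    if not isinstance(params, dict):
        errors.append("InputParameters must be an object")
    else:
        if rule["SourceIdentifier"] == "IAM_PASSWORD_POLICY":
            for name in sorted(set(params) - IAM_PASSWORD_POLICY_PARAMS):
                errors.append(f"unknown parameter for IAM_PASSWORD_POLICY: {name}")
        # AWS Config expects every parameter value as a string
        for name, value in params.items():
            if not isinstance(value, str):
                errors.append(f"parameter {name} must be a string, got {type(value).__name__}")
    freq = rule.get("MaximumExecutionFrequency", "TwentyFour_Hours")
    if freq not in VALID_FREQUENCIES:
        errors.append(f"invalid MaximumExecutionFrequency: {freq}")
    # Traceability back to the written control is mandatory in this example
    for tag in ("Framework", "Control"):
        if tag not in rule["Tags"]:
            errors.append(f"missing traceability tag: {tag}")
    return errors


def render_template(rule: dict) -> dict:
    """Build a CloudFormation template (JSON form) with one AWS::Config::ConfigRule."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": rule.get("Description", rule["RuleName"]),
        "Resources": {
            "ConfigRule": {
                "Type": "AWS::Config::ConfigRule",
                "Properties": {
                    "ConfigRuleName": rule["RuleName"],
                    "Description": rule.get("Description", ""),
                    "MaximumExecutionFrequency": rule.get("MaximumExecutionFrequency", "TwentyFour_Hours"),
                    "InputParameters": rule["InputParameters"],
                    "Source": {"Owner": "AWS", "SourceIdentifier": rule["SourceIdentifier"]},
                },
            }
        },
        "Outputs": {"ConfigRuleName": {"Value": {"Ref": "ConfigRule"}}},
    }


def deploy_commands(rule: dict, template_path: str, regions: list[str]) -> list[list[str]]:
    """One `aws cloudformation deploy` argv per region; rule tags become stack tags."""
    tags = [f"{k}={v}" for k, v in rule["Tags"].items()]
    return [
        ["aws", "cloudformation", "deploy", "--region", region,
         "--stack-name", f"config-rule-{rule['RuleName']}",  # assumed naming convention
         "--template-file", template_path,
         "--no-fail-on-empty-changeset", "--tags", *tags]
        for region in regions
    ]


if __name__ == "__main__":
    rule = load_sample_rule()
    problems = validate_rule(rule)
    if problems:
        raise SystemExit("\n".join(problems))  # fail the workflow before deploying
    print(json.dumps(render_template(rule), indent=2))
    for argv in deploy_commands(rule, "build/iam-password-policy.template.json", ["us-east-1", "eu-west-1"]):
        print(shlex.join(argv))
```

Run as a script it prints the rendered template and the per-region deploy commands; in a workflow the validation step would run before the credentials are loaded, so a malformed rule file never reaches the deploy stage. Each region gets its own stack because AWS Config rules are regional, which is what makes the deploy step fan out rather than run once.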
- AWS Config (managed rule deployment)
- CloudFormation (parameterized infrastructure as code)
- GitHub Actions (CI/CD automation)
- GitHub Secrets (secure credential handling)
- Compliance-as-Code implementation
- IAM control enforcement
- Multi-region deployment automation