Day 21 – AWS Policy and Governance using Terraform | #30DaysOfAWSTerraform
🔐 Day 21 – AWS Policy and Governance using Terraform #30DaysOfAWSTerraform – Mini Project 7
I’m a Cloud & DevOps Engineer passionate about building reliable, scalable, and automated cloud infrastructures. I work extensively with AWS, Kubernetes, Terraform, Docker, and CI/CD pipelines to deliver production-ready environments.
My journey started in technical troubleshooting, where I gained strong root-cause analysis and system diagnostic skills. Transitioning into cloud engineering, I have built 3-tier microservices architectures, automated VPCs using Terraform, and containerized legacy applications for performance and portability.
I enjoy solving real-world problems, optimizing cloud cost and performance, and creating automated workflows that reduce manual effort. I’m continuously learning and applying best practices in DevOps, IaC, and cloud security.
Core Skills: AWS • Kubernetes • Docker • Terraform • CI/CD • Linux • Networking • Monitoring • Automation • Troubleshooting
Looking For: Cloud Engineer | DevOps Engineer | SRE (Junior/Mid-level) roles where I can build, automate, and scale cloud workloads.
Day 21 of the #30DaysOfAWSTerraform challenge introduced one of the most critical but often ignored areas seen in real cloud environments — Policy and Governance.
Until now, most of my learning focused on creating infrastructure.
But Day 21 made me realize something important:
Building infrastructure is easy.
Protecting and governing it is what really matters in production.
🎯 Objective of Day 21
The goal of this mini project was to implement AWS Policy Creation and Governance using Terraform, focusing on:
Security enforcement using IAM policies
Continuous compliance monitoring using AWS Config
S3 security best practices
Resource tagging standards
Automated detection of misconfigurations
This project demonstrates how governance can be implemented as code, instead of relying on manual checks or trust.
🧠 Why Policy & Governance is Important
In real-world AWS environments:
Multiple engineers work on the same account
Accidental deletions happen
Resources are created without encryption
Tags are often forgotten
Security rules drift over time
Without governance:
Security incidents increase
Audits become painful
Cost tracking becomes impossible
👉 Day 21 exists to solve these exact problems.
🏗️ Project Structure
The project is organized in a clean and readable way:
day21/
├── provider.tf # AWS provider configuration
├── variables.tf # Input variables
├── main.tf # Secure S3 bucket and shared resources
├── iam.tf # IAM policies and demo user
├── config.tf # AWS Config setup and rules
├── outputs.tf # Output values
└── README.md # Documentation
Each file has a clear responsibility, making the project easy to understand and maintain.
🔐 IAM Policies – Preventing Bad Actions
IAM policies form the first layer of governance.
They prevent violations before they happen.
IAM Policies implemented:
1️⃣ MFA Delete Policy
Denies S3 object deletion unless MFA is enabled
Protects against accidental or malicious deletes
Even users with permissions cannot bypass this rule
2️⃣ S3 Encryption in Transit Policy
Denies S3 access if HTTPS is not used
Enforces secure communication (TLS)
Prevents data interception
3️⃣ Required Tags Policy
Enforces mandatory tags like
EnvironmentandOwnerPrevents resource creation without governance metadata
Enables cost tracking and ownership clarity
4️⃣ Demo IAM User
A sample IAM user is created
Policies are attached to demonstrate enforcement
Helps simulate real-world access restrictions
👉 These policies demonstrate least privilege and defensive security using Terraform.
🛡️ AWS Config – Continuous Compliance Monitoring
IAM policies alone are not enough.
Some misconfigurations:
Already exist
Happen over time
Cannot be blocked at creation
This is where AWS Config comes in.
AWS Config provides continuous monitoring of AWS resources and evaluates them against predefined rules.
📏 AWS Config Rules Configured
This project sets up 7 AWS Config rules:
S3 Public Write Prohibited
S3 Public Read Prohibited
S3 Encryption Enabled
EBS Volumes Encrypted
Required Tags (Environment & Owner)
IAM Password Policy Enabled
Root Account MFA Enabled
Each rule automatically checks resources and marks them as:
✅ Compliant
❌ Non-Compliant
No manual auditing required.
🪣 S3 – Audit & Evidence Storage
AWS Config requires an S3 bucket to store:
Configuration snapshots
Compliance history
Resource change logs
S3 Security Best Practices Applied:
Server-side encryption enabled
Versioning enabled
Public access fully blocked
Force destroy enabled (lab cleanup)
This ensures that governance data itself is secure and auditable.
🔁 End-to-End Governance Flow
Here’s how everything works together:
User attempts an AWS action
IAM policies prevent bad actions
Resource state is recorded
AWS Config evaluates compliance
Results are stored in S3
Violations are visible in AWS Config dashboard
This creates a defense-in-depth governance model.
💡 Key Learnings from Day 21
Governance must be automated, not manual
IAM prevents bad actions, AWS Config detects bad states
Policy as Code improves security and consistency
Tagging is a governance requirement, not optional
Compliance should be continuous, not periodic
🏁 Final Thoughts
Day 21 shifted my mindset from:
“How do I create resources?”
to:
“How do I protect, control, and govern cloud environments?”
This is exactly how enterprise AWS environments acknowledge security, compliance, and accountability.
🎥 Day 09 Video ( link )
🔗 GitHub Repository
👉 https://github.com/nazeer-s-cloud/Terraform-Full-Course-Aws/tree/main/lessons/day21
🏷️ Hashtags
#aws #30DaysOfAWSTerraform #30dayterraformchallenge #Terraform #AWS #CloudSecurity #IAM #AWSConfig #Governance #InfrastructureAsCode #LearningInPublic
