```text
██████╗ ███████╗██╗ ██╗███████╗███████╗ ██████╗ ██████╗ ██████╗ ███████╗
██╔══██╗██╔════╝██║ ██║██╔════╝██╔════╝██╔════╝██╔═══██╗██╔══██╗██╔════╝
██║ ██║█████╗ ██║ ██║███████╗█████╗ ██║ ██║ ██║██████╔╝███████╗
██║ ██║██╔══╝ ╚██╗ ██╔╝╚════██║██╔══╝ ██║ ██║ ██║██╔═══╝ ╚════██║
██████╔╝███████╗ ╚████╔╝ ███████║███████╗╚██████╗╚██████╔╝██║ ███████║
╚═════╝ ╚══════╝ ╚═══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚══════╝
██████╗ ███╗ ██╗ █████╗ ██╗ ██╗███████╗
██╔═══██╗████╗ ██║ ██╔══██╗██║ ██║██╔════╝
██║ ██║██╔██╗ ██║ ███████║██║ █╗ ██║███████╗
██║ ██║██║╚██╗██║ ██╔══██║██║███╗██║╚════██║
╚██████╔╝██║ ╚████║ ██║ ██║╚███╔███╔╝███████║
╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝
```
Production-grade DevSecOps platform on AWS — Security-first, compliance-ready, built for financial services
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│ AWS eu-west-1 (Primary Region) │
│ │
│ ┌─────────────────────────── VPC 10.0.0.0/16 ───────────────────────────┐ │
│ │ │ │
│ │ PUBLIC SUBNETS (10.0.1-3.0/24) │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │
│ │ │ ALB / WAF │ │ NAT GW (x3) │ │ Bastion HST │ │ │
│ │ └──────┬───────┘ └──────────────┘ └──────────────┘ │ │
│ │ │ │ │
│ │ PRIVATE SUBNETS (10.0.10-12.0/24) │ │
│ │ ┌──────▼──────────────────────────────────────────────────────────┐ │ │
│ │ │ EKS Cluster v1.29 │ │ │
│ │ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ │ │ │
│ │ │ │ Node AZ-A │ │ Node AZ-B │ │ Node AZ-C │ │ │ │
│ │ │ │ t3.medium │ │ t3.medium │ │ t3.medium │ │ │ │
│ │ │ └──────┬─────┘ └──────┬─────┘ └──────┬─────┘ │ │ │
│ │ │ └───────────────┼───────────────┘ │ │ │
│ │ │ ┌──────────▼──────────┐ │ │ │
│ │ │ │ App Pods + HPA │ │ │ │
│ │ │ │ NetworkPolicy ON │ │ │ │
│ │ │ └─────────────────────┘ │ │ │
│ │ └─────────────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ │ ISOLATED SUBNETS (10.0.20-22.0/24) │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ RDS PostgreSQL │ │ ElastiCache │ │ Secrets Manager │ │ │
│ │ │ Multi-AZ HA │ │ Redis Cluster │ │ KMS Encrypted │ │ │
│ │ └──────────────────┘ └──────────────────┘ └──────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ SECURITY PLANE │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ │GuardDuty │ │ Security │ │ AWS │ │Inspector │ │ Macie │ │
│ │(Threat │ │ Hub │ │ Config │ │ (Vuln │ │ (Data │ │
│ │Detection)│ │(CSPM) │ │(Drift) │ │ Scan) │ │ Discovery) │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────────┘ │
│ │
│ OBSERVABILITY PLANE │
│ ┌──────────┐ ┌──────────┐ ┌──────────────────────┐ ┌──────────────┐ │
│ │Prometheus│ │ Grafana │ │ ELK Stack │ │AlertManager │ │
│ │(Metrics) │ │(Dashbrd) │ │ (Logs/SIEM) │ │(PagerDuty) │ │
│ └──────────┘ └──────────┘ └──────────────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
⬇ DR Replication
┌─────────────────────────────────────────────────────────────────────────────┐
│ AWS eu-central-1 (DR Region) │
│ RDS Read Replica | S3 Cross-Region | Config Aggregator │
└─────────────────────────────────────────────────────────────────────────────┘
```
```text
┌─────────┐ ┌──────────────────────────────────────────────────────────┐
│ Push │───▶│ GitHub Actions Pipeline │
│ / PR │ │ │
└─────────┘ │ 1. TruffleHog ──▶ Secret scanning (blocks on find) │
│ 2. SonarQube ──▶ SAST + code quality (gate: A) │
│ 3. Snyk ──▶ SCA dependency audit (0 critical) │
│ 4. Trivy ──▶ Container image scan (0 critical) │
│ 5. OWASP ZAP ──▶ DAST against staging env │
│ 6. Checkov ──▶ IaC security scan (Terraform) │
│ │
│ ALL GATES PASS ──▶ Deploy to EKS │
│ ANY GATE FAILS ──▶ Pipeline BLOCKED + Slack alert │
└──────────────────────────────────────────────────────────┘
```
```text
devsecops-aws/
├── README.md                      # This file
├── SECURITY.md                    # Security documentation & runbooks
├── .github/
│   └── workflows/
│       ├── ci-security.yml        # Main security pipeline
│       ├── terraform-plan.yml     # Infra PR validation
│       └── deploy.yml             # Deploy to EKS
├── terraform/
│   ├── modules/
│   │   ├── vpc/                   # VPC, subnets, routing, flow logs
│   │   ├── kms/                   # KMS keys per service
│   │   ├── eks/                   # EKS cluster + managed node groups
│   │   ├── rds/                   # RDS PostgreSQL Multi-AZ
│   │   ├── iam/                   # Roles, policies, IRSA
│   │   └── security/              # GuardDuty, Security Hub, Config, Inspector, Macie
│   └── environments/
│       ├── prod/
│       │   ├── main.tf
│       │   ├── variables.tf
│       │   └── terraform.tfvars.example
│       └── demo/
│           ├── main.tf
│           ├── variables.tf
│           └── terraform.tfvars
├── kubernetes/
│   ├── base/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   ├── network-policy.yaml
│   │   └── hpa.yaml
│   └── overlays/
│       ├── prod/
│       └── demo/
├── monitoring/
│   ├── prometheus/
│   ├── grafana/
│   ├── alertmanager/
│   └── elk/
└── scripts/
    ├── setup.sh                   # Prerequisites installer
    ├── deploy-demo.sh             # One-command demo deploy
    └── destroy-demo.sh            # Clean teardown
```
```bash
# 1. Run the automated prerequisites installer
chmod +x scripts/setup.sh && ./scripts/setup.sh

# Required tools (auto-installed by setup.sh):
# - AWS CLI >= 2.13
# - Terraform >= 1.6
# - kubectl >= 1.29
# - Helm >= 3.13
# - jq, git
```

```bash
# ── Step 1: Clone & Configure ──────────────────────────────────────────────
git clone https://github.com/ahmed-devsecops/devsecops-aws.git
cd devsecops-aws

# ── Step 2: AWS Credentials ────────────────────────────────────────────────
aws configure
# Or use AWS SSO:
aws sso login --profile devsecops-demo
export AWS_PROFILE=devsecops-demo

# Verify identity
aws sts get-caller-identity

# ── Step 3: Configure Demo Variables ───────────────────────────────────────
cd terraform/environments/demo
# terraform.tfvars is pre-configured for demo — review and adjust:
cat terraform.tfvars

# ── Step 4: Initialize Terraform ───────────────────────────────────────────
terraform init \
  -backend-config="bucket=devsecops-demo-tfstate" \
  -backend-config="key=demo/terraform.tfstate" \
  -backend-config="region=eu-west-1"

# ── Step 5: Plan & Review ──────────────────────────────────────────────────
terraform plan -var-file=terraform.tfvars -out=demo.tfplan

# ── Step 6: Deploy (~10 minutes) ───────────────────────────────────────────
terraform apply demo.tfplan

# ── Step 7: Configure kubectl ──────────────────────────────────────────────
aws eks update-kubeconfig \
  --region eu-west-1 \
  --name devsecops-demo-eks

# ── Step 8: Deploy Kubernetes Manifests ────────────────────────────────────
cd ../../..   # back to the repository root: the paths below are relative to it
kubectl apply -k kubernetes/overlays/demo/

# ── Step 9: Deploy Monitoring Stack ────────────────────────────────────────
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \
  -f monitoring/prometheus/values-demo.yaml \
  --namespace monitoring --create-namespace

helm upgrade --install grafana grafana/grafana \
  -f monitoring/grafana/values-demo.yaml \
  --namespace monitoring

# ── Step 10: Verify Deployment ─────────────────────────────────────────────
kubectl get pods --all-namespaces
kubectl get svc --all-namespaces

# Access Grafana dashboard (port-forward)
kubectl port-forward -n monitoring svc/grafana 3000:80
# Open: http://localhost:3000 (admin / see Secrets Manager)

echo "✅ Demo environment deployed! Estimated cost: ~\$0.25/hour"
```

```bash
# ── Clean teardown — ALWAYS run after demo ─────────────────────────────────
# Step 1: Remove Kubernetes resources (run from the repository root)
kubectl delete -k kubernetes/overlays/demo/
helm uninstall prometheus -n monitoring
helm uninstall grafana -n monitoring

# Step 2: Destroy infrastructure
cd terraform/environments/demo
terraform destroy -var-file=terraform.tfvars

# Step 3: Verify no resources remain
aws resourcegroupstaggingapi get-resources \
  --tag-filters Key=Environment,Values=demo \
  --query 'ResourceTagMappingList[].ResourceARN'

echo "✅ Demo environment destroyed. Final cost: check AWS Cost Explorer"
```

| Category | Implementation | Standard |
|---|---|---|
| Identity & Access | IAM least-privilege, IRSA for pods, MFA enforced | CIS 1.1x |
| Network Security | VPC isolation, Security Groups, NACLs, K8s NetworkPolicy | PCI-DSS 1.x |
| Encryption at Rest | KMS CMK per service (EBS, RDS, S3, Secrets) | PCI-DSS 3.4 |
| Encryption in Transit | TLS 1.3 everywhere, ACM certificates | PCI-DSS 4.1 |
| Secret Management | AWS Secrets Manager + External Secrets Operator | CIS 1.19 |
| Threat Detection | GuardDuty (ML-based), Security Hub (CSPM) | ISO A.12.6 |
| Vulnerability Mgmt | Inspector (EC2/ECR), Trivy (CI), Snyk (SCA) | ISO A.12.6 |
| Configuration Drift | AWS Config + 40+ managed rules | CIS 3.x |
| Audit Logging | CloudTrail (all regions), VPC Flow Logs, EKS audit | PCI-DSS 10.x |
| Data Discovery | Macie (S3 PII detection) | GDPR / ISO |
| SAST | SonarQube Quality Gate A, security hotspot review | OWASP |
| DAST | OWASP ZAP automated scan in pipeline | OWASP |
| Container Security | Distroless images, non-root, read-only rootfs | CIS K8s |
| Pod Security | Pod Security Standards (Restricted profile) | CIS K8s |
| Observability | Prometheus + Grafana + ELK SIEM | ISO A.12.4 |
| Service | Config | Cost/hr |
|---|---|---|
| EKS Cluster | Control plane | $0.10 |
| EC2 Nodes | 2x t3.small | $0.046 |
| RDS PostgreSQL | db.t3.micro, Single-AZ | $0.034 |
| NAT Gateway | 1x | $0.045 |
| ALB | 1x | $0.008 |
| GuardDuty | On-demand | ~$0.004 |
| Total | | ~$0.25/hr |

💡 Tip: A full demo session (deploy + screenshots + destroy) typically runs 1–2 hours, i.e. about $0.25–$0.50 in total.
| Service | Config | Cost/month |
|---|---|---|
| EKS Cluster | Control plane | $73 |
| EC2 Nodes | 6x t3.medium (Multi-AZ) | $180 |
| RDS PostgreSQL | db.t3.medium, Multi-AZ | $290 |
| NAT Gateways | 3x | $98 |
| GuardDuty | Continuous | ~$60 |
| Security Hub | Continuous | ~$35 |
| Inspector | Continuous | ~$25 |
| Macie | Continuous | ~$20 |
| Estimated Total | | ~$900/month |
```text
terraform/modules/
├── vpc/        # VPC + subnets + routing + flow logs + VPC endpoints
├── kms/        # CMK per service with key rotation + policies
├── eks/        # EKS 1.29 + managed node groups + OIDC + addons
├── rds/        # PostgreSQL 15 + Multi-AZ + encryption + parameter groups
├── iam/        # Roles + policies + IRSA + permission boundaries
└── security/   # GuardDuty + Security Hub + Config + Inspector + Macie
```

Each module follows the pattern:

- `main.tf` — Resources with security justifications in comments
- `variables.tf` — Typed inputs with validation rules
- `outputs.tf` — Minimal surface area outputs
- `versions.tf` — Pinned provider versions

```bash
# Copy the example and fill in your values
cp terraform/environments/prod/terraform.tfvars.example \
   terraform/environments/prod/terraform.tfvars

# NEVER commit terraform.tfvars to git (it's in .gitignore)
```

| Framework | Controls Covered | Status |
|---|---|---|
| CIS AWS Foundations v1.4 | 49/49 | ✅ Compliant |
| PCI-DSS v3.2.1 | 12 Requirements | ✅ Compliant |
| OWASP Top 10 | All 10 categories | ✅ Mitigated |
| ISO 27001:2022 | 93 controls | ✅ Aligned |
- Fork the repository
- Create a feature branch:
  ```bash
  git checkout -b feature/your-feature
  ```
- All PRs must pass the 6-gate security pipeline
- Security issues: see SECURITY.md for responsible disclosure
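A local pre-commit guard for contributors, as an added example that is not part of the repository: it refuses the prod `terraform.tfvars` that the README says must never be committed (the `.example` file and the tracked demo tfvars pass) and gives a fast local preview of the TruffleHog secret gate by rejecting staged files that contain an AWS access key ID pattern. The hook wiring, the function names and the key pattern are assumptions; the pipeline gate remains the authoritative check.

```bash
#!/bin/sh
# Added example, not part of the devsecops-aws repository: a local pre-commit
# guard. It blocks the prod terraform.tfvars (terraform.tfvars.example is fine,
# and the demo tfvars is tracked in the repo tree on purpose) and previews the
# TruffleHog gate by rejecting staged files containing an AWS access key ID.
# The CI pipeline gate stays authoritative; this only fails fast on the laptop.

# 0 if the path may be committed, 1 if it is the live prod tfvars file.
tfvars_allowed() {
  case "$1" in
    */environments/prod/terraform.tfvars.example) return 0 ;;
    */environments/prod/terraform.tfvars)         return 1 ;;
    *)                                            return 0 ;;
  esac
}

# 0 if the file contains no AWS access key ID (AKIA + 16 upper-case
# alphanumerics), 1 if it does. Pattern-based: a preview, not a full scanner.
no_aws_key_in_file() {
  ! grep -Eq 'AKIA[0-9A-Z]{16}' "$1"
}

# Reads one staged path per line from stdin, prints every violation and
# returns 1 if any was found. Wire it up from .git/hooks/pre-commit with:
#   git diff --cached --name-only --diff-filter=ACM | precommit_guard
precommit_guard() {
  rc=0
  while IFS= read -r path; do
    if ! tfvars_allowed "$path"; then
      echo "BLOCKED: $path is git-ignored for a reason; commit only the .example"
      rc=1
    elif [ -f "$path" ] && ! no_aws_key_in_file "$path"; then
      echo "BLOCKED: $path contains what looks like an AWS access key ID"
      rc=1
    fi
  done
  return "$rc"
}
```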
MIT License — see LICENSE for details.
Built with ❤️ for financial-grade security
If this project helped you, consider giving it a ⭐