A step-by-step guide for AWS EC2 provisioning using Terraform: EC2 and Compliance — Part 11

Joel Wembo
5 min read · Jun 25, 2024


Automating EC2 Deployment with Security and Compliance in Terraform

Compliance responsibility for Amazon EC2 is shared: AWS is responsible for the security of the underlying infrastructure, while you are responsible for what runs on the instance, its network exposure, patching, and access control. How much of that matters depends on data sensitivity, company objectives, and the regulations that apply to you. Not all AWS services are HIPAA-eligible (Amazon EC2 is; check the other services in your design). To enhance security, follow the principle of least privilege and enable AWS Config so that configuration changes are recorded and evaluated against best-practice rules.

To keep reading time manageable, this handbook is divided into chapters and split into parts. Part 1, “A step-by-step guide for AWS EC2 provisioning using Terraform: HA, ALB, VPC, and Route53 — Part 1”, Part 2, “A step-by-step guide for AWS EC2 provisioning using Terraform: HA, CloudFront, WAF, and SSL Certificate — Part 2”, and Part 3, “A step-by-step guide for AWS EC2 provisioning using Terraform: Cloud Cost Optimization, AWS EC2 Spot Instances — Part 3”, are covered in separate articles. The next chapter, “A step-by-step guide for AWS EC2 provisioning using Terraform: Azure and AWS VPN Site-to-site Connection for EC2 (multi-cloud) using Terraform — Part 13”, will be published in the next post in a few days, with more to follow!

Here are some compliance frameworks relevant to Amazon EC2:

  1. AWS Foundational Security Best Practices: AWS’s own set of foundational security controls and best practices for its services, including EC2.
  2. ABS Cloud Computing Implementation Guide: guidance from the Association of Banks in Singapore on secure cloud adoption, with controls that apply to EC2.
  3. Australian Prudential Regulation Authority (APRA) CPG 234: APRA’s guidelines for managing information security risk, which apply to EC2 instances.
  4. Canadian Centre for Cyber Security (CCCS): the CCCS cloud control profile includes controls for monitoring and securing EC2 instances.
  5. Federal Risk and Authorization Management Program (FedRAMP): both the Low and Moderate baselines address EC2 security and monitoring requirements.
  6. National Institute of Standards and Technology (NIST): NIST guidelines (for example SP 800-53) map to security controls for EC2 and other AWS services.
  7. Payment Card Industry Security Standards Council (PCI): PCI DSS requirements apply to EC2 instances that store, process, or transmit cardholder data.
  8. International Organization for Standardization (ISO): ISO standards (for example ISO/IEC 27001) can be used to assess EC2 security practices.

Terraform allows you to automate the provisioning and management of AWS resources, including EC2 instances. Here’s a step-by-step guide to get you started, with a focus on compliance:

Create the Terraform Configuration File (main.tf) in your project directory, then run terraform init there to initialize the project and download the AWS provider:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS provider
provider "aws" {
  region = "us-east-1" # Update with your desired region
}

# Enforce Compliance with Security Groups
resource "aws_security_group" "web_server_sg" {
  name        = "web_server_security_group"
  description = "Web server ingress/egress (tighten before production)"

  ingress {
    description = "HTTP from anywhere (demo only)"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # Restrict access later
  }

  egress {
    description = "All outbound (demo only)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # Restrict outbound traffic later
  }
}

# Define the EC2 Instance resource and attach the security group to it.
# The AWS provider has no separate "attachment" resource for security
# groups; the association is made with vpc_security_group_ids on the instance.
resource "aws_instance" "web_server" {
  ami                    = "ami-0e3822b7f00327221" # Update with desired AMI ID
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.web_server_sg.id]

  # Encrypt the root volume at rest (uses the account's default EBS KMS key)
  root_block_device {
    encrypted = true
  }

  # Require IMDSv2 so instance credentials cannot be read with a plain GET
  metadata_options {
    http_tokens = "required"
  }

  tags = {
    Name = "web_server"
  }
}

Explanation:

  • The terraform block pins the AWS provider to the 5.x series so that a plan made today still applies the same way later.
  • The aws_security_group resource creates the security group; its rules are deliberately open for demonstration (HTTP from anywhere, all outbound) and are tightened in the next step.
  • The aws_instance resource defines the EC2 instance (web_server) with a specific AMI ID and instance type, and attaches the security group through vpc_security_group_ids. It also turns on two settings that most of the frameworks above expect: an encrypted root volume and IMDSv2-only metadata access.

Refine Security Groups for Compliance:

  • Replace the 0.0.0.0/0 ingress with the specific IP ranges, or the security group of the load balancer, that actually need to reach port 80.
  • Replace the allow-all egress with rules that permit only the destinations the workload needs (for example HTTPS to your VPC endpoints and to S3), as your compliance requirements dictate.
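As an added example that is not part of the original article, here is the web_server_sg security group with the two demo rules replaced by least-privilege ones, written with the provider’s standalone rule resources so that each rule carries a description and can be changed on its own. The vpc_id and admin_cidrs variables, the 203.0.113.0/24 default, and the hardcoded region in the S3 prefix-list name are assumptions for illustration; in a deployment fronted by the ALB from Part 1 you would use referenced_security_group_id with the ALB’s security group instead of CIDRs.

```hcl
# Added example: the web server security group with its demo rules tightened.
# vpc_id, admin_cidrs, the default CIDR and the region in the prefix-list
# name are assumptions; replace them with your own values.

variable "vpc_id" {
  description = "VPC the web server lives in (assumed)"
  type        = string
}

variable "admin_cidrs" {
  description = "Networks allowed to reach the web server on port 80 (assumed)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # TEST-NET-3 documentation range; replace it
}

data "aws_vpc" "selected" {
  id = var.vpc_id
}

# AWS-managed prefix list for S3, so the instance can reach S3 through the
# gateway endpoint without an outbound rule to 0.0.0.0/0
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.us-east-1.s3" # must match the provider region
}

resource "aws_security_group" "web_server_sg" {
  name        = "web_server_security_group"
  description = "Least-privilege rules for the web server"
  vpc_id      = var.vpc_id
  # No inline ingress/egress blocks: the rules are the separate resources
  # below, which also means the provider drops AWS's default allow-all egress.
}

# Inbound: HTTP only from the listed networks, one rule per CIDR
resource "aws_vpc_security_group_ingress_rule" "http_from_admin" {
  for_each          = toset(var.admin_cidrs)
  security_group_id = aws_security_group.web_server_sg.id
  description       = "HTTP from ${each.value}"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_ipv4         = each.value
}

# Outbound: HTTPS to resources inside the VPC (for example interface endpoints)
resource "aws_vpc_security_group_egress_rule" "https_to_vpc" {
  security_group_id = aws_security_group.web_server_sg.id
  description       = "HTTPS to VPC resources"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = data.aws_vpc.selected.cidr_block
}

# Outbound: HTTPS to S3 only, via its managed prefix list (patches, artifacts)
resource "aws_vpc_security_group_egress_rule" "https_to_s3" {
  security_group_id = aws_security_group.web_server_sg.id
  description       = "HTTPS to S3 gateway endpoint"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
}
```

Two things to keep in mind: the standalone rule resources and inline ingress/egress blocks must not be mixed on the same security group, or Terraform will keep reverting one set to satisfy the other; and because no egress rule here names 0.0.0.0/0, anything not listed (outbound SSH, package mirrors on the public internet) is blocked until you add a rule for it, which is the point of doing it this way.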

Plan and Apply the Configuration:

  • Run terraform plan to preview the changes Terraform will make.
  • Review the plan carefully: confirm that no security group rule still allows 0.0.0.0/0 unless you intend it, and that the instance is attached to the security group you expect.
  • If satisfied, run terraform apply to provision the EC2 instance with the defined security configuration.

Additional Considerations for Compliance:

  • Compliance Standards: identify the standards (e.g., PCI DSS, HIPAA) that apply to your EC2 instance and tailor the configuration accordingly.
  • Security Best Practices: implement encryption at rest and in transit, and restrict who can administer the instance through IAM rather than shared credentials.
  • State Management: keep the Terraform state in a remote backend that is encrypted, versioned and locked, because state contains resource IDs, addresses and any secrets the providers return; keep the configuration itself in version control.
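State management, as an added example that is not part of the original article: a small bootstrap module that creates an encrypted, versioned, private S3 bucket and a DynamoDB lock table, and the backend block that points the EC2 project at them. The bucket name, table name and region are assumptions; the bucket name in particular must be globally unique.

```hcl
############################################################
# bootstrap.tf  (separate root module; apply it once with
# local state before any project points its backend here)
############################################################

# Customer-managed key for state objects, rotated yearly by AWS
resource "aws_kms_key" "state" {
  description         = "Encrypts Terraform state objects"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "state" {
  bucket = "example-org-terraform-state" # assumed name; must be globally unique
}

# Keep old versions so a bad apply can be rolled back to the previous state
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt every object with the customer-managed key by default
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.state.arn
    }
    bucket_key_enabled = true
  }
}

# State holds instance IDs, IPs and whatever secrets providers return: never public
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table so two applies cannot write the same state at the same time
resource "aws_dynamodb_table" "lock" {
  name         = "terraform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

############################################################
# backend.tf  (in the EC2 project from this article)
############################################################

terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state"      # assumed, created above
    key            = "ec2/web_server/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                               # SSE on every state write
    dynamodb_table = "terraform-state-lock"             # assumed, created above
  }
}
```

The bootstrap module has to be applied with local state because the bucket it creates does not exist yet; once it does, run terraform init in the EC2 project and Terraform will offer to migrate the existing local state into the bucket. Recent Terraform releases can lock state with a lock file in S3 itself (use_lockfile) instead of DynamoDB; the DynamoDB table is shown here because it works across the provider versions this series uses.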

This guide provides a starting point for provisioning EC2 instances with Terraform while emphasizing the importance of security configuration for compliance. Remember to customize the configuration based on your specific requirements and compliance needs.

Update: once you are done with this tutorial, you might want to check the follow-up tutorial, published in a few days: A step-by-step guide for AWS EC2 provisioning using Terraform: VPN, VPC peering, Site-to-site Connection, tunnels, AWS VPN, Azure VPN client & Gateway (multi-cloud) using Terraform — Part 12


Thank you for reading! 🙌🏻 Don’t forget to subscribe and give it a CLAP 👏. If you found this article useful, contact me or feel free to sponsor me to produce more public content. See you in the next article. 🤘

About me

I am Joel Wembo, AWS Certified Solutions Architect, back-end developer, and AWS Community Builder. I’m based in the Philippines 🇵🇭 and currently working at prodxcloud as a DevOps & Cloud Architect. I bring a combination of expertise in cloud architecture, DevOps practices, and a deep understanding of high availability (HA) principles, and I use it to create robust, scalable cloud applications with open-source tools for efficient enterprise deployments.

I’m looking to collaborate on AWS CDK, AWS SAM, DevOps CI/CD, Serverless Framework, CloudFormation, Terraform, Kubernetes, TypeScript, GitHub Actions, PostgreSQL, and Django.

For more information about the author (Joel O. Wembo), see the profile link below.


Joel Wembo

I am a Cloud Solutions Architect at prodxcloud. Expert in AWS, AWS CDK, EKS, Serverless Computing and Terraform. https://www.linkedin.com/in/joelotepawembo