AWS Partner Network (APN) Blog

Strengthen AWS Security Posture with Robust Infrastructure as Code Strategy


By: Aharon Twizer, CEO – ControlMonkey
By: Andreas Rotaru, Solutions Architect – AWS
By: Olushola Oladipupo, Solutions Architect – AWS
By: Ioannis Moustakis, Sr Solutions Architect – AWS

Modern software development teams are increasingly adopting DevOps practices to accelerate development cycles. As organizations recognize security as a shared responsibility, they have evolved to DevSecOps – integrating security practices directly into engineering teams to strengthen their security posture. This approach empowers developers, operations, and security teams to collaborate and take ownership of security throughout the development lifecycle. However, implementing consistent security practices across teams can remain challenging, particularly in establishing clear foundations for all teams to effectively collaborate.

Platform engineering has emerged as a way to standardize tools and best practices across engineering organizations. While development teams benefit from this standardization, security teams still rely heavily on verification reviews and approvals. This creates a bottleneck, with security architects and engineers struggling to match the pace of development.

At AWS, security is the top priority. This blog showcases how ControlMonkey, an AWS Partner solution and end-to-end Infrastructure as Code (IaC) platform for Terraform, OpenTofu, and Terragrunt, helps to automate security workflows. We’ll explore how ControlMonkey enhances AWS Control Tower to automate security workflows across growing multi-account AWS environments.

Tackling DevSecOps Challenges

Traditional quality and security models implement security checks late in the software development lifecycle. Figure 1 shows the “shift left” approach, which addresses this challenge by moving security tasks earlier into the design and implementation phases. While this is a step in the right direction, automated security checks and controls are essential to help make this approach successful. These automated guardrails integrate standardized security practices into engineering processes from the very beginning of a project.

Figure 1 – Shift Left with ControlMonkey and AWS Control Tower

To explore this approach, let’s consider a payment provider that handles credit card data and must comply with the global Payment Card Industry Data Security Standard (PCI DSS).

We’ll first look at how AWS Control Tower provides a foundation for secure, compliant infrastructure. Then we’ll explore how ControlMonkey enhances this foundation by letting teams enable control policies that are evaluated directly within the GitOps review process for IaC changes. ControlMonkey analyzes potential issues before resources are deployed to AWS, helping customers streamline PCI DSS compliance and catch problems early in the development cycle.

How Infrastructure as Code Transforms Security

Infrastructure as Code helps transform security from a manual, error-prone process into an automated, consistent, and auditable practice that scales with your organization. This transformation happens through four key mechanisms:

  • Consistency and Repeatability: IaC verifies that security configurations are applied uniformly across all environments. Instead of relying on manual processes that vary between deployments, security settings are codified and automatically replicated, reducing configuration drift and human error.
  • Version Control and Auditability: Security changes are tracked through version control systems, creating a complete audit trail of who made what changes and when. This visibility is useful for compliance frameworks like PCI DSS.
  • Security as Code: Security policies become an integral part of the development process rather than an afterthought. Teams can embed security guardrails directly into their infrastructure templates, building-in compliance from day one.
  • Immutable Infrastructure: Rather than patching running systems—which introduces risk and complexity—IaC helps teams to rebuild infrastructure from known, secure templates. This approach reduces security issues by ensuring systems are deployed from a trusted, validated baseline.

This shift from reactive security management to proactive, code-driven security helps organizations to scale their security practices alongside their infrastructure growth.

Payment Card Industry Data Security Standard

The PCI DSS is an information security standard established by major credit card companies (American Express, Discover, JCB, MasterCard, and Visa) to protect cardholder data. PCI DSS applies to any organization that stores, processes, or transmits credit card data. AWS Artifact provides documentation showing AWS’s infrastructure compliance, but customers must still demonstrate how their specific implementation meets PCI DSS requirements for their cardholder data environment.

PCI DSS v4.0.1 introduces improvements over v3.2.1, including customized implementation approaches, stronger authentication requirements, and expanded security testing protocols. Both AWS Control Tower and ControlMonkey support PCI DSS v4.0.1, helping customers to maintain compliance with the latest standard.

How AWS Control Tower Establishes Your Security Foundation

AWS operates under a shared responsibility model for security — AWS secures the cloud infrastructure while customers secure their applications and data within the cloud. To help organizations establish this secure foundation at scale, AWS Control Tower provides an orchestrated approach to multi-account governance that directly enforces security objectives.

AWS Control Tower creates a well-architected landing zone that embodies security best practices from day one. Instead of relying on manual security configuration, AWS Control Tower automatically and quickly sets up compliant multi-account environments. This foundation includes several key security capabilities.

AWS Control Tower Controls

AWS Control Tower implements three types of security controls that work together to maintain your security posture:

  • Preventive controls use service control policies (SCPs) to disallow actions that would lead to policy violations—essentially creating guardrails that prevent security misconfigurations before they occur.
  • Detective controls continuously monitor your environment using AWS Config rules, identifying compliance violations and drift from security baselines in near real time.
  • Proactive controls, as shown in figure 2, enforce best practices by validating resources for compliance as they are deployed through AWS CloudFormation.

Figure 2 – AWS Control Tower Proactive Control Example

Automated Account Provisioning with Security Baselines

Through Account Factory, AWS Control Tower provisions new AWS accounts with consistent security configurations. This includes pre-configured logging, monitoring, and access controls that align with compliance frameworks like PCI DSS, reducing the risk of accounts being deployed without proper security foundations.

Centralized Security Monitoring

The AWS Control Tower dashboard provides unified visibility into your organization’s security and compliance status across all accounts. This centralized view allows security teams to quickly identify violations, track remediation efforts, and demonstrate compliance posture to auditors.

Comprehensive Audit Trail

Control Tower automatically configures AWS CloudTrail for comprehensive API logging and AWS Config for resource configuration tracking across all managed accounts. This creates the detailed audit trail important for compliance frameworks and security investigations.

Drift Detection and Prevention

Control Tower continuously monitors for “drift” – any deviation from your established security baselines. When drift is detected, automated alerts notify administrators, enabling rapid remediation before the deviation can be exploited.

AWS Control Tower helps organizations maintain compliance with standards like PCI DSS v4.0 when handling sensitive data, including payment information. However, its proactive controls currently only scan deployments made through AWS CloudFormation. In the next section, we’ll show how ControlMonkey extends this capability to Terraform deployments, enabling proactive governance across both IaC platforms.

How ControlMonkey Enhances Security

ControlMonkey takes a proactive approach to security by integrating guardrails directly into the IaC development process. This shift-left strategy helps prevent issues rather than relying on remediation after deployment. Instead of waiting for manual reviews or post-deployment scans, ControlMonkey flags misconfigurations, compliance concerns, and policy violations as part of its out-of-the-box IaC pipeline, so they can be resolved before code is ever merged or deployed. This not only accelerates release cycles but also helps reduce the cost of fixing security issues later in production.

Proactive PCI-DSS Compliance

Organizations that handle payment card data must comply with PCI-DSS requirements. AWS Control Tower helps establish governance and guardrails at the AWS account level. ControlMonkey provides additional PCI-DSS policy enforcement for Terraform/OpenTofu configurations. The two complement each other: AWS Control Tower manages account-level controls, while ControlMonkey helps maintain PCI-DSS compliance for resources provisioned using Terraform/OpenTofu within those AWS accounts.
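To make the pre-merge policy check concrete, here is an added example (not ControlMonkey’s code or its PCI-DSS policy package) of a gate that reads `terraform show -json` plan output and flags two PCI DSS-style violations before anything is applied. The sample plan, the policy ids, and the two rules are constructed for illustration.

```python
import json

# Constructed sample of `terraform show -json plan.out` output: encrypted DB, unencrypted DB, public SG, a destroy.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_db_instance.cardholder", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"storage_encrypted": True}}},
    {"address": "aws_db_instance.reporting", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"storage_encrypted": False}}},
    {"address": "aws_security_group.db", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 3306, "to_port": 3306, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}},
]})

def unencrypted_storage(after):
    # PCI DSS Requirement 3 (protect stored account data): flag an explicit storage_encrypted = false.
    return after.get("storage_encrypted") is False

def world_open_ingress(after):
    # PCI DSS Requirement 1 (network security controls): no ingress reachable from the whole internet.
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False

# Policy ids are constructed for this example; map Terraform resource type -> (id, check).
RULES = {
    "aws_db_instance": ("PCI-STORAGE-ENCRYPTION", unencrypted_storage),
    "aws_security_group": ("PCI-NO-PUBLIC-INGRESS", world_open_ingress),
}

def evaluate_plan(plan_json):
    """Return [(policy_id, resource_address)] for planned resources that violate a rule."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["delete"]:
            continue  # a pure destroy has no "after" state to validate
        rule = RULES.get(rc["type"])
        if rule and rule[1](change["after"] or {}):
            findings.append((rule[0], rc["address"]))
    return findings

if __name__ == "__main__":
    findings = evaluate_plan(SAMPLE_PLAN)
    for policy, address in findings:
        print(f"FAIL {policy}: {address}")
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the merge/apply step
```

Attributes that Terraform only knows after apply appear under `after_unknown` rather than `after`, so a production gate would also treat unknown encryption settings as findings rather than silently passing them.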

As shown in figure 3, ControlMonkey delivers PCI-DSS compliance as a managed policy package, as part of its broader portfolio of built-in security standards.

Figure 3 – ControlMonkey Control Policies Overview

IaC Risk Index

The IaC Risk Index in ControlMonkey helps DevOps and security teams collaborate effectively by providing a common security metric. The shared metric creates a direct path for cloud and security teams to evaluate and respond to risks. With objective data, teams prioritize actions based on measurable risks rather than subjective opinions. The IaC Risk Index helps identify infrastructure issues in IaC-managed resources and potential security concerns in resources not managed through IaC pipelines. Resources outside IaC pipelines bypass important security validations against policies and compliance requirements. Without proactive monitoring, even moderate issues in these unmanaged resources develop into serious security risks.

As shown in figure 4, organizations use the IaC Risk Index Dashboard to get a comprehensive view of their security posture and increase the percentage of infrastructure validated against security guardrails before deployment. This approach allows engineering teams to take targeted action and provides security teams with measurable validation.

Figure 4 – IaC Risk Index Dashboard

Call to Action

Get started strengthening your cloud security today by visiting the AWS Control Tower documentation to set up your landing zone. Get ControlMonkey through AWS Marketplace to enhance your security controls. The combination of AWS Control Tower and ControlMonkey helps you maintain security and compliance while enabling developer productivity. To learn more about maximizing your cloud governance with ControlMonkey, visit ControlMonkey.io.

ControlMonkey – AWS Partner Spotlight

ControlMonkey is an AWS Specialization Partner and Terraform Operations platform that enables networking and DevOps teams to take a proactive DevOps strategy regarding cloud operations.

Contact ControlMonkey | Partner Overview | AWS Marketplace