Using generative AI for proactive IaC code generation that’s compliant with service control policies using Amazon Bedrock

As organizations scale their use of Amazon Web Services (AWS), managing cloud infrastructure through infrastructure as code (IaC) becomes essential for consistency, automation, and speed. However, making sure that the IaC templates strictly adhere with organizational service control policies (SCPs) remains a major challenge, especially in environments with complex account structures and evolving governance requirements.

Manually validating IaC templates against SCPs is time-consuming and error prone. Developers might unknowingly attempt to deploy resources or use services restricted by SCPs, leading to deployment failures, increased troubleshooting time, and compliance risks. Security and system teams are then burdened with post-deployment reviews and remediation, which slows down innovation and increases operational overhead.

In this post, we explore how you can use generative AI to automate and enhance the creation of SCP-compliant IaC. For this, we’ve used Amazon Bedrock, AWS Lambda functions, and foundation models in our solution. By combining these technologies, you can establish a proactive workflow that makes sure IaC is generated as required by your organizations policies before deployment. This post demonstrate how this generative AI-powered approach can help you to generate IaC that’s compliance-aligned with your organization’s standard SCP.

Understanding SCP compliance requirements

AWS SCPs help you enforce security, access, and cost controls across the AWS accounts in your environment. As teams increasingly rely on IaC for automating cloud infrastructure deployments, making sure that this code aligns with SCPs has become essential. However, manual validation of IaC templates is time-consuming and often happens too late, increasing the risk of non-compliant deployments and rework.

Our solution integrates SCP awareness directly into the IaC generation process using Amazon Bedrock and generative AI. By validating infrastructure requirements against organizational policies at the start, this approach helps developers create compliance-aligned IaC templates, saving time, reducing risk, and maintaining governance at scale.

Solution overview

This solution enables automated generation of SCP-compliant IaC using generative AI capabilities through Amazon Bedrock. It uses foundation models for creating IaC that adheres to organizational policies and compliance requirements, streamlining the development process while helping to ensure that governance standards are maintained.

The architecture is designed with a secure-by-design approach. To help ensure that only authorized developers can generate code, the system is protected by Amazon Cognito for identity management and AWS WAF to safeguard the API endpoints from malicious traffic and distributed denial of service (DDoS) attacks.

The workflow starts with a user authenticating through Amazon Cognito. After being authorized, the user submits infrastructure requirements using natural language prompts to Amazon API Gateway. Requests are validated by an Amazon Cognito authorizer and filtered by AWS WAF before being transferred to a Lambda function.

The Lambda function reads the context from a dynamic Amazon Simple Storage Service (Amazon S3) knowledge base, which is automatically synchronized in real-time with your organization’s SCP lifecycle (including creation and deletion of policies). It then enriches the user’s prompt with this governance context and sends it to the Amazon Bedrock foundation model. Additionally, the solution implements Amazon Bedrock Guardrails to help ensure that the generated output adheres to responsible AI standards such as blocking sensitive data like personally identifiable information (PII) and facilitating topic relevancy.

The Amazon Bedrock foundation model understands and processes user requirements while maintaining context about organizational policies and compliance needs, returning the compliance aligned IaC template to the user through API Gateway.

By implementing this architecture, you can help ensure that the generated infrastructure code conforms with organizational SCPs, security and governance requirements are met proactively, development teams receive immediate feedback on policy compliance, and infrastructure deployments adhere to organizational standards.

Prerequisites

To deploy this solution, you need to have the following prerequisites in place:

• AWS Organizations with SCPs enabled
• Model access for Amazon Nova Lite
• Terraform CLI installed (v1.11 or later)
• Two S3 buckets for the SCP knowledge base and Lambda deployment packages respectively
• An Amazon Virtual Private Cloud (Amazon VPC) with a private subnet and associated route table
• An AWS Key Management Service (AWS KMS) key for encryption

Solution deployment

Use the following steps to deploy the solution using a sample application.

1. Clone the repository.

git clone https://github.com/aws-samples/sample-for-ai-generated-iac-code-according-to-scp.git

2. Navigate to the project database directory.

cd sample-for-ai-generated-iac-code-according-to-scp

3. Initialize Terraform.

terraform init

4. Run the Terraform plan command to view the list of resources that this solution will create.

terraform plan

5. Run the Terraform apply command. The flag --auto-approve is optional. If you don’t use that, you will be prompted to manually enter a confirmation.

terraform apply --auto-approve

Solution workflow

This solution, shown in the following diagram, automates the generation of SCP-compliant IaC by using AWS services and the Amazon Bedrock foundation models. The solution seamlessly integrates policy capture, context generation, and AI-powered code creation to help ensure that infrastructure deployments align with organizational requirements.

1. SCP creation: Organizations create SCPs based on security and compliance requirements. These foundational governance tools are implemented at the Organizations level to help enforce standards across the enterprise environment.
2. CloudTrail event logging: When SCPs are created or modified, AWS CloudTrail automatically captures these changes in detailed event logs, which can be viewed in the AWS Management Console for CloudTrail, as shown in the following screenshot. These logs serve as a comprehensive record, containing both the policy content and essential metadata that will be used for context generation later in the workflow.

3. EventBridge filtering: Custom Amazon EventBridge rules will actively monitor and capture CloudTrail events specifically related to SCP changes. These rules facilitate precise filtering and routing of relevant policy modifications to the extractor Lambda function, maintaining an efficient flow of information.
4. Lambda extraction: The extractor Lambda function processes incoming events to isolate and extract critical policy content and requirements. This processed information is then stored in Amazon S3, establishing a reliable and accessible data source for context generation. It can be accessed using the Amazon CloudWatch console, as shown in the following screenshot.

5. Developer request: Developers interface with the system through natural language prompts, specifying their infrastructure requirements. These intuitive requests detail the desired AWS resources and configurations, initiating the intelligent code generation process.
6. Request processing: API Gateway serves as the primary entry point for developer interactions, receiving and routing requests appropriately. Each request is forwarded to the context-generating Lambda function, facilitating consistent request handling and processing.

7. Context generation: The context-generating Lambda function analyzes incoming requests against the stored SCP database with precision. By combining user requirements with policy constraints, it creates an enhanced context that facilitates compliance alignment from the initial design phase.
8. Data source analysis: Through methodical searching of the Amazon S3 data source, the Lambda function identifies and extracts relevant policy information. This comprehensive analysis helps ensure that the applicable constraints and requirements for the requested resource type are properly considered.
9. Foundation model processing: The enhanced request, enriched with proper context and constraints, is transmitted to the Amazon Bedrock foundation model. This carefully crafted request helps ensure that the model has complete information about both technical requirements and policy constraints.
10. AI response generation: The foundation model processes the enhanced context to generate compliance aligned IaC. This intelligent generation process incorporates the specified requirements while facilitating adherence to organizational policies.
11. Response delivery: The context-generating Lambda function performs final validation and formatting of the generated code. The resulting compliance aligned IaC is then securely returned to the developer through API Gateway.
12. Output presentation: The system delivers clear, actionable output to developers, including both compliance aligned infrastructure code and detailed explanations, as shown in the following screenshot. This comprehensive output package helps ensure that developers understand the policy-mandated configurations and requirements.

13. Resource deployment: Developers can confidently implement the generated IaC in their AWS environments. This final step results in the creation of compliance aligned resources that align with organizational SCPs and governance requirements.

The end-to-end workflow demonstrates how you can use AI capabilities to streamline your infrastructure deployment process while maintaining strict compliance alignment with your organizations SCPs. This automated approach accelerates development and facilitates consistent application of security and governance standards across infrastructure deployments.

Clean up

Use the following steps to clean up the infrastructure created for this solution. The solution can be built, updated, or modified using a variety of DevOps tools or procedures. To clean up the infrastructure:

1. Empty the data source S3 bucket.
2. Navigate into the project base directory.

cd sample-for-ai-generated-iac-code-according-to-scp

3. The flag --auto-approve is optional. If you don’t use that, you will be prompted to enter a confirmation manually.

terraform destroy --auto-approve

Conclusion

Using this generative AI solution provides a practical way to simplify and accelerate IaC development while staying aligned with SCPs. By using automated policy validation and generating compliance aligned templates from the start, this approach helps reduce manual effort, speed up deployments, and minimize risk. As organizational policies and cloud services continue to evolve, this flexible architecture can give teams a future-ready path to maintain strong governance without slowing innovation.

Additional resources

To learn more about the underlying services and best practices, see the following resources::

• Amazon Bedrock documentation – Learn how to build generative AI applications using foundation models with built-in security and governance controls.
• AWS Organizations and SCPs – Understand how SCPs help enforce security and compliance guardrails across AWS accounts.
• IaC best practices – Guidance on designing scalable, repeatable, and secure infrastructure using tools such as Terraform.
• AWS Well-Architected Framework Security Pillar – Best practices for implementing preventive controls and governance at scale.
• Responsible AI and guardrails in Amazon Bedrock – Learn how to apply content filtering, topic restrictions, and data protection when building generative AI-powered workflows.

About the authors

Chintamani Aphale is a Delivery consultant in AI/ML work stream with experience in domains such as analytics, infrastructure, development and performance. He focuses on automating complex scenarios with AI and analytics capabilities with enhanced security and helping customer to achieve their AI/ML goals. Outside of work, he enjoys playing chess and football and spend time in gardening

Ishwar Chauthaiwale is a Lead Consultant – DevOps at Amazon Web Services with over 9 years of experience architecting and operating large-scale, secure cloud platforms. He specializes in DevOps, Kubernetes, advanced automation, and enterprise Generative AI and Agentic AI architectures on AWS. Ishwar works closely with customers to modernize complex environments, design resilient and scalable cloud and AI platforms, and implement production-ready solutions that accelerate cloud adoption and drive sustained operational excellence.

Urbija Goswami is an Associate Delivery Consultant at Amazon Web Services with over 1.5 years of experience. She specializes in DevOps and her technical expertise spans Kubernetes orchestration, CI/CD implementation , Infrastructure as Code (IaC), containerization, and advanced automation solutions. When she’s not working, she likes to tend to her plants, read and dabble in writing.