This repository contains a set of scripts designed to automate the generation of security requirements and secure Terraform modules for AWS services (supporting blog post can be found here). The process is broken down into four main scripts, each with specific roles in parsing, consolidating, and implementing security rules for AWS environments.
- checkov-requirements.py - Parses and standardizes security requirements from Checkov.
- prowler-requirements.py - Parses and standardizes security requirements from Prowler.
- requirements-generator.py - Uses an LLM to consolidate and enhance security requirements.
- terraform-creator.py - Uses an LLM to generate Terraform modules based on consolidated requirements or custom input.
- Purpose: This script extracts security requirements from Checkov, processes them, and outputs them in a standardized JSON format for each AWS service.
- Input: A manually created spreadsheet with Checkov rules. The spreadsheet was created by copying Checkov's requirements from Checkov's Policy Index into Excel, then editing to focus on commonly used AWS services.
- Output: A JSON file,
security-reqs.json, for each AWS service undercheckov-rules/.
Process:
- The script reads the modified Checkov spreadsheet, which contains requirements relevant to specific AWS services.
- For each service, a
security-reqs.jsonfile is created, containing the standardized security requirements.
- Purpose: This script collects and organizes security requirements from Prowler. After cloning the Prowler repository, some services were excluded to keep the focus on commonly used services.
- Input: Security rules from the Prowler repository.
- Output: A JSON file,
security-reqs.json, for each AWS service underprowler-rules/.
Process:
- The script iterates through Prowler's service-specific folders and collects security rules.
- For each service, a
security-reqs.jsonfile is generated in a standardized format for easy integration in later steps.
- Purpose: This script processes and consolidates requirements from Checkov and Prowler with the help of Anthropic's Claude 3.5 Sonnet model. The LLM enhances the initial requirements and structures them in a unified format.
- Input: JSON files generated from
checkov-requirements.pyandprowler-requirements.py. - Output: Consolidated JSON files under
security-requirements/for each service, e.g.,s3/security-reqs.json,glue/security-reqs.json, etc.
This setup is flexible and can be expanded by:
- Adding Sources: Incorporate additional tools or rules by updating the LLM prompt.
- Switching Cloud Providers: Modify the prompt to work with other providers, like Azure or GCP.
- Adjusting Requirements Style: Tailor the requirements to specific security configurations or to match internal policies by adjusting the input JSON files and prompt instructions.
- Purpose: This script generates Terraform modules for each AWS service based on the consolidated security requirements, focusing on reusability. The generated modules provide a modular approach, allowing users to use components like S3 buckets and KMS keys consistently across multiple configurations by passing required values.
- Input: Consolidated JSON files from
requirements-generator.pyor custom requirements JSON files formatted as specified. - Output: A directory for each AWS service under
aws-terraform/, containing:main.tf: Contains Terraform resources and configurations.variables.tf: Defines input variables for each module.notes.md: Documents implementation details and security considerations.
If you already have security requirements or policies defined, you can skip the Checkov and Prowler steps and provide your own JSON files directly to terraform-creator.py. Ensure your custom JSON files follow the same standardized format used by the requirements-generator.py output, and place them in the security-requirements/ directory. This allows you to leverage this automation solely for Terraform generation without modifying or generating new requirements.
The LLM prompt emphasizes modular and reusable code. For example, the prompt ensures that resources such as S3 buckets and KMS keys are implemented as standalone modules, which can be reused across configurations by simply passing relevant values. This approach ensures consistency and simplifies maintenance.
This prompt can be adjusted to accommodate different Terraform creation styles:
- Reusability vs. Inline Configuration: Generate fully modular code or in-line configurations depending on the team’s needs.
- Adding Cloud Providers: Adapt the prompt to output Terraform for Azure or GCP by switching the terminology.
- Additional Security Configurations: Adjust the LLM prompt to implement custom organizational policies, naming conventions, or tagging requirements.