Cloud Compliance & Regulatory Automation
Automate cloud compliance. Covers continuous compliance monitoring, compliance-as-code, audit preparation, SOC 2, HIPAA, PCI-DSS, FedRAMP, and building compliance into CI/CD pipelines.
Cloud compliance is the engineering practice of continuously proving that your cloud infrastructure meets regulatory requirements. The old approach — annual audits with spreadsheet evidence — doesn’t work when infrastructure changes hundreds of times per day. Modern compliance is automated, continuous, and embedded into your deployment pipeline so that non-compliant changes are caught before they reach production.
Compliance Framework Comparison
| Framework | Scope | Key Requirements | Audit Type |
|---|---|---|---|
| SOC 2 Type II | Service organizations | Security, availability, confidentiality | Annual, 6-12 month observation |
| HIPAA | Healthcare data | PHI encryption, access controls, BAAs | Ongoing, OCR investigation |
| PCI-DSS v4.0 | Payment card data | Network segmentation, encryption, logging | Annual assessment (QSA or SAQ) |
| GDPR | EU personal data | Consent, data minimization, right to erasure | Ongoing, supervisory authority |
| FedRAMP | US government cloud | NIST 800-53 controls, continuous monitoring | Initial + annual assessment |
| ISO 27001 | Global info security | ISMS, risk assessment, controls | Certification audit + surveillance |
| NIST CSF | Cybersecurity | Identify, protect, detect, respond, recover | Self-assessment or audit |
Continuous Compliance Architecture
```text
┌─────────────────────────────────────────────────┐
│               Developer Workflow                │
│       Code → Commit → PR → CI/CD → Deploy       │
└───────────────────────┬─────────────────────────┘
                        │
            ┌───────────┴───────────┐
            │   Pre-Deploy Checks   │
            │ • Infrastructure scan │
            │ • Policy-as-code      │
            │ • Secret detection    │
            │ • Dependency audit    │
            └───────────┬───────────┘
                        │
            ┌───────────┴───────────┐
            │  Runtime Monitoring   │
            │ • Config drift        │
            │ • Access anomalies    │
            │ • Encryption status   │
            │ • Network exposure    │
            └───────────┬───────────┘
                        │
            ┌───────────┴───────────┐
            │  Evidence Collection  │
            │ • Automated reports   │
            │ • Control evidence    │
            │ • Audit trail         │
            └───────────────────────┘
```
Compliance-as-Code
AWS Config Rules
```python
# Custom AWS Config rule: ensure all S3 buckets use SSE-KMS.
# Runs as a Lambda function; AWS Config passes the bucket's configuration
# item in the event. For AWS::S3::Bucket, AWS Config reports default
# encryption under supplementaryConfiguration.ServerSideEncryptionConfiguration
# rather than under configuration.
import json

import boto3


def evaluate_compliance(configuration_item, rule_parameters):
    resource_type = configuration_item.get("resourceType")
    if resource_type != "AWS::S3::Bucket":
        return {"compliance_type": "NOT_APPLICABLE"}
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    encryption = supplementary.get("ServerSideEncryptionConfiguration")
    if not encryption:
        return {
            "compliance_type": "NON_COMPLIANT",
            "annotation": "S3 bucket does not have server-side encryption enabled",
        }
    # Require SSE-KMS (aws:kms or aws:kms:dsse); SSE-S3 (AES256) is not enough
    rules = encryption.get("rules", [])
    for rule in rules:
        sse_algorithm = rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm", "")
        if sse_algorithm.startswith("aws:kms"):
            return {"compliance_type": "COMPLIANT"}
    return {
        "compliance_type": "NON_COMPLIANT",
        "annotation": "S3 bucket must use KMS encryption (not AES-256)",
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the evaluation back."""
    invoking_event = json.loads(event["invokingEvent"])
    configuration_item = invoking_event["configurationItem"]
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    result = evaluate_compliance(configuration_item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": result["compliance_type"],
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }
    if result.get("annotation"):
        evaluation["Annotation"] = result["annotation"][:256]  # API limit
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
```
CI/CD Compliance Gates
```yaml
# GitHub Actions compliance pipeline (job excerpt). Each scanner is told to
# fail the job on findings: by default `opa eval` and `trivy` exit 0 even
# when they report problems, so without these flags the gate is advisory only.
compliance-checks:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0   # full history so secret scanning can walk commits
    - name: Terraform Plan
      run: |
        terraform init -input=false
        terraform plan -input=false -out=tfplan
    - name: Policy Check (OPA)
      run: |
        terraform show -json tfplan > plan.json
        # --fail-defined: non-zero exit when the violations set is non-empty
        opa eval \
          --fail-defined \
          --data policies/ \
          --input plan.json \
          "data.compliance.violations"
    - name: Secret Scanning
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
    - name: Dependency Vulnerability Scan
      run: |
        trivy fs --severity HIGH,CRITICAL --exit-code 1 .
    - name: Infrastructure Security Scan
      run: |
        # JSON output feeds the evidence step; checkov exits non-zero on failed checks
        checkov --directory . --framework terraform -o json > checkov-results.json
    - name: Generate Compliance Evidence
      if: always()   # record the scan result even when a gate fails
      run: |
        # Auto-generate evidence for SOC 2 controls
        python scripts/generate_evidence.py \
          --control "CC6.1" \
          --evidence-type "automated_scan" \
          --scan-results checkov-results.json
```
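The OPA step above evaluates the Terraform plan JSON against Rego policies. The following is an added example, not code from the original page, that performs the same gate in Python so the rule logic is explicit: it walks `resource_changes`, ignores resources that will not exist after apply, and flags S3 default encryption that is not SSE-KMS and security group rules that expose admin ports to the whole internet. The plan document is constructed for the example; the attribute names are those the Terraform AWS provider emits for `aws_s3_bucket_server_side_encryption_configuration` and `aws_security_group_rule`, and the check functions and their messages are this example's own.

```python
import json
import sys

# Constructed sample plan in `terraform show -json` form: a KMS-encrypted bucket,
# a bucket falling back to SSE-S3, an SSH rule open to the world, and a deleted
# rule that must be ignored because nothing exists after apply.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {
             "bucket": "logs",
             "rule": [{"apply_server_side_encryption_by_default": [
                 {"sse_algorithm": "aws:kms", "kms_master_key_id": "alias/logs"}]}]}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.uploads",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["update"], "after": {
             "bucket": "uploads",
             "rule": [{"apply_server_side_encryption_by_default": [
                 {"sse_algorithm": "AES256"}]}]}}},
        {"address": "aws_security_group_rule.ssh",
         "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {
             "type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
             "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_security_group_rule.legacy_rdp",
         "type": "aws_security_group_rule",
         "change": {"actions": ["delete"], "after": None, "before": {
             "type": "ingress", "protocol": "tcp", "from_port": 3389, "to_port": 3389,
             "cidr_blocks": ["0.0.0.0/0"]}}},
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def check_bucket_encryption(address, after):
    """Default encryption must be SSE-KMS; SSE-S3 (AES256) does not satisfy the control."""
    algorithms = [
        default.get("sse_algorithm")
        for rule in after.get("rule") or []
        for default in rule.get("apply_server_side_encryption_by_default") or []
    ]
    if any(a and a.startswith("aws:kms") for a in algorithms):
        return []
    return [f"{address}: default encryption must use SSE-KMS, found {algorithms or 'none'}"]


def check_sg_rule(address, after):
    """Flag ingress from the whole internet that reaches admin ports or all traffic."""
    if after.get("type") != "ingress":
        return []
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    exposed = cidrs & WORLD_CIDRS
    if not exposed:
        return []
    low, high = int(after.get("from_port") or 0), int(after.get("to_port") or 0)
    all_traffic = str(after.get("protocol")) == "-1"  # protocol -1 means everything
    if all_traffic or any(low <= port <= high for port in ADMIN_PORTS):
        return [f"{address}: ingress from {sorted(exposed)} on ports {low}-{high} "
                f"({'all protocols' if all_traffic else after.get('protocol')})"]
    return []


CHECKS = {
    "aws_s3_bucket_server_side_encryption_configuration": check_bucket_encryption,
    "aws_security_group_rule": check_sg_rule,
}


def evaluate_plan(plan_json):
    """Return one message per violation in the planned post-apply state."""
    violations = []
    for change in json.loads(plan_json).get("resource_changes", []):
        after = change.get("change", {}).get("after")
        if after is None:  # delete: nothing to evaluate after apply
            continue
        check = CHECKS.get(change.get("type"))
        if check:
            violations.extend(check(change["address"], after))
    return violations


if __name__ == "__main__":
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    found = evaluate_plan(plan)
    print("\n".join(found) or "no violations")
    sys.exit(1 if found else 0)
```

Run it as `python plan_gate.py plan.json` in the pipeline step; the non-zero exit is what turns the check into a gate, exactly as `--fail-defined` does for `opa eval`. Evaluating `after` rather than the resource's current state is deliberate: the gate asks whether the world will be compliant once this change applies, so a deletion of a bad rule passes and a planned downgrade of a good bucket fails.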
Control Implementation Map
SOC 2 Controls → Cloud Implementation
| SOC 2 Control | Cloud Implementation | Evidence |
|---|---|---|
| CC6.1 - Logical access | IAM roles with least privilege | IAM policy analyzer report |
| CC6.2 - User provisioning | SCIM provisioning from IdP | IdP sync logs |
| CC6.3 - Access removal | Automated offboarding scripts | HR system → IdP → cloud deprovisioning logs |
| CC6.6 - Network segmentation | Security groups, NACLs, WAF | Config rule compliance report |
| CC6.7 - Restriction of data flow | VPC endpoints, TLS enforcement | Network flow logs |
| CC6.8 - Malicious software prevention | Signed images, image/dependency scanning (Trivy, Inspector) | Weekly scan reports, image signature verification logs |
| CC7.1 - Vulnerability and configuration-change detection | CloudWatch, Datadog, PagerDuty; Inspector and AWS Config findings | Alerting configuration + incident logs |
| CC7.2 - Anomaly detection | GuardDuty, Sentinel | Detection findings and response actions |
| CC8.1 - Change management | GitOps, PR reviews, CI/CD approvals | Git history + deployment logs |
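The CC6.1 row cites an "IAM policy analyzer report" as evidence. The block below is an added example, not code from the original page, of the kind of check that produces such a report: it parses IAM policy documents and flags `Action: "*"`, service-wide wildcards, `Allow` with `NotAction`, privileged actions scoped to `Resource: "*"`, and privileged actions granted without an `aws:MultiFactorAuthPresent` condition. The sample policies are constructed, and the list of privileged actions and the severities are this example's own choices to be tuned to the organisation's standard.

```python
import fnmatch

# Actions a reviewer treats as privileged (lower-cased; IAM action names are
# case-insensitive). Illustrative list; extend to match your own standard.
SENSITIVE_ACTIONS = (
    "iam:passrole", "iam:createaccesskey", "iam:attach*policy", "iam:put*policy",
    "sts:assumerole", "kms:decrypt", "secretsmanager:getsecretvalue",
)
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}

# Constructed sample policies (not real account data).
SAMPLE_POLICIES = {
    "admin-legacy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ci-deploy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Artifacts", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"}]},
    "break-glass": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AdminWithMfa", "Effect": "Allow", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "readonly-reports": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]},
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_required(statement):
    """True when the statement only applies with aws:MultiFactorAuthPresent=true."""
    condition = statement.get("Condition") or {}
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def _sensitive_hits(action_pattern):
    """Sensitive actions granted by a policy action, which may itself be a glob."""
    pattern = action_pattern.lower()
    return [s for s in SENSITIVE_ACTIONS
            if fnmatch.fnmatch(s, pattern) or fnmatch.fnmatch(pattern, s)]


def analyze_policy(name, document):
    """Return findings as (policy, sid, severity, message) tuples."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((name, sid, "HIGH", "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((name, sid, "HIGH", "Action '*' grants every API"))
            continue  # every finding below is implied by this one
        wildcards = [a for a in actions if a.endswith(":*")]
        if wildcards:
            findings.append((name, sid, "MEDIUM", f"service-wide wildcard {wildcards}"))
        hits = sorted({s for a in actions for s in _sensitive_hits(a)})
        if hits and "*" in resources:  # MFA-gated break-glass still surfaces for review
            findings.append((name, sid, "HIGH", f"privileged actions {hits} on Resource '*'"))
        if hits and not _mfa_required(stmt):
            findings.append((name, sid, "MEDIUM", f"privileged actions {hits} without an MFA condition"))
    return findings


def analyze_policies(policies):
    """Run every policy and order findings by severity for the review report."""
    findings = [f for name, doc in policies.items() for f in analyze_policy(name, doc)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for policy, sid, severity, message in analyze_policies(SAMPLE_POLICIES):
        print(f"{severity:6} {policy}/{sid}: {message}")
```

Feed it the policy documents returned by `iam:GetPolicyVersion` (or the JSON a Terraform plan will create) and archive the output with the quarterly access review; the same function run on every pull request is what turns CC6.1 from a quarterly exercise into a continuous control.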
Audit Preparation
Audit Evidence Automation
```python
import hashlib
import json
from datetime import datetime, timezone

# collect_*, evaluate_* and render_report are thin wrappers around the IAM,
# IdP, monitoring and reporting APIs; they are defined elsewhere in the
# evidence toolkit and each returns a JSON-serialisable object.


def generate_audit_package(framework, period_start, period_end):
    """Generate compliance evidence package for auditors."""
    evidence = {
        "framework": framework,
        "period": f"{period_start} to {period_end}",
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "controls": [],
    }
    if framework == "SOC2":
        controls = [
            {
                "control_id": "CC6.1",
                "description": "Logical access controls",
                "evidence_sources": [
                    collect_iam_policies(),
                    collect_mfa_status(),
                    collect_access_reviews(),
                ],
                "compliance_status": evaluate_access_controls(),
            },
            {
                "control_id": "CC7.1",
                "description": "System monitoring",
                "evidence_sources": [
                    collect_alerting_config(),
                    collect_incident_response_logs(),
                    collect_uptime_metrics(),
                ],
                "compliance_status": evaluate_monitoring(),
            },
        ]
        evidence["controls"] = controls
    else:
        # Never hand an auditor an empty package by accident
        raise ValueError(f"no evidence map defined for framework {framework!r}")
    # Fingerprint the collected data so the rendered report can be tied back
    # to exactly what was gathered (auditors ask how evidence was preserved)
    canonical = json.dumps(evidence, sort_keys=True, default=str).encode()
    evidence["sha256"] = hashlib.sha256(canonical).hexdigest()
    # Generate PDF report
    report = render_report(evidence)
    return report
```
Anti-Patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| Compliance after deployment | Non-compliant infra in production | Compliance gates in CI/CD pipeline |
| Manual evidence collection | Auditor prep takes weeks | Automated evidence generation |
| Point-in-time compliance | Compliant on audit day, drifts immediately | Continuous monitoring with alerts |
| Security team as bottleneck | Every change needs security review | Policy-as-code, automated scanning |
| One framework at a time | Duplicated controls across SOC 2, ISO, PCI | Map controls across frameworks (unified compliance) |
| Ignoring drift | Config changes after deployment go undetected | AWS Config, Azure Policy continuous monitoring |
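The "one framework at a time" row calls for a unified control mapping. The block below is an added example, not code from the original page, of the data structure behind it: one inventory of engineering controls, a crosswalk from each control to the framework requirements it evidences, and a gap report that tells you which requirements no implemented control covers and which implemented controls earn no audit credit. The crosswalk is illustrative, with abbreviated SOC 2, ISO 27001:2022 Annex A and PCI DSS v4.0 references that must be confirmed against the framework text, and the implemented-control inventory is constructed.

```python
from collections import defaultdict

# Engineering control -> framework requirements it evidences. Illustrative
# crosswalk; confirm every reference against the framework text before
# relying on it for an audit.
CROSSWALK = {
    "mfa_enforced_for_console":   {"SOC2": ["CC6.1"],          "ISO27001": ["A.8.5"],            "PCI-DSS": ["8.4.2"]},
    "iam_least_privilege_review": {"SOC2": ["CC6.1", "CC6.3"], "ISO27001": ["A.5.15", "A.5.18"], "PCI-DSS": ["7.2.4"]},
    "storage_encrypted_with_kms": {"SOC2": ["CC6.1", "CC6.7"], "ISO27001": ["A.8.24"],           "PCI-DSS": ["3.5.1"]},
    "vulnerability_scanning":     {"SOC2": ["CC7.1"],          "ISO27001": ["A.8.8"],            "PCI-DSS": ["11.3.1"]},
    "centralised_logging":        {"SOC2": ["CC7.2"],          "ISO27001": ["A.8.15"],           "PCI-DSS": ["10.2.1"]},
    "change_management_via_pr":   {"SOC2": ["CC8.1"],          "ISO27001": ["A.8.32"],           "PCI-DSS": ["6.5.1"]},
}

# Constructed inventory of controls the evidence pipeline currently proves.
IMPLEMENTED = [
    "mfa_enforced_for_console", "storage_encrypted_with_kms",
    "centralised_logging", "change_management_via_pr", "waf_enabled",
]


def coverage(crosswalk, implemented):
    """{framework: {requirement: [controls evidencing it]}} for implemented controls."""
    covered = defaultdict(lambda: defaultdict(list))
    for control in implemented:
        for framework, requirements in crosswalk.get(control, {}).items():
            for requirement in requirements:
                covered[framework][requirement].append(control)
    return {fw: dict(reqs) for fw, reqs in covered.items()}


def gaps(crosswalk, implemented):
    """Requirements per framework that no implemented control evidences."""
    wanted = defaultdict(set)
    for mapping in crosswalk.values():
        for framework, requirements in mapping.items():
            wanted[framework].update(requirements)
    have = coverage(crosswalk, implemented)
    return {fw: sorted(reqs - set(have.get(fw, {}))) for fw, reqs in wanted.items()}


def unmapped_controls(crosswalk, implemented):
    """Controls with evidence but no crosswalk entry: effort that earns no audit credit."""
    return sorted(set(implemented) - set(crosswalk))


if __name__ == "__main__":
    for framework, missing in gaps(CROSSWALK, IMPLEMENTED).items():
        print(f"{framework}: missing {missing or 'nothing'}")
    print("unmapped:", unmapped_controls(CROSSWALK, IMPLEMENTED))
```

The point of the inverse index produced by `coverage` is that a single piece of evidence (say, the IAM review output) is filed once and cited under every framework at the same time; adding a framework means adding a column to the crosswalk, not a second evidence pipeline.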
Checklist
- Compliance frameworks identified (SOC 2, HIPAA, PCI, etc.)
- Controls mapped to cloud implementation per framework
- Policy-as-code: OPA/Sentinel/Config Rules enforced
- CI/CD compliance gates: IaC scanning, secret detection, vulnerability scan
- Continuous monitoring: drift detection, anomaly alerting
- Evidence automation: reports generated programmatically
- Access reviews: quarterly review of IAM roles and permissions
- Incident response: plan tested, evidence preserved
- Audit readiness: evidence package can be generated on demand
- Multi-framework mapping: controls shared across compliance standards
- Vendor risk: third-party compliance validated (BAAs, DPAs)
- Training: annual compliance training for engineering teams
:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For cloud compliance consulting, visit garnetgrid.com. :::