Shift-Left AWS Security Monitoring with Automated CI/CD Pipeline
InfraGuard is a comprehensive AWS security monitoring solution that combines runtime infrastructure scanning with shift-left security to detect and prevent security misconfigurations before deployment.
Now available on Docker Hub! Just `docker pull tasnimmizaoui/infraguard:latest` and start scanning.
### Dual-Mode Security Scanning
- Runtime Scanning: Monitor existing AWS infrastructure for security risks
- Plan-Time Scanning: Analyze Terraform plans before deployment (shift-left)

### Automated CI/CD Pipeline
- GitHub Actions integration with security gates
- Blocks deployments with critical security findings
- Automatic infrastructure deployment on push to main

### Full Terraform Infrastructure
- CloudTrail for audit logging
- VPC Flow Logs for network monitoring
- S3 buckets with encryption and versioning
- Lambda-based automated scanning
- IAM roles following least privilege

### Comprehensive Security Checks
- S3: Public access, encryption, versioning
- Security Groups: SSH/RDP exposure, overly permissive rules
- IAM: Overpermissive policies, unused credentials
- CloudTrail: Audit logging configuration
- VPC: Flow logs enablement
- Quick Start Guide - Get started in 5 minutes
- Architecture Overview - System design and components
- Deployment Guide - CI/CD pipeline setup
- Shift-Left Security - Plan-time scanning implementation
- AWS Setup - AWS prerequisites and configuration
- API Reference - CLI commands and usage
- Docker (for easiest setup) OR Python 3.11+
- AWS Account with configured credentials
- Terraform 1.6+ (optional, for infrastructure deployment)
- GitHub Account (optional, for CI/CD)
```bash
# Pull the pre-built image from Docker Hub
docker pull yourusername/infraguard:latest

# Run security scan (mount your AWS credentials)
docker run --rm \
  -v ~/.aws:/home/infraguard/.aws:ro \
  -e AWS_REGION=eu-north-1 \
  yourusername/infraguard:latest check-all

# Run specific scans
docker run --rm -v ~/.aws:/home/infraguard/.aws:ro -e AWS_REGION=eu-north-1 \
  yourusername/infraguard:latest check-iam
docker run --rm -v ~/.aws:/home/infraguard/.aws:ro -e AWS_REGION=eu-north-1 \
  yourusername/infraguard:latest check-network
```

Windows PowerShell:

```powershell
docker pull yourusername/infraguard:latest
docker run --rm `
  -v C:\Users\$env:USERNAME\.aws:/home/infraguard/.aws:ro `
  -e AWS_REGION=eu-north-1 `
  yourusername/infraguard:latest check-all
```

```bash
# Clone repository
git clone https://github.com/tasnimmizaoui/InfraGuard.git
cd InfraGuard

# Build and run
docker-compose build
docker-compose run --rm infraguard check-all
```

```bash
# Clone and install
git clone https://github.com/tasnimmizaoui/InfraGuard.git
cd InfraGuard
pip install -r requirements.txt

# Configure AWS
aws configure
export AWS_REGION=eu-north-1

# Run security scan
python main.py check-all

# Scan Terraform plan before deployment
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
python main.py scan-plan --plan-file tfplan.json
```

```bash
# Bootstrap Terraform backend
cd terraform/bootstrap
terraform init
terraform apply

# Deploy main infrastructure
cd ..
terraform init
terraform apply
```

See Quick Start Guide for detailed instructions.
```text
+----------------------------------------+
|        GitHub Actions Pipeline         |
|   (Push to main triggers deployment)   |
+-------------------+--------------------+
                    |
          +---------+----------+
          |                    |
   +------+------+      +------+------+
   |   Runtime   |      |  Plan-Time  |
   |  Scanning   |      |  Scanning   |
   |  (Existing  |      |   (Shift-   |
   |    Infra)   |      |    Left)    |
   +------+------+      +------+------+
          |                    |
          +---------+----------+
                    |
           +--------+--------+
           |  Security Gate  |
           |    (Block on    |
           |    Critical)    |
           +--------+--------+
                    |
           +--------+--------+
           |    Terraform    |
           |      Apply      |
           +--------+--------+
                    |
        +-----------+-----------+
        |  AWS Infrastructure   |
        |   - CloudTrail        |
        |   - VPC Flow Logs     |
        |   - Lambda Scanner    |
        |   - S3 Buckets        |
        +-----------------------+
```
See Architecture Documentation for details.
```bash
# Scan all AWS resources
python main.py check-all --output-file findings.json

# Scan specific services
python main.py check-iam
python main.py check-s3
python main.py check-network
```

```bash
# Create and scan Terraform plan
cd terraform
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
python ../main.py scan-plan --plan-file tfplan.json
```

The pipeline automatically runs on every push to main:
- Security Scan - Scans existing AWS infrastructure
- Security Gate - Blocks on critical findings
- Terraform Plan - Creates deployment plan
- Plan Scan - Analyzes planned changes (shift-left)
- Deploy - Applies infrastructure if all checks pass
```text
InfraGuard/
├── infra_guard/            # Core Python package
│   ├── policy_engine.py    # Reusable security policies
│   ├── plan_analyzer.py    # Terraform plan scanner
│   ├── detection_rules.py  # Runtime scanner
│   └── ...
├── terraform/              # Infrastructure as Code
│   ├── modules/            # Reusable Terraform modules
│   ├── bootstrap/          # Backend initialization
│   └── main.tf             # Main configuration
├── .github/workflows/      # CI/CD pipeline
│   └── security-scan.yml
├── docs/                   # Documentation
├── tests/                  # Test suites
└── main.py                 # CLI entry point
```
```bash
# Run test pipeline locally
bash test_pipeline.sh

# Test with insecure configuration
cd test_plan/insecure_test
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
python ../../main.py scan-plan --plan-file tfplan.json
```

- CRITICAL: Immediate security risk (e.g., S3 bucket public, default security group open)
- HIGH: Significant security concern (e.g., SSH open to internet, no CloudTrail)
- MEDIUM: Moderate security issue (e.g., no VPC Flow Logs)
- LOW: Best practice recommendation (e.g., S3 versioning disabled)
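A minimal plan-time scanner and security gate in the spirit of the `scan-plan` step and the severity levels above, written for this README as an added example (it is not InfraGuard's own `plan_analyzer.py` or `policy_engine.py`). It walks `resource_changes` in `terraform show -json` output, rates a public S3 ACL as CRITICAL and SSH/RDP open to the internet as HIGH, skips deletions, and returns a gate decision that would fail the pipeline on CRITICAL. The sample plan, function names and port thresholds are constructed assumptions.

```python
import json
# Constructed `terraform show -json tfplan` excerpt: a public bucket ACL, SSH from anywhere, a delete.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {"actions": ["delete"], "after": None}},
]})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def check_ingress(address, rule):
    """Yield findings for one security-group ingress rule that is reachable from the internet."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & OPEN_CIDRS:
        return
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    if rule.get("protocol") == "-1" or (lo == 0 and hi == 65535):
        yield {"severity": "CRITICAL", "resource": address, "message": "all ports open to the internet"}
        return
    for port, name in ADMIN_PORTS.items():
        if lo <= port <= hi:
            yield {"severity": "HIGH", "resource": address, "message": f"{name} ({port}) open to the internet"}

def scan_plan(plan_json):
    """Return findings for every resource the plan would create or update; deletes are skipped."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")  # None for deletes, so nothing to check
        if not after:
            continue
        if rc["type"] == "aws_s3_bucket_acl" and after.get("acl") in ("public-read", "public-read-write"):
            findings.append({"severity": "CRITICAL", "resource": rc["address"],
                             "message": f"ACL '{after['acl']}' makes bucket objects public"})
        elif rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                findings.extend(check_ingress(rc["address"], rule))
    return findings

def gate_allows_deploy(findings, block_on=("CRITICAL",)):
    """Security gate: True lets the Terraform apply step run, False fails the pipeline."""
    return not any(f["severity"] in block_on for f in findings)

if __name__ == "__main__":
    found = scan_plan(SAMPLE_PLAN)
    print("\n".join(f"{f['severity']:<8} {f['resource']}: {f['message']}" for f in found))
    raise SystemExit(0 if gate_allows_deploy(found) else 1)
```

Feed it a real `tfplan.json` by replacing `SAMPLE_PLAN` with the file contents; the non-zero exit status is what a CI job would use to block the deploy step.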
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Built by HungryHeidi for AWS Security
