Preemptive cybersecurity is a Gartner 2026 strategic trend — security shifting from reactive incident response to predictive, continuously adaptive defense. Instead of waiting for breaches, preemptive security identifies and eliminates vulnerabilities before they’re exploited.
Terraform is uniquely suited for this because security controls deployed as code are consistent, auditable, and automatically applied to new infrastructure.
Preemptive Security Stack
# Enable the full AWS security stack in one module
module "security_baseline" {
  source = "./modules/security-baseline"

  # One boolean per AWS-native control; each maps to a resource set inside
  # the module (the individual resources are shown further down this page).
  enable_guardduty       = true # GuardDuty: threat detection
  enable_security_hub    = true # Security Hub: posture aggregation
  enable_inspector       = true # Inspector: vulnerability scanning
  enable_config          = true # Config: configuration compliance
  enable_macie           = true # Macie: sensitive-data classification
  enable_access_analyzer = true # Access Analyzer: IAM external-access analysis

  # Delivery address for alerts and the environment label applied to tags.
  notification_email = var.security_email
  environment        = var.environment
}
GuardDuty: Threat Detection
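resource "aws_guardduty_detector" "main" {
  enable = true

  # Export finding updates to EventBridge every 15 minutes instead of the
  # default six hours, so the high-severity alert rule below sees
  # re-occurring/updated findings sooner. Brand-new findings are published
  # immediately regardless of this setting.
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  # Turn on every optional data source: S3 data events, EKS audit logs and
  # malware scanning of EBS volumes attached to instances with findings.
  # NOTE(review): newer AWS provider releases deprecate this nested block in
  # favour of aws_guardduty_detector_feature resources — keep it only while
  # the provider version pinned for this module still accepts it.
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }

  tags = { Component = "preemptive-security" }
}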
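# Suppression rule: findings with severity <= 3.9 (GuardDuty "Low") are
# archived at the moment they are generated. There is no 30-day delay — a
# filter with action ARCHIVE matches on creation — and, per GuardDuty's
# suppression-rule behaviour, auto-archived findings are not forwarded to
# EventBridge or Security Hub, so nothing downstream should rely on them.
resource "aws_guardduty_filter" "auto_archive_low" {
  name        = "auto-archive-low"
  description = "Archive low-severity (<= 3.9) findings on creation"
  detector_id = aws_guardduty_detector.main.id
  action      = "ARCHIVE"
  rank        = 1

  finding_criteria {
    criterion {
      field              = "severity"
      less_than_or_equal = "3.9"
    }
  }
}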
# SNS notification for high/critical findings
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name        = "guardduty-high-severity"
  description = "Alert on high/critical GuardDuty findings"

  # Match only findings GuardDuty rates 7.0 or above (its High band; 9.0+
  # is Critical). Anything lower is left to the low-severity suppression
  # filter and the console rather than paged out.
  event_pattern = jsonencode({
    "source"      = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    "detail" = {
      "severity" = [{ "numeric" = [">=", 7.0] }]
    }
  })
}
resource "aws_cloudwatch_event_target" "guardduty_sns" {
  # Fan matched high/critical GuardDuty findings out to the shared alert topic.
  # NOTE(review): aws_sns_topic.security_alerts is defined outside this
  # listing. EventBridge can only publish to it if the topic's resource
  # policy grants sns:Publish to events.amazonaws.com (usually via an
  # aws_sns_topic_policy resource) — confirm that exists, otherwise deliveries
  # fail silently from the rule's point of view.
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_sns_topic.security_alerts.arn
}
Security Hub: Posture Management
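resource "aws_securityhub_account" "main" {
  # Security Hub auto-enables its default standards (AWS Foundational
  # Security Best Practices and CIS 1.2.0) on first activation. The
  # subscriptions below manage the standard set explicitly, so switch the
  # implicit defaults off to avoid an unmanaged CIS 1.2.0 subscription
  # drifting alongside the managed 1.4.0 one.
  enable_default_standards = false
}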
# Enable security standards
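resource "aws_securityhub_standards_subscription" "cis" {
  depends_on = [aws_securityhub_account.main]

  # CIS AWS Foundations Benchmark v1.4.0 is published as a regional
  # ".../standards/..." ARN. The region-less ".../ruleset/..." form exists
  # only for the legacy v1.2.0 benchmark, so combining it with v/1.4.0 is
  # not a valid standard ARN and the subscription fails to create.
  standards_arn = "arn:aws:securityhub:${var.region}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}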
# AWS Foundational Security Best Practices v1.0.0 (regional standard ARN).
resource "aws_securityhub_standards_subscription" "aws_best" {
  standards_arn = "arn:aws:securityhub:${var.region}::standards/aws-foundational-security-best-practices/v/1.0.0"

  # Security Hub must be activated in the account before a standard can be
  # subscribed; the ARN carries no reference, hence the explicit ordering.
  depends_on = [aws_securityhub_account.main]
}
# NIST SP 800-53 Revision 5 (regional standard ARN).
resource "aws_securityhub_standards_subscription" "nist" {
  standards_arn = "arn:aws:securityhub:${var.region}::standards/nist-800-53/v/5.0.0"

  # Same ordering constraint as the other subscriptions: the account-level
  # Security Hub resource has to exist first.
  depends_on = [aws_securityhub_account.main]
}
Inspector: Vulnerability Scanning
resource "aws_inspector2_enabler" "main" {
  # Activate Inspector for this account only (the caller's account id is
  # read from a data source defined outside this listing).
  account_ids = [data.aws_caller_identity.current.account_id]

  # Scan EC2 instances, ECR images, Lambda function packages and Lambda
  # function code.
  resource_types = [
    "EC2",
    "ECR",
    "LAMBDA",
    "LAMBDA_CODE",
  ]
}
# Auto-remediate critical findings via SSM
resource "aws_cloudwatch_event_rule" "inspector_critical" {
  name = "inspector-critical-findings"

  # Only ACTIVE findings rated CRITICAL reach the remediation target; closed
  # or suppressed findings re-emitted by Inspector are ignored.
  # NOTE(review): the target below patches EC2 instances, yet this pattern
  # also matches ECR and Lambda findings — consider narrowing on the finding's
  # resource type if those invocations are not wanted.
  event_pattern = jsonencode({
    "source"      = ["aws.inspector2"]
    "detail-type" = ["Inspector2 Finding"]
    "detail" = {
      "severity" = ["CRITICAL"]
      "status"   = ["ACTIVE"]
    }
  })
}
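resource "aws_cloudwatch_event_target" "auto_patch" {
  rule     = aws_cloudwatch_event_rule.inspector_critical.name
  role_arn = aws_iam_role.automation.arn

  # EventBridge starts SSM Automation through the automation-definition ARN
  # ("...:automation-definition/<name>:<version>"), not the document ARN
  # that aws_ssm_document.arn exposes ("...:document/<name>"). With the
  # document ARN the target is created but every invocation fails.
  # ":$DEFAULT" runs whichever document version is marked default.
  arn = "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:automation-definition/${aws_ssm_document.auto_patch.name}:$DEFAULT"

  # NOTE(review): aws_ssm_document.auto_patch and aws_iam_role.automation
  # are defined outside this listing. The role must trust
  # events.amazonaws.com and allow ssm:StartAutomationExecution, and the
  # finding's resource id has to be mapped onto the document's input
  # parameter (e.g. with an input_transformer block) — neither is visible
  # here. Unattended patching on every critical finding also changes
  # instances outside any change window; scoping by tag or routing through
  # an SSM maintenance window limits that blast radius.
}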
AWS Config: Continuous Compliance
resource "aws_config_configuration_recorder" "main" {
  name = "default"

  # Service role Config assumes to read resource configuration; defined
  # outside this listing.
  role_arn = aws_iam_role.config.arn

  # Record every supported resource type, including global ones such as IAM,
  # so the rules below have configuration items to evaluate.
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}
resource "aws_config_delivery_channel" "main" {
  # A delivery channel can only be created once a recorder exists.
  depends_on = [aws_config_configuration_recorder.main]

  name = "default"

  # Configuration snapshots and history land in this bucket (defined outside
  # this listing; its policy must allow config.amazonaws.com to write).
  s3_bucket_name = aws_s3_bucket.config_logs.id
}
resource "aws_config_configuration_recorder_status" "main" {
  # Recording cannot start until the delivery channel is in place, so the
  # status resource is ordered after it explicitly.
  depends_on = [aws_config_delivery_channel.main]

  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
}
# Preemptive rules — detect misconfigurations before they are exploited
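resource "aws_config_config_rule" "s3_public" {
  name = "s3-no-public-access"

  # AWS-managed rule: flags buckets whose ACL or policy grants public read.
  # (Public write is a separate managed rule, S3_BUCKET_PUBLIC_WRITE_PROHIBITED.)
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  # A Config rule can only be created once a configuration recorder exists;
  # nothing in the rule body references the recorder, so the ordering has
  # to be declared.
  depends_on = [aws_config_configuration_recorder.main]
}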
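resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ebs-encrypted"

  # AWS-managed rule: flags attached EBS volumes that are not encrypted.
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }

  # Config rules require an existing configuration recorder; the dependency
  # is implicit in AWS but invisible to Terraform's graph without this.
  depends_on = [aws_config_configuration_recorder.main]
}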
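resource "aws_config_config_rule" "rds_encrypted" {
  name = "rds-encrypted"

  # AWS-managed rule: flags RDS instances without storage encryption.
  source {
    owner             = "AWS"
    source_identifier = "RDS_STORAGE_ENCRYPTED"
  }

  # Ordered after the recorder so a fresh apply does not fail on rule
  # creation before the recorder exists.
  depends_on = [aws_config_configuration_recorder.main]
}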
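resource "aws_config_config_rule" "root_mfa" {
  name = "root-account-mfa"

  # AWS-managed rule: non-compliant while the root user has no MFA device.
  source {
    owner             = "AWS"
    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
  }

  # Config rules cannot be created before a configuration recorder exists.
  depends_on = [aws_config_configuration_recorder.main]
}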
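resource "aws_config_config_rule" "no_public_sg" {
  name = "no-unrestricted-ssh"

  # AWS-managed rule: flags security groups that allow inbound TCP/22 from
  # 0.0.0.0/0 (the rule name in Terraform is broader than what it checks).
  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }

  # Config rules cannot be created before a configuration recorder exists.
  depends_on = [aws_config_configuration_recorder.main]
}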
Automated Remediation
# Auto-remediate public S3 buckets
resource "aws_config_remediation_configuration" "s3_block_public" {
  config_rule_name = aws_config_config_rule.s3_public.name

  # AWS-managed automation document that removes public read/write access
  # from the flagged bucket. RESOURCE_ID is replaced at run time with the
  # bucket name the rule evaluated.
  target_type = "SSM_DOCUMENT"
  target_id   = "AWS-DisableS3BucketPublicReadWrite"

  parameter {
    name           = "S3BucketName"
    resource_value = "RESOURCE_ID"
  }

  # Role the automation assumes; defined outside this listing and must trust
  # ssm.amazonaws.com.
  parameter {
    name         = "AutomationAssumeRole"
    static_value = aws_iam_role.automation.arn
  }

  # Run without human approval: up to three attempts, sixty seconds apart.
  # NOTE(review): this also locks down buckets that are intentionally
  # public (e.g. static-site hosting); scope the rule or exempt those
  # buckets before turning automatic remediation on.
  automatic                  = true
  maximum_automatic_attempts = 3
  retry_attempt_seconds      = 60
}
# Auto-enable EBS encryption
# Encrypt every newly created EBS volume in this region by default. This is
# a per-region setting, so it must be declared once per region the account
# uses; existing unencrypted volumes are unaffected (the ENCRYPTED_VOLUMES
# rule above still reports those).
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}
# Auto-enable S3 Block Public Access at account level
# Account-wide S3 Block Public Access. All four switches are on, so this
# both rejects new public ACLs/policies and neutralises existing ones,
# which preempts most of what the s3_public rule would otherwise remediate.
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true # reject PUT requests that set a public ACL
  ignore_public_acls      = true # treat already-public ACLs as private
  block_public_policy     = true # reject bucket policies granting public access
  restrict_public_buckets = true # limit public-policy buckets to AWS principals
}
IAM Access Analyzer
resource "aws_accessanalyzer_analyzer" "main" {
  # Zone of trust is the single account. NOTE(review): in an Organizations
  # setup a delegated-admin ORGANIZATION analyzer covers all member accounts
  # from one place — consider that if this module runs in every account.
  type          = "ACCOUNT"
  analyzer_name = "account-analyzer"

  tags = { Component = "preemptive-security" }
}
# Alerts on external access findings
resource "aws_cloudwatch_event_rule" "access_analyzer" {
  name = "iam-external-access"

  # Every ACTIVE Access Analyzer finding (a resource policy reachable from
  # outside the zone of trust) is forwarded; resolved/archived findings are
  # filtered out by the status match.
  event_pattern = jsonencode({
    "source"      = ["aws.access-analyzer"]
    "detail-type" = ["Access Analyzer Finding"]
    "detail" = {
      "status" = ["ACTIVE"]
    }
  })
}
resource "aws_cloudwatch_event_target" "analyzer_alert" {
  # Route active external-access findings to the same alert topic as
  # GuardDuty; the topic lives outside this listing and needs a resource
  # policy allowing events.amazonaws.com to publish.
  arn  = aws_sns_topic.security_alerts.arn
  rule = aws_cloudwatch_event_rule.access_analyzer.name
}
Hands-On Courses
- Terraform for Beginners on CopyPasteLearn
- Terraform By Example — practical code examples
Conclusion
Preemptive cybersecurity means finding and fixing vulnerabilities before attackers do. Terraform deploys the entire AWS security stack — GuardDuty, Security Hub, Inspector, Config rules, and automated remediation — as code. Every new account and environment gets the same security baseline. As threats evolve in 2026, infrastructure-as-code ensures your defenses are consistent, auditable, and automatically applied.