Build preemptive cybersecurity infrastructure with Terraform. Deploy GuardDuty, Security Hub, Inspector, Config rules
Preemptive cybersecurity is a Gartner 2026 strategic trend — security shifting from reactive incident response to predictive, continuously adaptive defense. Instead of waiting for breaches, preemptive security identifies and eliminates vulnerabilities before they're exploited.
Terraform is uniquely suited for this because security controls deployed as code are consistent, auditable, and automatically applied to new infrastructure.
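# Enable the full AWS security stack in one module
module "security_baseline" {
  source = "./modules/security-baseline"

  enable_guardduty       = true # Threat detection
  enable_security_hub    = true # Security posture
  enable_inspector       = true # Vulnerability scanning
  enable_config          = true # Configuration compliance
  enable_macie           = true # Data classification
  enable_access_analyzer = true # IAM analysis

  notification_email = var.security_email
  environment        = var.environment
}

# GuardDuty detector with every optional data source turned on.
resource "aws_guardduty_detector" "main" {
  enable = true

  # New findings are exported to EventBridge within minutes regardless of this
  # setting; the frequency only governs how quickly *updated/recurring*
  # findings are re-exported. The default (SIX_HOURS) delays repeat-occurrence
  # alerts for the high-severity rule defined further down, so use the shortest
  # interval GuardDuty offers.
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  # Scan all data sources
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    # Malware scan of EBS volumes attached to EC2 instances that already have findings
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }

  tags = { Component = "preemptive-security" }
}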
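# Auto-archive low-severity findings (severity <= 3.9) as they are generated.
# A GuardDuty filter has no time criterion, so "archive after N days" cannot be
# expressed here: matching findings are archived immediately on creation.
# NOTE(review): auto-archived findings are presumably not forwarded to
# EventBridge/Security Hub, so keep this threshold well below the 7.0 used by
# the high-severity alert rule — confirm against the GuardDuty docs before
# raising it.
resource "aws_guardduty_filter" "auto_archive_low" {
  name        = "auto-archive-low"
  detector_id = aws_guardduty_detector.main.id
  action      = "ARCHIVE"
  rank        = 1

  finding_criteria {
    criterion {
      field              = "severity"
      less_than_or_equal = "3.9"
    }
  }
}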
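# SNS notification for high/critical findings
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name        = "guardduty-high-severity"
  description = "Alert on high/critical GuardDuty findings"

  # GuardDuty severity is numeric: 7.0-8.9 is High, 9.0+ is Critical.
  # Medium (4.0-6.9) findings are deliberately not paged by this rule.
  event_pattern = jsonencode({
    source      = ["aws.guardduty"]
    detail-type = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7.0] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "guardduty_sns" {
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_sns_topic.security_alerts.arn
  # NOTE(review): the topic policy of aws_sns_topic.security_alerts (defined
  # elsewhere) must allow events.amazonaws.com to Publish; otherwise deliveries
  # fail silently and only show up in the rule's FailedInvocations metric.
}

resource "aws_securityhub_account" "main" {
  # The standards for this account are declared explicitly below via
  # aws_securityhub_standards_subscription. Without this flag, enabling
  # Security Hub also turns on the AWS default standards, leaving a
  # subscription Terraform does not manage and that drifts from this config.
  enable_default_standards = false
}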
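# Enable security standards
# Only CIS v1.2.0 uses the legacy global "ruleset" ARN
# (arn:aws:securityhub:::ruleset/...). CIS v1.4.0 and later are regional
# "standards" ARNs, same shape as the two subscriptions below; the ruleset form
# with v/1.4.0 is not a valid standard and the subscription fails.
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${var.region}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

resource "aws_securityhub_standards_subscription" "aws_best" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${var.region}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

resource "aws_securityhub_standards_subscription" "nist" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${var.region}::standards/nist-800-53/v/5.0.0"
}

# Inspector v2 for this account only (an org-wide rollout needs the delegated
# admin account and aws_inspector2_organization_configuration instead).
resource "aws_inspector2_enabler" "main" {
  account_ids = [data.aws_caller_identity.current.account_id]

  # LAMBDA scans function package dependencies; LAMBDA_CODE adds scanning of the
  # function's own code.
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
}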
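# Auto-remediate critical findings via SSM
resource "aws_cloudwatch_event_rule" "inspector_critical" {
  name = "inspector-critical-findings"

  # Only ACTIVE findings: SUPPRESSED/CLOSED updates must not re-trigger patching.
  event_pattern = jsonencode({
    source      = ["aws.inspector2"]
    detail-type = ["Inspector2 Finding"]
    detail = {
      severity = ["CRITICAL"]
      status   = ["ACTIVE"]
    }
  })
}

resource "aws_cloudwatch_event_target" "auto_patch" {
  rule = aws_cloudwatch_event_rule.inspector_critical.name

  # An EventBridge target that starts an SSM Automation must be the
  # automation-definition ARN. aws_ssm_document.arn is the *document* ARN
  # (arn:aws:ssm:...:document/<name>), which EventBridge will not start an
  # automation from. ":$DEFAULT" selects the document's default version.
  arn      = "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:automation-definition/${aws_ssm_document.auto_patch.name}:$DEFAULT"
  role_arn = aws_iam_role.automation.arn # must trust events.amazonaws.com and allow ssm:StartAutomationExecution

  # NOTE(review): no input_transformer is set, so the automation runs with its
  # default parameters on every critical finding. Confirm aws_ssm_document.auto_patch
  # scopes itself to the affected resource, or pass the instance id from the
  # event explicitly — blanket patching on each finding is the riskier default.
}

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true # IAM and other global resources are recorded from this region
  }
}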
# Ship configuration history and snapshots to the Config log bucket.
resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = aws_s3_bucket.config_logs.id

  # A delivery channel cannot be created before a recorder exists.
  depends_on = [aws_config_configuration_recorder.main]
}

# Turn the recorder on only after the channel is in place; AWS refuses to start
# a recorder that has nowhere to deliver.
resource "aws_config_configuration_recorder_status" "main" {
  is_enabled = true
  name       = aws_config_configuration_recorder.main.name

  depends_on = [aws_config_delivery_channel.main]
}
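# Preemptive rules — detect before it's exploited
# AWS rejects PutConfigRule until a configuration recorder exists, and Terraform
# cannot infer that ordering from the rule's arguments (none reference the
# recorder), so every rule declares the dependency explicitly.
resource "aws_config_config_rule" "s3_public" {
  name = "s3-no-public-access"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "encrypted_volumes" {
  name = "ebs-encrypted"

  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "rds_encrypted" {
  name = "rds-encrypted"

  source {
    owner             = "AWS"
    source_identifier = "RDS_STORAGE_ENCRYPTED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "root_mfa" {
  name = "root-account-mfa"

  source {
    owner             = "AWS"
    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

# Flags security groups that allow SSH (tcp/22) from 0.0.0.0/0.
resource "aws_config_config_rule" "no_public_sg" {
  name = "no-unrestricted-ssh"

  source {
    owner             = "AWS"
    source_identifier = "INCOMING_SSH_DISABLED"
  }

  depends_on = [aws_config_configuration_recorder.main]
}

# Auto-remediate public S3 buckets
resource "aws_config_remediation_configuration" "s3_block_public" {
  config_rule_name = aws_config_config_rule.s3_public.name
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisableS3BucketPublicReadWrite" # AWS-managed automation document

  # RESOURCE_ID is the only supported resource_value: Config substitutes the
  # non-compliant resource's id (the bucket name) when it invokes the document.
  parameter {
    name           = "S3BucketName"
    resource_value = "RESOURCE_ID"
  }

  parameter {
    name         = "AutomationAssumeRole"
    static_value = aws_iam_role.automation.arn
  }

  # Remediate without a human in the loop, but bound the retries so a bucket
  # that keeps failing does not loop forever.
  automatic                  = true
  maximum_automatic_attempts = 3
  retry_attempt_seconds      = 60
}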
# Account-level default: every new EBS volume in this region is encrypted,
# which is what keeps the ebs-encrypted Config rule compliant going forward.
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

# Account-level S3 Block Public Access. All four switches are set so neither
# ACLs nor bucket policies can expose a bucket, regardless of bucket-level settings.
resource "aws_s3_account_public_access_block" "main" {
  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}

# IAM Access Analyzer scoped to this account (an organization-wide analyzer
# would use type = "ORGANIZATION" from the delegated admin account).
resource "aws_accessanalyzer_analyzer" "main" {
  type          = "ACCOUNT"
  analyzer_name = "account-analyzer"

  tags = {
    Component = "preemptive-security"
  }
}
# Alerts on external access findings
resource "aws_cloudwatch_event_rule" "access_analyzer" {
  name = "iam-external-access"

  # Match only ACTIVE findings so that RESOLVED/ARCHIVED status updates do not
  # page the security topic when a finding closes.
  event_pattern = jsonencode({
    source      = ["aws.access-analyzer"]
    detail-type = ["Access Analyzer Finding"]
    detail = {
      status = ["ACTIVE"]
    }
  })
}

# Route matching findings to the same SNS topic the GuardDuty alerts use.
resource "aws_cloudwatch_event_target" "analyzer_alert" {
  arn  = aws_sns_topic.security_alerts.arn
  rule = aws_cloudwatch_event_rule.access_analyzer.name
}

Preemptive cybersecurity means finding and fixing vulnerabilities before attackers do. Terraform deploys the entire AWS security stack — GuardDuty, Security Hub, Inspector, Config rules, and automated remediation — as code. Every new account and environment gets the same security baseline. As threats evolve in 2026, infrastructure-as-code ensures your defenses are consistent, auditable, and automatically applied.