Compliance Automation Engine
Compliance in the cloud is not a checkbox exercise; it is a continuous process that must keep pace with the speed of infrastructure changes. Manual compliance audits are expensive, slow, and outdated the moment they are published. In this challenge, you will design an automated compliance engine on AWS that continuously evaluates infrastructure against security standards (CIS AWS Foundations Benchmark, SOC 2, HIPAA), automatically remediates violations, and generates audit-ready evidence.

The evaluation layer uses AWS Config rules: managed rules for common checks (S3 bucket encryption, CloudTrail enabled, root account MFA) and custom rules implemented as Lambda functions for organization-specific policies. Rules evaluate on configuration change (immediately when a resource is modified) and on a periodic schedule, so drift that a change-triggered evaluation did not catch is still detected. AWS Security Hub aggregates findings from Config, GuardDuty, Inspector, and IAM Access Analyzer into a single compliance dashboard with severity scoring.

The auto-remediation layer uses Config rules' automatic remediation with SSM Automation documents: non-compliant S3 buckets are automatically encrypted, security groups that allow SSH from 0.0.0.0/0 are automatically restricted, and IAM users without MFA receive an automated notification with a 48-hour deadline before their access is restricted. Remediations that require human judgment are not automated; instead the engine creates tickets in an SQS queue consumed by a ticketing-system integration, with escalation timers.

The evidence collection pipeline uses CloudTrail for API-level audit trails, Config snapshots for point-in-time infrastructure state, and custom Lambda functions that take screenshots of security configurations and store them in an S3 evidence bucket with Object Lock for immutability. Object Lock requires bucket versioning, and only compliance mode makes the evidence immutable for the retention period even against the root user; governance-mode retention can be overridden by any principal holding s3:BypassGovernanceRetention.
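The custom-rule side of the evaluation layer, as an added example (not code from the challenge or from AWS): a Lambda-backed Config rule that evaluates an AWS::EC2::SecurityGroup configuration item and reports NON_COMPLIANT when any ingress rule admits TCP/22 from 0.0.0.0/0 or ::/0. The evaluation is kept in pure functions so it can be run offline against the constructed sample event below; only `lambda_handler` calls AWS. The security group ID, timestamp and result token in the sample are made up.

```python
"""Custom AWS Config rule (Lambda) that flags security groups exposing SSH to the world.

Added example for this page, not code from the challenge. The evaluation logic is
pure Python so it can be exercised offline; only lambda_handler talks to AWS.
"""
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
SSH_PORT = 22


def _covers_ssh(permission: dict) -> bool:
    """True if one ingress permission admits TCP/22 (or all traffic)."""
    proto = str(permission.get("ipProtocol", "")).lower()
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):          # "6" is the IANA protocol number for TCP
        return False
    low, high = permission.get("fromPort"), permission.get("toPort")
    if low is None or high is None:        # tcp with no port range means all ports
        return True
    return low <= SSH_PORT <= high


def _open_to_world(permission: dict) -> bool:
    """True if the permission's source includes an any-address CIDR."""
    v4 = [r.get("cidrIp") for r in permission.get("ipRanges", [])]
    v6 = [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return ANY_V4 in v4 or ANY_V6 in v6


def evaluate_security_group(configuration: dict) -> tuple:
    """Return (complianceType, annotation) for the `configuration` object of an
    AWS::EC2::SecurityGroup configuration item (camelCase keys, as Config delivers them)."""
    offending = [p for p in configuration.get("ipPermissions", [])
                 if _covers_ssh(p) and _open_to_world(p)]
    if not offending:
        return "COMPLIANT", "No world-reachable SSH ingress."
    return "NON_COMPLIANT", f"{len(offending)} ingress rule(s) expose TCP/22 to {ANY_V4} or {ANY_V6}."


def build_evaluation(event: dict) -> dict:
    """Turn a change-triggered Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates security groups."
    elif item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource has been deleted."
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],             # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: report the evaluation back to Config."""
    import boto3  # imported here so the pure functions above run without the SDK installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: a group with SSH open to the world and HTTPS open (acceptable).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "resultToken": "constructed-token",
    "ruleParameters": "{}",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

This particular check duplicates what the managed rule `restricted-ssh` already does, which is the point of the comparison: reach for a custom Lambda rule only when the policy is organization-specific (for example, an allow-list of corporate CIDRs rather than "not the whole Internet"). Note the edge cases a naive port-22 string match would miss: an `ipProtocol` of `-1`, a port range such as 20-25 that contains 22, and the IPv6 any-address `::/0`.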
Compliance reports are generated automatically by Lambda functions that query Config, Security Hub, and the evidence bucket, producing PDF reports (stored in S3) formatted to match the requirements of each audit framework.

The engine supports multi-account governance using AWS Organizations, with a delegated administrator account for Config and Security Hub that aggregates compliance data from every member account. Keeping that aggregation in a dedicated security account rather than the organization's management account limits how often the management account's highly privileged credentials are used. Service Control Policies at the organization level provide preventive guardrails that supplement these detective controls, for example by denying member accounts the ability to stop CloudTrail logging or delete the Config recorder.

This challenge teaches compliance automation architecture, security governance at scale, and the AWS services that enable continuous compliance for regulated industries.
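The preventive side of the design, as an added example that is not part of the challenge page: a Service Control Policy that denies member-account principals the actions that would blind the detective controls, with a single break-glass role exempted, together with a small checker that evaluates the policy offline. The checker covers only the SCP semantics this policy uses (Deny statements, action wildcards, and an ArnNotLike condition on aws:PrincipalARN) and is not a full IAM policy engine; the role name `OrgSecurityAdmin` and the account IDs are assumptions.

```python
"""Preventive guardrail: a Service Control Policy that stops member accounts from
switching off the detective controls, plus a small offline checker for it.

Added example, not code from the challenge page. The checker implements only the
slice of SCP semantics this policy needs (Deny statements, Action wildcards and an
ArnNotLike condition on aws:PrincipalARN); it is not a full IAM policy engine.
The break-glass role name is an assumption.
"""
import fnmatch
import json

# Actions that would blind the compliance engine; all are real IAM action names.
PROTECTED_ACTIONS = [
    "config:DeleteConfigurationRecorder",
    "config:StopConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "securityhub:DisableSecurityHub",
    "guardduty:DeleteDetector",
    "guardduty:DisassociateFromAdministratorAccount",
]


def build_guardrail_scp(break_glass_role: str = "OrgSecurityAdmin") -> dict:
    """Deny the protected actions to every principal except one named role (assumed name)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ProtectDetectiveControls",
            "Effect": "Deny",
            "Action": PROTECTED_ACTIONS,
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalARN": f"arn:aws:iam::*:role/{break_glass_role}"}
            },
        }],
    }


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate ArnLike / ArnNotLike conditions against request-context values."""
    for operator, clauses in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"operator {operator} not supported by this checker")
        for key, patterns in clauses.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            value = context.get(key, "")
            matched = any(fnmatch.fnmatchcase(value, p) for p in patterns)
            if matched != (operator == "ArnLike"):   # ArnLike needs a match, ArnNotLike needs none
                return False
    return True


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """True if any Deny statement in the SCP matches this action for this principal.
    IAM action names are case-insensitive, so both sides are lower-cased before matching."""
    context = {"aws:PrincipalARN": principal_arn}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    scp = build_guardrail_scp()
    print(json.dumps(scp, indent=2))
    # Constructed principals: a developer role, the account root user, and the break-glass role.
    for arn in ("arn:aws:iam::111122223333:role/Developer",
                "arn:aws:iam::111122223333:root",
                "arn:aws:iam::111122223333:role/OrgSecurityAdmin"):
        verdict = "DENIED" if scp_denies(scp, "cloudtrail:StopLogging", arn) else "allowed"
        print(arn, "->", verdict)
```

Two properties of SCPs matter for the design above. First, an SCP never grants permissions, so the exempted role still needs its own IAM policy to perform these actions. Second, SCPs do not apply to the organization's management account, which is one more reason to run the compliance tooling from a delegated administrator account that the guardrail does cover.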
Challenge Details
- Path: Security & Resilience
- Difficulty: Advanced
- Duration: 70 min
- Plan: Pro
Why This Challenge?
Unlike whiteboard exercises or multiple-choice quizzes, this challenge requires you to design a real architecture with actual AWS services, evaluate trade-offs, and defend your decisions. Our automated validators check your design against production-grade criteria. Complete it and it shows up in your verified portfolio with your architecture diagram and design rationale.
More from Security & Resilience
Zero-Trust Network Architecture
Design a zero-trust network where every request is authenticated and authorized regardless of network location.
Advanced · 70 min
Cascading Failure Prevention
Design resilience patterns that prevent a single service failure from cascading across your entire system.
Advanced · 75 min
Secrets Management Pipeline
Design an enterprise secrets management system with automatic rotation, zero-knowledge access, and audit trails.
Advanced · 65 min