Building an Automated AWS Compliance Tool: A Complete Setup Guide

Hey there, fellow security professionals! If you’re tired of manually checking AWS configurations for compliance issues, or if you’re looking to automate your SOC 2 and ISO 27001 audit preparation, you’re in the right place. I’m going to walk you through setting up a production-ready automated compliance reporting tool that scans your AWS environment and generates detailed Excel reports.

🎯 What We’re Building

This tool automates the tedious work of compliance auditing by:

  • Scanning AWS IAM policies for risky wildcard permissions
  • Checking S3 buckets for encryption and public access
  • Auditing EC2 Security Groups for open risky ports (SSH, RDP, etc.)
  • Verifying VPC configurations including flow logs and endpoints
  • Analyzing EC2 instances for IMDSv2, encryption, and monitoring
  • Integrating with SIEM (Elasticsearch/ELK Stack) for security event correlation
  • Generating comprehensive Excel reports ready for auditors

Compliance Checks Coverage

The tool performs comprehensive checks across multiple AWS services:

  • IAM: 15 compliance checks
  • S3: 20 compliance checks
  • EC2: 25 compliance checks
  • VPC: 30 compliance checks
  • Security: 35 compliance checks
  • SIEM: 40 compliance checks

🏗️ Architecture Overview

The compliance tool integrates multiple AWS services and components:

AWS IAM ──┐
AWS S3  ──┼──> Compliance Scanner (Python + boto3) ──> Elasticsearch (SIEM)
AWS EC2 ──┤                                                  │
AWS VPC ──┘                                                  │
                                                             ▼
                                                      Report Builder
                                                      (Excel Reports)

Technology Stack

  • AWS IAM - Identity and Access Management
  • AWS S3 - Object Storage
  • AWS EC2 - Compute Service
  • AWS VPC - Virtual Private Cloud
  • Elasticsearch - SIEM Integration
  • Python 3.11 - Core Language
  • Docker - Containerization
  • Kubernetes - Orchestration

📋 Prerequisites

Before we dive in, make sure you have these installed:

1. Python 3.11+

python3 --version

2. AWS CLI configured

aws configure

You’ll need AWS credentials with read-only access to IAM, S3, EC2, and VPC.

3. Git

git --version

4. Docker (optional, for containerized deployment)

docker --version

💡 Pro Tip: If you don’t have AWS credentials yet, you can still test the tool using sample data! We’ll cover that in the testing section.

🚀 Step-by-Step Setup

Step 1: Clone the Repository

First, let’s get the code. If you have the repository URL, clone it:

git clone https://github.com/your-username/auto-compliance-tool.git

Or if you’re working from a local directory:

cd auto-compliance-tool

Step 2: Set Up Python Virtual Environment

Always use a virtual environment to keep dependencies isolated:

python3 -m venv venv

Activate it:

# On macOS/Linux
source venv/bin/activate

# On Windows
venv\Scripts\activate

Step 3: Install Dependencies

Install all required Python packages:

pip install -r requirements.txt

This installs:

  • boto3 - AWS SDK for Python
  • pandas - Data manipulation
  • openpyxl - Excel file generation
  • elasticsearch - SIEM integration
  • requests - HTTP library

Step 4: Configure AWS Credentials

Set up your AWS credentials. You have a few options:

Option A: Environment Variables

export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"

Option B: AWS CLI Configuration

aws configure

This will prompt you for your credentials and save them to ~/.aws/credentials.

⚠️ Security Note: Make sure your AWS credentials have only the minimum required permissions (read-only access to IAM, S3, EC2, VPC). Never commit credentials to version control!

Step 5: Configure Baseline Checks

The tool uses baseline configurations to determine what to check. Review and customize config/baseline_checks.json:

{
  "iam_policy": {
    "disallow_wildcard_action": true
  },
  "s3_bucket": {
    "require_server_side_encryption": true,
    "block_public_access": true
  },
  "ec2_security_group": {
    "restricted_ports": [22, 3389, 445, 139]
  },
  "vpc": {
    "require_flow_logs": true,
    "check_endpoints": true
  },
  "ec2_instance": {
    "require_imdsv2": true,
    "require_encryption": true
  }
}

You can customize these based on your organization’s compliance requirements (SOC 2, ISO 27001, NIST 800-53, etc.).
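To make the baseline concrete, here is an added example (not the project's own code) of how a scanner can evaluate two of these baseline keys, disallow_wildcard_action and restricted_ports, against data in the shape boto3 returns for IAM policy documents and security groups. The function names, the sample policy and the security group are constructed for illustration.

```python
# Constructed baseline mirroring the keys in config/baseline_checks.json above.
BASELINE = {"iam_policy": {"disallow_wildcard_action": True},
            "ec2_security_group": {"restricted_ports": [22, 3389, 445, 139]}}

def check_iam_policy(name, document, baseline):
    """Flag Allow statements whose Action contains '*' or 'service:*'."""
    findings = []
    if not baseline["iam_policy"]["disallow_wildcard_action"]:
        return findings
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement restricts, not grants
        acts = stmt.get("Action", [])
        wild = [a for a in ([acts] if isinstance(acts, str) else acts)
                if a == "*" or a.endswith(":*")]
        if wild:
            findings.append({"resource": name, "check": "iam_wildcard_action",
                             "status": "FAIL", "detail": ",".join(wild)})
    return findings

def check_security_group(sg, baseline):
    """Flag ingress rules exposing a restricted port to 0.0.0.0/0 or ::/0."""
    restricted = set(baseline["ec2_security_group"]["restricted_ports"])
    findings = []
    for perm in sg.get("IpPermissions", []):
        world = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                 or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
        if not world:
            continue
        # IpProtocol "-1" (all traffic) carries no FromPort/ToPort: treat as every port.
        lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
        hit = sorted(p for p in restricted if lo <= p <= hi)
        if hit:
            findings.append({"resource": sg["GroupId"], "check": "sg_restricted_port_open",
                             "status": "FAIL", "detail": ",".join(map(str, hit))})
    return findings

# Constructed samples shaped like boto3 get_policy_version / describe_security_groups output.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
SAMPLE_SG = {"GroupId": "sg-0123example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}

def scan_samples():
    """Run both checks over the samples; returns FAIL rows ready for the AWS Findings sheet."""
    return check_iam_policy("AdminLike", SAMPLE_POLICY, BASELINE) + check_security_group(SAMPLE_SG, BASELINE)
```

The "-1" branch is the case a naive port comparison misses: an allow-all ingress rule has no FromPort/ToPort in the API response, yet it exposes every restricted port.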

Step 6: Configure SIEM (Optional)

If you have an Elasticsearch/ELK Stack instance, configure it in config/elk_config.json or set environment variables:

export ELASTICSEARCH_HOST="your-elasticsearch-host"
export ELASTICSEARCH_PORT="9200"
export ELASTICSEARCH_USER="elastic"
export ELASTICSEARCH_PASSWORD="your-password"

If you don’t have Elasticsearch set up yet, the tool will gracefully fall back to simulated data.

🧪 Testing Your Setup

Quick Test with Sample Data (No AWS Required!)

Want to see the tool in action without AWS credentials? We’ve got you covered:

python3 test/sample_data_generator.py

This generates a comprehensive test dataset with 132 different compliance findings and creates an Excel report. Check the reports/ directory for your generated report!

Test with Real AWS Credentials

Once your AWS credentials are configured, run the main script:

python main.py

The tool will:

  1. Connect to your AWS account
  2. Scan IAM policies, S3 buckets, EC2 instances, and VPCs
  3. Query your SIEM (if configured)
  4. Generate an Excel report in reports/Compliance_Report_YYYY-MM-DD.xlsx

✅ Success! If everything worked, you should see a new Excel file in the reports/ directory with all your compliance findings organized by category.

Understanding the Report

The Excel report contains multiple sheets:

  • Summary - Overview of all findings by status (FAIL, WARN, PASS)
  • AWS Findings - Detailed list of all AWS compliance issues
  • SIEM Findings - Security events from your SIEM
  • Recommendations - Suggested remediation steps

🚢 Deployment Options

Option 1: Docker Deployment

Build the Docker image:

docker build -t compliance-tool .

Run it:

docker run --rm -v $(pwd)/reports:/app/reports \
  -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  compliance-tool

Option 2: Docker Compose (Multi-Container)

For a more complete setup with a report viewer:

docker-compose up -d

This starts:

  • The compliance scanner
  • An Nginx web server to view reports at http://localhost:8080
  • A scheduled scanner (runs daily at 2 AM)

Option 3: Kubernetes Deployment

Deploy to a Kubernetes cluster:

kubectl apply -f k8s/

This creates:

  • Namespace: compliance-system
  • Deployment: compliance-scanner
  • CronJob: Daily scheduled scans
  • PersistentVolumeClaim: For report storage
  • ConfigMap & Secrets: For configuration

Option 4: Amazon EKS (Production)

For a production-ready setup on Amazon EKS:

./eks/setup-eks.sh

This script:

  1. Creates an EKS cluster with eksctl
  2. Configures node groups
  3. Sets up IAM roles
  4. Deploys the compliance tool

Then deploy your application:

./eks/deploy-to-eks.sh

📚 More Info: Check out the eks/EKS_COMPLETE_GUIDE.md for detailed EKS setup instructions, including cost estimates (~$213/month) and troubleshooting tips.

🔧 Advanced Features

CI/CD Integration

The project includes complete CI/CD pipelines for:

  • GitHub Actions - See .github/workflows/ci-cd.yml
  • GitLab CI - See .gitlab-ci.yml
  • Jenkins - See Jenkinsfile

All pipelines include:

  • Code quality checks (Pylint)
  • Security scanning (Bandit SAST)
  • Container scanning (Trivy)
  • Dependency vulnerability checks (Safety)
  • Automated testing
  • Docker image building
  • Kubernetes deployment

Helm Charts

For easy Kubernetes deployment with customization:

helm install compliance-tool helm/compliance-tool/

Customize values in helm/compliance-tool/values.yaml before installing.

Infrastructure as Code with Pulumi

Provision the entire AWS infrastructure programmatically:

cd pulumi && pulumi up

This creates VPC, subnets, NAT gateways, EKS cluster, S3 buckets, and IAM roles - all from code!

Large Dataset Management

Generate and manage large compliance datasets:

python main.py --download-dataset 1000

This generates 1000 findings for testing report generation with large datasets.

🔍 Troubleshooting

Common Issues

Issue: “AWS credentials not found”

Solution: Make sure your AWS credentials are configured. Run aws configure or set environment variables.

Issue: “Permission denied” errors

Solution: Your AWS credentials need read-only access to IAM, S3, EC2, and VPC. Check your IAM policy.

Issue: “Elasticsearch connection failed”

Solution: This is okay! The tool will fall back to simulated SIEM data. If you want real Elasticsearch integration, check the ELK_SETUP_GUIDE.md.

Issue: “No module named ‘boto3’”

Solution: Make sure your virtual environment is activated and you’ve run pip install -r requirements.txt.

Getting Help

For more detailed troubleshooting, check out:

  • COMPREHENSIVE_TESTING_GUIDE.txt - Complete testing guide with troubleshooting
  • eks/EKS_COMPLETE_GUIDE.md - EKS-specific troubleshooting
  • ELK_SETUP_GUIDE.md - Elasticsearch setup and troubleshooting

🎓 What’s Next?

Now that you have the tool set up, here are some ideas to extend it:

  • Add more compliance frameworks - Implement checks for PCI DSS, HIPAA, GDPR
  • Automated remediation - Create scripts to automatically fix common issues
  • Slack/Teams integration - Send alerts when critical findings are discovered
  • Multi-account scanning - Extend to scan multiple AWS accounts
  • Custom dashboards - Build Grafana dashboards for compliance metrics
  • API endpoints - Expose the scanner as a REST API

🎉 Congratulations!

You’ve successfully set up an automated AWS compliance reporting tool! This is a production-ready solution that can save you hours of manual auditing work.

If you found this guide helpful, consider contributing back to the project or sharing it with your team. Happy compliance scanning! 🔒

This post is licensed under CC BY 4.0 by the author.