Reference Terraform for using core AWS services the right way — with security and cloud
operations baked in from the start, not bolted on later. Each example is small, self-contained,
CI-validated (terraform fmt + validate), and explains why as much as how.
These are teaching references, not a turnkey landing zone. Read the README in each example, understand the why, then adapt to your account. Nothing here stores a plaintext secret, uses a long-lived access key, or grants `*` permissions.
- No long-lived credentials. Use IAM roles and short-lived credentials everywhere — for apps, CI/CD, and cross-service access. Static access keys are the #1 thing that leaks.
- Least privilege, always. Scope every policy to specific actions on specific resource ARNs. `"Action": "*"` and `"Resource": "*"` are almost never correct.
- Secrets live in a secret store, never in code, env files, or Terraform state you can read.
- Encrypt with intent. Prefer customer-managed KMS keys with tight key policies for anything sensitive, so access to the key is a second, auditable control.
- Turn on the account-level guardrails. GuardDuty, Security Hub, Config, IAM Access Analyzer, and CloudTrail are cheap relative to a breach and give you detection + an audit trail.
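The second principle in practice, as an added example that is not one of this repo's modules: the over-broad policy document the text warns against, next to a role policy scoped to one bucket and its objects. The bucket name, role name and EC2 trust relationship are placeholder assumptions.

```hcl
# Added example, not part of the repo. Bucket and role names are placeholders.
variable "bucket_name" {
  type    = string
  default = "example-app-data-bucket" # placeholder
}

# The anti-pattern: every action on every resource. Rendered only for contrast;
# it is never attached to anything below.
data "aws_iam_policy_document" "too_broad" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

# Least privilege: the role may list exactly one bucket and read/write objects
# in it. Bucket-level and object-level ARNs differ, so they are separate statements.
data "aws_iam_policy_document" "scoped" {
  statement {
    sid       = "ListOneBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }

  statement {
    sid       = "ObjectsInOneBucket"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
  }
}

# A role (assumed by EC2 here as a placeholder trust) instead of an access key.
resource "aws_iam_role" "app" {
  name = "example-app-role" # placeholder

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Only the scoped document is attached.
resource "aws_iam_role_policy" "app_scoped" {
  name   = "s3-one-bucket"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.scoped.json
}
```

Run `terraform plan` and compare the rendered JSON of `too_broad` and `scoped` in the plan output: the first grants the whole account, the second grants three actions on two ARNs. IAM Access Analyzer's policy validation will flag the first.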
| Example | What it shows | Key services |
|---|---|---|
| secrets-manager | Store a secret and grant one role read-only access to only that secret | Secrets Manager, IAM |
| iam-least-privilege | A role scoped to exactly one bucket's objects — no wildcards | IAM, S3 |
| codeconnections | Connect CI/CD to GitHub with no stored token | CodeConnections (CodeStar Connections), IAM |
| kms-encryption | Customer-managed KMS key with a least-privilege key policy, used to encrypt S3 | KMS, S3 |
| security-baseline | Turn on the account guardrails in one module | GuardDuty, Security Hub, Config, IAM Access Analyzer, CloudTrail |
Each example is an independent Terraform root module. From any example directory:

```
terraform init
terraform plan   # review before applying
terraform apply
```

Set the required variables (see each example's variables.tf). Some resources (e.g. a CodeConnections connection) are created in a PENDING state and must be authorized once in the console — the example README calls this out.
Most examples are near-free, but the security-baseline enables paid services (GuardDuty, Config,
Security Hub). They're inexpensive for a small account but not zero — read that README first.
MIT — see LICENSE.
Written by Durrell Gemuh — DevOps & Cloud Infrastructure Engineer, AWS Community Builder (Cloud Operations).