Skip to content
February 7, 2025AI + Cloud6 min read

AutomatingAWSOperationsControlswithClaudeCodeandInfrastructureasCode

Claude CodeAWSTerraformIAMCompliance

Operations controls are the backbone of any secure, well-governed AWS environment. But manually writing Service Control Policies (SCPs), IAM policies, Config rules, and compliance checks across dozens of accounts is tedious, error-prone, and a massive time sink.

Enter Claude Code.

In this post, I'll walk through exactly how I use Claude Code to automate the creation, validation, and deployment of operations controls across multi-account AWS environments -- turning days of policy writing into minutes of AI-assisted engineering.

The Operations Controls Challenge

In a typical enterprise AWS landing zone, you need:

  • Service Control Policies (SCPs) to restrict what services and actions are allowed per OU
  • IAM policies following least-privilege principles for dozens of roles
  • AWS Config rules to detect non-compliant resources
  • GuardDuty configurations with custom threat detection
  • CloudTrail with proper logging and alerting
  • Backup policies ensuring data protection compliance
  • Cost controls with budgets and anomaly detection

Writing all of this by hand in Terraform or CloudFormation is incredibly time-consuming. Each policy requires understanding complex JSON/HCL syntax, AWS IAM action namespaces, and the nuances of conditions and resource constraints.

Using Claude Code for SCP Generation

Here's my workflow for generating Service Control Policies:

Step 1: Describe the Intent

I tell Claude Code what I need in plain English:

Generate a Terraform resource for an AWS SCP that:
- Denies all actions in regions outside us-east-1 and us-west-2
- Denies creation of IAM users with console access (enforce SSO)
- Denies disabling of CloudTrail, GuardDuty, or Config
- Denies modifications to the security audit role
- Allows an exception for the management account
- Includes proper condition keys for the region restriction

Step 2: Claude Code Generates Production-Quality Terraform

Claude generates the complete aws_organizations_policy resource with properly structured JSON policy documents, condition blocks, and Terraform variables for customization. It handles edge cases I might miss -- like ensuring the aws:RequestedRegion condition key is used correctly and that global services like IAM, STS, and CloudFront are exempted from region restrictions.

Step 3: Validate and Iterate

I review the output and ask Claude to refine:

Add a statement that denies s3:DeleteBucket for any bucket
with a tag "compliance:critical". Also add a NotAction
exception for sts:AssumeRole so cross-account access still works.

Claude modifies the policy precisely, explaining each change.

Automating IAM Policy Generation

IAM policies are where most security incidents originate. I use Claude Code to enforce least-privilege:

The Prompt Pattern

Generate a Terraform IAM policy for a Lambda function that:
- Reads from DynamoDB table "orders" in us-east-1
- Writes to S3 bucket "processed-orders"
- Publishes to SNS topic "order-notifications"
- Reads secrets from Secrets Manager with prefix "/prod/orders/"
- Has NO other permissions
- Uses resource ARNs, not wildcards
- Includes condition keys to restrict to the VPC endpoint

Claude Code generates a policy with specific resource ARNs, proper actions (no wildcards), and condition keys like aws:sourceVpc -- exactly the kind of granular policy that would take 30+ minutes to write and validate by hand.

Bulk Policy Generation

For large environments, I describe a role matrix:

I have 5 microservices: auth-service, orders-service, payments-service,
notifications-service, and analytics-service. Each runs on ECS Fargate.
Generate individual IAM task roles for each with least-privilege access
to their respective DynamoDB tables, S3 buckets, and SQS queues.
Follow the naming convention: {service}-task-role.

Claude generates all 5 policies with proper resource scoping. What would take half a day becomes a 10-minute review.

AWS Config Rules as Code

Compliance monitoring is critical but setting up custom Config rules is complex. Here's how I automate it:

Generate Terraform for AWS Config rules that check:
1. All S3 buckets have encryption enabled (SSE-S3 or SSE-KMS)
2. All RDS instances have automated backups with 7+ day retention
3. All security groups don't have 0.0.0.0/0 ingress on port 22
4. All EBS volumes are encrypted
5. All IAM users have MFA enabled
Use AWS managed rule identifiers where available,
custom Lambda rules where needed. Include remediation actions
using SSM Automation documents.

Claude generates the full Terraform configuration including the Config rules, the remediation configurations, the SSM documents, and the IAM roles needed to execute remediations.

GuardDuty + EventBridge Automation

For threat response automation:

Generate Terraform for a GuardDuty setup that:
- Enables GuardDuty in all enabled regions
- Creates EventBridge rules for high-severity findings
- Triggers a Lambda that:
  1. Enriches the finding with asset owner information from a DynamoDB table
  2. Creates a Jira ticket via API
  3. Sends a Slack notification with finding details
  4. For EC2 findings: automatically isolates the instance by replacing its security group
- Include proper IAM roles and CloudWatch log groups

This kind of multi-service automation would normally require days of development. With Claude Code, I get a working first draft in minutes and iterate from there.

The Complete Workflow

Here's my end-to-end workflow for operations controls:

  1. Define requirements in a plain-English document
  2. Generate Terraform using Claude Code with detailed prompts
  3. Review and refine through conversation with Claude
  4. Validate using terraform validate, tflint, and checkov
  5. Test in a sandbox account using Terragrunt
  6. Deploy through CI/CD pipeline with plan approval gates
  7. Monitor with AWS Config and GuardDuty for compliance drift

Claude Code doesn't replace the engineer's judgment -- it amplifies it. I still review every policy, understand every condition key, and validate every deployment. But the 80% of boilerplate work that used to consume my days is now handled by AI.

Key Lessons Learned

  1. Be specific in prompts: The more detail you provide about resources, regions, accounts, and conditions, the better the output.
  2. Always validate: Claude-generated policies should always be tested with AWS Access Analyzer and Config rule evaluations.
  3. Iterate conversationally: Don't try to get perfect output in one prompt. Start broad, then refine.
  4. Version control everything: Treat AI-generated Terraform the same as hand-written code -- PR reviews, plan outputs, and approval workflows.
  5. Build a prompt library: Save your best prompts for reuse. I maintain a library of ~50 operations control prompt templates.

Conclusion

Claude Code has transformed how I build operations controls. What used to be the most tedious part of cloud engineering -- writing hundreds of lines of IAM policy JSON and Terraform HCL -- is now the most efficient. The result is more comprehensive security controls, deployed faster, with fewer human errors.

The future of cloud security isn't just automation -- it's AI-assisted automation where the engineer focuses on intent and architecture while AI handles the implementation details.

Want to see how AI can accelerate your cloud security posture? Let's talk.