← Back to writingSeries · 6 of 7 published

Building a NIS2-Compliant AWS Landing Zone

A 6-part build journal

An open-source AWS landing zone in Terraform, mapped explicitly to NIS2 Article 21 and ISO 27001:2022 Annex A — built in public, module by module, over six weeks.

  1. 00
    Week 0 — Why I'm Doing This
    The gap NIS2 leaves in public IaC, the project scope, and the six-week plan.
    Read →
  2. 01
    Week 1 — Foundations
    KMS and S3 baseline modules, native terraform test, the full CI pipeline, and branch protection.
    Read →
  3. 02
    Week 2 — The Logging Layer
    CloudTrail, an AWS Config conformance pack, VPC Flow Logs, and the dependency-injection refactor.
    Read →
  4. 03
    Week 3 — Identity Foundations
    AWS Organizations, Service Control Policies, and IAM Identity Center with MFA-enforced permission sets.
    Read →
  5. 04
    Week 4 — Detection
    GuardDuty integrated with Security Hub, and EventBridge to SNS routing for high-severity findings.
    Read →
  6. 05
    Week 5 — Documentation as a Deliverable
    The NIS2-to-ISO control mapping document, architecture diagrams, and README polish.
    Read →
  7. 06
    Week 6 — The Real-AWS Validation Run
    A cost-controlled apply on real AWS, evidence capture, clean teardown, and the retrospective.
    Coming soon