← Back to writingSeries · 6 of 7 published
Building a NIS2-Compliant AWS Landing Zone
A 6-part build journal
An open-source AWS landing zone in Terraform, mapped explicitly to NIS2 Article 21 and ISO 27001:2022 Annex A — built in public, module by module, over six weeks.
- 00Read →Week 0 — Why I'm Doing ThisThe gap NIS2 leaves in public IaC, the project scope, and the six-week plan.
- 01Read →Week 1 — FoundationsKMS and S3 baseline modules, native terraform test, the full CI pipeline, and branch protection.
- 02Read →Week 2 — The Logging LayerCloudTrail, an AWS Config conformance pack, VPC Flow Logs, and the dependency-injection refactor.
- 03Read →Week 3 — Identity FoundationsAWS Organizations, Service Control Policies, and IAM Identity Center with MFA-enforced permission sets.
- 04Read →Week 4 — DetectionGuardDuty integrated with Security Hub, and EventBridge to SNS routing for high-severity findings.
- 05Read →Week 5 — Documentation as a DeliverableThe NIS2-to-ISO control mapping document, architecture diagrams, and README polish.
- 06Coming soonWeek 6 — The Real-AWS Validation RunA cost-controlled apply on real AWS, evidence capture, clean teardown, and the retrospective.