From ClickOps to 313 resources in code, with a plan that changes nothing.
The platform had grown the way most do: clicked together in the AWS console. It worked, but no one could see it, review it, or reproduce it, and it had never been security-audited.
- ClickOps, not code: infrastructure built by hand in the console: no source of truth, no review, no way to reproduce an environment.
- Invisible drift: nobody could say with confidence what was actually running, or whether a change would break something.
- An unaudited security posture: the account had never had a structured review of IAM, APIs, encryption, or the security services that should be on.
- Unclear spend: a monthly AWS bill with no clear view of where the money was going.
They wanted their AWS account as reviewable, reproducible code, and an honest read on how secure and cost-efficient it really was.
Discover
Enumerated every resource across all regions, documented configurations, and mapped the dependencies and data flows.
Codify
Imported 313 resources into 8 Terraform modules: remote state, a tagging strategy, and dev/prod parameterised.
Assess
Audited IAM, APIs, encryption, network, and cost, with Checkov and tfsec static analysis over the new code.
Validate & hand over
Full plan review with their engineers, a targeted apply to prove the lifecycle, docs, and a knowledge-transfer session.
// figures from the delivered Terraform project and assessment report.
“From console clicks to 313 resources in code, with a plan that adds, changes, and destroys nothing. A faithful mirror of production, and a security audit to go with it.”
The whole estate as Terraform
313 resources · 0/0/0 planWe imported 313 live resources into eight reusable Terraform modules (networking, compute, data, api, ai, security, observability, security-services). The proof it's faithful: terraform plan reports 0 to add, 0 to change, 0 to destroy: the code is an exact mirror of what's running. Remote state, a consistent tagging strategy, and dev/prod parameterisation came with it.
A security assessment that found real problems
IAM · APIs · servicesThe audit surfaced four critical IAM issues (programmatic users with full administrator access, a privilege-escalation path, and a notebook role carrying eight FullAccess policies), core security services switched off (GuardDuty, Security Hub, Access Analyzer, Macie), and around 30 orphaned IAM roles with ~80 policies left over from a feature with only two live instances.
API & data-protection review
close the open doorsAll eight public APIs were running with no authorizer (some endpoints fully open to the internet) on TLS 1.0 and with no access logging. Storage, by contrast, was a bright spot: every S3 bucket was encrypted with public access fully blocked. Every finding came with a severity and a fix.
Cost visibility & handover
own it from day oneWe mapped the ~$1,062/month bill and found a single service, OpenSearch Serverless, eating 46% of it, an obvious optimisation target. Then we handed it over properly: architecture docs, a repo README, a prioritised hardening roadmap, and a knowledge-transfer session so the team owns the code.
The shift isn't just tidiness; it changes how safely the team can move.
Before: infrastructure existed only as clicks in the console. No review, no history, no way to reproduce an environment, and a security posture nobody had measured.
After: the account is Terraform in Git (reviewable in pull requests, reproducible, and versioned) with a 0/0/0 plan proving the code matches reality, static-analysis scanning every change, and a clear, prioritised list of what to fix and what to switch on.
Terraform import
We import the live estate into code rather than recreating it, so there's zero disruption, and the plan-parity check (0/0/0) proves the code is a faithful mirror before anyone changes a thing.
Checkov + tfsec
Static analysis runs over the Terraform, flagging misconfigurations against hundreds of policy checks, so security review is built into the code, not bolted on afterwards.
AWS best practice
The assessment maps every finding to AWS best practice and the detection services that should be on (GuardDuty, Security Hub, Access Analyzer), with a severity-ranked roadmap to close the gaps.
services involved: aws