
Merlin-Studio/AWS-Financial-Services-Example


Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

AWS Landing Zone — Acme Bank

Profile: STANDARD Compliance: CIS, PCI_DSS, SOX


What's in this repository

The same intent spec is compiled to two Terraform-family formats — apply the OpenTofu HCL directly, or feed the .auto.tfvars into your own community-module wrappers.

.
├── README.md                  (this file)
├── DEPLOYMENT_GUIDE.md        Step-by-step deploy runbook (OpenTofu + tfvars)
├── architecture.mmd           Mermaid diagram of the landing zone topology
├── PLACEHOLDERS.md            Every PLACEHOLDER_ token to replace before deploy
├── aws-opentofu/              Format 1: OpenTofu + Spacelift (HCL + per-stack YAML)
│   ├── versions.tf, providers.tf, backend.tf
│   ├── organizations.tf, accounts.tf, iam.tf, vpc.tf
│   ├── transit_gateway.tf, transit_gateway_inspection.tf, inspection_vpc.tf
│   ├── network_firewall.tf, hybrid_connectivity.tf
│   ├── security.tf, cloudtrail.tf, config.tf, kms.tf, s3_log_archive.tf
│   ├── backup.tf, budgets.tf, outputs.tf
│   ├── spacelift/stacks/*.yaml
│   └── .spacelift/config.yml
└── aws-tfvars/                Format 2: .auto.tfvars for terraform-aws-modules wrappers
    ├── organizations.auto.tfvars, accounts.auto.tfvars
    ├── network.auto.tfvars, iam.auto.tfvars, hybrid_connectivity.auto.tfvars
    ├── security.auto.tfvars, cloudtrail.auto.tfvars, kms.auto.tfvars
    └── backup.auto.tfvars

Quick facts

| Setting | Value |
|---|---|
| Organization name | Acme Bank |
| Primary contact | admin@gcp1.intentarch.app |
| Security contact | my2mail@acme.com |
| Billing contact | my3mail@acme.com |
| Home region | us-east-2 |
| Enabled regions | us-east-1, us-east-2, us-west-1, us-west-2 |
| Profile | standard (mid-size) |
| Compliance | cis, pci_dss, sox |
| OpenTofu | 1.12.0 |
| hashicorp/aws | ~> 5.80 |

Account inventory

Mandatory accounts (org baseline)

| Name | Purpose | OU |
|---|---|---|
| Management | AWS Organizations payer + org control plane | Root |
| LogArchive | Central log archive (CloudTrail org trail, Config) | Security |
| Audit | Security tooling delegated administrator | Security |
| SharedServices | DNS resolver endpoints, golden AMIs, etc. | Infrastructure |
| Network | Central network hub (TGW, Site-to-Site VPN) | Infrastructure |

Workload accounts

| Name | OU | Description |
|---|---|---|
| PciWorkload | Workloads/Prod/PCI | Dedicated CDE workload account — PCI-DSS 4.0 scope, SAQ-D level, ASV-scanned, isolated from non-CDE. |
| AppDev | Workloads/Dev | Application development account |
| AppProd | Workloads/Prod | Application production account |

Before you deploy

  1. Search and replace PLACEHOLDER_ tokens. The wizard could not infer real AWS account IDs, OU IDs, or some ARNs. See PLACEHOLDERS.md if present.
  2. Pre-create your AWS Organization with a Management account. OpenTofu cannot bootstrap the org itself.
  3. Enable AWS Organizations trusted service access. organizations.tf carries the required principals on a count = 0 resource — a documentation anchor only, so Terraform does not enable them (it must not manage your existing org). From the management account, enable trusted access for each principal — or confirm AWS Control Tower already has — before deploying:
    aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
    aws organizations enable-aws-service-access --service-principal config.amazonaws.com
    aws organizations enable-aws-service-access --service-principal controltower.amazonaws.com
    aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
    aws organizations enable-aws-service-access --service-principal securityhub.amazonaws.com
    aws organizations enable-aws-service-access --service-principal ram.amazonaws.com
    aws organizations enable-aws-service-access --service-principal sso.amazonaws.com
    aws organizations enable-aws-service-access --service-principal fms.amazonaws.com
    And enable the organization policy types the zone uses:
    aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICY
    aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type TAG_POLICY
    Skipping this breaks org-wide CloudTrail, the Config aggregator, GuardDuty / Security Hub org auto-enable, RAM sharing (Transit Gateway), IAM Identity Center, and Firewall Manager — they fail to deploy or silently no-op.
  4. Enable AWS IAM Identity Center in the management account if you want SSO permission sets to provision. Set the instance ARN in iam.auto.tfvars (or the OpenTofu identity_center data source).
  5. Bootstrap state storage for OpenTofu (S3 + DynamoDB lock) — see DEPLOYMENT_GUIDE.md.
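A preflight check for step 3, added here as an example rather than taken from the generated repository: it reads the JSON that `aws organizations list-aws-service-access-for-organization` and `aws organizations list-roots` print, lists the trusted-access principals and policy types still missing, and emits the runbook's enable commands for exactly those gaps. The two JSON documents embedded below are constructed sample output, not captured from a real organization; the `--live` switch and the `run_aws` helper are this example's own additions.

```python
"""Preflight check for step 3 above (trusted access + policy types).

Added example; it is not part of the generated repository. It reads the JSON
printed by `aws organizations list-aws-service-access-for-organization` and
`aws organizations list-roots`, reports what is still missing, and prints the
exact enable commands from the runbook for the gaps. The two JSON documents
below are constructed sample output, not captured from a real organization.
"""
import json
import subprocess
import sys

# Service principals and policy types the runbook requires.
REQUIRED_PRINCIPALS = (
    "cloudtrail.amazonaws.com", "config.amazonaws.com",
    "controltower.amazonaws.com", "guardduty.amazonaws.com",
    "securityhub.amazonaws.com", "ram.amazonaws.com",
    "sso.amazonaws.com", "fms.amazonaws.com",
)
REQUIRED_POLICY_TYPES = ("SERVICE_CONTROL_POLICY", "TAG_POLICY")

# Constructed sample output: only three principals enabled, tag policies
# still pending on the root.
SAMPLE_SERVICE_ACCESS = json.dumps({"EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": 1700000000.0},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": 1700000000.0},
    {"ServicePrincipal": "sso.amazonaws.com", "DateEnabled": 1700000000.0},
]})
SAMPLE_ROOTS = json.dumps({"Roots": [{
    "Id": "r-exmp",
    "Arn": "arn:aws:organizations::111111111111:root/o-example/r-exmp",
    "Name": "Root",
    "PolicyTypes": [
        {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
        {"Type": "TAG_POLICY", "Status": "PENDING_ENABLE"},
    ],
}]})


def missing_principals(service_access_json, required=REQUIRED_PRINCIPALS):
    """Required principals absent from the enabled list, in runbook order."""
    enabled = {e["ServicePrincipal"]
               for e in json.loads(service_access_json)["EnabledServicePrincipals"]}
    return [p for p in required if p not in enabled]


def missing_policy_types(roots_json, required=REQUIRED_POLICY_TYPES):
    """Per root id, the required policy types whose Status is not ENABLED.

    A policy type that was never enabled is simply absent from PolicyTypes,
    so absence and any non-ENABLED status are both treated as missing.
    """
    missing = {}
    for root in json.loads(roots_json)["Roots"]:
        enabled = {pt["Type"] for pt in root.get("PolicyTypes", [])
                   if pt.get("Status") == "ENABLED"}
        missing[root["Id"]] = [t for t in required if t not in enabled]
    return missing


def remediation_commands(principals, policy_types_by_root):
    """The enable commands from the runbook, one per gap."""
    cmds = [f"aws organizations enable-aws-service-access --service-principal {p}"
            for p in principals]
    for root_id, types in policy_types_by_root.items():
        cmds += [f"aws organizations enable-policy-type --root-id {root_id} --policy-type {t}"
                 for t in types]
    return cmds


def run_aws(*args):
    """Run a read-only AWS CLI call and return its JSON output (live mode only)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    live = "--live" in sys.argv  # pass --live to query the management account
    access = (run_aws("organizations", "list-aws-service-access-for-organization")
              if live else SAMPLE_SERVICE_ACCESS)
    roots = run_aws("organizations", "list-roots") if live else SAMPLE_ROOTS
    gaps = remediation_commands(missing_principals(access), missing_policy_types(roots))
    print("\n".join(gaps) if gaps else "trusted access and policy types: OK")
    sys.exit(1 if gaps else 0)
```

Run it without arguments to see the sample trace; with `--live` it needs management-account credentials and only calls the two read-only list operations, so it can sit in a CI job ahead of `tofu apply` and fail the job while any principal or policy type is still missing.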

Compliance posture

This zone is configured to meet the requirements of:

  • CIS
  • PCI DSS
  • SOX

Specific controls applied:

  • CloudTrail organization trail with KMS-CMK encryption and log file validation
  • AWS Config recorder + aggregator delegated to the Audit account
  • GuardDuty with auto_enable = true for all org members
  • Security Hub with framework-aligned standards subscriptions
  • IAM password policy: min length 14, rotation every 90 days
  • KMS CMKs with auto-rotation every 90 days
  • Object Lock on the central log archive bucket (when FedRAMP / SOX is in scope)
  • S3 default encryption + SSL-only bucket policies
  • VPC Flow Logs on every VPC, all-traffic, with CloudWatch + S3 destinations

How this Landing Zone was generated

This zone was authored by Merlin Studio v2, which uses a compile-AI approach. LLMs were used at design time to encode AWS best-practice patterns, compliance-framework requirements, and discovery-driven defaults into a static rules engine. At generation time, every value below was derived deterministically from your discovery answers + a layered rules engine — no LLM call happens during generation. The same answers always produce the same artifact.

Deeper reading: "Compiled AI for GCP Landing Zones" → dev.to/boristep. The methodology is identical for the AWS pipeline.

The layer model

Values in this spec come from up to four layers, with later layers winning on conflict:

1. Schema defaults       ← floor: a value exists for every field
2. Profile defaults      ← simple / standard / advanced — broad shape
3. Compliance overlays   ← HIPAA / CIS / PCI / FedRAMP add-ons (per framework)
4. Discovery overlays    ← driven by YOUR answers (multi-region, encryption, ...)
5. User edits            ← anything you typed in the wizard ALWAYS wins

Arrays append by name — a compliance overlay adding a required account (e.g. PhiWorkload) to your workload_accounts inventory does not erase the accounts you selected. Scalars: discovery overlays overwrite profile defaults (the discovery answer is the more specific signal); compliance overlays only fill empty slots; your saved values are merged last and override everything.
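The merge rules in the paragraph above, written out as an added example (not the wizard's own code): the five layers are applied in order, arrays of named objects append by `name` (an existing name is kept, a new one is appended), a compliance overlay only fills scalars that are still empty, and the profile, discovery and user-edit layers overwrite. The layer contents used as input are constructed illustrations that echo this spec (a PCI overlay adding `PciWorkload`, a CMK discovery answer), not the real rule tables; `alias/PLACEHOLDER_EBS_CMK` is a placeholder value.

```python
"""Layer merge as the paragraph above describes it.

Added example, not the wizard's own code. Arrays of named objects append by
"name"; a compliance overlay fills only empty scalars; profile, discovery and
user-edit layers overwrite. The layer contents below are constructed
illustrations, not the real rules.
"""
import copy

EMPTY = (None, "", [], {})


def append_by_name(existing, incoming):
    """Append items whose 'name' is new; never drop or replace an existing one."""
    seen = {item["name"] for item in existing}
    merged = list(existing)
    for item in incoming:
        if item["name"] not in seen:
            merged.append(item)
            seen.add(item["name"])
    return merged


def merge_layer(base, overlay, fill_only=False):
    """Return base with overlay applied; fill_only gives compliance-overlay semantics."""
    out = copy.deepcopy(base)
    for key, value in overlay.items():
        current = out.get(key)
        if isinstance(value, list) and isinstance(current, list):
            out[key] = append_by_name(current, value)       # arrays append by name
        elif isinstance(value, dict) and isinstance(current, dict):
            out[key] = merge_layer(current, value, fill_only)  # recurse into nested sections
        elif fill_only and current not in EMPTY:
            continue                                         # slot already set: compliance never overwrites
        else:
            out[key] = copy.deepcopy(value)                  # scalar: later layer wins
    return out


def compile_spec(schema, profile, compliance, discovery, user_edits):
    """Layers 1..5 in order; later layers win on conflict, compliance only fills."""
    spec = merge_layer(schema, profile)
    for overlay in compliance:
        spec = merge_layer(spec, overlay, fill_only=True)
    for overlay in discovery:
        spec = merge_layer(spec, overlay)
    return merge_layer(spec, user_edits)


# Constructed layer contents (assumptions for illustration only).
SCHEMA_DEFAULTS = {"egress_model": "", "log_retention_days": None, "workload_accounts": [],
                   "encryption": {"ebs_default_key": "alias/aws/ebs"}}
PROFILE_STANDARD = {"log_retention_days": 365,
                    "workload_accounts": [{"name": "AppDev", "ou": "Workloads/Dev"},
                                          {"name": "AppProd", "ou": "Workloads/Prod"}]}
COMPLIANCE_PCI = {"egress_model": "centralized", "log_retention_days": 90,
                  "workload_accounts": [{"name": "PciWorkload", "ou": "Workloads/Prod/PCI"}]}
DISCOVERY_CMK = {"encryption": {"ebs_default_key": "alias/PLACEHOLDER_EBS_CMK"}}
USER_EDITS = {"log_retention_days": 400}


def acme_spec():
    return compile_spec(SCHEMA_DEFAULTS, PROFILE_STANDARD, [COMPLIANCE_PCI],
                        [DISCOVERY_CMK], USER_EDITS)


if __name__ == "__main__":
    import json
    print(json.dumps(acme_spec(), indent=2))
```

In the constructed run, `egress_model` is empty after the profile layer, so the PCI overlay fills it; `log_retention_days` is already 365, so the overlay's 90 is ignored and the user's 400 wins at the end; the three workload accounts survive side by side; and the discovery answer replaces the AWS-managed EBS key.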


What fired for your spec

The wizard ran these overlays against your answers. Each entry is the rules-engine trace — what was added, why, and what triggered it.

Compliance overlays

| Section | Triggered by | Rationale |
|---|---|---|
| 02_account_hierarchy | PCI_DSS | PCI-DSS requires cardholder-data environment (CDE) isolation. A dedicated PCI account scopes Requirement 1.2 (network segmentation) and Requirement 7 (least-privilege) cleanly. |
| 04_networking | PCI_DSS | PCI-DSS Req 1.2 mandates CDE network segmentation. The dedicated PciWorkload account (added by the account-hierarchy overlay) needs its own VPC, otherwise cardholder-data workloads would land in AppProd's VPC and drag every workload there into PCI scope. This CDE VPC has no public subnets — workloads run in private subnets, reach AWS services via VPC endpoints, and all egress flows through the Transit Gateway to centralized inspection, never sharing a network boundary with non-CDE workloads. |

Discovery overlays

| Section | Overlay | Triggered by | Rationale |
|---|---|---|---|
| 04_networking | multi_region_secondary_networking | multi_region_required=true | Multi-region answers (warm/active-active DR) require a second hub VPC + workloads VPC in the secondary region, a secondary regional Transit Gateway, and an inter-region TGW peering attachment. Without these, the spec declares warm-standby but is physically single-region — a direct contradiction the generators cannot recover from. |
| 04_networking | regulated_centralized_egress | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | Boundary-control frameworks (PCI-DSS Req 1 NSCs, NIST 800-53 / FedRAMP SC-7, EUCS) require a controlled, inspected egress boundary. The egress model is set to centralized so spoke egress flows through the inspection VPC's AWS Network Firewall; the compliance overlay adds that inspection VPC. |
| 07_advanced_security | regulated_enables_macie | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'hipaa' OR compliance_requirements contains 'gdpr' OR compliance_requirements contains 'eucs' OR compliance_requirements contains 'nis2' | Data-protection frameworks require knowing where sensitive data (PANs / PII / PHI) lives — PCI-DSS Req 3 / 12.5.1, HIPAA, GDPR. Amazon Macie is the native S3 discovery/classification control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Macie-off for these frameworks. |
| 07_advanced_security | regulated_enables_inspector | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | PCI-DSS 11.3.1 (internal vulnerability scanning) and NIST 800-53 / FedRAMP RA-5 require continuous vulnerability scanning. Amazon Inspector is the native control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Inspector-off for these frameworks. |
| 08_logging_monitoring | multi_region_enables_log_replication | multi_region_required=true | Multi-region DR needs the central log bucket replicated to the secondary region so a regional outage does not destroy the audit trail of last resort. |
| 10_backup_dr | multi_region_secondary_region | multi_region_required=true | Multi-region answers (warm/active-active DR) require AWS Backup to copy recovery points to the secondary region. Pre-fill from discovery.secondary_region so the user does not have to retype it. |
| 10_backup_dr | warm_or_active_standby_strengthens_backup | dr_requirements = 'warm_standby' OR dr_requirements = 'active_active' | Warm-standby / active-active DR strategies imply org-level backup policy + vault lock so the secondary region can never lag. |
| 17_ec2_compute | encryption_cmk_drives_ebs_default_alias | encryption_requirements = 'cmk' | When the discovery encryption posture is cmk, EBS must default to a customer-managed key, not alias/aws/ebs. |
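To make the trace reproducible from the table alone, here is an added example (not the wizard's rules engine) that parses the condition syntax in the "Triggered by" column, atoms of the form `field = 'value'`, `field contains 'value'` and `field=true` joined by `OR`, and reports which discovery overlays fire for a given set of answers. The overlay names and trigger strings are copied from the table; the two answer sets, and the answer keys `multi_region_required`, `dr_requirements`, `encryption_requirements` and `compliance_requirements` as a list, are assumptions about the wizard's discovery schema.

```python
"""Evaluate the trigger expressions from the discovery-overlay table above.

Added example, not the wizard's rules engine. Atoms are `field = 'value'`,
`field contains 'value'` or `field=true`, joined by OR (the only connective
the table uses). Overlay names and triggers are copied from the table; the
answer sets are constructed.
"""
import re

# (section, overlay, trigger) exactly as listed in the table above.
DISCOVERY_OVERLAYS = [
    ("04_networking", "multi_region_secondary_networking", "multi_region_required=true"),
    ("04_networking", "regulated_centralized_egress",
     "compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' "
     "OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' "
     "OR compliance_requirements contains 'eucs'"),
    ("07_advanced_security", "regulated_enables_macie",
     "compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'hipaa' "
     "OR compliance_requirements contains 'gdpr' OR compliance_requirements contains 'eucs' "
     "OR compliance_requirements contains 'nis2'"),
    ("07_advanced_security", "regulated_enables_inspector",
     "compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' "
     "OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' "
     "OR compliance_requirements contains 'eucs'"),
    ("08_logging_monitoring", "multi_region_enables_log_replication", "multi_region_required=true"),
    ("10_backup_dr", "multi_region_secondary_region", "multi_region_required=true"),
    ("10_backup_dr", "warm_or_active_standby_strengthens_backup",
     "dr_requirements = 'warm_standby' OR dr_requirements = 'active_active'"),
    ("17_ec2_compute", "encryption_cmk_drives_ebs_default_alias", "encryption_requirements = 'cmk'"),
]

# field, operator, literal (quotes optional so that `x=true` and `x = 'v'` both parse)
ATOM = re.compile(r"^\s*(\w+)\s*(contains|=)\s*'?([^']*?)'?\s*$")


def eval_atom(atom, answers):
    m = ATOM.match(atom)
    if not m:
        raise ValueError(f"unparseable trigger atom: {atom!r}")
    field, op, literal = m.groups()
    value = answers.get(field)
    if op == "contains":                     # multi-select answer must contain the literal
        return isinstance(value, (list, tuple, set)) and literal in value
    if literal.lower() in ("true", "false"):  # boolean answer compared strictly
        return value is (literal.lower() == "true")
    return value == literal                  # single-select answer


def eval_trigger(expr, answers):
    """A trigger is a disjunction of atoms; any true atom fires the overlay."""
    return any(eval_atom(atom, answers) for atom in expr.split(" OR "))


def fired_overlays(answers):
    """Overlay names that fire, in table order (the order the trace above shows)."""
    return [name for _section, name, trigger in DISCOVERY_OVERLAYS
            if eval_trigger(trigger, answers)]


# Constructed answer sets: the Acme Bank profile, and a minimal single-region one.
ACME_ANSWERS = {"compliance_requirements": ["cis", "pci_dss", "sox"],
                "multi_region_required": True,
                "dr_requirements": "warm_standby",
                "encryption_requirements": "cmk"}
SIMPLE_ANSWERS = {"compliance_requirements": ["cis"],
                  "multi_region_required": False,
                  "dr_requirements": "backup_restore",
                  "encryption_requirements": "aws_managed"}


if __name__ == "__main__":
    for section, name, trigger in DISCOVERY_OVERLAYS:
        status = "FIRED" if eval_trigger(trigger, ACME_ANSWERS) else "-----"
        print(f"{status}  {section:22} {name}")
```

With the Acme answers all eight overlays fire, which is exactly the trace in the table; with the single-region CIS-only answers none do, so a reviewer can confirm that a regulated control such as Macie or Inspector is switched on only because a named compliance answer asked for it.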

This trace is scoped to the overlays whose resources are emitted in these foundation bundles. Overlays that targeted application-layer sections (data platform, observability, app services, EC2 fleet) also fired in the wizard but are not part of an OpenTofu/tfvars landing-zone foundation — see INPUT_ASSERTIONS.md for the full list.


Next

See DEPLOYMENT_GUIDE.md for the deploy-and-verify runbook for OpenTofu + tfvars.

About

PCI-DSS/SOX/CIS AWS multi-account landing zone built with Compiled AI by Merlin Studio - a regional bank's card platform compiled from one intent spec to OpenTofu + tfvars. SCP-isolated PCI cardholder-data (CDE) account, multi-region warm-standby DR, centralized inspected egress, 97/100 (A+) security scorecard. A reference, not a turnkey deploy
