AWS Compliance Collector
Maps Security Hub, Config, and IAM findings to NIST 800-53 controls and ships audit-ready PDFs.
The problem
NIST 800-53 audits require evidence (screenshots, exports, control mappings) that's tedious to gather by hand and stale the moment you collect it. Most teams either rent a GRC SaaS or run a quarterly fire drill. Both are expensive.
This collector automates the evidence pass for an AWS account: it pulls findings from Security Hub, Config, and IAM, maps them to NIST controls, and emits an audit-ready PDF plus a drift report against the last scan.
Architecture
A Python service built around Boto3 with one collector module per source (Security Hub, Config, IAM). A central orchestrator runs them in parallel, deduplicates findings, and writes to DynamoDB using a single-table design: the partition key is account#{accountId}, the sort key is scan#{timestamp}#{finding}. Drift detection diffs the latest scan against the prior one for the same account.
Control mappings live in versioned JSON under mappings/nist-800-53-r5.json. ReportLab renders the PDF from a templated layout. Terraform provisions the IAM role, DynamoDB table, and an EventBridge schedule.
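Drift detection over the single-table layout described above, as an added example (not the project's own code): items carry the pk/sk scheme from the architecture section, the sample items, finding ids and control tags are constructed, and timestamps are assumed to be ISO 8601 in UTC so that string order is chronological.

```python
from collections import defaultdict

# Constructed sample items in the single-table layout (pk = account#{accountId},
# sk = scan#{timestamp}#{finding}); not real scan data. Timestamps are ISO 8601
# UTC, so lexical order equals chronological order (assumption).
ITEMS = [
    {"pk": "account#111122223333", "sk": "scan#2024-05-01T00:00:00Z#sh:S3.4", "controls": ["SC-28"]},
    {"pk": "account#111122223333", "sk": "scan#2024-05-01T00:00:00Z#config:required-tags", "controls": ["CM-8"]},
    {"pk": "account#111122223333", "sk": "scan#2024-05-01T00:00:00Z#iam:root-mfa", "controls": ["IA-2"]},
    {"pk": "account#111122223333", "sk": "scan#2024-05-08T00:00:00Z#sh:S3.4", "controls": ["SC-28"]},
    {"pk": "account#111122223333", "sk": "scan#2024-05-08T00:00:00Z#config:required-tags", "controls": ["CM-8"]},
    {"pk": "account#111122223333", "sk": "scan#2024-05-08T00:00:00Z#sh:EC2.19", "controls": ["SC-7"]},
    {"pk": "account#444455556666", "sk": "scan#2024-05-08T00:00:00Z#sh:S3.4", "controls": ["SC-28"]},
]

def parse_sort_key(sk):
    """Split scan#{timestamp}#{finding} into (timestamp, finding)."""
    # maxsplit=2 keeps any '#' that appears inside the finding id intact
    kind, timestamp, finding = sk.split("#", 2)
    if kind != "scan":
        raise ValueError(f"not a scan item: {sk}")
    return timestamp, finding

def scans_for_account(items, account_pk):
    """Group one account's items by scan timestamp -> {finding: item}."""
    scans = defaultdict(dict)
    for item in items:
        if item["pk"] != account_pk:
            continue  # single table: other partitions belong to other accounts
        timestamp, finding = parse_sort_key(item["sk"])
        scans[timestamp][finding] = item
    return scans

def drift_report(items, account_pk):
    """Diff the latest scan against the prior one for the same account."""
    scans = scans_for_account(items, account_pk)
    timestamps = sorted(scans)
    if len(timestamps) < 2:
        return None  # first scan for this account: nothing to diff against
    prior, latest = scans[timestamps[-2]], scans[timestamps[-1]]
    new = sorted(set(latest) - set(prior))
    resolved = sorted(set(prior) - set(latest))
    unchanged = sorted(set(prior) & set(latest))
    # NIST controls that picked up a new failing finding since the prior scan
    new_controls = sorted({c for f in new for c in latest[f]["controls"]})
    return {"prior": timestamps[-2], "latest": timestamps[-1], "new": new,
            "resolved": resolved, "unchanged": unchanged, "new_controls": new_controls}
```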
Hard decisions
DynamoDB single-table over RDS. Findings are append-only and queried by account + time range, which is exactly what Dynamo's composite key is good at. RDS would've been overkill and added a subnet group / VPC dance to the Terraform.
botocore.Stubber for tests, not moto. Stubber gives you exact-API-call assertions. Moto's state simulation drifts from real AWS behavior more than you'd expect for edge cases like Security Hub finding pagination.
PDF instead of HTML report. Auditors want a frozen artifact they can sign off on. PDF removes ambiguity about whether they reviewed today's data or yesterday's.
What I'd do next
Add CIS Benchmark mapping alongside NIST. Wire Lambda invocation so scans run on Security Hub event changes, not just on a schedule. Build a thin dashboard layer (the current notebooks are good for learning, not for ops).