Secure automation of AWS tagging, cleanup, compliance, secret rotation and security scanning—using Python, AWS CLI, open-source tools and GitHub Actions CI/CD.
## Contents

- Overview
- Real-World Risk
- What I Built
- Diagram
- Objectives
- Steps Performed
  - 1. Project Setup
  - 2. Tagging Automation
  - 3. Automated Cleanup
- Bonuses
  - 1.1 Security Scanning with Prowler
  - 1.2 Compliance Check Automation
  - 1.3 Slack Integration & Notification
  - 1.4 Secret Rotation Automation
  - 1.5 Automation as Code: GitHub Actions
- Screenshots
- Lessons Learned
- Notes and Limitations
- References
- Contact
## Overview

This lab demonstrates secure, real-world AWS automation for:
- Tagging and cleaning up EC2s (cost & hygiene)
- Compliance checks and reporting
- Secret rotation (IAM) and notifications
- Live Slack alerting for all security actions
- Open-source security scanning with Prowler
- Automated scheduling and evidence collection via GitHub Actions
## Real-World Risk

Manual AWS operations lead to:

- Untagged assets and cloud spend overruns.
- Orphaned instances: wasted resources and a larger attack surface.
- Non-compliant AWS resources and the risk of audit findings or security incidents.
- Forgotten, stale IAM keys (a major breach vector).
- Security misconfigurations missed by manual review.
- No team visibility: security actions can go unnoticed.
## What I Built

A full-stack AWS automation portfolio lab that:

- Tags all untagged EC2s for visibility and billing clarity.
- Cleans up unused stopped EC2s.

Bonuses:

- Runs Prowler for industry-standard AWS security scanning.
- Automates compliance checks (e.g., EBS encryption), with instant Slack alerts.
- Rotates IAM secrets and deletes old keys, alerting the team on each action.
- Runs everything in GitHub Actions, with secure secrets handling.
## Objectives

- Build secure, modular AWS automation for tagging, cleanup, compliance, secret rotation and reporting.
- Collect and document "proof" (screenshots, reports) of all automation steps.
- Integrate Slack and CI/CD for operational visibility.
- Use AWS security best practices and evidence-driven DevOps.
## Steps Performed

### 1. Project Setup

- Created a clean repo with the folders `tagging/`, `cleanup/`, `compliance/`, `secrets/`, `screenshots/` and `reports/`.
- Installed AWS CLI, Python 3, boto3 and Prowler, and configured an IAM lab user with least privilege (Screenshot: `repo_folder_structure.png`).
### 2. Tagging Automation

- Wrote and ran a Python script to tag untagged EC2s with a `Project: LabAutomation` tag.
- Verified in the AWS Console (Screenshots: `tagging_script.png`, `tagging_script_execution.png` & `ec2s_after_scripts.png`).
### 3. Automated Cleanup

- Scripted cleanup of stopped EC2s older than 30 days (dry run for safety).
- Showed the pre/post state in the AWS Console (Screenshots: `cleanup_script.png`, `cleanup_script_execution.png` & `ec2s_after_scripts.png`).
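The decision logic behind steps 2 and 3, as an added example that is not the lab's own scripts: it works on the `Reservations` list returned by `describe_instances()`, treats a missing `Project` tag as untagged, and derives the stop time from `StateTransitionReason` (an assumption about where EC2 reports it; an instance whose stop time cannot be parsed is never marked stale). boto3 is only touched in the `__main__` block, and the sample response is constructed.

```python
# Added example (not the lab's own scripts): pure decision logic for tagging and cleanup.
import re
from datetime import datetime, timedelta, timezone

PROJECT_TAG = {"Key": "Project", "Value": "LabAutomation"}
# Stop time as EC2 reports it in StateTransitionReason: "User initiated (2025-07-01 10:00:00 GMT)"
STOP_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")

def flatten(reservations):
    """Flatten the 'Reservations' list of describe_instances() into instance dicts."""
    return [i for r in reservations for i in r.get("Instances", [])]

def untagged_ids(reservations, key="Project"):
    """Instances with no tag named `key`; a missing Tags list counts as untagged."""
    return [i["InstanceId"] for i in flatten(reservations)
            if key not in {t["Key"] for t in i.get("Tags", [])}]

def stale_stopped_ids(reservations, now, max_age=timedelta(days=30)):
    """Instances stopped for longer than max_age. An instance whose stop time
    cannot be parsed is skipped: when in doubt, never mark it for deletion."""
    stale = []
    for i in flatten(reservations):
        m = STOP_RE.search(i.get("StateTransitionReason", ""))
        if i.get("State", {}).get("Name") != "stopped" or not m:
            continue
        stopped = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - stopped.replace(tzinfo=timezone.utc) > max_age:
            stale.append(i["InstanceId"])
    return stale

# Constructed sample in the shape of a describe_instances() response
SAMPLE = [{"Instances": [
    {"InstanceId": "i-web", "State": {"Name": "running"},
     "Tags": [{"Key": "Project", "Value": "Web"}]},
    {"InstanceId": "i-old", "State": {"Name": "stopped"}, "Tags": [],
     "StateTransitionReason": "User initiated (2025-06-01 10:00:00 GMT)"},
    {"InstanceId": "i-new", "State": {"Name": "stopped"},
     "StateTransitionReason": "User initiated (2025-07-20 10:00:00 GMT)"},
]}]
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)  # constructed "current" time for the sample

if __name__ == "__main__":  # live run: tags are applied, cleanup stays a dry run
    import boto3  # imported here so the pure functions above run without boto3
    ec2 = boto3.client("ec2")
    live = [r for p in ec2.get_paginator("describe_instances").paginate()
            for r in p["Reservations"]]
    if ids := untagged_ids(live):
        ec2.create_tags(Resources=ids, Tags=[PROJECT_TAG])  # one batched call
    print("stale stopped (dry run):", stale_stopped_ids(live, datetime.now(timezone.utc)))
```

Against the sample, `i-old` and `i-new` are untagged, but only `i-old` (stopped for two months) is stale; `i-new` stopped twelve days ago and is kept.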
## Bonuses

### 1.1 Security Scanning with Prowler

- Ran a Prowler AWS security scan and saved the results (Screenshots: `prowler_security_scan_running.png` & `prowler_security_scan_results.png`).
### 1.2 Compliance Check Automation

- Python/boto3 script to detect unencrypted EBS volumes.
- Integrates with Slack: sends alerts if non-compliance is found (Screenshots: `compliance-check-script.png`, `compliance-check-terminal-output.png` & `slack-alert-message-channel.png`).
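The compliance check described in 1.2, as an added example that is not the lab's script: it flags every volume whose `Encrypted` flag is not `True`, builds the Slack Incoming Webhook payload, and posts it with the standard library. The `SLACK_WEBHOOK_URL` environment variable and the sample volumes are assumptions made for this example.

```python
# Added example, not the lab's compliance script: flag unencrypted EBS volumes and
# build/send the Slack alert. Assumes the webhook URL is in the SLACK_WEBHOOK_URL
# environment variable (the lab keeps it as a secret, never in code).
import json
import os
import urllib.request

def unencrypted_volumes(volumes):
    """Return (VolumeId, attached InstanceId or '-') for every volume whose
    Encrypted flag is not True. `volumes` is the 'Volumes' list of describe_volumes()."""
    findings = []
    for v in volumes:
        if v.get("Encrypted") is True:
            continue  # compliant; False or a missing flag is a finding
        attached = [a.get("InstanceId", "-") for a in v.get("Attachments", [])]
        findings.append((v["VolumeId"], attached[0] if attached else "-"))
    return findings

def slack_payload(findings, region):
    """Slack Incoming Webhook body. Resource IDs only: no credentials or
    secrets ever go into a chat channel."""
    if not findings:
        return {"text": f":white_check_mark: EBS encryption check ({region}): all volumes encrypted"}
    lines = [f"- `{vol}` (instance {inst})" for vol, inst in findings]
    return {"text": f":rotating_light: {len(findings)} unencrypted EBS volume(s) in {region}:\n"
            + "\n".join(lines)}

def post_to_slack(payload, webhook_url):
    """POST the JSON payload to the Incoming Webhook; urlopen raises on non-2xx."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample in the shape of a describe_volumes() response
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-enc", "Encrypted": True, "Attachments": [{"InstanceId": "i-web"}]},
    {"VolumeId": "vol-plain", "Encrypted": False, "Attachments": [{"InstanceId": "i-db"}]},
    {"VolumeId": "vol-orphan", "Encrypted": False, "Attachments": []},
]

if __name__ == "__main__":
    import boto3  # imported here so the checks above run offline
    ec2 = boto3.client("ec2")
    vols = [v for p in ec2.get_paginator("describe_volumes").paginate() for v in p["Volumes"]]
    found = unencrypted_volumes(vols)
    print(f"{len(found)} unencrypted volume(s)")
    if found:  # alert only on non-compliance, as the lab does
        post_to_slack(slack_payload(found, ec2.meta.region_name), os.environ["SLACK_WEBHOOK_URL"])
```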
### 1.3 Slack Integration & Notification

- Created a Slack app with an Incoming Webhook.
- Automated notifications from scripts (test, compliance, secret rotation) (Screenshots: `slack-app-name-and-workspace.png`, `slack-enable-incoming-webhooks.png`, `slack-webhook-url-generated.png`, `slack-add-webhook-channel.png`, `slack-channel-message-from-script.png` & `slack-alert-message-channel.png`).
### 1.4 Secret Rotation Automation

- Python script rotates the IAM user's access key, deletes the old key and sends a Slack alert.
- Executed via GitHub Actions for auditability (Screenshots: `secret-rotation-script.png`, `rotate-key-slack-alert.png` & `rotate-key-workflow-success.png`).
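The rotation flow from 1.4, as an added example that is not the lab's script: create the new key, hand its secret to a `store_secret` callback (when the rotated key is the one the workflow itself authenticates with, that callback is where the CI secret must be updated before the old key is deleted), deactivate and then delete the old key, and alert with key IDs only. `FakeIAM`, the user name `lab-user` and the placeholder key IDs are constructed for offline use; with AWS you pass `boto3.client("iam")` instead.

```python
# Added example, not the lab's rotation script: rotate an IAM user's access key
# safely. IAM allows two keys per user, so a new key is created first, the old one
# is deactivated, then deleted. FakeIAM and the key IDs are constructed for offline use.

def key_to_replace(keys):
    """Return the single existing key ID, or None if rotation must not proceed:
    with two keys IAM refuses a third, and guessing which one is in use is unsafe."""
    return keys[0]["AccessKeyId"] if len(keys) == 1 else None

def alert_text(user, old_id, new_id):
    """Slack message: key IDs only, never the secret access key."""
    return f":key: IAM user `{user}`: key `{old_id}` deleted, `{new_id}` now active"

def rotate(iam, user, store_secret):
    """Create new key -> hand secret to store_secret() -> deactivate and delete old.
    Returns (old_id, new_id); the secret itself is never returned or logged."""
    old_id = key_to_replace(iam.list_access_keys(UserName=user)["AccessKeyMetadata"])
    if old_id is None:
        raise RuntimeError(f"{user} does not have exactly one access key; aborting")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    store_secret(new["AccessKeyId"], new["SecretAccessKey"])  # e.g. update the CI secret
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return old_id, new["AccessKeyId"]

class FakeIAM:
    """Constructed stand-in for boto3's IAM client that records the call order."""
    def __init__(self, key_ids):
        self.keys, self.calls = list(key_ids), []
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self.keys]}
    def create_access_key(self, UserName):
        self.keys.append("AKIANEWEXAMPLE000"); self.calls.append("create")
        return {"AccessKey": {"AccessKeyId": self.keys[-1], "SecretAccessKey": "s3cr3t"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(f"{Status.lower()}:{AccessKeyId}")
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys.remove(AccessKeyId); self.calls.append(f"delete:{AccessKeyId}")

def run_demo():
    """Rotate one constructed key; returns (old_id, new_id, recorded IAM calls)."""
    iam = FakeIAM(["AKIAEXAMPLEOLD00001"])
    old, new = rotate(iam, "lab-user", lambda kid, secret: None)  # demo store: discards
    return old, new, iam.calls

if __name__ == "__main__":  # for AWS: pass boto3.client("iam") and a real store_secret
    old, new, calls = run_demo()
    print(alert_text("lab-user", old, new), calls)
```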
### 1.5 Automation as Code: GitHub Actions

- All automation runs as code, scheduled/triggered in `.github/workflows/`.
- GitHub Actions securely injects the AWS and Slack secrets via encrypted repository secrets (Screenshots: `github-actions-compliance-workflow-run.png`, `github-actions-compliance-yaml.png` & `rotate-key-workflow-success.png`).
## Screenshots

All screenshots are included in the `screenshots/` folder.

| Step | Filename | Description |
|---|---|---|
| 1 | repo_folder_structure.png | Folder/project structure in VS Code |
| 2 | tagging_script.png | Tagging script code in editor |
| 2 | tagging_script_execution.png | Tagging script output (terminal) |
| 2/3 | ec2s_after_scripts.png | EC2s after tagging/cleanup (AWS Console) |
| 3 | cleanup_script.png | Cleanup script code in editor |
| 3 | cleanup_script_execution.png | Cleanup script output (terminal) |
| 1.1 | prowler_security_scan_running.png | Prowler running in terminal |
| 1.1 | prowler_security_scan_results.png | Security findings in Prowler HTML report |
| 1.2 | compliance-check-script.png | Compliance script code (EBS encryption) |
| 1.2 | compliance-check-terminal-output.png | Compliance check output (terminal) |
| 1.2 | slack-alert-message-channel.png | Slack channel message from compliance check |
| 1.3 | slack-app-name-and-workspace.png | Slack app/workspace selection dialog |
| 1.3 | slack-enable-incoming-webhooks.png | Slack: Incoming Webhooks enabled |
| 1.3 | slack-webhook-url-generated.png | Slack: Webhook URL generated (masked) |
| 1.3 | slack-add-webhook-channel.png | Slack: Added webhook to channel |
| 1.3 | slack-channel-message-from-script.png | Slack alert from script (test message) |
| 1.3 | slack-alert-message-channel.png | Slack compliance alert received |
| 1.4 | secret-rotation-script.png | IAM key rotation script code |
| 1.4 | rotate-key-slack-alert.png | Slack alert after key rotation |
| 1.4/1.5 | rotate-key-workflow-success.png | GitHub Actions workflow: key rotation success |
| 1.5 | github-actions-compliance-workflow-run.png | Compliance workflow run in Actions |
| 1.5 | github-actions-compliance-yaml.png | Compliance workflow YAML code in GitHub Actions |
## Lessons Learned

- How to use Python/boto3 for scalable AWS automation: tagging, cleanup, compliance and key rotation.
- How to integrate Slack for real-time team notifications on cloud security events.
- How to run everything in CI/CD (GitHub Actions) for auditability and production readiness.
- How open-source security tools (Prowler) fit into continuous cloud security.
- Portfolio/documentation matters: screenshots and evidence "show, not tell" your real skills.
## Notes and Limitations

- Demo scripts are for learning and proof-of-concept: use dry-run and least-privilege in production.
- Some screenshots are redacted for security.
- Security scanning coverage (Prowler) can be expanded as needed.
- Slack webhooks and AWS credentials are always managed as secrets, never in code.
## References

- AWS CLI Documentation
- Boto3 Documentation
- Prowler AWS Security Tool
- AWS IAM Best Practices
- Slack Incoming Webhooks
- GitHub Actions Documentation
- Python Requests Library
## Contact

Sebastian Silva C. – August 2025 – Berlin, Germany