IaC Compliance Control Mapping & Evidence Prompt
Map a compliance framework's controls to enforceable infrastructure-as-code guardrails and generate the audit evidence trail — so 'we're compliant' is provable from code and CI, not asserted in a spreadsheet, across any IaC tool.
- Target user: Compliance and platform security engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a compliance-minded platform engineer who makes audit controls enforceable and provable through infrastructure-as-code, so an auditor's question can be answered with a policy, a plan, and a CI log instead of a screenshot.

I will provide:
- The framework and the specific controls in scope (e.g. SOC 2, CIS Benchmark, PCI-DSS, ISO 27001 controls about encryption, access, logging, network exposure)
- Our IaC tool(s), cloud(s), and what policy/scanning we already run
- Which controls are currently "we do it manually" vs. already codified

Your job:
1. **Map control to mechanism** — for each control, identify the IaC-enforceable requirement and the mechanism that enforces it (policy-as-code rule, module default, CI scan, or a documented compensating control if it genuinely can't be codified).
2. **Find the gaps** — flag controls that are currently manual, partially enforced, or unprovable, and rank them by audit and security risk.
3. **Specify the guardrail** — for each codifiable control, state the enforcing rule and where it runs (PR plan check, pre-merge, admission), without writing the full policy unless asked.
4. **Define the evidence** — for each control, say exactly what artifact proves it's enforced (the policy file, a passing CI run, a plan showing the resource configured correctly, an exemption register) and where that artifact lives.
5. **Handle exceptions properly** — design the waiver register: who approves, expiry, and how exceptions surface in the audit instead of hiding.
6. **Make it continuously provable** — recommend how evidence is collected automatically over time (CI logs, scheduled scans) rather than scrambled together at audit time.

Output as a control matrix: control → IaC mechanism → where enforced → evidence artifact → status (enforced / gap / compensating), plus a prioritized remediation list for the gaps and the exception-register design.
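The following is an added example, not part of this prompt page and not the output of any tool it names. It shows what the six steps above look like once codified for one IaC tool: two controls mapped to plan checks over Terraform plan JSON, a waiver register with approver and expiry, a control matrix with the enforced / gap status and exceptions surfaced rather than hidden, a risk-ranked remediation list, and an evidence record that ties the result to the exact plan by hash and to a CI run. The control IDs (ENC-01, NET-01), the framework references, the evidence path, the CI URL, the waiver entries and the plan content are all constructed for illustration; substitute your framework's real control identifiers.

```python
"""Added example, not part of the original prompt page: evaluate a Terraform
plan JSON against a control-to-guardrail mapping, apply a waiver register with
expiry, and emit the control matrix plus an evidence record. Control IDs,
framework references, file paths and the plan content are constructed."""
import hashlib
import json
from datetime import date

# Constructed sample of `terraform show -json plan.out`, trimmed to the fields
# the checks read. Real plan JSON carries many more keys.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"after": {"bucket": "audit-logs", "rule": [
         {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"after": {"bucket": "audit-logs"}}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "change": {"after": {"bucket": "scratch"}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
]}

# Constructed waiver register: scoped to one control and one resource, with
# a named approver and an expiry date so the exception cannot live forever.
WAIVERS = [{"control": "ENC-01", "address": "aws_s3_bucket.scratch",
            "approved_by": "security-lead", "expires": "2031-06-30",
            "reason": "ephemeral, non-sensitive scratch data"}]

def _resources(plan, rtype):
    return [rc for rc in plan.get("resource_changes", []) if rc["type"] == rtype]

def check_s3_encryption(plan):
    """ENC-01: every aws_s3_bucket has an SSE configuration using KMS or AES256.
    Returns the addresses of buckets that fail the check."""
    encrypted = set()
    for cfg in _resources(plan, "aws_s3_bucket_server_side_encryption_configuration"):
        after = cfg["change"]["after"]
        for rule in after.get("rule", []):
            for d in rule.get("apply_server_side_encryption_by_default", []):
                if d.get("sse_algorithm") in ("aws:kms", "AES256"):
                    encrypted.add(after["bucket"])
    return [b["address"] for b in _resources(plan, "aws_s3_bucket")
            if b["change"]["after"].get("bucket") not in encrypted]

def check_no_public_ssh(plan):
    """NET-01: no security group ingress rule exposes port 22 to 0.0.0.0/0."""
    return [sg["address"] for sg in _resources(plan, "aws_security_group")
            if any(r["from_port"] <= 22 <= r["to_port"]
                   and "0.0.0.0/0" in r.get("cidr_blocks", [])
                   for r in sg["change"]["after"].get("ingress", []))]

# Control matrix source: control -> mechanism -> where enforced -> evidence.
# framework_ref values are placeholders for the real control identifiers.
CONTROLS = {
    "ENC-01": {"framework_ref": "<encryption-at-rest control>", "risk": 2,
               "mechanism": "plan check check_s3_encryption",
               "enforced_at": "PR plan check", "check": check_s3_encryption,
               "evidence": "evidence/plan-checks/<run-id>.json"},
    "NET-01": {"framework_ref": "<network-exposure control>", "risk": 1,
               "mechanism": "plan check check_no_public_ssh",
               "enforced_at": "PR plan check", "check": check_no_public_ssh,
               "evidence": "evidence/plan-checks/<run-id>.json"},
}

def build_control_matrix(plan, waivers, today):
    """One row per control. Active waivers are listed as exceptions, never
    hidden; an expired waiver stops counting and the finding becomes a gap."""
    rows = []
    for cid, ctl in CONTROLS.items():
        failing = ctl["check"](plan)
        active, expired = {}, []
        for w in waivers:
            if w["control"] != cid or w["address"] not in failing:
                continue
            if date.fromisoformat(w["expires"]) >= today:
                active[w["address"]] = w
            else:
                expired.append(w["address"])
        gaps = [a for a in failing if a not in active]
        rows.append({"control": cid, "framework_ref": ctl["framework_ref"],
                     "mechanism": ctl["mechanism"], "enforced_at": ctl["enforced_at"],
                     "evidence": ctl["evidence"], "risk": ctl["risk"],
                     "status": "gap" if gaps else "enforced",
                     "gaps": gaps, "exceptions": list(active.values()),
                     "expired_waivers": expired})
    return rows

def remediation_list(matrix):
    """Gaps ordered by risk (1 = highest), each with its failing resources."""
    return [(r["control"], r["gaps"]) for r in
            sorted((r for r in matrix if r["status"] == "gap"), key=lambda r: r["risk"])]

def evidence_record(plan, matrix, today, ci_run_url):
    """Audit artifact: binds the matrix to the exact plan (by hash) and CI run,
    so the same file can be regenerated on every run and archived."""
    plan_hash = hashlib.sha256(json.dumps(plan, sort_keys=True).encode()).hexdigest()
    return {"date": today.isoformat(), "ci_run": ci_run_url,
            "plan_sha256": plan_hash, "controls": matrix}

if __name__ == "__main__":
    m = build_control_matrix(SAMPLE_PLAN, WAIVERS, date(2030, 1, 1))
    print(json.dumps(evidence_record(SAMPLE_PLAN, m, date(2030, 1, 1),
                                     "https://ci.example/run/123"), indent=2))
```

Run in a CI job after `terraform plan` and `terraform show -json`, the script fails the PR on any `gap` row and archives the evidence record; the waiver register is the exemption artifact the prompt asks for, and because expiry is evaluated on every run, a lapsed exception reappears as a gap in the next matrix instead of silently persisting.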
Related prompts
- IaC Naming & Tagging Convention Audit Prompt: Audit infrastructure-as-code for consistent resource naming and tagging so cost allocation, ownership, environment, and governance tags are complete and standardized.
- Policy-as-Code Rule Authoring from a Governance Requirement Prompt: Translate a written governance or compliance requirement into enforceable policy-as-code rules — choosing the right engine (OPA/Rego, Sentinel, Checkov, cfn-guard, Kyverno) and writing the rule with clear messages, tests, and a graduated rollout.