Skip to main content
All Projects

DMI Internship

AI-Assisted DevOps — Agentic Infrastructure Security Review

February 2026
DevSecOpsAgentic DevOpsClaude CodeTerraformSecurityAWSIaC

Applied agentic AI workflows using Claude Code and MCP subagents to audit Terraform infrastructure for security issues. Automated checks across S3, CloudFront, HTTPS, TLS, and state management — identified and triaged 8 confirmed security findings.

Overview

This project applied agentic AI tooling — Claude Code with MCP subagents — to perform a structured security audit of Terraform-provisioned AWS infrastructure. This is not a theoretical exercise; it produced 8 confirmed, actionable security findings triaged by severity and remediated in a structured loop.

The Agentic Audit Approach

Traditional infrastructure security reviews are manual, slow, and inconsistent. This project used an agentic workflow where Claude Code coordinated specialist MCP subagents to run automated checks across the Terraform codebase and live AWS infrastructure simultaneously.

The audit loop:

Audit subagent scans → Findings identified → Severity triaged → Verify in AWS Console → Improve Terraform → Re-audit

Each iteration tightened the security posture. The loop ran until all high-severity findings were resolved.

Audit Scope

The subagents checked across five domains:

  • S3 access controls — bucket policies, public access blocks, ACL configurations
  • CloudFront Origin Access Control (OAC) — ensuring S3 was only accessible via CloudFront, not directly
  • HTTPS enforcement — CloudFront viewer protocol policy, HTTP-to-HTTPS redirect
  • TLS policy — minimum TLS version enforcement on CloudFront distributions
  • Terraform state management — state file exposure, backend configuration security

Findings Triaged

8 confirmed security findings were identified across the five domains. Each was:

  1. Documented with the affected resource and configuration
  2. Assigned a severity (High / Medium / Low)
  3. Verified against the live AWS environment
  4. Remediated in the Terraform code
  5. Re-audited to confirm resolution

High-severity findings included direct S3 bucket accessibility bypassing CloudFront OAC, and an insufficiently restrictive TLS minimum version policy.

Technologies Used

  • Claude Code — agentic orchestration
  • MCP (Model Context Protocol) — subagent specialisation for domain-specific checks
  • Terraform — infrastructure under review; all remediations applied as code changes
  • AWS S3, CloudFront, IAM — the infrastructure audited
  • GitHub — audit findings and remediations tracked as commits with full traceability

Results

All 8 findings resolved. S3 bucket locked to CloudFront OAC — no direct public access. HTTPS enforced at the CDN layer. TLS minimum version raised. State backend secured. Full audit trail maintained in Git.

Key Learnings

Agentic AI tooling changes the economics of infrastructure security review. A manual audit of the same scope would have taken hours and required deep Terraform and AWS expertise to run consistently. The agentic approach ran in minutes, was reproducible, and produced a structured finding register with remediation traceability. This is not AI replacing security judgement — it is AI accelerating the surface area that a practitioner can cover systematically.