
Using Quick Start with the Terraform for AWS integration

Automatically discover and configure evidence collection from your AWS infrastructure

Written by Micah Spieler
Updated over a week ago

The Quick Start feature for the Terraform for AWS integration helps you identify and configure evidence collection from your existing AWS resources. Rather than manually writing low-code Terraform configurations for each piece of evidence, Quick Start scans your AWS environment, suggests relevant resources for your compliance requirements, and generates the Terraform code needed to collect that evidence automatically.

What is Quick Start for AWS?

Quick Start is an AI-powered tool that streamlines the process of setting up Terraform integrations with AWS. When you connect your AWS account through Strike Graph's Terraform integration, Quick Start can scan your AWS infrastructure using AWS Config Service to discover resources that map to your compliance evidence requirements.

Once Quick Start identifies relevant AWS resources, it steps you through a workflow that confirms the resources and then automatically generates the Terraform data blocks needed to collect evidence from those resources, eliminating the need to manually write complex Terraform configurations. This feature is particularly valuable for organizations with extensive AWS infrastructure who want to maximize automation of their evidence collection.

Prerequisites

Before using Quick Start with AWS, you'll need:

  • An active Terraform for AWS integration configured in Strike Graph

  • AWS Config enabled inside your AWS account

  • An IAM role or user for the integration with the AWSConfigUserAccess managed policy attached (or an equivalent read-only policy for the AWS Config service)

  • Evidence items active in your organization

Getting started with Quick Start

Step 1: Configure your Terraform for AWS integration

If you haven't already set up Terraform for AWS, follow the instructions in the Terraform for AWS integration guide.

When configuring the IAM role or user for the integration, attach the AWSConfigUserAccess policy in addition to any other required permissions.

Quick Start only needs read access to AWS Config Service actions (Describe, Get, and List calls). That is enough for Strike Graph to discover what resources exist in your AWS account without making any changes to your infrastructure, so keep the grant read-only: a broader grant such as config:* would also let the integration credentials modify Config recorders and rules, which a discovery role should never be able to do.
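The policy check below is an added example, not Strike Graph's code or part of the integration. It audits an IAM policy document the way you would before attaching it to the integration role (and it is the same check to run when troubleshooting AWS Config permission errors): every Allow grant must be a read-only verb, and the Config read actions the scan relies on must be covered. The list of required Config actions and both policy documents are constructed assumptions for illustration.

```python
"""Audit an IAM policy document before attaching it to the Quick Start role.

Added example, not Strike Graph's code. It assumes the role needs only
read-only AWS Config access (plus read calls for the resources Terraform
data blocks will read); the policy documents below are constructed.
"""
import fnmatch
import json

# Assumption: a representative subset of the Config read actions the scan
# relies on; adjust to the actions your integration actually calls.
REQUIRED_CONFIG_ACTIONS = (
    "config:DescribeConfigurationRecorders",
    "config:DescribeConfigurationRecorderStatus",
    "config:ListDiscoveredResources",
    "config:GetResourceConfigHistory",
)

# Verb prefixes that denote read-only API calls across AWS services.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Select", "BatchGet", "Lookup")


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """True for ec2:DescribeInstances or config:Get*; False for '*', 's3:*',
    'config:PutConfigRule' and any other verb that can change state."""
    service, sep, verb = action.partition(":")
    if not sep or "*" in service:
        return False  # '*' or '*:Describe*' reaches every service
    verb = verb.rstrip("*")
    return bool(verb) and verb.startswith(READ_ONLY_PREFIXES)


def write_capable_grants(policy_doc: dict) -> list:
    """Return every Allow grant that is not provably read-only.

    Allow statements using NotAction are reported whole: 'everything except X'
    is never least privilege for a discovery-only role.
    """
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        findings.extend(a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a))
    return findings


def missing_config_reads(policy_doc: dict) -> list:
    """Return the required Config read actions that no Allow pattern covers."""
    granted = [a for stmt in _as_list(policy_doc.get("Statement", []))
               if stmt.get("Effect") == "Allow"
               for a in _as_list(stmt.get("Action", []))]
    return [need for need in REQUIRED_CONFIG_ACTIONS
            if not any(fnmatch.fnmatchcase(need, pat) for pat in granted)]


# Constructed: read-only Config access plus the EC2 describe call an
# aws_instance data block needs. Should pass both checks.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["config:Describe*", "config:Get*", "config:List*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:DescribeInstances"},
    ],
}

# Constructed: the scan would succeed, but the same credentials could rewrite
# Config rules and recorders and call every S3 API.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": "config:*"},
        {"Effect": "Allow", "Resource": "*", "Action": ["s3:*"]},
    ],
}


def audit(policy_doc: dict) -> dict:
    """Single call to run before attaching the policy to the integration role."""
    return {"write_capable": write_capable_grants(policy_doc),
            "missing_config_reads": missing_config_reads(policy_doc)}


if __name__ == "__main__":
    for name, doc in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, json.dumps(audit(doc)))
```

Run it against the policy document you intend to attach: an empty write_capable list means the role cannot change anything, and an empty missing_config_reads list means the scan has what it needs. Deny statements are ignored on purpose, since a Deny elsewhere can only narrow what the Allow statements grant.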

Step 2: Launch Quick Start from the Integration Manager

Navigate to the Integration Manager in Strike Graph and locate your Terraform for AWS integration. Look for the 'Quick Start' button near the 'Reconnect' options.

Click on Quick Start to begin the discovery process. Strike Graph will scan your AWS environment to identify resources that can be used for evidence collection.

Note: The initial scan may take a few minutes depending on the size of your AWS infrastructure. The system needs to query AWS Config Service across your enabled regions to build a complete inventory of available resources.

How Quick Start works

When you launch Quick Start, Strike Graph performs the following steps automatically:

Discovery phase

Strike Graph connects to your AWS account using the configured Terraform integration credentials and queries AWS Config Service to retrieve information about active resources in your infrastructure. The system focuses on resource types that commonly map to compliance evidence requirements, such as EC2 instances, security groups, IAM configurations, S3 bucket settings, and more. Only resource types that AWS Config is recording in a region appear in that region's inventory, so a recorder that is turned off or scoped to a few types will make resources look absent.

Mapping phase

Once resources are discovered, Strike Graph matches the discovered resources to the evidence items active in your repository.

When complete, you'll see a list of the potential evidence items that Quick Start has identified as relevant to your active resources.

Review and selection

You have full control over which collections to configure. Step through and review each suggested resource-to-evidence mapping and select the ones that make sense for your organization. You can:

  • Accept a suggestion to proceed with Terraform generation

  • Reject a suggestion if the resource isn't relevant

  • Skip a suggestion to decide later

Quick Start presents mappings in a guided workflow, allowing you to review each evidence item systematically. This ensures you have visibility into what will be collected before any Terraform code is generated.

Terraform generation

For each mapping you accept, Strike Graph's AI automatically generates the appropriate Terraform data block and local values needed to collect evidence from that AWS resource. The generated Terraform is:

  • Tailored to the specific AWS resource type and configuration

  • Formatted according to Terraform best practices

  • Ready to use for evidence collection

  • Scoped with the arguments and constraints appropriate to the resource

You can review the generated Terraform before submitting it. The code is displayed in an editable format, allowing you to make any adjustments if needed before proceeding with evidence collection.

Evidence collection setup

Once you approve the generated Terraform, you can immediately submit it to collect evidence.

When you submit the Terraform for collection, Quick Start configures the automated collection for you, then runs the data blocks and attaches the results to the corresponding evidence items in your repository.
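To make the discovery, mapping and generation phases above concrete, here is an added example that walks a small inventory through them. It is not Strike Graph's Quick Start implementation: the resource-type-to-evidence table, the evidence item names and the inventory are constructed assumptions, and in production the inventory would come from AWS Config's ListDiscoveredResources API while the suggestions would come from Quick Start itself. It also shows the two things a reviewer most wants to see at this step: resources Config has marked deleted are dropped before any data block is written, and resources with no usable mapping are reported rather than silently ignored.

```python
"""Walk discovered AWS Config resources through mapping and Terraform generation.

Added example, not Strike Graph's Quick Start implementation. The mapping
table, evidence names and the inventory below are constructed; in production
the inventory would come from AWS Config's ListDiscoveredResources API and
the mapping from Quick Start's own suggestions.
"""
import re

# Assumption: AWS Config resource type -> (Terraform data source, the argument
# that identifies one resource, the evidence item it can support).
RESOURCE_TYPE_MAP = {
    "AWS::EC2::Instance":      ("aws_instance",       "instance_id", "Server hardening configuration"),
    "AWS::EC2::SecurityGroup": ("aws_security_group", "id",          "Firewall rules"),
    "AWS::S3::Bucket":         ("aws_s3_bucket",      "bucket",      "Storage encryption settings"),
    "AWS::KMS::Key":           ("aws_kms_key",        "key_id",      "Encryption key management"),
}

# Constructed inventory shaped like ListDiscoveredResources.resourceIdentifiers.
DISCOVERED = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0"},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "audit-logs-prod"},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d4e5f67890"},
    {"resourceType": "AWS::Lambda::Function", "resourceId": "nightly-report"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0fedcba9876543210",
     "resourceDeletionTime": "2024-05-01T00:00:00Z"},  # Config still lists deleted resources
]

# Constructed: evidence items currently active in the repository.
ACTIVE_EVIDENCE = {"Server hardening configuration", "Storage encryption settings", "Firewall rules"}


def tf_label(resource_id: str) -> str:
    """Terraform labels allow letters, digits, underscores and must not start with a digit."""
    label = re.sub(r"[^A-Za-z0-9_]", "_", resource_id)
    return label if re.match(r"[A-Za-z_]", label) else "r_" + label


def suggest_mappings(discovered, active_evidence):
    """Mapping phase: pair each live, recorded resource with an active evidence item.

    Resources Config has marked deleted are dropped (their IDs would fail at
    collection time) and resources with no usable mapping are returned
    separately so the reviewer sees what was not suggested.
    """
    suggestions, unmapped = [], []
    for res in discovered:
        if res.get("resourceDeletionTime"):
            continue
        entry = RESOURCE_TYPE_MAP.get(res["resourceType"])
        if entry is None or entry[2] not in active_evidence:
            unmapped.append(res["resourceId"])
            continue
        data_source, id_arg, evidence = entry
        suggestions.append({"resource_id": res["resourceId"], "data_source": data_source,
                            "id_arg": id_arg, "evidence": evidence})
    return suggestions, unmapped


def render_terraform(accepted) -> str:
    """Generation phase: one data block per accepted mapping, plus a locals
    block that records which data source feeds which evidence item."""
    blocks, sources = [], []
    for s in accepted:
        label = tf_label(s["resource_id"])
        blocks.append(f'data "{s["data_source"]}" "{label}" {{\n'
                      f'  {s["id_arg"]} = "{s["resource_id"]}"\n'
                      f'}}\n\n')
        sources.append(f'    {{ evidence = "{s["evidence"]}", '
                       f'source = data.{s["data_source"]}.{label} }},\n')
    return ("".join(blocks) + "locals {\n  evidence_sources = [\n"
            + "".join(sources) + "  ]\n}\n")


if __name__ == "__main__":
    suggested, skipped = suggest_mappings(DISCOVERED, ACTIVE_EVIDENCE)
    # Review step: in Quick Start a person accepts or rejects each suggestion;
    # here everything suggested is accepted.
    print(render_terraform(suggested))
    print("# not suggested:", skipped)
```

The generated blocks read a resource by its exact ID, which is why the troubleshooting advice further down about deleted or renamed resources matters: a data block whose ID no longer resolves fails the whole collection, so filtering on resourceDeletionTime before generation removes the most common cause.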

Examples of AWS resource-to-evidence mappings

Quick Start attempts to map AWS resources to your active evidence requirements. These mappings are based on common compliance frameworks and typical AWS infrastructure patterns. Here are some examples of resource types Quick Start can discover and map:

Compute resources:

  • EC2 instances → Server configurations, antivirus settings, system hardening

  • Lambda functions → Application configurations, serverless architecture documentation

Security and identity:

  • IAM users, roles, and policies → Access control documentation, user lists, permission matrices

  • Security groups → Network segmentation, firewall rules

  • KMS keys → Encryption key management evidence

Storage:

  • S3 buckets → Data storage policies, backup configurations, encryption settings

  • EBS volumes → Storage encryption, backup documentation

Networking:

  • VPCs → Network architecture documentation

Logging, configuration, and compliance:

  • CloudWatch log groups → Logging and monitoring evidence

  • Config rules → Compliance monitoring settings

  • CloudTrail trails → Audit logging evidence

The specific mappings available depend on your defined evidence requirements and the resources present in your AWS account.

Troubleshooting Quick Start

Quick Start button doesn't appear

If you don't see the Quick Start option on your Terraform for AWS integration, it may not be enabled for your account. Please contact your Customer Success Manager to discuss.

No resources discovered during scan

If Quick Start doesn't find any resources in your AWS account:

  • Confirm that your IAM permissions include access to AWS Config Service

  • Verify that AWS Config is enabled in at least one region of your AWS account

  • Check that the regions you expect to scan are included in the discovery process

  • Review the AWS Config Service settings to ensure resource recording is active

Generated Terraform fails during collection

If the AI-generated Terraform code produces errors when attempting to collect evidence:

  • Review the error message for specific details about what failed

  • Verify that the resource ID or name is still valid (resources may have been deleted or renamed since discovery)

  • Check that your IAM permissions include read access for the specific resource type

  • Confirm that the resource exists in the expected region

For general Terraform troubleshooting guidance, refer to the Terraform integration troubleshooting documentation.

Mappings don't seem relevant

If Quick Start suggests resource-to-evidence mappings that don't align with your evidence requirements:

  • Remember that you can reject any mapping that doesn't make sense for your organization

  • Provide feedback to your Customer Success Manager about mapping quality to help improve future suggestions

  • Consider whether your evidence descriptions could be more specific to enable better matching

AWS Config permissions errors

If you see errors related to AWS Config permissions:

  • Verify that the AWSConfigUserAccess policy (or equivalent) is attached to the IAM role/user used by the integration

  • Ensure the policy hasn't been accidentally removed or modified

  • Check for any Service Control Policies (SCPs) in your AWS Organization, or a permissions boundary on the role, that might restrict Config access

  • Confirm that AWS Config is turned on in the regions you're attempting to scan (opt-in regions must also be enabled for the account)
