Infrastructure and cloud security prompts
What you'll achieve
Generate infrastructure-as-code configurations, cloud security architectures, and hardening guides that meet ISO 27001 Annex A.13, SOC 2 CC6.6-CC6.8, NIST CSF, and cloud-specific compliance frameworks (AWS Well-Architected, Azure Security Benchmark, GCP Security Foundations).
Cloud architecture and design
Multi-account cloud architecture
Design a multi-account/subscription architecture for [AWS/Azure/GCP] that implements security isolation for [organization type]. Include:
- Account/subscription structure (dev, staging, prod, security, logging)
- Landing zone design with guardrails
- Network segmentation and VPC/VNet design
- Cross-account access patterns and trust relationships
- Centralized logging and security monitoring
- Billing and cost allocation strategy
- Service Control Policies (AWS) / Azure Policy / Organization Policy (GCP)
- Compliance boundary mapping for [ISO 27001/SOC 2/GDPR]
Output as architecture diagram description and infrastructure-as-code (Terraform/CloudFormation/ARM/Deployment Manager).
Zero Trust network architecture
Create a Zero Trust network architecture for [cloud environment] hosting [application type]. Address:
- Identity-based perimeter (no implicit trust)
- Micro-segmentation and least privilege network access
- Service mesh or network policies implementation
- Encrypted communication (mTLS)
- Continuous verification and anomaly detection
- Integration with identity provider ([Okta/Azure AD/other])
- Device trust and posture assessment
- Migration path from traditional perimeter security
Map to ISO 27001 A.13.1, NIST SP 800-207, and SOC 2 CC6.6.
Infrastructure-as-code security
IaC security scanning and policy
Design an infrastructure-as-code security framework for [Terraform/CloudFormation/Pulumi/ARM templates]. Include:
- Pre-commit hooks for IaC scanning ([Checkov/tfsec/other])
- Policy-as-code implementation (OPA/Sentinel/Cloud Custodian)
- Security rules for common misconfigurations (open S3 buckets, overly permissive security groups, unencrypted resources)
- CI/CD integration for automated scanning
- Remediation workflows and approval gates
- State file security and backend configuration
- Drift detection and compliance monitoring
- Developer training and secure defaults library
Align with ISO 27001 A.12.1, A.13.1, SOC 2 CC7.2.
Cloud resource tagging strategy
Create a cloud resource tagging strategy for [AWS/Azure/GCP] that supports compliance and security. Define tags for:
- Data classification (Public/Internal/Confidential/Restricted)
- Environment (Dev/Staging/Prod)
- Owner and contact information
- Cost center and project
- Compliance scope (ISO 27001/SOC 2/GDPR/HIPAA)
- Backup and retention requirements
- Automated enforcement via policies
- Tag-based access controls and automation
- Audit reporting based on tags
Include policy-as-code examples for tag enforcement.
Network security
Network segmentation design
Design a network segmentation architecture for [cloud/on-premises/hybrid] environment hosting [application type]. Include:
- Security zones (DMZ, application tier, database tier, management)
- Firewall rules and security groups/NSGs
- East-west traffic controls (between zones)
- North-south traffic controls (external access)
- Jump box / bastion host configuration
- VPN and remote access segmentation
- Isolation for sensitive data processing (PCI/HIPAA/GDPR)
- Monitoring and alerting for lateral movement
- Documentation for audit evidence
Map to ISO 27001 A.13.1.3, SOC 2 CC6.6, PCI DSS Requirement 1.
Web application firewall (WAF) configuration
Generate a WAF configuration and ruleset for [AWS WAF/Azure WAF/Cloudflare/other] protecting [application type]. Include:
- OWASP Top 10 protection rules
- Rate limiting and DDoS mitigation
- Geo-blocking requirements
- IP reputation lists (allowlist/blocklist)
- Custom rules for application-specific threats
- Logging and monitoring integration
- Incident response playbook for WAF alerts
- Testing and validation procedures
- Cost optimization strategies
Align with ISO 27001 A.13.1.3, A.14.1, SOC 2 CC6.6.
Encryption and data protection
Encryption-at-rest implementation
Design an encryption-at-rest strategy for [cloud provider] across [services used]. Include:
- Database encryption (RDS/SQL Database/Cloud SQL)
- Object storage encryption (S3/Blob Storage/Cloud Storage)
- Block storage encryption (EBS/Managed Disks/Persistent Disks)
- Application-level encryption for sensitive fields
- Key management service configuration ([AWS KMS/Azure Key Vault/Cloud KMS])
- Customer-managed vs. provider-managed key decision matrix
- Key rotation policies and automation
- Access controls for keys (RBAC, least privilege)
- Compliance mapping (GDPR Art. 32, ISO 27001 A.8.24, SOC 2 CC6.7)
Output as architecture document and IaC templates.
Encryption-in-transit enforcement
Create an encryption-in-transit enforcement policy for [environment]. Address:
- TLS/SSL version requirements (minimum TLS 1.2 or 1.3)
- Certificate management and automation (Let's Encrypt/ACM/other)
- Load balancer and reverse proxy TLS termination
- Backend encryption (ALB to EC2, App Gateway to VMs)
- Database connection encryption
- API and microservice mTLS
- Cipher suite restrictions
- HSTS and security headers
- Monitoring for unencrypted connections
Map to ISO 27001 A.13.2.3, A.10.1.1, SOC 2 CC6.7, NIST SP 800-52.
Cloud-native security controls
AWS security baseline
Generate an AWS security baseline configuration for [organization type]. Include:
- IAM password policy and MFA enforcement
- CloudTrail logging to dedicated security account
- GuardDuty and Security Hub enablement
- Config rules for compliance monitoring
- S3 bucket public access block (account-level)
- VPC Flow Logs configuration
- EBS encryption by default
- Systems Manager Session Manager (no SSH keys)
- Trusted Advisor security checks
- CIS AWS Foundations Benchmark alignment
Output as CloudFormation/Terraform and implementation checklist mapped to ISO 27001 Annex A controls.
Azure security baseline
Create an Azure security baseline for [subscription type]. Cover:
- Azure AD security defaults and Conditional Access policies
- Microsoft Defender for Cloud (all plans)
- Activity Log and diagnostic settings to Log Analytics
- Network Security Groups default-deny rules
- Azure Policy assignments (CIS Microsoft Azure Foundations Benchmark)
- Storage account secure transfer required
- Key Vault for secrets and certificate management
- Managed Identity for Azure resources
- Privileged Identity Management (PIM) for admin access
- Compliance dashboard configuration
Output as ARM templates/Bicep and policy assignments mapped to ISO 27001 and SOC 2.
GCP security baseline
Design a GCP security baseline for [organization/project]. Include:
- Organization policies (domain restricted sharing, VM external IP, etc.)
- Cloud Identity and IAM best practices
- Security Command Center (Premium tier) enablement
- Cloud Logging and Cloud Monitoring configuration
- VPC firewall rules and Private Google Access
- Default encryption with Cloud KMS
- Binary Authorization for container deployments
- Access Transparency and Access Approval
- Workload Identity for GKE
- CIS GCP Foundations Benchmark compliance
Output as Terraform and implementation guide mapped to compliance frameworks.
Container and Kubernetes security
Kubernetes cluster hardening
Generate a Kubernetes cluster hardening guide for [EKS/AKS/GKE/self-managed] running [workload type]. Include:
- RBAC policies (least privilege)
- Pod Security Standards/Policies (restricted profile)
- Network policies for pod-to-pod communication
- Secrets management (external secrets operator, CSI driver)
- Image scanning and admission control (OPA Gatekeeper, Kyverno)
- Runtime security (Falco, Aqua, Sysdig)
- Audit logging and monitoring
- Node hardening (CIS Benchmark)
- etcd encryption and backup
- Ingress controller security (TLS, authentication)
Map to ISO 27001 A.12.6, A.13.1, SOC 2 CC6.6-CC6.8.
Container image security pipeline
Design a container image security pipeline for [Docker/containerd] images in [registry]. Include:
- Base image selection and approval (minimal, verified publishers)
- Vulnerability scanning in CI/CD (Trivy/Grype/Snyk/Clair)
- Image signing and verification (Cosign/Notary)
- SBOM generation
- Runtime scanning and drift detection
- Image retention and cleanup policies
- Secrets detection in layers
- Multi-stage build best practices
- Compliance checks for regulatory requirements
Align with NIST SP 800-190, ISO 27001 A.14.2.
Backup and disaster recovery
Backup strategy and implementation
Create a backup and recovery strategy for [cloud environment]. Address:
- Backup scope (databases, file storage, configurations, IaC state)
- RPO (Recovery Point Objective) and RTO (Recovery Time Objective) by service tier
- Backup frequency and retention policies
- Encryption of backups (at rest and in transit)
- Immutable backups and ransomware protection
- Cross-region/cross-cloud replication
- Access controls for backup data
- Testing and validation schedule (quarterly restore tests)
- Documentation and runbooks
- Compliance requirements (ISO 27001 A.8.13, SOC 2 CC9.1, GDPR Art. 32)
Output as architecture document and automation scripts.
Disaster recovery plan
Design a disaster recovery (DR) plan for [application/infrastructure] in [cloud provider]. Include:
- DR strategy (backup/restore, pilot light, warm standby, multi-region active)
- Failover and failback procedures
- Data replication mechanisms
- Infrastructure-as-code for rapid rebuild
- Communication and escalation plan
- Testing schedule (annual full DR test, quarterly tabletop)
- Success criteria and validation steps
- Roles and responsibilities
- Integration with business continuity plan
- Compliance documentation (ISO 27001 A.17.2, SOC 2 A1.2)
Include runbook templates and test report format.
Always test generated IaC configurations in isolated environments before applying to production. Validate against your organization's specific compliance and security requirements.
Compliance and auditing
Cloud security audit evidence collection
Generate an automated evidence collection system for [AWS/Azure/GCP] compliance audits. Include:
- Configuration snapshots (daily/weekly)
- Encryption verification reports
- Access control reviews (IAM/RBAC)
- Network security group/firewall rule exports
- Logging and monitoring evidence
- Backup verification reports
- Vulnerability scan results
- Compliance dashboard (AWS Security Hub/Azure Secure Score/GCP SCC)
- Artifact storage with integrity verification
- Audit trail for evidence collection process
Map evidence to ISO 27001 Annex A, SOC 2 Trust Services Criteria, and NIST CSF controls.
Upload your current architecture diagrams or cloud configuration exports to get tailored security recommendations and gap analysis.
Related prompts
See DevSecOps and automation prompts for CI/CD pipeline security
See Access control and identity management prompts for cloud IAM design
See Security monitoring and incident response prompts for cloud SIEM configuration