Automates Windows OS patching, CIS hardening, golden AMI, and zero-downtime rollout using Terraform IaC and Python (Boto3).
Reduced 1-week manual patching to under 1 hour with 100% compliance and zero downtime.
This project automates end-to-end Windows EC2 security lifecycle in an Auto Scaling Group (ASG):
- Patch & Harden a running instance via AWS SSM + PowerShell
- Create hardened golden AMI (NoReboot=True)
- Deploy latest app from S3 via UserData
- Provision VPC, ASG, ALB, Launch Template using Terraform IaC
- Perform a rolling instance refresh (minimum 90% healthy) to replace old instances
- Register new instances with Load Balancer
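The lifecycle above, as an added Python (Boto3) example; this is not the project's own `auto_deploy.py`. It patches a running instance through SSM without a reboot, pushes a CIS-style PowerShell baseline (the Guest, password, firewall and service items from the feature table) via `AWS-RunPowerShellScript`, snapshots the instance into a golden AMI with `NoReboot=True`, publishes a new default launch template version, and starts an ASG rolling refresh that keeps 90% of capacity healthy. The ASG name, launch template ID and the exact hardening commands are assumptions; the boto3 clients are passed in so the workflow can be exercised against stubs, and `main()` wires up real clients.

```python
"""Windows EC2: patch -> harden -> golden AMI -> ASG rolling refresh.

Added example, not the project's code. Clients are injected so the
workflow can run against stubs; main() builds real boto3 clients.
"""
import time

# Assumed names (placeholders for this example).
ASG_NAME = "windows-app-asg"
LAUNCH_TEMPLATE_ID = "lt-0123456789abcdef0"
MIN_HEALTHY_PERCENT = 90  # rolling refresh keeps 90% of capacity in service

# Assumed CIS-style baseline, run remotely through SSM (no RDP session).
HARDENING_COMMANDS = [
    'Disable-LocalUser -Name "Guest"',
    "net accounts /minpwlen:14 /maxpwage:60 /lockoutthreshold:5",
    "Set-NetFirewallProfile -Profile Domain,Private,Public "
    "-Enabled True -DefaultInboundAction Block",
    'foreach ($s in "RemoteRegistry","Spooler") { '
    "if (Get-Service $s -ErrorAction SilentlyContinue) { "
    "Stop-Service $s -Force; Set-Service $s -StartupType Disabled } }",
]

TERMINAL = {"Success", "Cancelled", "TimedOut", "Failed"}


def run_ssm(ssm, instance_id, document, parameters, sleep=time.sleep):
    """Send one SSM command and block until it reaches a terminal state.

    Raises RuntimeError on anything other than Success so a failed patch
    never becomes a golden AMI.
    """
    resp = ssm.send_command(InstanceIds=[instance_id],
                            DocumentName=document, Parameters=parameters)
    cmd_id = resp["Command"]["CommandId"]
    while True:
        inv = ssm.get_command_invocation(CommandId=cmd_id, InstanceId=instance_id)
        if inv["Status"] in TERMINAL:
            break
        sleep(10)
    if inv["Status"] != "Success":
        raise RuntimeError(f"{document} on {instance_id} ended {inv['Status']}: "
                           f"{inv.get('StandardErrorContent', '')}")
    return inv


def patch_and_harden(ssm, instance_id, sleep=time.sleep):
    """Install Windows updates (no reboot), then apply the hardening baseline."""
    run_ssm(ssm, instance_id, "AWS-InstallWindowsUpdates",
            {"Action": ["Install"], "AllowReboot": ["False"]}, sleep)
    return run_ssm(ssm, instance_id, "AWS-RunPowerShellScript",
                   {"commands": HARDENING_COMMANDS}, sleep)


def build_golden_ami(ec2, instance_id, name):
    """Image the hardened instance in place; NoReboot keeps it serving traffic."""
    ami_id = ec2.create_image(InstanceId=instance_id, Name=name, NoReboot=True)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[ami_id])
    return ami_id


def publish_launch_template(ec2, ami_id):
    """Create a template version from $Latest with the new AMI and make it default."""
    created = ec2.create_launch_template_version(
        LaunchTemplateId=LAUNCH_TEMPLATE_ID, SourceVersion="$Latest",
        LaunchTemplateData={"ImageId": ami_id})
    version = str(created["LaunchTemplateVersion"]["VersionNumber"])
    ec2.modify_launch_template(LaunchTemplateId=LAUNCH_TEMPLATE_ID, DefaultVersion=version)
    return version


def roll_out(autoscaling):
    """Replace old instances gradually; ALB health checks gate each replacement."""
    resp = autoscaling.start_instance_refresh(
        AutoScalingGroupName=ASG_NAME, Strategy="Rolling",
        Preferences={"MinHealthyPercentage": MIN_HEALTHY_PERCENT, "InstanceWarmup": 300})
    return resp["InstanceRefreshId"]


def rotate(ssm, ec2, autoscaling, instance_id, ami_name, sleep=time.sleep):
    """Full pipeline; returns the identifiers an operator would log for traceability."""
    patch_and_harden(ssm, instance_id, sleep)
    ami_id = build_golden_ami(ec2, instance_id, ami_name)
    version = publish_launch_template(ec2, ami_id)
    return {"ami_id": ami_id, "template_version": version,
            "refresh_id": roll_out(autoscaling)}


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a real run, not for importing the module
    session = boto3.Session()
    print(rotate(session.client("ssm"), session.client("ec2"),
                 session.client("autoscaling"), sys.argv[1],
                 f"golden-windows-{int(time.time())}"))
```

Usage: `python rotate.py i-0abc123def456789` against an instance in the ASG. Because updates are installed with `AllowReboot=False` and the image is taken with `NoReboot=True`, any update that still needs a restart completes on the first boot of the instances launched from the new AMI, which is exactly when the rolling refresh brings them up; the source instance itself is never taken out of service. Check the returned `refresh_id` with `describe-instance-refreshes` before declaring the rollout done.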
| Feature | Benefit |
|---|---|
| AWS SSM + PowerShell | No RDP, fully automated patching & hardening |
| CIS-Level Hardening | Disable Guest, enforce passwords, firewall, disable services |
| Zero Downtime | NoReboot=True + ASG rolling refresh |
| Terraform IaC | Reproducible, secure infrastructure |
| S3 + UserData | Auto-deploy latest app on boot |
| CloudWatch Monitoring | Full traceability |
- Python (Boto3) – Automation logic
- Terraform – VPC, ASG, ALB, Launch Template
- AWS SSM – Run PowerShell on Windows EC2
- ASG + ALB – Scalable, resilient deployment
- S3 – Store app installer
```shell
cd aws-windows-auto-patching-hardening-zero-downtime-asg-terraform-python
terraform init && terraform apply -auto-approve
python auto_deploy.py
```