A Python-based automation tool utilizing Boto3 to programmatically deploy secure, compliant AWS network infrastructures with enterprise-grade security controls.
AWS Secure Network Builder automates the creation of production-ready VPCs, tiered subnets, and hardened Security Groups based on YAML configuration files. Built with infrastructure-as-code principles, this tool eliminates manual AWS console clicks and enforces consistent security standards across deployments.
- VPC Automation: one-click deployment of VPCs with custom CIDR blocks and comprehensive tagging strategies.
- Tiered Architecture: automatically creates Public (DMZ) and Private (App/Data) subnets across multiple Availability Zones for high availability.
- Security First: deploys default-deny ("Zero Trust") Security Groups and strict Network ACLs by default, following AWS Well-Architected Framework principles.
- Gateway Management: provisions Internet Gateways (IGW) and NAT Gateways and wires the public and private route tables to them.
- State Tracking: exports the IDs of every created resource to JSON for auditing, compliance reporting, or infrastructure teardown.
Ensure you have the following installed and configured:
- Python 3.9 or higher
- AWS CLI configured with appropriate credentials (an IAM role, SSO profile, or a scoped access key; never root account credentials)
- Boto3 library for AWS API interactions
- Active AWS account with VPC creation permissions
Clone the repository and install dependencies:

```bash
git clone https://github.com/yourusername/aws-secure-net.git
cd aws-secure-net
pip install -r requirements.txt
```

Or install the dependencies manually:

```bash
pip install boto3 pyyaml click
```

Configure the AWS CLI with the credentials the tool should use:

```bash
aws configure
```

Provide your AWS Access Key ID, Secret Access Key, default region, and output format when prompted. Where IAM Identity Center is available, `aws configure sso` avoids storing a long-lived key in ~/.aws/credentials; Boto3 resolves either kind of profile.
```
aws-secure-net/
├── configs/              # YAML configuration files
│   ├── prod-vpc.yaml     # Production environment config
│   ├── dev-vpc.yaml      # Development environment config
│   └── staging-vpc.yaml  # Staging environment config
├── logs/                 # Deployment and error logs
│   └── builder.log       # Main application log
├── modules/              # Modular Python components
│   ├── __init__.py
│   ├── vpc.py            # VPC creation and management
│   ├── security.py       # Security Groups and NACLs
│   ├── gateways.py       # IGW and NAT Gateway logic
│   └── utils.py          # Helper functions
├── output/               # State files and deployment artifacts
│   └── vpc-state.json    # Resource ID mappings (one file per VPC, named <vpc_name>-state.json)
├── tests/                # Unit and integration tests
├── builder.py            # Main execution script
├── requirements.txt      # Python dependencies
├── .gitignore
├── LICENSE
└── README.md
```
The following diagram illustrates the complete automation flow from configuration loading to AWS resource provisioning:
```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#FF9900','primaryTextColor':'#232F3E','primaryBorderColor':'#232F3E','lineColor':'#545B64','secondaryColor':'#146EB4','tertiaryColor':'#fff','fontSize':'16px'}}}%%
graph TD
    Start([Start Builder]) --> LoadConfig[/Load config.yaml/]
    LoadConfig --> ValidateCreds{Validate AWS<br/>Credentials}
    ValidateCreds -->|Failed| LogError[Log Error & Exit]
    ValidateCreds -->|Success| InitSession[Initialize Boto3 Session]
    InitSession --> CreateVPC[Create VPC & Apply Tags]
    CreateVPC --> CreateIGW[Create & Attach Internet Gateway]
    CreateIGW --> CreateRT[Create Route Tables<br/>Public & Private]
    CreateRT --> LoopSubnets[Loop Through Subnets]
    LoopSubnets --> CheckType{Subnet Type?}
    CheckType -->|Public| AssocIGW[Associate with IGW<br/>Route Table]
    CheckType -->|Private| AssocNAT[Associate with NAT<br/>Route Table]
    AssocIGW --> ApplySecurity[Apply NACLs &<br/>Security Groups]
    AssocNAT --> ApplySecurity
    ApplySecurity --> LogResources[Log Resource IDs]
    LogResources --> MoreResources{More Subnets<br/>to Create?}
    MoreResources -->|Yes| LoopSubnets
    MoreResources -->|No| CreateNAT[Create NAT Gateway in a public subnet if enabled<br/>& add default route to private Route Table]
    CreateNAT --> ExportState[Export State to JSON<br/>output/ directory]
    ExportState --> End([Deployment Complete])
    LogError --> End

    classDef startEnd fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
    classDef process fill:#146EB4,stroke:#232F3E,stroke-width:2px,color:#fff
    classDef decision fill:#EC7211,stroke:#232F3E,stroke-width:2px,color:#fff
    classDef input fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
    classDef critical fill:#D13212,stroke:#232F3E,stroke-width:2px,color:#fff
    classDef success fill:#1D8102,stroke:#232F3E,stroke-width:2px,color:#fff
    class Start,End startEnd
    class InitSession,CreateVPC,CreateIGW,CreateRT,AssocIGW,AssocNAT,ApplySecurity,LogResources,CreateNAT,ExportState process
    class ValidateCreds,CheckType,MoreResources decision
    class LoadConfig input
    class LogError critical
    class LoopSubnets success
```

The NAT Gateway is created only after the subnet loop because it must be placed in an existing public subnet and needs an allocated Elastic IP; the private route table receives its default route once the gateway is available.
Create a YAML configuration file in the configs/ directory. Here's a comprehensive example:

```yaml
# configs/prod-secure-vpc.yaml
vpc_name: "prod-secure-network"
cidr: "10.0.0.0/16"
region: "us-east-1"
enable_dns_hostnames: true
enable_dns_support: true

tags:
  Environment: "Production"
  ManagedBy: "AWS-Secure-Builder"
  CostCenter: "Engineering"

subnets:
  # Public Subnets (DMZ Layer)
  - name: "public-web-1a"
    cidr: "10.0.1.0/24"
    type: "public"
    az: "us-east-1a"
  - name: "public-web-1b"
    cidr: "10.0.2.0/24"
    type: "public"
    az: "us-east-1b"
  # Private Subnets (Application Layer)
  - name: "private-app-1a"
    cidr: "10.0.10.0/24"
    type: "private"
    az: "us-east-1a"
  - name: "private-app-1b"
    cidr: "10.0.11.0/24"
    type: "private"
    az: "us-east-1b"
  # Private Subnets (Database Layer)
  - name: "private-db-1a"
    cidr: "10.0.20.0/24"
    type: "private"
    az: "us-east-1a"
  - name: "private-db-1b"
    cidr: "10.0.21.0/24"
    type: "private"
    az: "us-east-1b"

nat_gateway:
  enabled: true
  # A single NAT Gateway lives in one AZ: the private subnets in us-east-1b route
  # through it and lose internet egress if us-east-1a is unavailable.
  availability_zone: "us-east-1a"

security_groups:
  web_tier:
    # HTTPS from the internet
    - protocol: "tcp"
      from_port: 443
      to_port: 443
      cidr: "0.0.0.0/0"
    # HTTP from the internet; keep only if the web tier redirects to HTTPS
    - protocol: "tcp"
      from_port: 80
      to_port: 80
      cidr: "0.0.0.0/0"
```

Run the deployment script with your configuration file:
```bash
python3 builder.py --config configs/prod-secure-vpc.yaml
```

Advanced options:

```bash
# Dry-run mode (validate without deploying)
python3 builder.py --config configs/prod-secure-vpc.yaml --dry-run

# Verbose logging
python3 builder.py --config configs/prod-secure-vpc.yaml --verbose

# Specify custom output directory
python3 builder.py --config configs/prod-secure-vpc.yaml --output-dir ./custom-output
```

Check the output state file:

```bash
cat output/prod-secure-network-state.json
```

Verify in the AWS Console: navigate to the VPC Dashboard to inspect the newly created infrastructure components.

Using the AWS CLI:

```bash
aws ec2 describe-vpcs --filters "Name=tag:Name,Values=prod-secure-network"
```

VPC configuration parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| vpc_name | string | Yes | Unique identifier for the VPC |
| cidr | string | Yes | IPv4 CIDR block (e.g., 10.0.0.0/16) |
| region | string | Yes | AWS region for deployment |
| enable_dns_hostnames | boolean | No | Enable DNS hostname resolution (default: true) |
| enable_dns_support | boolean | No | Enable DNS support (default: true) |

Subnet parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Subnet identifier |
| cidr | string | Yes | Subnet CIDR block (must be within the VPC CIDR and not overlap other subnets) |
| type | string | Yes | public or private |
| az | string | Yes | Availability Zone (e.g., us-east-1a); must belong to the configured region |
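The constraints in the parameter tables (subnet CIDR inside the VPC CIDR, AZ in the configured region, type public or private) and the NAT Gateway and Security Group sections of the config are exactly what a --dry-run should check before any API call is made. The validator below is an added example, not the project's own code. It works on the config as a dict, which is what `yaml.safe_load` returns (never `yaml.load` on a file you did not write, since that can instantiate arbitrary Python objects); the AZ name pattern, the rule that only TCP 80/443 may be opened to the whole internet, and the warning texts are assumptions made for this example.

```python
"""Config validation for an aws-secure-net style YAML (added example; checks are assumed)."""
import ipaddress
import re

# Standard AZ names: "us-east-1a", "eu-west-2c", "us-gov-west-1a". Group 1 is the region.
AZ_RE = re.compile(r"^([a-z]{2}(?:-gov)?-[a-z]+-\d)([a-z])$")

WORLD = ("0.0.0.0/0", "::/0")
WORLD_OK_PORTS = {80, 443}  # the only ports a public web tier should expose to the internet

# Constructed config mirroring configs/prod-secure-vpc.yaml from this page (trimmed).
SAMPLE_CONFIG = {
    "vpc_name": "prod-secure-network",
    "cidr": "10.0.0.0/16",
    "region": "us-east-1",
    "subnets": [
        {"name": "public-web-1a", "cidr": "10.0.1.0/24", "type": "public", "az": "us-east-1a"},
        {"name": "public-web-1b", "cidr": "10.0.2.0/24", "type": "public", "az": "us-east-1b"},
        {"name": "private-app-1a", "cidr": "10.0.10.0/24", "type": "private", "az": "us-east-1a"},
        {"name": "private-app-1b", "cidr": "10.0.11.0/24", "type": "private", "az": "us-east-1b"},
    ],
    "nat_gateway": {"enabled": True, "availability_zone": "us-east-1a"},
    "security_groups": {
        "web_tier": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        ]
    },
}


def validate_config(cfg):
    """Return (errors, warnings). Errors must block deployment; warnings are design smells."""
    errors, warnings = [], []
    missing = [k for k in ("vpc_name", "cidr", "region", "subnets") if k not in cfg]
    if missing:
        return [f"missing required key(s): {', '.join(missing)}"], warnings
    try:
        vpc = ipaddress.ip_network(cfg["cidr"], strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"vpc cidr: {exc}"], warnings
    if not 16 <= vpc.prefixlen <= 28:  # AWS accepts /16 through /28 for a VPC CIDR
        errors.append(f"vpc cidr {vpc} must be between /16 and /28")

    seen_nets, names, public_azs, private_azs = [], set(), set(), set()
    for s in cfg["subnets"]:
        label = s.get("name", "<unnamed>")
        if label in names:
            errors.append(f"duplicate subnet name {label}")
        names.add(label)
        if s.get("type") not in ("public", "private"):
            errors.append(f"{label}: type must be public or private")
        m = AZ_RE.match(s.get("az", ""))
        if not m or m.group(1) != cfg["region"]:
            errors.append(f"{label}: az {s.get('az')} is not in region {cfg['region']}")
        try:
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except (KeyError, ValueError) as exc:
            errors.append(f"{label}: bad cidr ({exc})")
            continue
        if not net.subnet_of(vpc):
            errors.append(f"{label}: {net} is outside VPC CIDR {vpc}")
        for other_label, other in seen_nets:
            if net.overlaps(other):
                errors.append(f"{label}: {net} overlaps {other_label} ({other})")
        seen_nets.append((label, net))
        (public_azs if s.get("type") == "public" else private_azs).add(s.get("az"))

    nat = cfg.get("nat_gateway", {})
    if nat.get("enabled"):
        az = nat.get("availability_zone")
        if az not in public_azs:  # a NAT Gateway must sit in a public subnet
            errors.append(f"nat_gateway az {az} has no public subnet to host the NAT Gateway")
        elif private_azs - {az}:
            warnings.append(f"single NAT Gateway in {az}: private subnets in "
                            f"{sorted(private_azs - {az})} lose egress if that AZ fails")
    elif private_azs:
        warnings.append("private subnets defined but nat_gateway.enabled is false: no outbound path")

    # Internet-wide ingress is acceptable only for the web ports.
    for tier, rules in cfg.get("security_groups", {}).items():
        for r in rules:
            ports = set(range(r.get("from_port", 0), r.get("to_port", 65535) + 1))
            if r.get("cidr") in WORLD and not (r.get("protocol") == "tcp" and ports <= WORLD_OK_PORTS):
                errors.append(f"{tier}: rule {r} exposes ports beyond 80/443 to the internet")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_config(SAMPLE_CONFIG)
    print("errors:", errs)
    print("warnings:", warns)
```

On the sample config this reports no errors and one warning about the single-AZ NAT Gateway; wiring `validate_config` into --dry-run means a typo such as a subnet outside the VPC range fails locally instead of half-way through a deployment.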
Remove all created resources using the state file:

```bash
python3 builder.py --teardown --state-file output/prod-secure-network-state.json
```

Deploy the same architecture across multiple regions:

```bash
python3 builder.py --config configs/prod-secure-vpc.yaml --regions us-east-1,us-west-2,eu-west-1
```

Note that the example config pins Availability Zones by name (us-east-1a, us-east-1b); a multi-region run needs subnet AZs that exist in each target region.

Example GitHub Actions workflow:

```yaml
name: Deploy AWS Network
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Deploy VPC
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: python3 builder.py --config configs/prod-secure-vpc.yaml
```

This workflow deploys to production on every push to main using long-lived access keys stored as repository secrets. Before relying on it, protect the main branch, and prefer short-lived credentials obtained through GitHub's OIDC federation to an IAM role (the aws-actions/configure-aws-credentials action with role-to-assume and the id-token: write workflow permission) so that no static key exists to leak.

This tool implements several security-hardening measures:

- Principle of Least Privilege: Security Groups are created with no inbound rules (default deny) and only the rules declared in the configuration are opened. AWS adds an allow-all outbound rule to every new group; restrict it if egress control is required
- Network Segmentation: clear separation between public, application, and data tiers; private subnets reach the internet only through the NAT Gateway
- Traffic Visibility: VPC Flow Logs enabled by default. Flow logs record connection metadata for auditing and detection; they do not encrypt traffic, so encryption in transit (for example, TLS on the web tier) remains the workload's responsibility
- Audit Trail: all resource creation logged with timestamps and user context
- Repeatable Infrastructure: the exported state file records every created resource ID, so deployments are consistent and can be torn down completely
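"Deny all by default" needs two extra steps on AWS that the list above glosses over: a new Security Group has no inbound rules but does carry an allow-all outbound rule, and a custom Network ACL is stateless and implicitly denies everything, so reply traffic on ephemeral ports must be allowed explicitly. The code below is an added example, not the project's modules/security.py; it builds the boto3 payloads that implement both, and audits what ends up exposed to the internet. The tier definitions with `group` and `egress` keys and the group IDs are constructed for illustration (the page's config has only CIDR-based ingress per tier); the method names and payload shapes are those of the EC2 API.

```python
"""Default-deny Security Group and stateless NACL payloads (added example; tier config is assumed)."""

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1", "-1": "-1"}  # NACL entries take protocol numbers

# AWS attaches this egress rule to every new Security Group; it must be revoked for true default deny.
ALLOW_ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

# Constructed tiers. Rules with "group" reference another tier's Security Group instead of a
# CIDR, so only members of that tier are admitted even if the subnet ranges are reused later.
TIERS = {
    "web_tier": {
        "ingress": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        ],
        "egress": [{"protocol": "tcp", "from_port": 8080, "to_port": 8080, "group": "app_tier"}],
    },
    "app_tier": {
        "ingress": [{"protocol": "tcp", "from_port": 8080, "to_port": 8080, "group": "web_tier"}],
        "egress": [
            {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "group": "db_tier"},
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},  # updates via NAT
        ],
    },
    "db_tier": {
        "ingress": [{"protocol": "tcp", "from_port": 5432, "to_port": 5432, "group": "app_tier"}],
        "egress": [],  # nothing leaves the database tier
    },
}
# Constructed IDs; in practice these come back from create_security_group, so all groups are
# created first and rules are added afterwards (a rule can reference a group that has no rules yet).
GROUP_IDS = {"web_tier": "sg-0123456789abcdef1", "app_tier": "sg-0123456789abcdef2", "db_tier": "sg-0123456789abcdef3"}


def ip_permission(rule, group_ids):
    """One element of IpPermissions for authorize_security_group_ingress/egress."""
    perm = {"IpProtocol": rule["protocol"], "FromPort": rule["from_port"], "ToPort": rule["to_port"]}
    if "cidr" in rule:
        perm["IpRanges"] = [{"CidrIp": rule["cidr"]}]
    else:
        perm["UserIdGroupPairs"] = [{"GroupId": group_ids[rule["group"]]}]
    return perm


def security_group_calls(tiers, group_ids):
    """(method, kwargs) pairs that leave each group admitting only its declared traffic."""
    calls = []
    for tier, spec in tiers.items():
        gid = group_ids[tier]
        calls.append(("revoke_security_group_egress", {"GroupId": gid, "IpPermissions": [ALLOW_ALL_EGRESS]}))
        for direction, method in (("ingress", "authorize_security_group_ingress"),
                                  ("egress", "authorize_security_group_egress")):
            perms = [ip_permission(r, group_ids) for r in spec.get(direction, [])]
            if perms:
                calls.append((method, {"GroupId": gid, "IpPermissions": perms}))
    return calls


def nacl_entries(acl_id, ingress, ephemeral=(1024, 65535)):
    """kwargs for create_network_acl_entry. Each allowed inbound port gets a paired outbound entry
    for the ephemeral reply ports; everything else hits the implicit deny of the custom NACL."""
    entries, rule_no = [], 100
    for r in ingress:
        if "cidr" not in r:  # NACLs know nothing about Security Groups
            continue
        base = {"NetworkAclId": acl_id, "Protocol": PROTO_NUM[r["protocol"]],
                "RuleAction": "allow", "CidrBlock": r["cidr"], "RuleNumber": rule_no}
        entries.append({**base, "Egress": False, "PortRange": {"From": r["from_port"], "To": r["to_port"]}})
        entries.append({**base, "Egress": True, "PortRange": {"From": ephemeral[0], "To": ephemeral[1]}})
        rule_no += 10  # leave gaps so entries can be inserted later without renumbering
    return entries


def internet_exposed(calls):
    """(GroupId, FromPort, ToPort) for every ingress rule open to 0.0.0.0/0 or ::/0; review before applying."""
    out = []
    for method, kw in calls:
        if method != "authorize_security_group_ingress":
            continue
        for p in kw["IpPermissions"]:
            ranges = [r["CidrIp"] for r in p.get("IpRanges", [])] + [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in ranges):
                out.append((kw["GroupId"], p["FromPort"], p["ToPort"]))
    return out


if __name__ == "__main__":
    for method, kwargs in security_group_calls(TIERS, GROUP_IDS):
        print(method, kwargs)
    print("internet-exposed:", internet_exposed(security_group_calls(TIERS, GROUP_IDS)))
```

Applying the result is a loop of `getattr(ec2, method)(**kwargs)` over a `boto3.client("ec2")`; the `internet_exposed` output is the list worth pasting into a change ticket, since it is the only thing reachable from outside the VPC.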
Your AWS user/role needs the following permissions. Creating the resources is not enough: the deployment also attaches the IGW, writes routes, associates route tables, authorizes Security Group rules and NACL entries, and calls Describe* to validate its work, so those actions are included as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BuildSecureNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:AllocateAddress",
        "ec2:CreateNatGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:AssociateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:CreateTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    }
  ]
}
```

Teardown additionally needs the matching Delete*, Detach*, Disassociate* and ec2:ReleaseAddress actions, and VPC Flow Logs need ec2:CreateFlowLogs plus write access to the log destination. "Resource": "*" is the simplest form; in production, condition the Create* actions on a request tag (for example aws:RequestTag/ManagedBy) so the credential can only create resources it tags as its own, and keep the deploy identity separate from the one allowed to delete.

We welcome contributions from the community! Whether it's bug fixes, feature enhancements, or documentation improvements, your help makes this tool better for everyone.
- Fork the repository on GitHub
- Create a feature branch from main: `git checkout -b feature/add-vpn-support`
- Make your changes with clear, descriptive commits
- Add tests for new functionality
- Update documentation as needed
- Push your branch and open a Pull Request
```bash
# Clone your fork
git clone https://github.com/yourusername/aws-secure-net.git
cd aws-secure-net

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install development dependencies
pip install -r requirements-dev.txt

# Run tests
pytest tests/
```

We follow PEP 8 guidelines. Please run linting before submitting:

```bash
flake8 modules/ builder.py
black modules/ builder.py
```

Found a bug? Open an issue on GitHub Issues
Have questions? Start a discussion in GitHub Discussions
Need enterprise support? Contact us at [email protected]
Planned features for future releases:
- VPN Gateway support
- Transit Gateway integration
- VPC Peering automation
- AWS Organizations support
- Terraform state file export
- CloudFormation template generation
- Cost estimation before deployment
- Compliance scanning (CIS, PCI-DSS)
Built with ❤️ using:
- Boto3 - AWS SDK for Python
- PyYAML - YAML parser and emitter
- Click - Command-line interface creation kit
Special thanks to all contributors who have helped shape this project!
Made for the AWS community