diff --git a/.dockerignore b/.dockerignore
index 955803882..8b1378917 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1 @@
-Dockerfile
-docker-compose.yml
-.dockerignore
-.git
-.github
-.gitignore
+
diff --git a/KaiMonkey-master b/KaiMonkey-master
new file mode 100644
index 000000000..e69de29bb
diff --git a/defender.yaml b/defender.yaml
new file mode 100644
index 000000000..3797b41c8
--- /dev/null
+++ b/defender.yaml
@@ -0,0 +1,188 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: twistlock-view
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] # Allow Defenders to list RBAC resources
+  verbs: ["list"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "replicasets"] # Allow Defenders to get Deployments and ReplicaSets
+  verbs: ["get"]
+- apiGroups: [""] # Core API
+  resources: ["namespaces", "pods"] # Allow Defenders to get Namespaces and Pods
+  verbs: ["get"]
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: twistlock-view-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: twistlock-view
+subjects:
+- apiGroup:
+  kind: ServiceAccount
+  name: twistlock-service
+  namespace: twistlock
+---
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: twistlock-secrets
+  namespace: twistlock
+type: Opaque
+data:
+  service-parameter: aG9HZmt0amVyejVUY204bnBDaHdDTGwrZnBBdmF0anBBZWYxcWtpOHc3V1UyanpDaXFidi9vMStONEo3NnNXakFkUzJtZ1VDZitlNkM3UjBlVmw1THc9PQ==
+  defender-ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIVENDQWdXZ0F3SUJBZ0lSQU1kZ0wyZkVKbkRYSG5aSHpXUUxxZXd3RFFZSktvWklodmNOQVFFTEJRQXcKS0RFU01CQUdBMVVFQ2hNSlZIZHBjM1JzYjJOck1SSXdFQVlEVlFRREV3bFVkMmx6ZEd4dlkyc3dIaGNOTWpNeApNRE13TVRBMU16QXdXaGNOTWpZeE1ESTVNVEExTXpBd1dqQW9NUkl3RUFZRFZRUUtFd2xVZDJsemRHeHZZMnN4CkVqQVFCZ05WQkFNVENWUjNhWE4wYkc5amF6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0MKZ2dFQkFMVmxIZERSVVJGV3hacytGVXB1RUlLMFcrUFNYOGtqdzlJUjc5b0RIOTVLRGJEb05nYWlBZHVpS0FGSQpqaWdMYWV1RWJ0SVViMkZ3YlROZ3hFd2lhYXdTRUh0dGxEQ1FWRFM4eFpURjJwY1NOQktOSzVJWjhselM3OGNCCkFPRVpYV09sWE5iQ3F5TEt0NzZWbVNGamZMUlNpei9WdUpCY01pR05wMGZNaFpIb2FPRXVaeXA2MkdySmZuS0IKSW5zQk1ZcDJFa1Z3ZHhlUmVuc25rNDNOWXV5bW1LcHJwazdrTjFZVnY0SUFGUEZFZXZCSUFNd0VQU1FiMU93NQp0elByU1kzQ3hPQmN2RjRNZXcxK04zM0FHYU5mbjZPRHl4eWpZL0laVE9zd0paM05rcmkrTzdmZFBTdWtWMG5XCk9sV1ZGSUsvMEJUVmNIYmgxUzlaQ09sbC9wc0NBd0VBQWFOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdLc01BOEcKQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGQVpFUDhTVWZnaWhYZXJUejY3N1B0V0wwL285TUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQkFRQkxCaE9jL2NjbWJRK200dlhNbEc0SjNxQld5Z09FYlZUSzNGWkhsNXNrCjV2NTJCM2V4T2JNbTdYNGN3TVYvVTlJdFIyZVIyRTB3MkZFVlJ3VWR5UWZhKzVBMDNMTjBuWnB2TTF3Nm81VFUKME1vNDc1eU52SXo2SHY0UHRkanRlTFNFZG9wWWxnVEhQS3dMMUpSVGgwU3l3ODFUdnFtS1I4aWdKUklHTGR1bwp1L3BGUmVmeUhCd0E0aCtndkYzWGhJMnFjQXJ1K0xoQlkvNlNuWWFma3BCcllVMHFBWTNnYWs0T3loK05kdGVxCjFtVjRjV3k4c1g1aEhXS2c3Mzd3amVXWVJta3AyckovTDJ2MG9seEN5WVUycWVEa1NUQ2hFbWM4TFMvblhLRUkKWmh6d01obUM2S09hS2l4Q0RjRm5VRzBFbkc3MGRXRmdSbjRDcFc5cjBLYkgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  defender-client-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lRWDdLd0g1TXVNL1JraENKS2VEN21rekFOQmdrcWhraUc5dzBCQVFzRkFEQW8KTVJJd0VBWURWUVFLRXdsVWQybHpkR3h2WTJzeEVqQVFCZ05WQkFNVENWUjNhWE4wYkc5amF6QWVGdzB5TlRBeQpNRGt3TWpReE1EQmFGdzB5T0RBeU1Ea3dNalF4TURCYU1DZ3hFakFRQmdOVkJBb1RDVlIzYVhOMGJHOWphekVTCk1CQUdBMVVFQXhNSmJHOWpZV3hvYjNOME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0MKQVFFQXYvcTBXNTZQYm5vNlRYaHBJdFdRVmRReUhEMzlON3F0YkI0bWtJenY3dTl4c05jQmE3d21ZOUNvUTlqbApwbldFN2xxblUvNFBMcWxlVmxXVmpnUUVPamtEdERYMi9ScEo3RndYV1M0cVErZ0hIYVVnbjJDc1VOeGt5RUFXCmZlRC9jb3NJZEowdmhTYU1ETXVwSmJMb0xWR1N6VjN0WnU2RDdKWmxFNG90cnRkV3FKK3VaeE01ZDA3Y2pxc0oKQ2RURGNqbXVHc2MzOGhMY09oQnNPUW9ja080T094WjQvMzZJSm1JaGlOTDRXR2pUQnpicXVVS2U0Wi9WN1c1aQpSUUNvM1pXQm82azQxZHNUaTg1UFNJQm9zZkVTd3RPa1Zsb0J3YllYdnk4RDkzNEdSS2VyWVJUdThnTkN6VDRlCjZOQTJMNFIvR0lobWY4R244cEpVV2Q2N2h3SURBUUFCbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQjRBd0V3WUQKVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWZCZ05WSFNNRUdEQVdnQlFHUkQvRQpsSDRJb1YzcTA4K3UrejdWaTlQNlBUQUpCZ1VxQkFFQ0J3UUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNNCkJyOXY0d2YxWHhIdFA0ZlhBQUdiaE9oY3JpQ0VrZ25UR0g0VG9HVkF1NEF1Z3pPSXYyZk1yM0czUGdmbzBGMmkKem8yRStDemJZekpvK1I0Q3hGZkhiS3BCbUVRU2c0dGJZeWFheExneTRSZWVCaENHbGs0WnhML3c4UWp6eDlXUApkc2pRN2E3c09lamgzd3hOSXhyRnpvVmc5VHdZcjcvS2hwaGV3T25WRXE5N0s4NHNRYktMM3MxQlgvYm1jRXpXClVTcDljcXFlV0ZHQU1uRGdXVWNPUWc2NXZVMkpCS2NJTWYxWlR3VTN3Ykh4ajNTMkNXeHRyVHY0cXlxVmtSOVQKYWpTR21iQzBrNmY1bmpENThzellTY2pNZUwzYWpmNlBtWFg0TkhwcWVJTFBCelp0M25KM0NKbysrWmdYZHRIegovNXN2R0hHNHUzN3lQWUJGeUNvMAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  defender-client-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBBRVMtMjU2LUNCQywyNjRiNWRlNGIwN2E5OTEyNmQ2YjQwYTZhZTU4MjBlZQoKczZmcm5MNU5nY3drNzNJVWRvVENFRS9jSWRPRkRUbzZSUHFyMlZFRFIvSGo1NjVXTG5ONnVBczNvYkJ5YXNhLwplNnNMUEIvMGlxUElZZFo3WHJqSW5wYmNaUmVnem5nVVJtdVJZUHlLT0JSdHNOeEQvb0RCTW9JMHM3emtKTjVSCjJ0bk9Iem1aMm8veXZvLzlocXN4SUh1ZFdacEhtL1lacTZNUEJZSk5QMDEwL2xkMTltaXZJQnJQbXg3N0FwTWEKTmdQalFkek8vS2dpdlpJaWpxSnhVNEwrRkY0bDlpTU96SWFuUG90Mng2cjF0bHBSdVBOcDQ4bG1OSnk2UFJ3dwpLUnRBTnU4cmRnOEYrTzZjNitnY1hVek9nM2wrd0RieTRvTENVQjRsNXBpTU03M2tPSFR2U1B6cWM0RzR3REF2CmtZL0p5SXpBMkU2SS9rYTg4cC9mRnVQZG1zRHEyQkJHNVpLNE4zSFNLcW1heWc3WUM4NnFkaHNlNG5kdm83cUQKZU9Mb1RSOEE3cTRJUE1ZSlBtQlhOWndCZHRleEk1ZE9tTkVYR2xhaGVZV3NGS0FONHRRdUgydlR5K1g5YklmTQo5eXo1R2FMZHJ4SU1ubDgrRzliVWF5c09JVWxYM0treHRORDNWdXI5V21tT0ZFMk1rZzlIa21kUGpkOXJxZ2YzCjRYcmxRRXFtV1E0Z0wxVkpON0o2MEN4dGV3UnJJTDd2Qi8rc3kyMU9oeUtFSTRWR2F6THNhVklaRjhtd0ZFeWsKcVhPOU11RkZpTnFNbmYwMkZkQjZhTVc2RXBXS0NlZTdnVm03aGJRV2lXalZyNEFoRFN3SE0yUmsxcnJlenNVUwp1djZRVHJtN0s1Y1JYTnV3T1pQaVZiL1AzUDVMczcxZVR0RFdjWE00bzFORFBlWWs4L2RHcXFZLy92R3RSd25TCnlQMkgzZks5WFZqRFdqWnA4S2RhaUwwbm12Z2RsVE9uSkMyS2lRcjlqVjJ3bHhoMHpxcHBZRGJKM3VzbGRuYTUKUlIvcTVuTFdlR2ZVV3d3S3NEcUNTZm9hekJrQlVRa0E0Vm5qRUpIL3FPb29vQVFZZThPeldnNzNDWno5ZFl1WQp2ZzFYWDJQM2R6U1M4NkIyaVdvendsUmRiR0JacG0wbDlWcTdkSy9pUzBIa0d0RXl6Q0xxRDIwN2VFckM4VnBOCjNuTndCdTRWWEdKQXJlUnhaNGx2TGtQVCsycGpPdDRjVTNLalZjU2hyWGlLQzRRSDVSTWhYSUhpNjBTRHZoK2YKbXpnWFY4SjZGZW1VeU90aXdLVEs2UzVoNXFLQUNCY0hxVlhtT3pxRDIxWFpndVRyTEVzOVZ5elIwMm5ONis5WgpzUE90cjBvcXRNbU1abWpnaUJIQ0ZueW9PSGhkMTF6VmtuZnZidUJlQnJtWWJnTWRWMGRxY2p4ZlMxV3ZQV3VhCkdCWW4xNmZxby80MEI4ZytXRkxOUEdmaS9yRlkzVTE5U0h3SW9OZGV6MGl0NitRTUtKd1I4UUUrV2s1MFRvUUgKUmZSOXQ4c2NLN3hPTmNwRzRHM29zVlgxK3cwMDhlZEtHWUx3ZkljWjQ4QlVPclM2VUdZZlNlZ09vZVowRzIxQQpIQ3U3Q1ZlMkNzVkQvRVFTeFVwYTNPU01oaXZqeVlzRG1ic3VhYlZENXRYanAxcUxqM0F4V214S1RSV2ZEajJGCndtU1RraFFrRXRjZW43K3VxNnpyeVNGWG5ZeTRkSU9NaGdXdkhJOEo5amFhYk9DVStsenRnWXRMNlE4VDVveTIKYXRJVXdPeDVjaVFuSi9ESWpqVG40ZVhRSjk5eFVVZnkvYVZCQ1ZSd21Zb3hhaUxMakdSOTE1S3dhOW5PblQySQpWd0pjUlUyK1Rkb3JZYVRYWC9NcFZ4SlpPUUpMNjhvWnpESVN5ZWFxbzd6TG9jQWYrZ0Irb2FodnNUY3dVaE1tCjVDREZsbWFNZEtaZ1FyQ2czYlRBaWFvbjRYZHNvWE1scm5NcktvMllWcFZQdC9rcXdQNk5CcnRxLzdGdEl2MkYKNlp6azF4di8rTzdrWTk4clRMalJ1eEVwVzVYT1lJUEQzbmxGM0dBZlhiOU9BTms3bzlLQi9acUt5YytxeVE1cAotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  admission-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURURENDQWpTZ0F3SUJBZ0lSQUlkMkV6RUVOOHJGR3NNWm9oVFRnK0l3RFFZSktvWklodmNOQVFFTEJRQXcKS0RFU01CQUdBMVVFQ2hNSlZIZHBjM1JzYjJOck1SSXdFQVlEVlFRREV3bFVkMmx6ZEd4dlkyc3dIaGNOTWpVdwpNakUyTURVeE5UQXdXaGNOTWpnd01qRTJNRFV4TlRBd1dqQVVNUkl3RUFZRFZRUUtFd2xVZDJsemRHeHZZMnN3CmdnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURsRlgyRmRaQjQ4anZvREVBY0NCcXMKL09qZnh0azY5RUdMaWNrTVgrUmdFSkE3RzAzWFFHdzlwYjlwY0F0anFhNGNvNXdDdXo4SGQ1N2xlak5mQWpvcQo5WmRSWHFHQ01XYmpmUVArMjJTT2g5M0R6c21Jd0VaWkJob0daQ09nRitpd2xqWitPSmo4bXFSUzF1a1JBWUZxCmpQT25USkMwL1BFbGhqRit2Qk9xN0x5VzRkSGp2SUdFRjhlZkt5Ynp1NmZ3RnBSaS9lVVIraTFIM0F6ck5pL1UKc3E1VnAzWVlsZXJGTlhMMmw5RFhleU9GcjRuY3hBTU9mMFVTTy93SCtoK2c3YTJCSTd2WkJwZjhWS1N3REg2ZApTVWlDNmhuTUJ4MXNtOEpCTko0YzZ4ZTMxWnpDM3NFb0tPZkZHckova1FqMk8veWlNbC9kSnpzcG9NUElqWXJwCkFnTUJBQUdqZ1lRd2dZRXdEZ1lEVlIwUEFRSC9CQVFEQWdPb01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUMKQmdnckJnRUZCUWNEQVRBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkFaRVA4U1VmZ2loWGVyVAp6Njc3UHRXTDAvbzlNQ0VHQTFVZEVRUWFNQmlDRm1SbFptVnVaR1Z5TG5SM2FYTjBiRzlqYXk1emRtTXdEUVlKCktvWklodmNOQVFFTEJRQURnZ0VCQUs5ZUZZMUFtajBCVWs4d0U3dDF6UXl1TFJXYzR5NXVwZDhZU2tyeXVhQ0oKakZ0TlRDYjdOYWVJTU1vRis2c2hNL0FTazIrczFEUkxnaHArbU94K3l3SzJTcXFRSCtPQ01nRGdSTXBaZTM3cApZVGluSUNmQmZ6c3ZVazdOSE9jb2hEYW1kcWUyR3pMMjB6Z0J0NGkrTGRTTjNJZmh2VnkzVXlHdlViOWtYaGFDCkpPcEtFbkpCNnpWOW03UUZPWEd5ckJLeEhRT2VmUXRIUGtWNW92UnNPL0JUR2dXMUcvRm9LUVJLK0FOZTNvT3IKaURobVVRd0RjRGRWWFdNcGZHMTBldE9INlowZ3BxQVZBZEVuRFhqaXpyME50MUhFMWhMeUg2M0lHRGo3SkNYMAo0NXh5NCtCTHNyZlVtR2p2OS8wVmRhSHZrcE1wMTVOVFpyRnh3Q1FGa2dzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  admission-key.pem: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBBRVMtMjU2LUNCQyw1YzUzMjQ4ODY0ZWJlMzMzMmYzN2U0MjMzZmMxMDVlYwoKUUdqY0Y0RXZabS96anR3V2gwOFg5WDB4dDlwU1J6Z2Y5Ulprejk0c2NBK2huWTJ1dmthMTl0bG4wTEJoT2FWcApzOE5NMllMRGlicC9uR2FLazJVZWZjT0k0c3g2OGc4Yk5EbFd5SVQrZE9jcnAybU03WkFEaGhZWW50MlJNanFZClhJN0xVMFM1YXZsa0xEOUF2amVXNTdwZFU5cTRjWnlyM3dleFB3UXQxbG5ZWm5FUm5uUzRZekI3SW9FRkQvWTQKRHVQcG10aUUyNjZHUXpjVkkvZ2lGT2d2Yi9NbzBtOHd0M1YrUS9nR1hxRUh2ejlWN1IyZ2RjVXV4eC9Ccmp1VgpXYkttNHM4RWpFemVwUHZpeVBnTWtPcDdLYSsvTEJXT0RTV2o5TVNsYWpoSis1UTZaZVlubGlqRkJ2OVg3N1lCCnlXbkM5ZTFUbEx1RzltSTVmZFVRWTZGWndRaUJYT2dhNnl5RnduT0laUDZFU2MxdU5Cbk9XSnlrSWovT2NmclEKV0ZZWFBFU0JsN2dwL1JVK3ZEZVdCci80alAwQm4zTExJbDg5c1FWYTlia1pCRzlMQ2JZZmpreEpSTnlETTJGbwpreThscmJHeThxQlNsckFXOUhlWENjR3FUVStMZDNhWVE2c3h4QVJpUG5GZjBpMkxzcVRpcCtxSUZ4NE9uNjNCCnRrN1pKNVpwQm93NUY1U215NzZqYk9yM2FXU2hZZU1hbEZ4eGlLRXprOE9XYUxsbWNreXNiNTdRbXE1NXVnZXgKb25FU3NFWS9IeHkyVElPSzdXMzdudC9pV0FKKzJ3bmFUNFJubzNmVlVCYmtkYVRaMlF0N0pxVnFHcm5MUDBBOQplUXQwRllubUFsSnRNbVRabmRzbE5waThWQlJpOWlML2t4NjFmeGdGZHc3bHdpdThyeDgvQ3NOeE9OS3piSFlNCnQwejIzNHdtejNwc1NLSzhINUNyZW1Pc0FkVDZlWURjVTVET3orRHFPWlBwZHd1dzlpNUdTellncEllcWxnS0UKNDJDWEJjRHZjZXhHK0RZRzZHSWhTRU9ESjEzVjlpakd2VlVzdTRMTWxyTlpVSG9jODVGWVBUTGI4eVhFMjRqUQowWENMcmd5WlFSYlM3ZE5ZNGsxWlFYMXoydDlCVDk3Nk96TG51eWJsS2hiczNUZUpQN2FiT3RiZ1VEb3JwbEJJCmpFTlpqdHVaTlROZmcwMEhiaFVYd3J2Ly82ZythOVU2ekNxRUpQeURYU2tuWlNzMzlkdFJUSkVuK1R1c1cwa28KM0dHTjcvMVZDSlk5QWhveXk2aVNDb2ZkL0FFdmw4WWsyTjdHVGtDeS9qaXVaMlFjUmlYR096Z3paSndTNm1yRApVSGFaY0JrYkgzS21yRE9EazYxQUN3Rys2NnpYaVQ4RnNrVG9iNGVaVDZHUjJCUUxqUFhoK3FkcXl5SVFVMEZ5CjFTSlZJcngycGRrZVBWMjhoNGx6VnBla2FLUzBhQ0h5Qi9yYkY5a0oxeUM3RDhWODJPK0tEMDNvZHZnL2VkZWQKd0hGMTUzRWh1YjZvb2w2MWszR1JmNkUzbXdpNTBWbEJ3M0lWdW9oWXg5ZG1GVUJDajlaY1YyWFVpOTNrRDRJSwpIeitic2JMSGpVOXptSE9wKzl6VHhuM3lzQWdIZEE2bGMvWm5DOWNnRjl3QmtjanEwRmVmR1FQbzNVbENMU3M2CmIxcTluZEE3emhMUENUUnQ1TXRNQURHL09zckFVZVV4WlB0c05zTkpGMGx6czhvUUFSQ01pNUdkcXhqczNmTHQKUXpzaXVKUUF0QktRMEppclVWMUJiN0FSRk9oMVRaWDN5NndWeEVETVZad3hIcU9TcHBLeC8yeG10MG15UWdFOAp6T3I4aEo0VHpKSzRldDNLUFJqc2M4QjJERllUOGJmMjRJbm1XeDhoWENXYm81WmVta2JraENkRnQzQ1lWR0w5CnlGZnlJME4rV3RLMlV2YlFTcXRzRVFqeUNYT3V6blpJOWdjSEVYajRHNE5SQjNwT1Q0K1lSMFRKWFhCak9KNloKVjN1QnBxakJQLzU2TUNOMXJaMjdEM29UNy9QRVROd2hjN3pDWlg5anpMOVdKZHE0RVRnUVhGYnlLRk52ZEtndQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+
+---
+apiVersion: v1
+kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
+metadata:
+  name: twistlock-service
+  namespace: twistlock
+secrets:
+- name: twistlock-secrets
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: twistlock-defender-ds
+  namespace: twistlock
+spec:
+  selector:
+    matchLabels:
+      app: twistlock-defender
+  template:
+    metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/twistlock-defender: unconfined
+      labels:
+        app: twistlock-defender
+    spec:
+      serviceAccountName: twistlock-service
+      restartPolicy: Always
+      containers:
+      - name: twistlock-defender
+        image: registry-auth.twistlock.com/tw_cpelxriy4ibicc78s02yvelqgc2c4cvj/twistlock/defender:defender_33_03_138
+        volumeMounts:
+        - name: data-folder
+          mountPath: "/var/lib/twistlock"
+        - name: certificates # Setting the certificates mount after data-folder since it is nested and was overridden in CRI based GKE cluster
+          mountPath: "/var/lib/twistlock/certificates"
+        - name: docker-sock-folder
+          mountPath: "/var/run"
+        - name: passwd
+          mountPath: "/etc/passwd"
+          readOnly: true
+        - name: syslog-socket
+          mountPath: "/dev/log"
+        - name: cri-data
+          mountPath: /var/lib/containerd
+        - name: cri-rke2-data
+          mountPath: /var/lib/rancher/rke2/agent/containerd
+        - name: runc-proxy-sock-folder
+          mountPath: "/run"
+        env:
+        - name: WS_ADDRESS
+          value: wss://asia-south1.cloud.twistlock.com:443
+        - name: DEFENDER_TYPE
+          value: cri
+        - name: LOG_PROD
+          value: "true"
+        - name: SYSTEMD_ENABLED
+          value: "false"
+        - name: DOCKER_CLIENT_ADDRESS
+          value: "/var/run/docker.sock"
+        - name: DEFENDER_CLUSTER_ID
+          value: "e3543129-2dcb-eb5e-5555-33fbe2b56313"
+        - name: DEFENDER_CLUSTER_NAME_RESOLVING_METHOD
+          value: "default"
+        - name: DEFENDER_CLUSTER
+          value: ""
+        - name: MONITOR_SERVICE_ACCOUNTS
+          value: "true"
+        - name: MONITOR_ISTIO
+          value: "false"
+        - name: COLLECT_POD_LABELS
+          value: "true"
+        - name: INSTALL_BUNDLE
+          value: "eyJzZWNyZXRzIjp7fSwiZ2xvYmFsUHJveHlPcHQiOnsiaHR0cFByb3h5IjoiIiwibm9Qcm94eSI6IiIsImNhIjoiIiwidXNlciI6IiIsInBhc3N3b3JkIjp7ImVuY3J5cHRlZCI6IiJ9fSwiY3VzdG9tZXJJRCI6ImluZGlhLTExMzE5NjA4MzEiLCJhcGlLZXkiOiJQRTNEYTE4ZTZPNlhqbGNjOUsrejR3NU9aWENSVWRVOHM3OG10aW5qcytTdUxUcE5sYTlnaVcwZWFZSDN2dm82elo0dDMzTFhWbUM1VHRUaml0SjluUT09IiwibWljcm9zZWdDb21wYXRpYmxlIjpmYWxzZX0="
+        - name: HOST_CUSTOM_COMPLIANCE_ENABLED
+          value: "true"
+        - name: CLOUD_HOSTNAME_ENABLED
+          value: "false"
+        - name: FIPS_ENABLED
+          value: "false"
+        securityContext:
+          readOnlyRootFilesystem: true
+          privileged: false
+          capabilities:
+            add:
+            - NET_ADMIN  # Required for process monitoring
+            - NET_RAW    # Required for iptables (CNNF, runtime DNS, WAAS). See: https://bugzilla.redhat.com/show_bug.cgi?id=1895032
+            - SYS_ADMIN  # Required for filesystem monitoring
+            - SYS_PTRACE # Required for local audit monitoring
+            - SYS_CHROOT # Required for changing mount namespace using setns
+            - MKNOD      # A capability to create special files using mknod(2), used by docker-less registry scanning
+            - SETFCAP    # A capability to set file capabilities, used by docker-less registry scanning
+            - IPC_LOCK   # Required for perf events monitoring, allowing to ignore memory lock limits
+        resources: # See: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#how-pods-with-resource-requests-are-scheduled
+          limits:
+            memory: "512Mi"
+            cpu: "900m"
+          requests:
+            cpu: "256m"
+      volumes:
+      - name: certificates
+        secret:
+          secretName: twistlock-secrets
+          defaultMode: 256
+      - name: syslog-socket
+        hostPath:
+          path: "/dev/log"
+      - name: data-folder
+        hostPath:
+          path: "/var/lib/twistlock"
+      - name: passwd
+        hostPath:
+          path: "/etc/passwd"
+      - name: docker-sock-folder
+        hostPath:
+          path: "/var/run"
+      - name: cri-data
+        hostPath:
+          path: /var/lib/containerd
+      - name: cri-rke2-data
+        hostPath:
+          path: /var/lib/rancher/rke2/agent/containerd
+      - name: runc-proxy-sock-folder
+        hostPath:
+          path: "/run"
+      hostPID: true
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+---
+apiVersion: v1
+kind: Service # Expose the Defender as admission controller. Remark: by default, Defender will not listen on the service port
+metadata:
+  name: defender
+  namespace: twistlock
+  labels:
+    app: twistlock-defender
+spec:
+  ports:
+  - port: 443
+    targetPort: 9998
+  selector:
+    app: twistlock-defender
diff --git a/note.txt b/note.txt
new file mode 100644
index 000000000..9adb0d0ea
--- /dev/null
+++ b/note.txt
@@ -0,0 +1,4 @@
+admansdmamdn
+
+
+asdbajsbdjk
diff --git a/terraform/aws/default.tfvars b/terraform/aws/default.tfvars
new file mode 100644
index 000000000..156c0c392
--- /dev/null
+++ b/terraform/aws/default.tfvars
@@ -0,0 +1,10 @@
+region      = "us-east-1"
+environment = "development"
+db_username = "kai_monkey_user_ob6RGj"
+db_password = "kHJ!4dusp7A#Xf21URhhZ1#"
+
+default_tags = {
+  project : "kai-monkey",
+  createdBy : "tenable"
+  environment : "development"
+}
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
new file mode 100644
index 000000000..7ce04078e
--- /dev/null
+++ b/terraform/aws/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 3.11"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+module "network" {
+  source       = "./modules/network"
+  environment  = var.environment
+  default_tags = var.default_tags
+}
+
+module "storage" {
+  source         = "./modules/storage"
+  private_subnet = module.network.private_subnet
+  vpc_id         = module.network.vpc_id
+  environment    = var.environment
+  default_tags   = var.default_tags
+  db_username    = var.db_username
+  db_password    = var.db_password
+}
+
+module "compute" {
+  source = "./modules/compute"
+  environment = var.environment
+  region = var.region
+  elb_target_group_arn = module.network.target_lb_group_arn
+  private_subnet = module.network.private_subnet
+  public_subnet = module.network.public_subnet
+  elb_sg = module.network.target_lb_security_group
+  elb_url = module.network.elb_url
+}
+
+resource "local_file" "web-access" {
+  content  = <<JSON
+{
+  "fqdn": "${module.network.elb_url}"
+}
+  JSON
+  filename = "./web-access.json"
+}
diff --git a/terraform/aws/modules/compute/data.tf b/terraform/aws/modules/compute/data.tf
new file mode 100644
index 000000000..034e9d010
--- /dev/null
+++ b/terraform/aws/modules/compute/data.tf
@@ -0,0 +1,15 @@
+data "aws_ami" "ubuntu_ami" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/compute/main.tf b/terraform/aws/modules/compute/main.tf
new file mode 100644
index 000000000..1e687002f
--- /dev/null
+++ b/terraform/aws/modules/compute/main.tf
@@ -0,0 +1,132 @@
+data "template_file" "km_ecs_template" {
+  template = file("./modules/compute/task-definitions.json")
+  vars = {
+    ENVIRONMENT = var.environment
+    LOG_GROUP   = aws_cloudwatch_log_group.km_log_group.name
+    REGION      = var.region
+  }
+}
+
+resource "aws_iam_role" "km_ecs_task_execution_role" {
+  name = "km_ecs_task_execution_role_${var.environment}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+  tags = merge(var.default_tags, {
+    name        = "km_ecs_task_execution_role_${var.environment}"
+  })
+}
+
+resource "aws_iam_policy" "km_ssm_secrets_policy" {
+  name        = "km_ssm_secrets_policy_${var.environment}"
+  description = "Kai Monkey SSM Secrets Policy"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "KaiMonkeySSMSecretsPolicyGet",
+            "Effect": "Allow",
+            "Action": "secretsmanager:GetSecretValue",
+            "Resource": "*"
+        },
+        {
+            "Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt",
+                "ssm:GetParameters",
+                "ssm:GetParameter"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "km_ecs_task_exec_role_policy_attach" {
+  role       = aws_iam_role.km_ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "km_ssm_secrets_policy_policy_attach" {
+  role       = aws_iam_role.km_ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.km_ssm_secrets_policy.arn
+}
+
+resource "aws_ecs_cluster" "km_ecs_cluster" {
+  name = "km_ecs_cluster-${var.environment}"
+
+  tags = merge(var.default_tags, {
+    Name = "km_ecs_cluster_${var.environment}"
+  })
+}
+
+resource "aws_ecs_task_definition" "km_ecs_task" {
+  family                   = "km_ecs_task_${var.environment}"
+  container_definitions    = data.template_file.km_ecs_template.rendered
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = 512
+  memory                   = 1024
+  execution_role_arn       = aws_iam_role.km_ecs_task_execution_role.arn
+  tags = merge(var.default_tags, {
+    Name = "km_ecs_task_${var.environment}"
+  })
+}
+
+resource "aws_ecs_service" "km_ecs_service" {
+  name            = "km_ecs_service_${var.environment}"
+  cluster         = aws_ecs_cluster.km_ecs_cluster.id
+  task_definition = aws_ecs_task_definition.km_ecs_task.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  load_balancer {
+    target_group_arn = var.elb_target_group_arn
+    container_name   = "km-frontend"
+    container_port   = 80
+  }
+  network_configuration {
+    assign_public_ip = true
+    subnets          = var.private_subnet
+    security_groups  = [ var.elb_sg ]
+  }
+  tags = merge(var.default_tags, {
+  })
+}
+
+resource "aws_cloudwatch_log_group" "km_log_group" {
+  name              = "km_log_group_${var.environment}"
+  retention_in_days = 1
+
+  tags = merge(var.default_tags, {
+    Name = "km_log_group_${var.environment}"
+  })
+}
+
+resource "aws_instance" "km_vm"{
+  ami = data.aws_ami.ubuntu_ami.id
+  instance_type = "t2.micro"
+  vpc_security_group_ids = [ var.elb_sg ]
+  subnet_id = var.public_subnet[0]
+  tags = merge(var.default_tags, {
+    Name = "km_vm_${var.environment}"
+  })
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/compute/task-definitions.json b/terraform/aws/modules/compute/task-definitions.json
new file mode 100644
index 000000000..ec99ccff2
--- /dev/null
+++ b/terraform/aws/modules/compute/task-definitions.json
@@ -0,0 +1,23 @@
+[
+  {
+    "name": "km-frontend",
+    "image": "nginx",
+    "cpu": 256,
+    "memory": 512,
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": 80,
+        "hostPort": 80
+      }
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${LOG_GROUP}",
+        "awslogs-region": "${REGION}",
+        "awslogs-stream-prefix": "km-frontend"
+      }
+    }
+  }
+]
\ No newline at end of file
diff --git a/terraform/aws/modules/compute/variables.tf b/terraform/aws/modules/compute/variables.tf
new file mode 100644
index 000000000..3b2ca2f87
--- /dev/null
+++ b/terraform/aws/modules/compute/variables.tf
@@ -0,0 +1,15 @@
+variable "environment" {
+  description = "the type of environment (dev,staging/prod)"
+}
+
+variable "default_tags" {
+  default     = {}
+  description = "default tags to resources"
+}
+
+variable "region" {}
+variable "elb_target_group_arn" {}
+variable "private_subnet" {}
+variable "public_subnet" {}
+variable "elb_sg" {}
+variable "elb_url" {}
diff --git a/terraform/aws/modules/network/main.tf b/terraform/aws/modules/network/main.tf
new file mode 100644
index 000000000..8510db588
--- /dev/null
+++ b/terraform/aws/modules/network/main.tf
@@ -0,0 +1,180 @@
+data "aws_availability_zones" "available" {}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "km_vpc" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = merge(var.default_tags, {
+    Name = "km_vpc_${var.environment}"
+  })
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "km_ig" {
+  vpc_id = aws_vpc.km_vpc.id
+
+  tags = merge(var.default_tags, {
+    Name = "km_ig_${var.environment}"
+  })
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "km_route" {
+  route_table_id         = aws_vpc.km_vpc.main_route_table_id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.km_ig.id
+}
+
+resource "aws_subnet" "km_private_subnet" {
+  count             = var.az_count
+  cidr_block        = cidrsubnet(aws_vpc.km_vpc.cidr_block, 8, count.index)
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  vpc_id            = aws_vpc.km_vpc.id
+
+  tags = merge(var.default_tags, {
+    Name = "km_private_subnet_${var.environment}"
+  })
+}
+
+# Create var.az_count public subnets, each in a different AZ
+resource "aws_subnet" "km_public_subnet" {
+  count                   = var.az_count
+  cidr_block              = cidrsubnet(aws_vpc.km_vpc.cidr_block, 8, var.az_count + count.index)
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  vpc_id                  = aws_vpc.km_vpc.id
+  map_public_ip_on_launch = true
+
+  tags = merge(var.default_tags, {
+    Name = "km_public_subnet_${var.environment}"
+  })
+}
+
+# Create a NAT gateway with an EIP for each private subnet to get internet connectivity
+resource "aws_eip" "km_eip" {
+  count      = var.az_count
+  vpc        = true
+  depends_on = [aws_internet_gateway.km_ig]
+
+  tags = merge(var.default_tags, {
+    Name = "km_eip_${var.environment}"
+  })
+}
+
+resource "aws_nat_gateway" "km_nat_gateway" {
+  count         = var.az_count
+  subnet_id     = element(aws_subnet.km_public_subnet.*.id, count.index)
+  allocation_id = element(aws_eip.km_eip.*.id, count.index)
+
+  tags = merge(var.default_tags, {
+    Name = "km_nat_gateway_${var.environment}"
+  })
+}
+
+# Create a new route table for the private subnets
+# And make it route non-local traffic through the NAT gateway to the internet
+resource "aws_route_table" "km_route_table" {
+  count  = var.az_count
+  vpc_id = aws_vpc.km_vpc.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = element(aws_nat_gateway.km_nat_gateway.*.id, count.index)
+  }
+
+  tags = merge(var.default_tags, {
+    Name = "km_route_table_${var.environment}"
+  })
+}
+
+# Explicitely associate the newly created route tables to the private subnets (so they don't default to the main route table)
+resource "aws_route_table_association" "km_private_route_table_association" {
+  count          = var.az_count
+  subnet_id      = element(aws_subnet.km_private_subnet.*.id, count.index)
+  route_table_id = element(aws_route_table.km_route_table.*.id, count.index)
+}
+
+### Security
+
+# ALB Security group
+# This is the group you need to edit if you want to restrict access to your application
+resource "aws_security_group" "km_alb_sg" {
+  name        = "km_alb_sg_${var.environment}"
+  description = "controls access to the ALB"
+  vpc_id      = aws_vpc.km_vpc.id
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = 443
+    to_port     = 443
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.default_tags, {})
+}
+
+# Traffic to the ECS Cluster should only come from the ALB
+resource "aws_security_group" "km_ecs_sg" {
+  name        = "km_ecs_sg"
+  description = "allow inbound access from the ALB only"
+  vpc_id      = aws_vpc.km_vpc.id
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = "80"
+    to_port         = "80"
+    security_groups = [aws_security_group.km_alb_sg.id]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.default_tags, {
+    Name = "km_ecs_sg_${var.environment}"
+  })
+}
+
+resource "aws_lb" "km_lb" {
+  name            = "km-lb-${var.environment}"
+  subnets         = aws_subnet.km_public_subnet.*.id
+  security_groups = [aws_security_group.km_alb_sg.id]
+}
+
+resource "aws_lb_target_group" "km_lb_target" {
+  name        = "km-lb-target-group-${var.environment}"
+  port        = 80
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.km_vpc.id
+  target_type = "ip"
+  depends_on = [ aws_lb.km_lb ]
+}
+
+# Redirect all traffic from the ALB to the target group
+resource "aws_lb_listener" "km_frontend_listener" {
+  load_balancer_arn = aws_lb.km_lb.arn
+  port              = "80"
+  protocol          = "HTTP"
+  default_action {
+    target_group_arn = aws_lb_target_group.km_lb_target.arn
+    type             = "forward"
+  }
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/network/output.tf b/terraform/aws/modules/network/output.tf
new file mode 100644
index 000000000..441f123bc
--- /dev/null
+++ b/terraform/aws/modules/network/output.tf
@@ -0,0 +1,23 @@
+output "private_subnet" {
+  value = aws_subnet.km_private_subnet.*.id
+}
+
+output "public_subnet" {
+  value = aws_subnet.km_private_subnet.*.id
+}
+
+output "vpc_id" {
+  value = aws_vpc.km_vpc.id
+}
+
+output "target_lb_group_arn" {
+  value = aws_lb_target_group.km_lb_target.arn
+}
+
+output "target_lb_security_group" {
+  value = aws_security_group.km_alb_sg.id
+}
+
+output "elb_url" {
+  value = "http://${aws_lb.km_lb.dns_name}"
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/network/variables.tf b/terraform/aws/modules/network/variables.tf
new file mode 100644
index 000000000..5a67b6de7
--- /dev/null
+++ b/terraform/aws/modules/network/variables.tf
@@ -0,0 +1,12 @@
+variable "environment" {
+  description = "the type of environment (dev,staging/prod)"
+}
+
+variable "default_tags" {
+  default     = {}
+  description = "default tags to resources"
+}
+
+variable "az_count" {
+  default = 2
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/storage/main.tf b/terraform/aws/modules/storage/main.tf
new file mode 100644
index 000000000..73a6d8f59
--- /dev/null
+++ b/terraform/aws/modules/storage/main.tf
@@ -0,0 +1,121 @@
+resource "aws_db_subnet_group" "km_rds_subnet_grp" {
+  name       = "km_rds_subnet_grp_${var.environment}"
+  subnet_ids = var.private_subnet
+
+  tags = merge(var.default_tags, {
+    Name = "km_rds_subnet_grp_${var.environment}"
+  })
+}
+
+resource "aws_security_group" "km_rds_sg" {
+  name   = "km_rds_sg"
+  vpc_id = var.vpc_id
+
+  tags = merge(var.default_tags, {
+    Name = "km_rds_sg_${var.environment}"
+  })
+
+  # HTTP access from anywhere
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_kms_key" "km_db_kms_key" {
+  description             = "KMS Key for DB instance ${var.environment}"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+
+  tags = merge(var.default_tags, {
+    Name = "km_db_kms_key_${var.environment}"
+  })
+}
+
+resource "aws_db_instance" "km_db" {
+  name                      = "km_db_${var.environment}"
+  allocated_storage         = 20
+  engine                    = "postgres"
+  engine_version            = "10.6"
+  instance_class            = "db.t3.medium"
+  storage_type              = "gp2"
+  password                  = var.db_password
+  username                  = var.db_username
+  vpc_security_group_ids    = [aws_security_group.km_rds_sg.id]
+  db_subnet_group_name      = aws_db_subnet_group.km_rds_subnet_grp.id
+  identifier                = "km-db-${var.environment}"
+  storage_encrypted         = true
+  skip_final_snapshot       = true
+  final_snapshot_identifier = "km-db-${var.environment}-db-destroy-snapshot"
+  kms_key_id                = aws_kms_key.km_db_kms_key.arn
+  tags = merge(var.default_tags, {
+    Name = "km_db_${var.environment}"
+  })
+}
+
+resource "aws_ssm_parameter" "km_ssm_db_host" {
+  name        = "/km-${var.environment}/DB_HOST"
+  description = "Kai Monkey Database"
+  type        = "SecureString"
+  value       = aws_db_instance.km_db.endpoint
+
+  tags = merge(var.default_tags, {})
+}
+
+resource "aws_ssm_parameter" "km_ssm_db_password" {
+  name        = "/km-${var.environment}/DB_PASSWORD"
+  description = "Kai Monkey Database Password"
+  type        = "SecureString"
+  value       = aws_db_instance.km_db.password
+
+  tags = merge(var.default_tags, {})
+}
+
+resource "aws_ssm_parameter" "km_ssm_db_user" {
+  name        = "/km-${var.environment}/DB_USER"
+  description = "Kai Monkey Database Username"
+  type        = "SecureString"
+  value       = aws_db_instance.km_db.username
+
+  tags = merge(var.default_tags, {})
+}
+
+resource "aws_ssm_parameter" "km_ssm_db_name" {
+  name        = "/km-${var.environment}/DB_NAME"
+  description = "Kai Monkey Database Name"
+  type        = "SecureString"
+  value       = aws_db_instance.km_db.name
+
+  tags = merge(var.default_tags, {
+    environment = "${var.environment}"
+  })
+}
+
+resource "aws_s3_bucket" "km_blob_storage" {
+  bucket = "km-blob-storage-${var.environment}"
+  acl    = "private"
+  tags = merge(var.default_tags, {
+    name = "km_blob_storage_${var.environment}"
+  })
+}
+
+resource "aws_s3_bucket" "km_public_blob" {
+  bucket = "km-public-blob"
+}
+
+resource "aws_s3_bucket_public_access_block" "km_public_blob" {
+  bucket = aws_s3_bucket.km_public_blob.id
+
+  block_public_acls   = false
+  block_public_policy = false
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/storage/output.tf b/terraform/aws/modules/storage/output.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/terraform/aws/modules/storage/variables.tf b/terraform/aws/modules/storage/variables.tf
new file mode 100644
index 000000000..303e61928
--- /dev/null
+++ b/terraform/aws/modules/storage/variables.tf
@@ -0,0 +1,16 @@
+variable "environment" {
+  description = "the type of environment (dev,staging/prod)"
+}
+
+variable "default_tags" {
+  default     = {}
+  description = "default tags to resources"
+}
+
+variable "private_subnet" {}
+
+variable "vpc_id" {}
+
+variable "db_username" {}
+
+variable "db_password" {}
diff --git a/terraform/aws/scenarios/ssrf-iam-breach/assets/ssrf_app/app.zip b/terraform/aws/scenarios/ssrf-iam-breach/assets/ssrf_app/app.zip
new file mode 100644
index 000000000..5bb5da100
Binary files /dev/null and b/terraform/aws/scenarios/ssrf-iam-breach/assets/ssrf_app/app.zip differ
diff --git a/terraform/aws/scenarios/ssrf-iam-breach/main.tf b/terraform/aws/scenarios/ssrf-iam-breach/main.tf
new file mode 100644
index 000000000..da437d5a0
--- /dev/null
+++ b/terraform/aws/scenarios/ssrf-iam-breach/main.tf
@@ -0,0 +1,424 @@
+
+
+#IAM Role
+resource "aws_iam_role" "web-app-instance-role" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  description          = "Allows EC2 instances to call AWS services on your behalf."
+  max_session_duration = "3600"
+  name                 = "web-app-role"
+  path                 = "/"
+
+  tags = {
+    name = "demo-instance-1"
+  }
+}
+
+resource "aws_iam_role" "privileged-instance-role" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  description          = "Allows EC2 instances to call AWS services on your behalf."
+  max_session_duration = "3600"
+  name                 = "admin-role-1018"
+  path                 = "/"
+
+  tags = {
+    name = "demo-instance-2"
+  }
+}
+
+#IAM Role policy
+resource "aws_iam_policy" "web-app-instance-policy" {
+  name        = "web-instance-policy"
+  description = "Provides full access to Amazon EC2 via the AWS Management Console"
+  policy      = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": ["ec2:*"],
+            "Effect": "Allow",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": ["elasticloadbalancing:*"],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": ["cloudwatch:*"],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+              "iam:*"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "iam:CreateServiceLinkedRole",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": [
+                        "autoscaling.amazonaws.com",
+                        "ec2scheduled.amazonaws.com",
+                        "elasticloadbalancing.amazonaws.com",
+                        "spot.amazonaws.com",
+                        "spotfleet.amazonaws.com",
+                        "transitgateway.amazonaws.com"
+                    ]
+                }
+            }
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "privileged-instance-policy" {
+  name        = "privileged-instance-policy"
+  description = "Provides full access to AWS services and resources."
+  policy      = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+        "*"
+      ],
+            "Resource": "*"
+        }
+    ]
+}
+POLICY
+}
+
+#IAM Role Policy Attachment
+resource "aws_iam_role_policy_attachment" "privileged-instance-attachment" {
+  policy_arn = aws_iam_policy.privileged-instance-policy.arn
+  role       = aws_iam_role.privileged-instance-role.name
+}
+
+resource "aws_iam_role_policy_attachment" "web-app-instance-attachment" {
+  policy_arn = aws_iam_policy.web-app-instance-policy.arn
+  role       = aws_iam_role.web-app-instance-role.name
+}
+
+#IAM Instance Profile
+resource "aws_iam_instance_profile" "web-app-instance-profile" {
+  name = "web-app-instance-profile"
+  path = "/"
+  role = aws_iam_role.web-app-instance-role.name
+}
+
+resource "aws_iam_instance_profile" "privileged-instance-profile" {
+  name = "privileged-instance-profile"
+  path = "/"
+  role = aws_iam_role.privileged-instance-role.name
+}
+
+resource "aws_vpc" "demo-vpc" {
+  assign_generated_ipv6_cidr_block = "false"
+  cidr_block                       = "10.10.0.0/16"
+  enable_classiclink               = "false"
+  enable_classiclink_dns_support   = "false"
+  enable_dns_hostnames             = "true"
+  enable_dns_support               = "true"
+  instance_tenancy                 = "default"
+
+  tags = {
+    Name = "demo-vpc"
+  }
+}
+
+#internet gateway
+resource "aws_internet_gateway" "demo-igw" {
+  tags = {
+    Name = "demo-igw"
+  }
+
+  vpc_id = aws_vpc.demo-vpc.id
+}
+
+#subnet
+resource "aws_subnet" "subnet-1" {
+  assign_ipv6_address_on_creation = "false"
+  cidr_block                      = "10.10.10.0/24"
+  map_public_ip_on_launch         = "false"
+
+  tags = {
+    Name = "public-subnet-01"
+  }
+
+  vpc_id = aws_vpc.demo-vpc.id
+}
+
+resource "aws_subnet" "subnet-2" {
+  assign_ipv6_address_on_creation = "false"
+  cidr_block                      = "10.10.20.0/24"
+  map_public_ip_on_launch         = "false"
+
+  tags = {
+    Name = "public-subnet-02"
+  }
+
+  vpc_id = aws_vpc.demo-vpc.id
+}
+
+#route table
+resource "aws_route_table" "demo-route-table" {
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.demo-igw.id
+  }
+
+  tags = {
+    Name = "acc-test-route-table"
+  }
+
+  vpc_id = aws_vpc.demo-vpc.id
+}
+
+#route table association
+resource "aws_route_table_association" "subnet-1-association" {
+  route_table_id = aws_route_table.demo-route-table.id
+  subnet_id      = aws_subnet.subnet-1.id
+}
+
+resource "aws_route_table_association" "subnet-2-association" {
+  route_table_id = aws_route_table.demo-route-table.id
+  subnet_id      = aws_subnet.subnet-2.id
+}
+
+#Security Groups
+resource "aws_security_group" "web-app-security-group" {
+  description = "Allow SSH connection"
+
+  egress {
+    cidr_blocks      = ["0.0.0.0/0"]
+    from_port        = 0
+    ipv6_cidr_blocks = ["::/0"]
+    protocol         = "-1"
+    self             = "false"
+    to_port          = 0
+  }
+
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 0
+    protocol    = "tcp"
+    self        = "false"
+    to_port     = 65535
+  }
+
+  ingress {
+    cidr_blocks      = ["0.0.0.0/0"]
+    from_port        = 22
+    ipv6_cidr_blocks = ["::/0"]
+    protocol         = "tcp"
+    self             = "false"
+    to_port          = 22
+  }
+
+  ingress {
+    cidr_blocks      = ["0.0.0.0/0"]
+    from_port        = 80
+    ipv6_cidr_blocks = ["::/0"]
+    protocol         = "tcp"
+    self             = "false"
+    to_port          = 80
+  }
+
+  ingress {
+    cidr_blocks      = ["0.0.0.0/0"]
+    from_port        = 8080
+    ipv6_cidr_blocks = ["::/0"]
+    protocol         = "tcp"
+    self             = "false"
+    to_port          = 8080
+  }
+
+  name   = "ssh-security-group"
+  vpc_id = aws_vpc.demo-vpc.id
+}
+
+#AWS Key pair
+resource "aws_key_pair" "cg-ec2-key-pair" {
+  key_name   = "demo-env"
+  public_key = tls_private_key.ssh_key.public_key_openssh
+}
+
+resource "tls_private_key" "ssh_key" {
+  algorithm = "RSA"
+  rsa_bits  = 2048
+}
+
+resource "local_file" "private_key" {
+  content  = tls_private_key.ssh_key.private_key_pem
+  filename = "accurics-generated-key.pem"
+}
+
+resource "aws_instance" "web-app-instance" {
+  ami                         = "ami-074251216af698218"
+  associate_public_ip_address = "true"
+
+  subnet_id = aws_subnet.subnet-1.id
+
+  vpc_security_group_ids = [aws_security_group.web-app-security-group.id]
+
+  iam_instance_profile = aws_iam_instance_profile.web-app-instance-profile.name
+
+  disable_api_termination = "false"
+  ebs_optimized           = "false"
+
+  enclave_options {
+    enabled = "false"
+  }
+
+  get_password_data  = "false"
+  hibernation        = "false"
+  instance_type      = "t2.micro"
+  ipv6_address_count = "0"
+  key_name           = aws_key_pair.cg-ec2-key-pair.key_name
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_put_response_hop_limit = "1"
+    http_tokens                 = "optional"
+  }
+
+  monitoring = "false"
+  private_ip = "10.10.10.55"
+
+  root_block_device {
+    delete_on_termination = "true"
+    encrypted             = "false"
+    throughput            = "0"
+    volume_size           = "8"
+    volume_type           = "gp2"
+  }
+
+  source_dest_check = "true"
+
+  tags = {
+    Name = "web-app-instance"
+  }
+
+  tenancy = "default"
+
+  provisioner "file" {
+    source      = "./assets/ssrf_app/app.zip"
+    destination = "/home/ubuntu/app.zip"
+    connection {
+      type        = "ssh"
+      user        = "ubuntu"
+      private_key = tls_private_key.ssh_key.private_key_pem
+      host        = self.public_ip
+    }
+  }
+  user_data = <<-EOF
+        #!/bin/bash
+        apt-get update
+        curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
+        DEBIAN_FRONTEND=noninteractive apt-get -y install nodejs unzip
+        npm install http express needle command-line-args
+        cd /home/ubuntu
+        unzip app.zip -d ./app
+        cd app
+        sudo node ssrf-demo-app.js &
+        echo -e "\n* * * * * root node /home/ubuntu/app/ssrf-demo-app.js &\n* * * * * root sleep 10; node /home/ubuntu/app/ssrf-demo-app.js &\n* * * * * root sleep 20; node /home/ubuntu/app/ssrf-demo-app.js &\n* * * * * root sleep 30; node /home/ubuntu/app/ssrf-demo-app.js &\n* * * * * root sleep 40; node /home/ubuntu/app/ssrf-demo-app.js &\n* * * * * root sleep 50; node /home/ubuntu/app/ssrf-demo-app.js &\n" >> /etc/crontab
+        EOF
+
+  volume_tags = {
+    Name = "web-app-instance"
+  }
+
+}
+
+resource "aws_instance" "privileged-instance" {
+  ami                         = "ami-074251216af698218"
+  associate_public_ip_address = "true"
+
+  disable_api_termination = "false"
+  ebs_optimized           = "false"
+
+  enclave_options {
+    enabled = "false"
+  }
+
+  get_password_data    = "false"
+  hibernation          = "false"
+  iam_instance_profile = aws_iam_instance_profile.privileged-instance-profile.name
+  instance_type        = "t2.micro"
+  ipv6_address_count   = "0"
+  key_name             = aws_key_pair.cg-ec2-key-pair.key_name
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_put_response_hop_limit = "1"
+    http_tokens                 = "optional"
+  }
+
+  monitoring = "false"
+  private_ip = "10.10.20.69"
+
+  root_block_device {
+    delete_on_termination = "true"
+    encrypted             = "false"
+    throughput            = "0"
+    volume_size           = "8"
+    volume_type           = "gp2"
+  }
+
+  source_dest_check = "true"
+  subnet_id         = aws_subnet.subnet-2.id
+
+  tags = {
+    Name = "instance-2"
+  }
+
+  tenancy = "default"
+
+  vpc_security_group_ids = [aws_security_group.web-app-security-group.id]
+
+  volume_tags = {
+    Name = "instance-2"
+  }
+
+}
+
+output "public_dns" {
+  description = "List of public DNS names assigned to the instances. For EC2-VPC, this is only available if you've enabled DNS hostnames for your VPC"
+  value       = aws_instance.web-app-instance.public_dns
+}
diff --git a/terraform/aws/scenarios/ssrf-iam-breach/provider.tf b/terraform/aws/scenarios/ssrf-iam-breach/provider.tf
new file mode 100644
index 000000000..71e582b3d
--- /dev/null
+++ b/terraform/aws/scenarios/ssrf-iam-breach/provider.tf
@@ -0,0 +1,4 @@
+
+provider "aws" {
+  region = "us-west-2"
+}
diff --git a/terraform/aws/scenarios/ssrf-iam-breach/variables.tf b/terraform/aws/scenarios/ssrf-iam-breach/variables.tf
new file mode 100644
index 000000000..7f2e914f4
--- /dev/null
+++ b/terraform/aws/scenarios/ssrf-iam-breach/variables.tf
@@ -0,0 +1,8 @@
+#SSH Public Key
+variable "ssh-public-key-for-ec2" {
+  default = "./demo-attack.pub"
+}
+#SSH Private Key
+variable "ssh-private-key-for-ec2" {
+  default = "./demo-attack"
+}
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
new file mode 100644
index 000000000..4548b5006
--- /dev/null
+++ b/terraform/aws/variables.tf
@@ -0,0 +1,21 @@
+variable "environment" {
+  default = "dev"
+  description = "the type of environment (dev,staging/prod)"
+}
+
+variable "region" {
+  default = "us-east-1"
+}
+
+variable "db_username" {
+  default = "kai_monkey_user_ob6RGj"
+}
+
+variable "db_password" {
+  default = "kHJ!4dusp7A#Xf21URhhZ1#"
+}
+
+variable "default_tags" {
+  default     = {}
+  description = "default tags to resources"
+}
\ No newline at end of file