This module is archived and deprecated. Please use this instead https://github.com/nozaq/terraform-aws-secure-baseline
- Set up IAM Password Policy.
- Create separated IAM roles for defining privileges and assigning them to entities such as IAM users and groups.
- Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
- CloudTrail logs are encrypted using AWS Key Management Service.
- All logs are stored in the S3 bucket with access logging enabled.
- Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enable AWS Config in all regions to automatically take configuration snapshots.
- Enable SecurityHub and subscribe CIS benchmark standard.
- Enable VPC Flow Logs with the default VPC in all regions.
- Enable GuardDuty in all regions.
Alarm-baseline: Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
Name | Description | Type | Default | Required |
---|---|---|---|---|
cloudwatch_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
n/a | yes |
alarm_namespace | The namespace in which all alarms are set up. | string |
n/a | yes |
cloudtrail_log_group_name | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | string |
n/a | yes |
sns_topic_name | The name of the SNS Topic which will be notified when any alarm is performed. | string |
n/a | yes |
tags | Map of tags to assign to aws secuirty model | map(string) |
{} |
no |
Name | Description | Type | Default | Required |
---|---|---|---|---|
cloudtrail_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
n/a | yes |
aws_account_id | The AWS Account ID number of the account. | any |
n/a | yes |
cloudtrail_name | The name of the trail. | string |
n/a | yes |
cloudtrail_sns_topic_name | The sns topic linked to the cloudtrail | string |
n/a | yes |
cloudwatch_logs_retention_in_days | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number |
n/a | yes |
cloud_trail_iam_role_name | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | string |
n/a | yes |
cloud_trail_iam_role_policy_name | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | string |
n/a | yes |
key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | number |
n/a | yes |
s3_bucket_name | The name of the S3 bucket which will store configuration snapshots. | any |
n/a | yes |
s3_key_prefix | The prefix for the specified S3 bucket. | string |
n/a | yes |
is_organization_trail | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | bool |
n/a | yes |
AWS Config-baseline: Enable AWS Config in all regions to automatically take configuration snapshots.
Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_config_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
n/a | yes |
aws_config_iam_role_arn | The ARN of the IAM Role which AWS Config will use. | any |
n/a | yes |
aws_config_sns_topic_name | The name of the SNS Topic to be used to notify configuration changes. | string |
n/a | yes |
delivery_frequency | The frequency which AWS Config sends a snapshot into the S3 bucket. | string |
n/a | yes |
recorder_name | The name of the configuration recorder. | string |
n/a | yes |
delivery_channel_name | The name of the delivery channel. | string |
n/a | yes |
include_global_resource_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | bool |
n/a | yes |
Name | Description | Type | Default | Required |
---|---|---|---|---|
guard_duty_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
true |
no |
disable_email_notification | Boolean whether an email notification is sent to the accounts. | bool |
false |
no |
finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. | string |
"SIX_HOURS" |
no |
invitation_message | Message for invitation. | string |
"This is an automatic invitation message from guardduty-baseline module." |
no |
master_account_id | AWS account ID for master account. | string |
"" |
no |
member_accounts | A list of IDs and emails of AWS accounts which associated as member accounts. | list object( account_id = string , email = string |
[] |
no |
Name | Description | Type | Default | Required |
---|---|---|---|---|
master_iam_role_enabled | Indicate if Terraform will create/update/delete the manager IAM role. | bool |
true |
no |
master_iam_role_name | The name of the IAM Master role. | string |
"IAM-Master" |
no |
master_iam_role_permissions_boundary_arn | Permissions boundary arn to attach to the master IAM role. | string |
"" |
no |
master_iam_role_policy_json | Custom json to use for the role policy. The default allows management of users, groups, and roles. | string |
"" |
no |
master_iam_role_policy_name | The name of the IAM Master role policy. | string |
"IAM-Master-Policy" |
no |
manager_iam_role_enabled | Indicate if Terraform will create/update/delete the manager IAM role. | string |
"true" |
no |
manager_iam_role_name | The name of the IAM Manager role. | string |
"IAM-Manager" |
no |
manager_iam_role_permissions_boundary_arn | Permissions boundary arn to attach to the manager IAM role. | string |
"" |
no |
manager_iam_role_policy_json | Custom json to use for the role policy. The default allows the (dis)association of users and groups. | string |
"" |
no |
manager_iam_role_policy_name | The name of the IAM Manager role policy. | string |
"IAM-Manager-Policy" |
no |
support_iam_role_name | The name of the the support role. | string |
"IAM-Support" |
no |
support_iam_role_permissions_boundary_arn | Permissions boundary arn to attach to the support IAM role. | string |
"" |
no |
support_iam_role_policy_name | The name of the support role policy. | string |
"IAM-Support-Role" |
no |
support_iam_role_principal_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | list(string) |
[] |
no |
max_password_age | The number of days that an user password is valid. | number |
90 |
no |
minimum_password_length | Minimum length to require for user passwords. | number |
14 |
no |
password_reuse_prevention | The number of previous passwords that users are prevented from reusing. | number |
24 |
no |
require_lowercase_characters | Whether to require lowercase characters for user passwords. | bool |
true |
no |
require_numbers | Whether to require numbers for user passwords. | bool |
true |
no |
require_symbols | Whether to require symbols for user passwords. | bool |
true |
no |
require_uppercase_characters | Whether to require uppercase characters for user passwords. | bool |
true |
no |
allow_users_to_change_password | Whether to allow users to change their own password. | bool |
true |
no |
Name | Description | Type | Default | Required |
---|---|---|---|---|
secure_bucket_enabled | A boolean that indicates this module is enabled. Resources are not created if it is set to false. | bool |
true |
no |
secure_log_bucket_name | n/a | any |
n/a | yes |
lifecycle_glacier_transition_days | The number of days after object creation when the object is archived into Glacier. | number |
30 |
no |
force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
SecurityHub and CIS benchmark standard always enabled.
Name | Description | Type | Default | Required |
---|---|---|---|---|
securityhub_pci_standard_enabled | A boolean that indicates PCI DSS standard is enabled. Resources are not created if it is set to false. | bool |
true |
no |
securityhub_aws_standard_enabled | A boolean that indicates AWS Foundational Security Best Practices standard is enabled. Resources are not created if it is set to false. | bool |
true |
no |
Name | Description | Type | Default | Required |
---|---|---|---|---|
vpc_logs_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
true |
no |
vpc_flow_logs_iam_role_arn | The ARN of the IAM Role which will be used by VPC Flow Logs. | string |
"" |
no |
vpc_log_group_name | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | string |
"" |
no |
vpc_log_retention_in_days | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | string |
"" |
no |
Name | Description | Type | Default | Required |
---|---|---|---|---|
eip_attached_rule_enabled | AWS Config rule | bool |
true |
no |
iam_user_no_policies_check_rule_enabled | AWS Config rule | bool |
true |
no |
ec2_instance_managed_by_systems_manager_rule_enabled | AWS Config rule | bool |
true |
no |
default_security_group_closed_check_rule_enabled | AWS Config rule | bool |
true |
no |
sg_atatched_to_eni_rule_enabled | AWS Config rule | bool |
true |
no |
rds_multi_az_support | AWS Config rule | bool |
true |
no |
AWS Config Rule name | Description |
---|---|
eip_attached | A Config rule that checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs). |
iam_user_no_policies_check | Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. |
root_account_mfa_enabled | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. |
s3_bucket_ssl_requests_only | Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL)." |
encrypted-volumes | A Config rule that checks whether the EBS volumes that are in an attached state are encrypted. |
restricted-ssh | A Config rule that checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4. |
restricted-common-ports | A Config rule that checks whether security groups in use do not allow restricted incoming TCP traffic to the specified ports. This rule applies only to IPv4. |
ec2-volume-inuse-check | A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated. |
ebs-snapshot-public-restorable-check | A Config rule that checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with the RestorableByUserIds field is set to all. |
ec2-stopped-instance | A Config rule that checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT if the state of the ec2 instance has been stopped for longer than the allowed number of days. |
ec2-instance-managed-by-systems-manager | A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager. |
vpc-default-security-group-closed | A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not default. The rule is NON_COMPLIANT if the default |
ec2-security-group-attached-to-eni | A Config rule that checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance |
vpc-sg-open-only-to-authorized-ports | A Config rule that checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPCs) allows only specific inbound TCP or UDP traffic. The rule and any security group with inbound 0.0.0.0/0. is NON_COMPLIANT |
s3-bucket-public-read-prohibited | A Config rule that checks that your Amazon S3 buckets do not allow public read access. If an Amazon S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant. |
s3-bucket-public-write-prohibited | A Config rule that checks that your Amazon S3 buckets do not allow public write access. If an Amazon S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant. |
s3-bucket-server-side-encryption-enabled | A Config rule that checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption. |
rds-instance-public-access-check | A config rule that checks whether the Amazon Relational Database Service instances are not publicaly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item. |
db-instance-backup-enabled | A config rule that checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window. |
rds-snapshots-public-prohibited | A Config rule that checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public. |
rds-multi-az-support | A Config rule that checks whether high availability is enabled for your RDS DB instances. (Note: This rule does not evaluate Amazon Aurora databases.) |
rds-storage-encrypted | A Config rule that checks whether storage encryption is enabled for your RDS DB instances. |
rds_vpc_public_subnet | A Config rule that checks that no RDS Instances are in Public Subnet. |
rds_snapshots | A Config rule that checks that no RDS Instances is having snapshots older than day. |
Generates report in CSV format into specified S3 bucket and sends SNS notification.
Name | Description | Type | Default | Required |
---|---|---|---|---|
iam_credentials_report_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
false |
no |
iam_credentials_sns_topic_arn | ARN of SNS Topic to be used to notify IAM credentials report result. | string |
"" |
yes |
iam_credentials_s3_bucket_name | The name of the S3 Bucket to be used to save IAM credentials report result. | string |
IamGenerateIamReport |
no |
iam_credentials_s3_file_name | The name of the file in S3 Bucket to be used to save IAM credentials report result. | string |
iam_credentials_report.csv |
no |
Generates non-compliant config rules report and sends SNS notification with details.
Name | Description | Type | Default | Required |
---|---|---|---|---|
config_rules_report_enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | bool |
false |
no |
config_rules_sns_topic_arn | ARN of SNS Topic to be used to notify config rules report result. | string |
"" |
yes |
Custom config rules checking RDS via lambda functions.
Name | Description | Type | Default | Required |
---|---|---|---|---|
custom_lambda_vpc_\security_group_ids | The list of custom lambda VPC security group ids. | list(string) |
[] |
no |
custom_lambda_vpc_\private_subnets | The list of custom lambda VPC private subnets. | list(string) |
[] |
no |
No output.
-
Basic: Terraform module which includes
- AWS Config with rules
- CloudTrail
- CloudWatch
- SecurityHub
-
Complex: Terraform module which includes all security modules
Currently maintained by these contributors.
MIT License. See LICENSE for full details.