nozaq / Terraform Aws Secure Baseline
Licence: mit
Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
Stars: ✭ 596
Projects that are alternatives of or similar to Terraform Aws Secure Baseline
Terraform Modules
Reusable Terraform modules
Stars: ✭ 63 (-89.43%)
Mutual labels: aws, terraform, hcl, devops
Terraform Aws Couchbase
Reusable infrastructure modules for running Couchbase on AWS
Stars: ✭ 73 (-87.75%)
Mutual labels: aws, terraform, hcl, devops
Terratag
Terratag is a CLI tool that enables users of Terraform to automatically create and maintain tags across their entire set of AWS, Azure, and GCP resources
Stars: ✭ 385 (-35.4%)
Mutual labels: aws, terraform, hcl, devops
Prowler
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, ISO27001, GDPR, HIPAA, SOC2, ENS and other security frameworks.
Stars: ✭ 4,561 (+665.27%)
Mutual labels: aws, security-tools, security-hardening, hardening
Lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
Stars: ✭ 9,137 (+1433.05%)
Mutual labels: devops, security-tools, security-hardening, hardening
Terraform
Terraform automation for Cloud
Stars: ✭ 121 (-79.7%)
Mutual labels: aws, terraform, hcl, devops
Terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Stars: ✭ 2,687 (+350.84%)
Mutual labels: aws, terraform, devops, security-tools
Ecs Pipeline
☁️ 🐳 ⚡️ 🚀 Create environment and deployment pipelines to ECS Fargate with CodePipeline, CodeBuild and Github using Terraform
Stars: ✭ 85 (-85.74%)
Mutual labels: aws, terraform, hcl, devops
Intro To Terraform
Sample code for the blog post series "A Comprehensive Guide to Terraform."
Stars: ✭ 550 (-7.72%)
Mutual labels: aws, terraform, hcl, devops
Vishwakarma
Terraform modules to create a self-hosting Kubernetes cluster on opinionated Cloud Platform.
Stars: ✭ 127 (-78.69%)
Mutual labels: aws, terraform, hcl, devops
Electriceye
Continuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability. All results will be sent to Security Hub for further aggregation and analysis.
Stars: ✭ 255 (-57.21%)
Mutual labels: aws, terraform, security-tools, security-hardening
Iam Policy Json To Terraform
Small tool to convert an IAM Policy in JSON format into a Terraform aws_iam_policy_document
Stars: ✭ 282 (-52.68%)
Mutual labels: aws, terraform, hcl
Infrastructure As Code Training
Materials for learning how to use infrastructure-as-code
Stars: ✭ 268 (-55.03%)
Mutual labels: aws, terraform, devops
Terraform Aws Gitlab Runner
Terraform module for AWS GitLab runners on ec2 (spot) instances
Stars: ✭ 292 (-51.01%)
Mutual labels: aws, terraform, hcl
Terraform Examples
Terraform samples for all the major clouds you can copy and paste. The future, co-created.
Stars: ✭ 256 (-57.05%)
Mutual labels: aws, terraform, hcl
Terraform Ecs Fargate
A Terraform template used for provisioning web application stacks on AWS ECS Fargate
Stars: ✭ 293 (-50.84%)
Mutual labels: aws, terraform, hcl
terraform-aws-secure-baseline
A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.3.0 and AWS Foundational Security Best Practices v1.0.0.
See Benchmark Compliance to check which items in various benchmarks are covered.
Features
Identity and Access Management
- Set up IAM Password Policy.
- Create an IAM role for contacting AWS support for incident handling.
- Enable AWS Config rules to audit root account status.
- Enable IAM Access Analyzer in each region.
Logging & Monitoring
- Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
- Object-level logging for all S3 buckets is enabled by default.
- CloudTrail logs are encrypted using AWS Key Management Service.
- All logs are stored in the S3 bucket with access logging enabled.
- Logs are automatically archived into Amazon Glacier after the given period(defaults to 90 days).
- Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enable AWS Config in each regions to automatically take configuration snapshots.
- Enable SecurityHub and subscribe available standards.
- Enable GuardDuty in each regions.
Networking & Computing
- Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
- Enable AWS Config rules to audit unrestricted common ports in Security Group rules.
- Enable VPC Flow Logs with the default VPC in all regions.
- Enable default EBS encryption for newly created volumes.
Usage
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
module "secure_baseline" {
source = "nozaq/secure-baseline/aws"
audit_log_bucket_name = "YOUR_BUCKET_NAME"
aws_account_id = data.aws_caller_identity.current.account_id
region = data.aws_region.current.name
support_iam_role_principal_arns = ["YOUR_IAM_USER"]
providers = {
aws = aws
aws.ap-northeast-1 = aws.ap-northeast-1
aws.ap-northeast-2 = aws.ap-northeast-2
aws.ap-northeast-3 = aws.ap-northeast-3
aws.ap-south-1 = aws.ap-south-1
aws.ap-southeast-1 = aws.ap-southeast-1
aws.ap-southeast-2 = aws.ap-southeast-2
aws.ca-central-1 = aws.ca-central-1
aws.eu-central-1 = aws.eu-central-1
aws.eu-north-1 = aws.eu-north-1
aws.eu-west-1 = aws.eu-west-1
aws.eu-west-2 = aws.eu-west-2
aws.eu-west-3 = aws.eu-west-3
aws.sa-east-1 = aws.sa-east-1
aws.us-east-1 = aws.us-east-1
aws.us-east-2 = aws.us-east-2
aws.us-west-1 = aws.us-west-1
aws.us-west-2 = aws.us-west-2
}
}
Check the example to understand how these providers are defined. Note that you need to define a provider for each AWS region and pass them to the module. Currently this is the recommended way to handle multiple regions in one module. Detailed information can be found at Providers within Modules - Terraform Docs.
A new S3 bucket to store audit logs is automatically created by default, while the external S3 bucket can be specified. It is useful when you already have a centralized S3 bucket to store all logs. Please see external-bucket example for more detail.
Managing multiple accounts in AWS Organization
When you have multiple AWS accounts in your AWS Organization, secure-baseline module configures the separated environment for each AWS account. You can change this behavior to centrally manage security information and audit logs from all accounts in one master account.
Check organization example for more detail.
Submodules
This module is composed of several submodules and each of which can be used independently. Modules in Package Sub-directories - Terraform describes how to source a submodule.
- alarm-baseline
- analyzer-baseline
- cloudtrail-baseline
- config-baseline
- ebs-baseline
- guardduty-baseline
- iam-baseline
- secure-bucket
- securityhub-baseline
- vpc-baseline
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.12 |
| aws | >= 3.0.0 |
Providers
| Name | Version |
|---|---|
| aws | >= 3.0.0 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_type | The type of the AWS account. The possible values are individual, master and member . Specify master and member to set up centalized logging for multiple accounts in AWS Organization. Use individualotherwise.
|
string |
"individual" |
no |
| alarm_namespace | The namespace in which all alarms are set up. | string |
"CISBenchmark" |
no |
| alarm_sns_topic_name | The name of the SNS Topic which will be notified when any alarm is performed. | string |
"CISAlarm" |
no |
| allow_users_to_change_password | Whether to allow users to change their own password. | bool |
true |
no |
| analyzer_name | The name for the IAM Access Analyzer resource to be created. | string |
"default-analyer" |
no |
| audit_log_bucket_custom_policy_json | Override policy for the audit log bucket. Allows addition of extra policies. | string |
"{}" |
no |
| audit_log_bucket_force_destroy | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
| audit_log_bucket_name | The name of the S3 bucket to store various audit logs. | any |
n/a | yes |
| audit_log_lifecycle_glacier_transition_days | The number of days after log creation when the log file is archived into Glacier. | number |
90 |
no |
| aws_account_id | The AWS Account ID number of the account. | any |
n/a | yes |
| cloudtrail_cloudwatch_logs_enabled | Specifies whether the trail is delivered to CloudWatch Logs. | bool |
true |
no |
| cloudtrail_cloudwatch_logs_group_name | The name of CloudWatch Logs group to which CloudTrail events are delivered. | string |
"cloudtrail-multi-region" |
no |
| cloudtrail_iam_role_name | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | string |
"CloudTrail-CloudWatch-Delivery-Role" |
no |
| cloudtrail_iam_role_policy_name | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | string |
"CloudTrail-CloudWatch-Delivery-Policy" |
no |
| cloudtrail_key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | number |
10 |
no |
| cloudtrail_name | The name of the trail. | string |
"cloudtrail-multi-region" |
no |
| cloudtrail_s3_key_prefix | The prefix used when CloudTrail delivers events to the S3 bucket. | string |
"cloudtrail" |
no |
| cloudtrail_s3_object_level_logging_buckets | The list of S3 bucket ARNs on which to enable object-level logging. | list |
[ |
no |
| cloudtrail_sns_topic_enabled | Specifies whether the trail is delivered to a SNS topic. | bool |
true |
no |
| cloudtrail_sns_topic_name | The name of the SNS topic to link to the trail. | string |
"cloudtrail-multi-region-sns-topic" |
no |
| cloudwatch_logs_retention_in_days | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number |
365 |
no |
| config_aggregator_name | The name of the organizational AWS Config Configuration Aggregator. | string |
"organization-aggregator" |
no |
| config_aggregator_name_prefix | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | string |
"config-for-organization-role" |
no |
| config_delivery_frequency | The frequency which AWS Config sends a snapshot into the S3 bucket. | string |
"One_Hour" |
no |
| config_iam_role_name | The name of the IAM Role which AWS Config will use. | string |
"Config-Recorder" |
no |
| config_iam_role_policy_name | The name of the IAM Role Policy which AWS Config will use. | string |
"Config-Recorder-Policy" |
no |
| config_s3_bucket_key_prefix | The prefix used when writing AWS Config snapshots into the S3 bucket. | string |
"config" |
no |
| config_sns_topic_name | The name of the SNS Topic to be used to notify configuration changes. | string |
"ConfigChanges" |
no |
| create_manager_role | Define if the manager role should be created. | bool |
true |
no |
| create_master_role | Define if the master role should be created. | bool |
true |
no |
| create_password_policy | Define if the password policy should be created. | bool |
true |
no |
| create_support_role | Define if the support role should be created. | bool |
true |
no |
| guardduty_disable_email_notification | Boolean whether an email notification is sent to the accounts. | bool |
false |
no |
| guardduty_finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. | string |
"SIX_HOURS" |
no |
| guardduty_invitation_message | Message for invitation. | string |
"This is an automatic invitation message from guardduty-baseline module." |
no |
| manager_iam_role_name | The name of the IAM Manager role. | string |
"IAM-Manager" |
no |
| manager_iam_role_policy_name | The name of the IAM Manager role policy. | string |
"IAM-Manager-Policy" |
no |
| master_account_id | The ID of the master AWS account to which the current AWS account is associated. Required if account_type is member. |
string |
"" |
no |
| master_iam_role_name | The name of the IAM Master role. | string |
"IAM-Master" |
no |
| master_iam_role_policy_name | The name of the IAM Master role policy. | string |
"IAM-Master-Policy" |
no |
| max_password_age | The number of days that an user password is valid. | number |
90 |
no |
| member_accounts | A list of IDs and emails of AWS accounts which associated as member accounts. | list(object({ |
[] |
no |
| minimum_password_length | Minimum length to require for user passwords. | number |
14 |
no |
| password_reuse_prevention | The number of previous passwords that users are prevented from reusing. | number |
24 |
no |
| region | The AWS region in which global resources are set up. | any |
n/a | yes |
| require_lowercase_characters | Whether to require lowercase characters for user passwords. | bool |
true |
no |
| require_numbers | Whether to require numbers for user passwords. | bool |
true |
no |
| require_symbols | Whether to require symbols for user passwords. | bool |
true |
no |
| require_uppercase_characters | Whether to require uppercase characters for user passwords. | bool |
true |
no |
| securityhub_enable_aws_foundational_standard | Boolean whether AWS Foundations standard is enabled. | bool |
true |
no |
| securityhub_enable_cis_standard | Boolean whether CIS standard is enabled. | bool |
true |
no |
| securityhub_enable_pci_dss_standard | Boolean whether PCI DSS standard is enabled. | bool |
false |
no |
| support_iam_role_name | The name of the the support role. | string |
"IAM-Support" |
no |
| support_iam_role_policy_name | The name of the support role policy. | string |
"IAM-Support-Role" |
no |
| support_iam_role_principal_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | list(any) |
n/a | yes |
| tags | Specifies object tags key and value. This applies to all resources created by this module. | map |
{} |
no |
| target_regions | A list of regions to set up with this module. | list |
[ |
no |
| use_external_audit_log_bucket | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | bool |
false |
no |
| vpc_enable_flow_logs | The boolean flag whether to enable VPC Flow Logs in default VPCs | bool |
true |
no |
| vpc_flow_logs_destination_type | The type of the logging destination. Valid values: cloud-watch-logs, s3 | string |
"cloud-watch-logs" |
no |
| vpc_flow_logs_log_group_name | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | string |
"default-vpc-flow-logs" |
no |
| vpc_flow_logs_retention_in_days | Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number |
365 |
no |
| vpc_flow_logs_s3_arn | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3. | string |
"" |
no |
| vpc_flow_logs_s3_key_prefix | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | string |
"flow-logs" |
no |
| vpc_iam_role_name | The name of the IAM Role which VPC Flow Logs will use. | string |
"VPC-Flow-Logs-Publisher" |
no |
| vpc_iam_role_policy_name | The name of the IAM Role Policy which VPC Flow Logs will use. | string |
"VPC-Flow-Logs-Publish-Policy" |
no |
Outputs
| Name | Description |
|---|---|
| alarm_sns_topic | The SNS topic to which CloudWatch Alarms will be sent. |
| audit_bucket | The S3 bucket used for storing audit logs. |
| cloudtrail | The trail for recording events in all regions. |
| cloudtrail_kms_key | The KMS key used for encrypting CloudTrail events. |
| cloudtrail_log_delivery_iam_role | The IAM role used for delivering CloudTrail events to CloudWatch Logs. |
| cloudtrail_log_group | The CloudWatch Logs log group which stores CloudTrail events. |
| cloudtrail_sns_topic | The sns topic linked to the cloudtrail. |
| config_configuration_recorder | The configuration recorder in each region. |
| config_iam_role | The IAM role used for delivering AWS Config records to CloudWatch Logs. |
| config_sns_topic | The SNS topic that AWS Config delivers notifications to. |
| default_network_acl | The default network ACL. |
| default_route_table | The default route table. |
| default_security_group | The ID of the default security group. |
| default_vpc | The default VPC. |
| guardduty_detector | The GuardDuty detector in each region. |
| support_iam_role | The IAM role used for the support user. |
| vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs in each region. |
| vpc_flow_logs_iam_role | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |
Compatibility
- Starting from v0.20, this module requires Terraform Provider for AWS v3.0 or later. Please use v0.19 if you need to use v2.x or earlier.
- Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].