Modernisation Platform Terraform Baselines Module
Terraform module for enabling and configuring the MoJ Security Guidance baseline for AWS accounts, alongside some extra reasonable security, identity and compliance services.
Enabled MoJ Security Guidance configurations
- Security email setting
- GuardDuty
- CloudTrail
- Config and Config rules
- Tagging
- Regions
- Identity and Access Management
- Encryption
- World Access
- SecurityHub
Other enabled configurations
- AWS Backup
- AWS IAM Access Analyzer
- AWS IAM password policy
- AWS IAM role for Support
- EBS encryption
- SecurityHub alarms
- VPC logging for default VPCs
- IMDSv2 by default
Usage
Using the whole module
module "baselines" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines"

  # The module declares one provider alias per region it can configure, so every
  # alias below must be passed even if you only enable services in a few regions.
  providers = {
    aws                    = aws
    aws.replication-region = aws.eu-west-2 # Region to replicate S3 buckets into
    aws.ap-northeast-1     = aws.ap-northeast-1
    aws.ap-northeast-2     = aws.ap-northeast-2
    aws.ap-south-1         = aws.ap-south-1
    aws.ap-southeast-1     = aws.ap-southeast-1
    aws.ap-southeast-2     = aws.ap-southeast-2
    aws.ca-central-1       = aws.ca-central-1
    aws.eu-central-1       = aws.eu-central-1
    aws.eu-north-1         = aws.eu-north-1
    aws.eu-west-1          = aws.eu-west-1
    aws.eu-west-2          = aws.eu-west-2
    aws.eu-west-3          = aws.eu-west-3
    aws.sa-east-1          = aws.sa-east-1
    aws.us-east-1          = aws.us-east-1
    aws.us-east-2          = aws.us-east-2
    aws.us-west-1          = aws.us-west-1
    aws.us-west-2          = aws.us-west-2
  }

  # Enable IAM Access Analyzer in eu-west-2 only; the other enabled_*_regions
  # inputs default to [] and so leave those services unconfigured.
  enabled_access_analyzer_regions = ["eu-west-2"]

  # 12-digit AWS Organisations management (root) account ID (placeholder value)
  root_account_id = "123456789012"

  tags = {}
}
Using parts of the module
You can use the submodules in this repository individually by pointing source at a subdirectory with a double slash (//). A submodule instantiated this way only acts in the region of the provider it is given (the calling region by default); to apply it in other regions, declare one module block per region and pass a different provider alias to each. Each submodule has its own README.
module "ebs-encryption" {
source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs"
}
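As an added example (not code from the module's README), the following applies the EBS encryption submodule in two regions by instantiating it once per provider alias. It assumes the submodule uses the default aws provider and takes no required inputs, as the single-region snippet above suggests; the region names and module labels are illustrative.

```hcl
# Added example: one module block per region, each bound to its own provider alias.
# Assumes modules/ebs needs only an aws provider and no required inputs.

provider "aws" {
  region = "eu-west-2" # default (unaliased) provider: the calling region
}

provider "aws" {
  alias  = "eu-west-1"
  region = "eu-west-1"
}

# Uses the default provider, so EBS encryption by default is set in eu-west-2.
module "ebs-encryption-eu-west-2" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs"
}

# Same submodule, bound to the eu-west-1 alias, so the setting is applied there too.
module "ebs-encryption-eu-west-1" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs"

  providers = {
    aws = aws.eu-west-1
  }
}
```

Because account-level settings such as EBS encryption by default are regional, a region without a corresponding module block stays unconfigured. For production use, pin the source to a released tag or commit with Terraform's ?ref= query parameter so that a change to the upstream branch cannot alter the baseline applied to your account.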
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
root_account_id | The AWS Organisations root account ID that this account should be part of | string | | yes |
tags | Tags to apply to resources, where applicable | map | {} | no |
enabled_access_analyzer_regions | Regions to enable IAM Access Analyzer in | list | [] | no |
enabled_backup_regions | Regions to enable AWS Backup in | list | [] | no |
enabled_config_regions | Regions to enable AWS Config in | list | [] | no |
enabled_ebs_encryption_regions | Regions to enable EBS encryption in | list | [] | no |
enabled_guardduty_regions | Regions to enable GuardDuty in | list | [] | no |
enabled_securityhub_regions | Regions to enable SecurityHub in | list | [] | no |
enabled_vpc_regions | Regions to enable default VPC configuration and VPC Flow Logs in | list | [] | no |
Outputs
None
Looking for issues?
If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.