terraform-aws-secure-baseline

A Terraform module to set up your AWS account with a reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.4.0 and AWS Foundational Security Best Practices v1.0.0.

See Benchmark Compliance to check which items in various benchmarks are covered.

Features

Identity and Access Management

Logging & Monitoring

Networking & Computing

Usage

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

module "secure_baseline" {
  source = "nozaq/secure-baseline/aws"

  audit_log_bucket_name           = "YOUR_BUCKET_NAME"
  aws_account_id                  = data.aws_caller_identity.current.account_id
  region                          = data.aws_region.current.name
  support_iam_role_principal_arns = ["YOUR_IAM_USER"]

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}
```

Check the example to understand how these providers are defined. Note that you need to define a provider for each AWS region and pass them to the module. Currently this is the recommended way to handle multiple regions in one module. Detailed information can be found at Providers within Modules - Terraform Docs.

By default a new S3 bucket for audit logs is created automatically; alternatively, an existing external S3 bucket can be specified. This is useful when you already have a centralized S3 bucket that collects all logs. See the external-bucket example for more detail.

Managing multiple accounts in AWS Organization

When you have multiple AWS accounts in your AWS Organization, the secure-baseline module configures a separate, self-contained environment in each account by default. You can change this behavior so that security information and audit logs from all accounts are managed centrally in one master account. Check the organization example for more detail.
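The master/member split described above, combined with the external-bucket option from the previous section, as an added example (not the project's organization example). The two module blocks belong in two separate root modules, one applied with the master account's credentials and one with the member's, and are shown side by side only to contrast their inputs. Account IDs, e-mail addresses, role ARNs and the bucket name are placeholders. Pointing the member at the master's bucket through `use_external_audit_log_bucket` is an assumption about how the pieces fit together; verify it against the organization example before relying on it. The `providers` map is written out in full because the module requires every region listed in the usage block.

```hcl
# Added example, not the project's organization example. Two root modules
# (master and member) shown together for comparison; all IDs are placeholders.

# --- Master account root module: owns the centralized audit log bucket and
# --- registers the member accounts whose logs and findings are aggregated here.
module "secure_baseline_master" {
  source = "nozaq/secure-baseline/aws"

  account_type                    = "master"
  audit_log_bucket_name           = "org-audit-logs-PLACEHOLDER"
  aws_account_id                  = "111111111111" # placeholder master account ID
  region                          = "us-east-1"
  support_iam_role_principal_arns = ["arn:aws:iam::111111111111:role/SecurityAdmin"] # placeholder

  member_accounts = [
    { account_id = "222222222222", email = "aws-member@example.com" }, # placeholder
  ]

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}

# --- Member account root module (applied with the member's own credentials):
# --- reports to the master and, by assumption, writes audit logs into the
# --- master's existing bucket instead of creating a bucket of its own.
module "secure_baseline_member" {
  source = "nozaq/secure-baseline/aws"

  account_type                    = "member"
  master_account_id               = "111111111111" # placeholder, must match the master
  aws_account_id                  = "222222222222" # placeholder member account ID
  region                          = "us-east-1"
  support_iam_role_principal_arns = ["arn:aws:iam::222222222222:role/SecurityAdmin"] # placeholder

  use_external_audit_log_bucket = true
  audit_log_bucket_name         = "org-audit-logs-PLACEHOLDER" # master's bucket (assumption)

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}
```

Apply the master first so that the bucket and the member registrations exist before any member runs. Keep `master_account_id` and the shared bucket name identical across all member root modules; a mismatch in either leaves that member logging into a bucket nobody monitors.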

Submodules

This module is composed of several submodules, each of which can be used independently. Modules in Package Sub-directories - Terraform describes how to source a submodule.

Compatibility

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.1.4 |
| <a name="requirement_aws"></a> aws | >= 4.3 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | >= 4.3 |

Inputs

| Name | Description | Type | Required |
|------|-------------|------|:--------:|
| <a name="input_audit_log_bucket_name"></a> audit_log_bucket_name | The name of the S3 bucket to store various audit logs. | `string` | yes |
| <a name="input_aws_account_id"></a> aws_account_id | The AWS Account ID number of the account. | `string` | yes |
| <a name="input_region"></a> region | The AWS region in which global resources are set up. | `string` | yes |
| <a name="input_support_iam_role_principal_arns"></a> support_iam_role_principal_arns | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes |
| <a name="input_account_type"></a> account_type | The type of the AWS account. The possible values are individual, master and member. Specify master and member to set up centralized logging for multiple accounts in AWS Organization. Use individual otherwise. | `string` | no |
| <a name="input_alarm_baseline_enabled"></a> alarm_baseline_enabled | Boolean whether alarm-baseline is enabled. | `bool` | no |
| <a name="input_alarm_namespace"></a> alarm_namespace | The namespace in which all alarms are set up. | `string` | no |
| <a name="input_alarm_sns_topic_kms_master_key_id"></a> alarm_sns_topic_kms_master_key_id | To enable SNS Topic encryption, enter the ID of a custom master KMS key that is used for encryption. | `string` | no |
| <a name="input_alarm_sns_topic_name"></a> alarm_sns_topic_name | The name of the SNS Topic which will be notified when any alarm fires. | `string` | no |
| <a name="input_allow_users_to_change_password"></a> allow_users_to_change_password | Whether to allow users to change their own password. | `bool` | no |
| <a name="input_analyzer_baseline_enabled"></a> analyzer_baseline_enabled | Boolean whether analyzer-baseline is enabled. | `bool` | no |
| <a name="input_analyzer_name"></a> analyzer_name | The name for the IAM Access Analyzer resource to be created. | `string` | no |
| <a name="input_audit_log_bucket_access_logs_name"></a> audit_log_bucket_access_logs_name | The name of the S3 bucket to store various audit logs. | `string` | no |
| <a name="input_audit_log_bucket_custom_policy_json"></a> audit_log_bucket_custom_policy_json | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no |
| <a name="input_audit_log_bucket_force_destroy"></a> audit_log_bucket_force_destroy | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
| <a name="input_audit_log_bucket_key_enabled"></a> audit_log_bucket_key_enabled | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no |
| <a name="input_audit_log_lifecycle_glacier_transition_days"></a> audit_log_lifecycle_glacier_transition_days | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no |
| <a name="input_aws_config_changes_enabled"></a> aws_config_changes_enabled | The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_cloudtrail_baseline_enabled"></a> cloudtrail_baseline_enabled | Boolean whether cloudtrail-baseline is enabled. | `bool` | no |
| <a name="input_cloudtrail_cfg_changes_enabled"></a> cloudtrail_cfg_changes_enabled | The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_cloudtrail_cloudwatch_logs_enabled"></a> cloudtrail_cloudwatch_logs_enabled | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no |
| <a name="input_cloudtrail_cloudwatch_logs_group_name"></a> cloudtrail_cloudwatch_logs_group_name | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no |
| <a name="input_cloudtrail_dynamodb_event_logging_tables"></a> cloudtrail_dynamodb_event_logging_tables | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no |
| <a name="input_cloudtrail_iam_role_name"></a> cloudtrail_iam_role_name | The name of the IAM Role to be used by CloudTrail to deliver logs to the CloudWatch Logs group. | `string` | no |
| <a name="input_cloudtrail_iam_role_policy_name"></a> cloudtrail_iam_role_policy_name | The name of the IAM Role Policy to be used by CloudTrail to deliver logs to the CloudWatch Logs group. | `string` | no |
| <a name="input_cloudtrail_key_deletion_window_in_days"></a> cloudtrail_key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. Defaults to 30 days. | `number` | no |
| <a name="input_cloudtrail_lambda_invocation_logging_lambdas"></a> cloudtrail_lambda_invocation_logging_lambdas | The list of Lambda ARNs on which to enable invocation logging. | `list(string)` | no |
| <a name="input_cloudtrail_name"></a> cloudtrail_name | The name of the trail. | `string` | no |
| <a name="input_cloudtrail_s3_key_prefix"></a> cloudtrail_s3_key_prefix | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no |
| <a name="input_cloudtrail_s3_object_level_logging_buckets"></a> cloudtrail_s3_object_level_logging_buckets | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no |
| <a name="input_cloudtrail_sns_topic_enabled"></a> cloudtrail_sns_topic_enabled | Specifies whether the trail is delivered to an SNS topic. | `bool` | no |
| <a name="input_cloudtrail_sns_topic_name"></a> cloudtrail_sns_topic_name | The name of the SNS topic to link to the trail. | `string` | no |
| <a name="input_cloudwatch_logs_retention_in_days"></a> cloudwatch_logs_retention_in_days | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no |
| <a name="input_config_aggregator_name"></a> config_aggregator_name | The name of the organizational AWS Config Configuration Aggregator. | `string` | no |
| <a name="input_config_aggregator_name_prefix"></a> config_aggregator_name_prefix | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no |
| <a name="input_config_baseline_enabled"></a> config_baseline_enabled | Boolean whether config-baseline is enabled. | `bool` | no |
| <a name="input_config_delivery_frequency"></a> config_delivery_frequency | The frequency with which AWS Config sends a snapshot into the S3 bucket. | `string` | no |
| <a name="input_config_global_resources_all_regions"></a> config_global_resources_all_regions | Record global resources in all regions. If false, only the default region will record global resources. | `bool` | no |
| <a name="input_config_iam_role_name"></a> config_iam_role_name | The name of the IAM Role which AWS Config will use. | `string` | no |
| <a name="input_config_iam_role_policy_name"></a> config_iam_role_policy_name | The name of the IAM Role Policy which AWS Config will use. | `string` | no |
| <a name="input_config_s3_bucket_key_prefix"></a> config_s3_bucket_key_prefix | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | no |
| <a name="input_config_sns_topic_kms_master_key_id"></a> config_sns_topic_kms_master_key_id | To enable SNS Topic encryption, enter the ID of a custom master KMS key that is used for encryption. | `string` | no |
| <a name="input_config_sns_topic_name"></a> config_sns_topic_name | The name of the SNS Topic to be used to notify configuration changes. | `string` | no |
| <a name="input_console_signin_failures_enabled"></a> console_signin_failures_enabled | The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_create_password_policy"></a> create_password_policy | Define if the password policy should be created. | `bool` | no |
| <a name="input_create_support_role"></a> create_support_role | Define if the support role should be created. | `bool` | no |
| <a name="input_disable_or_delete_cmk_enabled"></a> disable_or_delete_cmk_enabled | The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_guardduty_disable_email_notification"></a> guardduty_disable_email_notification | Boolean whether an email notification is sent to the accounts. | `bool` | no |
| <a name="input_guardduty_enabled"></a> guardduty_enabled | Boolean whether the guardduty-baseline module is enabled or disabled. | `bool` | no |
| <a name="input_guardduty_finding_publishing_frequency"></a> guardduty_finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no |
| <a name="input_guardduty_invitation_message"></a> guardduty_invitation_message | Message for invitation. | `string` | no |
| <a name="input_iam_baseline_enabled"></a> iam_baseline_enabled | Boolean whether iam-baseline is enabled. | `bool` | no |
| <a name="input_iam_changes_enabled"></a> iam_changes_enabled | The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_master_account_id"></a> master_account_id | The ID of the master AWS account to which the current AWS account is associated. Required if account_type is member. | `string` | no |
| <a name="input_max_password_age"></a> max_password_age | The number of days that a user password is valid. | `number` | no |
| <a name="input_member_accounts"></a> member_accounts | A list of IDs and emails of AWS accounts which are associated as member accounts. | <pre>list(object({<br> account_id = string<br> email = string<br> }))</pre> | no |
| <a name="input_mfa_console_signin_allow_sso"></a> mfa_console_signin_allow_sso | The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored. | `bool` | no |
| <a name="input_minimum_password_length"></a> minimum_password_length | Minimum length to require for user passwords. | `number` | no |
| <a name="input_nacl_changes_enabled"></a> nacl_changes_enabled | The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_network_gw_changes_enabled"></a> network_gw_changes_enabled | The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_no_mfa_console_signin_enabled"></a> no_mfa_console_signin_enabled | The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_organizations_changes_enabled"></a> organizations_changes_enabled | The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_password_reuse_prevention"></a> password_reuse_prevention | The number of previous passwords that users are prevented from reusing. | `number` | no |
| <a name="input_permissions_boundary_arn"></a> permissions_boundary_arn | The permissions boundary ARN for all IAM Roles provisioned by this module. | `string` | no |
| <a name="input_require_lowercase_characters"></a> require_lowercase_characters | Whether to require lowercase characters for user passwords. | `bool` | no |
| <a name="input_require_numbers"></a> require_numbers | Whether to require numbers for user passwords. | `bool` | no |
| <a name="input_require_symbols"></a> require_symbols | Whether to require symbols for user passwords. | `bool` | no |
| <a name="input_require_uppercase_characters"></a> require_uppercase_characters | Whether to require uppercase characters for user passwords. | `bool` | no |
| <a name="input_root_usage_enabled"></a> root_usage_enabled | The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_route_table_changes_enabled"></a> route_table_changes_enabled | The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_s3_baseline_enabled"></a> s3_baseline_enabled | Boolean whether s3-baseline is enabled. | `bool` | no |
| <a name="input_s3_block_public_acls"></a> s3_block_public_acls | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no |
| <a name="input_s3_block_public_policy"></a> s3_block_public_policy | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no |
| <a name="input_s3_bucket_policy_changes_enabled"></a> s3_bucket_policy_changes_enabled | The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_s3_ignore_public_acls"></a> s3_ignore_public_acls | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no |
| <a name="input_s3_restrict_public_buckets"></a> s3_restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no |
| <a name="input_security_group_changes_enabled"></a> security_group_changes_enabled | The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_securityhub_enable_aws_foundational_standard"></a> securityhub_enable_aws_foundational_standard | Boolean whether the AWS Foundations standard is enabled. | `bool` | no |
| <a name="input_securityhub_enable_cis_standard"></a> securityhub_enable_cis_standard | Boolean whether the CIS standard is enabled. | `bool` | no |
| <a name="input_securityhub_enable_pci_dss_standard"></a> securityhub_enable_pci_dss_standard | Boolean whether the PCI DSS standard is enabled. | `bool` | no |
| <a name="input_securityhub_enable_product_arns"></a> securityhub_enable_product_arns | List of Security Hub product ARNs; `<REGION>` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for the list. | `list(string)` | no |
| <a name="input_securityhub_enabled"></a> securityhub_enabled | Boolean whether the securityhub-baseline module is enabled or disabled. | `bool` | no |
| <a name="input_support_iam_role_name"></a> support_iam_role_name | The name of the support role. | `string` | no |
| <a name="input_tags"></a> tags | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no |
| <a name="input_target_regions"></a> target_regions | A list of regions to set up with this module. | `list(string)` | no |
| <a name="input_turn_off_organization_trail"></a> turn_off_organization_trail | Specifies whether to disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no |
| <a name="input_unauthorized_api_calls_enabled"></a> unauthorized_api_calls_enabled | The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_use_external_audit_log_bucket"></a> use_external_audit_log_bucket | A boolean that indicates whether the specified audit log bucket already exists. A new S3 bucket is created if it is set to false. | `bool` | no |
| <a name="input_vpc_changes_enabled"></a> vpc_changes_enabled | The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_vpc_enable"></a> vpc_enable | Boolean whether the VPC baseline module should be enabled. | `bool` | no |
| <a name="input_vpc_enable_flow_logs"></a> vpc_enable_flow_logs | The boolean flag whether to enable VPC Flow Logs in default VPCs. | `bool` | no |
| <a name="input_vpc_flow_logs_destination_type"></a> vpc_flow_logs_destination_type | The type of the logging destination. Valid values: cloud-watch-logs, s3. | `string` | no |
| <a name="input_vpc_flow_logs_log_group_name"></a> vpc_flow_logs_log_group_name | The name of the CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no |
| <a name="input_vpc_flow_logs_retention_in_days"></a> vpc_flow_logs_retention_in_days | Number of days to retain logs if vpc_flow_logs_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no |
| <a name="input_vpc_flow_logs_s3_arn"></a> vpc_flow_logs_s3_arn | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_flow_logs_destination_type is s3. | `string` | no |
| <a name="input_vpc_flow_logs_s3_key_prefix"></a> vpc_flow_logs_s3_key_prefix | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no |
| <a name="input_vpc_iam_role_name"></a> vpc_iam_role_name | The name of the IAM Role which VPC Flow Logs will use. | `string` | no |
| <a name="input_vpc_iam_role_policy_name"></a> vpc_iam_role_policy_name | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_alarm_sns_topic"></a> alarm_sns_topic | The SNS topic to which CloudWatch Alarms will be sent. |
| <a name="output_audit_bucket"></a> audit_bucket | The S3 bucket used for storing audit logs. |
| <a name="output_cloudtrail"></a> cloudtrail | The trail for recording events in all regions. |
| <a name="output_cloudtrail_kms_key"></a> cloudtrail_kms_key | The KMS key used for encrypting CloudTrail events. |
| <a name="output_cloudtrail_log_delivery_iam_role"></a> cloudtrail_log_delivery_iam_role | The IAM role used for delivering CloudTrail events to CloudWatch Logs. |
| <a name="output_cloudtrail_log_group"></a> cloudtrail_log_group | The CloudWatch Logs log group which stores CloudTrail events. |
| <a name="output_cloudtrail_sns_topic"></a> cloudtrail_sns_topic | The SNS topic linked to the trail. |
| <a name="output_config_configuration_recorder"></a> config_configuration_recorder | The configuration recorder in each region. |
| <a name="output_config_iam_role"></a> config_iam_role | The IAM role used for delivering AWS Config records to CloudWatch Logs. |
| <a name="output_config_sns_topic"></a> config_sns_topic | The SNS topic that AWS Config delivers notifications to. |
| <a name="output_default_network_acl"></a> default_network_acl | The default network ACL. |
| <a name="output_default_route_table"></a> default_route_table | The default route table. |
| <a name="output_default_security_group"></a> default_security_group | The ID of the default security group. |
| <a name="output_default_vpc"></a> default_vpc | The default VPC. |
| <a name="output_guardduty_detector"></a> guardduty_detector | The GuardDuty detector in each region. |
| <a name="output_support_iam_role"></a> support_iam_role | The IAM role used for the support user. |
| <a name="output_vpc_flow_logs_group"></a> vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs in each region. |
| <a name="output_vpc_flow_logs_iam_role"></a> vpc_flow_logs_iam_role | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->