Skip to content

schubergphilis/terraform-aws-mcaf-account-baseline

Repository files navigation

terraform-aws-mcaf-account-baseline

Terraform module to manage baseline configuration for AWS accounts.

How to use

Basic configuration

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"
}

AWS Config Rules

If you would like to authorise other accounts to aggregate AWS Config data, account IDs and regions can be passed to var.aws_config using the attributes aggregator_account_ids and aggregator_regions respectively.

Note Control Tower already authorizes the audit account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit account ID in the aggregator_account_ids list.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  aggregator_regions     = ["eu-west-1"]
}

AWS Security Hub

This module enables the following standards by default:

  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v1.4.0
  • PCI DSS v3.2.1

You are able to control the enabled standards via var.aws_security_hub_standards_arns.

MCAF Service Quotas Manager integration

This module can deploy the IAM role required by the MCAF Service Quotas Manager module. The assuming_principal_identifier should be the ServiceQuotasManagerExecutionRole. This is by default arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>.

Note

The Service Quotas Manager module should be deployed first before deploying this integration. Only existing IAM roles can be referenced as principals.

Requirements

Name Version
terraform >= 1.2.0
aws >= 4.0.0

Providers

Name Version
aws >= 4.0.0

Modules

Name Source Version
service_quota_manager_role github.com/schubergphilis/terraform-aws-mcaf-role v0.3.3

Resources

Name Type
aws_config_aggregate_authorization.default resource
aws_ebs_default_kms_key.default resource
aws_ebs_encryption_by_default.default resource
aws_iam_account_password_policy.default resource
aws_securityhub_standards_subscription.default resource
aws_region.current data source

Inputs

Name Description Type Default Required
account_password_policy AWS account password policy parameters
object({
allow_users_to_change = bool
max_age = number
minimum_length = number
require_lowercase_characters = bool
require_numbers = bool
require_symbols = bool
require_uppercase_characters = bool
reuse_prevention_history = number
})
{
"allow_users_to_change": true,
"max_age": 90,
"minimum_length": 14,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true,
"reuse_prevention_history": 24
}
no
aws_config AWS Config settings
object({
aggregator_account_ids = list(string)
aggregator_regions = list(string)
})
null no
aws_ebs_encryption_by_default Set to true to enable AWS Elastic Block Store encryption by default bool true no
aws_ebs_encryption_custom_key Set to true and specify the aws_kms_key_arn to use in place of the AWS-managed default CMK bool false no
aws_kms_key_arn The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volumes string null no
aws_security_hub_standards_arns A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled list(string) null no
service_quotas_manager_role Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module
object({
assuming_principal_identifier = string
path = optional(string, "/")
permissions_boundary = optional(string, null)
})
null no
tags Map of tags map(string) {} no

Outputs

No outputs.

About

Terraform module to setup a baseline configuration for AWS accounts

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages