{"id":34642494,"url":"https://github.com/nvision-x/security-infra-tf","last_synced_at":"2026-04-18T05:03:38.875Z","repository":{"id":327975742,"uuid":"1113741106","full_name":"Nvision-x/security-infra-tf","owner":"Nvision-x","description":"Terraform module for AWS security baseline - implements CIS AWS Foundations Benchmark 5.0.0  controls including Security Hub, CloudTrail, Config, IAM policies, and Access Analyzer","archived":false,"fork":false,"pushed_at":"2025-12-10T15:49:50.000Z","size":21,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-10T22:17:27.515Z","etag":null,"topics":["aws","aws-config","cis-benchmark","cloudtrail","compliance","iam","infrastructure-as-code","security","security-hub","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Nvision-x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-10T11:57:10.000Z","updated_at":"2025-12-10T12:07:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Nvision-x/security-infra-tf","commit_stats":null,"previous_names":["nvision-x/security-infra-tf"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Nvision-x/security-infra-tf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nvision-x%2Fsecurity-infra-tf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nvision-x%2Fsecurity-infra-tf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nvision-x%2Fsecurity-infra-tf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nvision-x%2Fsecurity-infra-tf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Nvision-x","download_url":"https://codeload.github.com/Nvision-x/security-infra-tf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nvision-x%2Fsecurity-infra-tf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31957158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T00:39:45.007Z","status":"online","status_checked_at":"2026-04-18T02:00:07.018Z","response_time":103,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-config","cis-benchmark","cloudtrail","compliance","iam","infrastructure-as-code","security","security-hub","terraform"],"created_at":"2025-12-24T17:25:39.501Z","updated_at":"2026-04-18T05:03:38.867Z","avatar_url":"https://github.com/Nvision-x.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# security-infra-tf\n\nTerraform module for AWS Security Baseline implementing CIS AWS Foundations Benchmark 5.0.0 controls.\n\n## Controls Implemented\n\n| Control ID | Description | Resource |\n|------------|-------------|----------|\n| - | Security Hub with CIS 5.0.0 | `aws_securityhub_account`, `aws_securityhub_standards_subscription` |\n| - | AWS Config | `aws_config_configuration_recorder`, `aws_config_delivery_channel`, `aws_s3_bucket` |\n| CloudTrail.1 | Multi-region trail with management events | `aws_cloudtrail`, `aws_s3_bucket` |\n| S3.9 | S3 bucket access logging enabled | CloudTrail bucket logs to access logs bucket |\n| Account.1 | Security contact information | `aws_account_alternate_contact` |\n| IAM.15 | Password minimum length \u003e= 14 | `aws_iam_account_password_policy` |\n| IAM.16 | Password reuse prevention | `aws_iam_account_password_policy` |\n| IAM.18 | Support role for AWS Support | `aws_iam_role` with `AWSSupportAccess` |\n| IAM.28 | IAM Access Analyzer | `aws_accessanalyzer_analyzer` |\n| S3.5 | S3 buckets require SSL | Bucket policies with `aws:SecureTransport` condition |\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| terraform | \u003e= 1.0 |\n| aws | \u003e= 5.0 |\n\n## Usage\n\n```hcl\nmodule \"security_baseline\" {\n  source = \"git::https://github.com/your-org/security-infra-tf.git\"\n\n  # Security Contact (Account.1)\n  security_contact_name  = \"Security Team\"\n  security_contact_title = \"Security Operations\"\n  security_contact_email = \"security@example.com\"\n  security_contact_phone = \"+1-555-555-5555\"\n\n  # Support Role (IAM.18)\n  support_role_trusted_principals = [\n    \"arn:aws:iam::123456789012:root\"\n  ]\n\n  # Optional: Use existing CloudTrail bucket\n  # cloudtrail_existing_bucket_name = \"my-existing-cloudtrail-bucket\"\n\n  tags = {\n    Environment = \"production\"\n    ManagedBy   = \"terraform\"\n  }\n}\n```\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| tags | Tags to apply to all resources | `map(string)` | `{}` | no |\n| enable_security_hub | Enable AWS Security Hub with CIS 5.0.0 standard | `bool` | `true` | no |\n| enable_aws_config | Enable AWS Config | `bool` | `true` | no |\n| config_s3_bucket_name | S3 bucket name for AWS Config. If empty, auto-generates | `string` | `\"\"` | no |\n| config_s3_key_prefix | S3 key prefix for AWS Config delivery | `string` | `\"config\"` | no |\n| config_recording_frequency | Recording frequency (CONTINUOUS or DAILY) | `string` | `\"CONTINUOUS\"` | no |\n| enable_cloudtrail | Enable CloudTrail with multi-region trail | `bool` | `true` | no |\n| cloudtrail_name | Name of the CloudTrail trail | `string` | `\"security-trail\"` | no |\n| cloudtrail_existing_bucket_name | Name of existing S3 bucket for CloudTrail. If empty, creates new bucket | `string` | `\"\"` | no |\n| cloudtrail_existing_access_logs_bucket_name | Name of existing S3 bucket for access logs. If empty, creates new bucket | `string` | `\"\"` | no |\n| cloudtrail_s3_key_prefix | S3 key prefix for CloudTrail logs | `string` | `\"cloudtrail\"` | no |\n| enable_security_contact | Enable security contact configuration | `bool` | `true` | no |\n| security_contact_name | Full name of the security contact | `string` | `\"\"` | no |\n| security_contact_title | Job title of the security contact | `string` | `\"\"` | no |\n| security_contact_email | Email address of the security contact | `string` | `\"\"` | no |\n| security_contact_phone | Phone number of the security contact | `string` | `\"\"` | no |\n| enable_password_policy | Enable IAM password policy | `bool` | `true` | no |\n| password_minimum_length | Minimum password length (must be \u003e= 14) | `number` | `14` | no |\n| password_reuse_prevention | Number of previous passwords to prevent reuse | `number` | `24` | no |\n| enable_support_role | Enable AWS Support access role | `bool` | `true` | no |\n| support_role_name | Name of the AWS Support access role | `string` | `\"aws-support-access\"` | no |\n| support_role_trusted_principals | List of IAM principals that can assume the support role | `list(string)` | n/a | yes |\n| support_role_require_mfa | Require MFA when assuming the support role | `bool` | `true` | no |\n| enable_access_analyzer | Enable IAM Access Analyzer | `bool` | `true` | no |\n| access_analyzer_name | Name of the IAM Access Analyzer | `string` | `\"account-analyzer\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| security_hub_account_id | Security Hub account ID |\n| security_hub_cis_v5_subscription_arn | ARN of the CIS 5.0.0 standards subscription |\n| config_s3_bucket_name | Name of the S3 bucket for AWS Config |\n| config_s3_bucket_arn | ARN of the S3 bucket for AWS Config |\n| config_recorder_id | AWS Config recorder ID |\n| config_role_arn | ARN of the IAM role used by AWS Config |\n| cloudtrail_arn | ARN of the CloudTrail trail |\n| cloudtrail_id | Name of the CloudTrail trail |\n| cloudtrail_s3_bucket_name | Name of the S3 bucket for CloudTrail |\n| cloudtrail_s3_bucket_arn | ARN of the S3 bucket for CloudTrail (if created) |\n| cloudtrail_access_logs_bucket_name | Name of the access logs bucket |\n| cloudtrail_access_logs_bucket_arn | ARN of the access logs bucket |\n| password_policy_configured | Whether password policy is configured |\n| password_minimum_length | Configured minimum password length |\n| password_reuse_prevention | Number of passwords for reuse prevention |\n| support_role_arn | ARN of the AWS Support access role |\n| access_analyzer_arn | ARN of the IAM Access Analyzer |\n\n## S3 Buckets\n\nThe module creates the following S3 buckets:\n\n### AWS Config Bucket\n- Auto-generated name: `aws-config-{account_id}-{region}`\n- Versioning, encryption, public access blocked, SSL-only\n\n### CloudTrail Bucket\n- **Option 1**: Use existing bucket by setting `cloudtrail_existing_bucket_name`\n- **Option 2**: Auto-create bucket named `aws-cloudtrail-{account_id}-{region}`\n- If created: Versioning, encryption, public access blocked, SSL-only, access logging enabled\n\n### CloudTrail Access Logs Bucket (S3.9)\n- **Option 1**: Use existing bucket by setting `cloudtrail_existing_access_logs_bucket_name`\n- **Option 2**: Auto-create bucket named `nvisionx-cloudtrail-access-logs-{account_id}`\n- Stores access logs for the CloudTrail bucket\n- Required for Security Hub S3.9 compliance\n\n## CloudTrail Configuration\n\nThe CloudTrail trail is configured with:\n- Multi-region trail enabled\n- Global service events included\n- Log file validation enabled\n- Read and write management events captured\n\n## Notes\n\n- **IAM.2** (IAM users should not have IAM policies attached): This is a detective control checked by Security Hub. The module enables Security Hub which will report on non-compliant users.\n- **EC2.2**: Mentioned but not implemented as it requires Security Hub (included) for detection.\n- The password policy enforces CIS benchmark requirements with minimum length of 14 and reuse prevention of 24 passwords.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvision-x%2Fsecurity-infra-tf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnvision-x%2Fsecurity-infra-tf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvision-x%2Fsecurity-infra-tf/lists"}