{"id":46337250,"url":"https://github.com/squareops/terraform-aws-security-automations","last_synced_at":"2026-03-04T19:05:30.900Z","repository":{"id":264182968,"uuid":"594322084","full_name":"squareops/terraform-aws-security-automations","owner":"squareops","description":"A terraform module to make AWS account compliant with CIS Level 1 , CIS Level 2 and SOC 2 controls ","archived":false,"fork":false,"pushed_at":"2024-11-22T13:05:27.000Z","size":165,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-13T09:54:01.005Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://squareops.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/squareops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-28T07:05:47.000Z","updated_at":"2025-06-18T16:49:19.000Z","dependencies_parsed_at":"2024-11-22T21:20:24.718Z","dependency_job_id":null,"html_url":"https://github.com/squareops/terraform-aws-security-automations","commit_stats":null,"previous_names":["squareops/terraform-aws-security-automations"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/squareops/terraform-aws-security-automations","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/squareops%2Fterraform-aws-security-automations","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/squareops%2Fterraform-aws-security-automations/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/squareops%2Fterraform-aws-security-automations/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/squareops%2Fterraform-aws-security-automations/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/squareops","download_url":"https://codeload.github.com/squareops/terraform-aws-security-automations/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/squareops%2Fterraform-aws-security-automations/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30090041,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T18:31:08.343Z","status":"ssl_error","status_checked_at":"2026-03-04T18:31:07.708Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-04T19:05:30.214Z","updated_at":"2026-03-04T19:05:30.886Z","avatar_url":"https://github.com/squareops.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Security Check\n\nWelcome to the AWS Security Checks Module! This module is designed to perform security compliance checks on AWS accounts according to the CIS Level 1, CIS Level 2, and SOC 2 frameworks. 
It helps ensure that your AWS infrastructure aligns with these security standards.\n\n## Introduction\n\nThe AWS Security Checks Module is a powerful tool for automating the process of auditing and validating AWS accounts against common security benchmarks. It provides a structured framework for performing CIS Level 1, CIS Level 2, and SOC 2 compliance checks.\n\n## Important note\n\nTo achieve 100% compliance for your AWS infrastructure, some manual checks are required; these are listed in the directory of the respective CIS level.\n\nTo encrypt the CloudWatch log group of CloudTrail, use the following KMS key policy. Change the account ID and region to match your environment.\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Id\": \"allow-cloudwatch-logs-encryption\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowRootFullPermissions\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"AWS\": \"arn:aws:iam::12345678:root\"\n            },\n            \"Action\": \"kms:*\",\n            \"Resource\": \"*\"\n        },\n        {\n            \"Sid\": \"AllowCloudWatchLogsEncryption\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"logs.us-east-2.amazonaws.com\"\n            },\n            \"Action\": [\n                \"kms:Encrypt*\",\n                \"kms:Decrypt*\",\n                \"kms:ReEncrypt*\",\n                \"kms:GenerateDataKey*\",\n                \"kms:Describe*\"\n            ],\n            \"Resource\": \"*\"\n        }\n    ]\n}\n```\n## Features\n\n- Pre-configured checks for CIS Level 1, CIS Level 2, and SOC 2 security benchmarks.\n- Organized folder structure for easy navigation and maintenance.\n- Customizable configurations to adapt to different environments.\n- Automated and repeatable security assessment process.\n\n## Directory Structure\n\nThe module is organized into the following directories:\n\n- `cis-level-1`: Contains code for CIS Level 1 compliance 
checks.\n- `cis-level-2`: Contains code for CIS Level 2 compliance checks.\n- `soc2`: Contains code for SOC 2 compliance checks.\n- `examples`: Contains example scripts to call compliance checks based on the desired level.\n\nEach folder contains configuration files specific to the corresponding security framework.\n\n## Getting Started\n\nTo get started with the AWS Security Checks Module, follow these steps:\n\n1. Clone the repository to your local machine: `https://github.com/sq-ia/terraform-aws-infrasec`\n2. Navigate to the desired framework folder (`cis-level-1`, `cis-level-2`, or `soc2`).\n3. Review the documentation for each check to understand its purpose and requirements.\n\n## Usage\n\nThe `examples` folder contains Terraform code to call compliance checks based on the desired level:\n\n- To run the CIS Level 1, CIS Level 2, or SOC 2 checks, set the variable `check_level` accordingly; see the example below.\n\n```hcl\nmodule \"cis\" {\n\n  source                                = \"squareops/security-automations/aws\"\n  version                               = \"1.0.1\"\n\n  name                                  = local.name\n  region                                = local.region\n  email                                 = \"skaf-demo@squareops.com\"\n  cron_expression                       = \"cron(0 22 1,10,20,28 * ? 
2023)\"\n  check_level                           = local.check_level\n  s3_enabled                            = true\n  config_enabled                        = true\n  include_global_resource_types         = true\n  cw_log_enabled                        = true\n  alerting_enabled                      = true\n  multiple_access_key_notification      = true\n  multiple_access_key_deactivate        = false\n  disable_unused_credentials            = false\n  disable_unused_credentials_after_days = 90\n  remove_ssl_tls_iam                    = false\n  enable_guard_duty                     = true\n  enable_security_hub                   = true\n  enable_aws_macie                      = true\n  mfa_iam_group_name                    = \"mfa-group\"                                       ## enter your IAM user group for mfa\n  cloudwatch_logs_kms_key_arn           = \"arn:aws:kms:us-east-1:123456:key/3116fc04-dbbd-\" ## enter kms key arn for encrypting cloudwatch log group of cloud trail\n  cloudwatch_log_group_retention_days   = 60\n  s3_object_expiration_days             = 90\n}\n\n\n```\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e 1.0.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | n/a |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_cis-level-1\"\u003e\u003c/a\u003e [cis-level-1](#module\\_cis-level-1) | ./modules/cis-level-1 | n/a |\n| \u003ca name=\"module_cis-level-2\"\u003e\u003c/a\u003e [cis-level-2](#module\\_cis-level-2) | ./modules/cis-level-2 | n/a |\n| \u003ca name=\"module_soc2\"\u003e\u003c/a\u003e [soc2](#module\\_soc2) | ./modules/soc2 | n/a |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_alarm_namespace\"\u003e\u003c/a\u003e [alarm\\_namespace](#input\\_alarm\\_namespace) | Namespace for the CloudWatch Alarm Metric | `string` | `\"CISBenchmark\"` | no |\n| \u003ca name=\"input_alerting_enabled\"\u003e\u003c/a\u003e [alerting\\_enabled](#input\\_alerting\\_enabled) | Enable alerting | `bool` | `true` | no |\n| \u003ca name=\"input_audit_log_bucket_custom_policy_json\"\u003e\u003c/a\u003e [audit\\_log\\_bucket\\_custom\\_policy\\_json](#input\\_audit\\_log\\_bucket\\_custom\\_policy\\_json) | Override the custom policy for the S3 logging bucket (JSON format). | `string` | `\"\"` | no |\n| \u003ca name=\"input_check_level\"\u003e\u003c/a\u003e [check\\_level](#input\\_check\\_level) | List of CIS checks to deploy. | `list(any)` | `[]` | no |\n| \u003ca name=\"input_cloudtrail_event_selector_type\"\u003e\u003c/a\u003e [cloudtrail\\_event\\_selector\\_type](#input\\_cloudtrail\\_event\\_selector\\_type) | Types of events that will be aggregated in CloudTrail | `string` | `\"All\"` | no |\n| \u003ca name=\"input_cloudtrail_kms_policy\"\u003e\u003c/a\u003e [cloudtrail\\_kms\\_policy](#input\\_cloudtrail\\_kms\\_policy) | KMS policy for Cloudtrail Logs | `string` | `\"\"` | no |\n| \u003ca name=\"input_cloudwatch_log_group_retention_days\"\u003e\u003c/a\u003e [cloudwatch\\_log\\_group\\_retention\\_days](#input\\_cloudwatch\\_log\\_group\\_retention\\_days) | Number of days to retain logs in CloudWatch log groups for CloudTrail. 
| `number` | `30` | no |\n| \u003ca name=\"input_cloudwatch_logs_kms_key_arn\"\u003e\u003c/a\u003e [cloudwatch\\_logs\\_kms\\_key\\_arn](#input\\_cloudwatch\\_logs\\_kms\\_key\\_arn) | KMS key for CloudWatch Logs Encryption | `string` | `\"\"` | no |\n| \u003ca name=\"input_config_enabled\"\u003e\u003c/a\u003e [config\\_enabled](#input\\_config\\_enabled) | Set to true to enable AWS Config. | `bool` | `true` | no |\n| \u003ca name=\"input_cron_expression\"\u003e\u003c/a\u003e [cron\\_expression](#input\\_cron\\_expression) | Cron expression to trigger a Lambda function on a regular schedule. | `string` | `\"cron(0 22 1,10,20,28 * ? 2023)\"` | no |\n| \u003ca name=\"input_cw_log_enabled\"\u003e\u003c/a\u003e [cw\\_log\\_enabled](#input\\_cw\\_log\\_enabled) | Set it to true to aggregate logs on CloudWatch | `bool` | `true` | no |\n| \u003ca name=\"input_disable_unused_credentials\"\u003e\u003c/a\u003e [disable\\_unused\\_credentials](#input\\_disable\\_unused\\_credentials) | Disable unused IAM user credentials. | `bool` | `false` | no |\n| \u003ca name=\"input_disable_unused_credentials_after_days\"\u003e\u003c/a\u003e [disable\\_unused\\_credentials\\_after\\_days](#input\\_disable\\_unused\\_credentials\\_after\\_days) | Number of days after which unused IAM credentials will be disabled. | `number` | `\"90\"` | no |\n| \u003ca name=\"input_email\"\u003e\u003c/a\u003e [email](#input\\_email) | Email address for receiving notifications from Amazon SNS. | `string` | `\"\"` | no |\n| \u003ca name=\"input_enable_aws_macie\"\u003e\u003c/a\u003e [enable\\_aws\\_macie](#input\\_enable\\_aws\\_macie) | Enable AWS Macie for data discovery and protection. | `bool` | `true` | no |\n| \u003ca name=\"input_enable_guard_duty\"\u003e\u003c/a\u003e [enable\\_guard\\_duty](#input\\_enable\\_guard\\_duty) | Enable AWS GuardDuty for threat detection. 
| `bool` | `true` | no |\n| \u003ca name=\"input_enable_security_hub\"\u003e\u003c/a\u003e [enable\\_security\\_hub](#input\\_enable\\_security\\_hub) | Enable AWS Security Hub for centralized security monitoring. | `bool` | `true` | no |\n| \u003ca name=\"input_iam_allow_users_to_change_password\"\u003e\u003c/a\u003e [iam\\_allow\\_users\\_to\\_change\\_password](#input\\_iam\\_allow\\_users\\_to\\_change\\_password) | Set it to true to allow users to change their own password | `bool` | `true` | no |\n| \u003ca name=\"input_iam_hard_expiry\"\u003e\u003c/a\u003e [iam\\_hard\\_expiry](#input\\_iam\\_hard\\_expiry) | Set it true to enforce hard password expiration for all users. | `bool` | `true` | no |\n| \u003ca name=\"input_iam_max_password_age\"\u003e\u003c/a\u003e [iam\\_max\\_password\\_age](#input\\_iam\\_max\\_password\\_age) | Maximum password age in days before expiration. | `number` | `90` | no |\n| \u003ca name=\"input_iam_minimum_password_length\"\u003e\u003c/a\u003e [iam\\_minimum\\_password\\_length](#input\\_iam\\_minimum\\_password\\_length) | Minimum length requirement for user passwords. 
| `number` | `14` | no |\n| \u003ca name=\"input_iam_password_reuse_prevention\"\u003e\u003c/a\u003e [iam\\_password\\_reuse\\_prevention](#input\\_iam\\_password\\_reuse\\_prevention) | Prevent password reuse multiple times | `number` | `24` | no |\n| \u003ca name=\"input_iam_require_lowercase_characters\"\u003e\u003c/a\u003e [iam\\_require\\_lowercase\\_characters](#input\\_iam\\_require\\_lowercase\\_characters) | Require at least one lowercase letter in passwords | `bool` | `true` | no |\n| \u003ca name=\"input_iam_require_numbers\"\u003e\u003c/a\u003e [iam\\_require\\_numbers](#input\\_iam\\_require\\_numbers) | Require at least one number in passwords | `bool` | `true` | no |\n| \u003ca name=\"input_iam_require_symbols\"\u003e\u003c/a\u003e [iam\\_require\\_symbols](#input\\_iam\\_require\\_symbols) | Require at least one symbol in passwords | `bool` | `true` | no |\n| \u003ca name=\"input_iam_require_uppercase_characters\"\u003e\u003c/a\u003e [iam\\_require\\_uppercase\\_characters](#input\\_iam\\_require\\_uppercase\\_characters) | Require at least one uppercase letter in passwords | `bool` | `true` | no |\n| \u003ca name=\"input_include_global_resource_types\"\u003e\u003c/a\u003e [include\\_global\\_resource\\_types](#input\\_include\\_global\\_resource\\_types) | Set it to true to enable recording of global resources in AWS Config | `bool` | `true` | no |\n| \u003ca name=\"input_mfa_iam_group_name\"\u003e\u003c/a\u003e [mfa\\_iam\\_group\\_name](#input\\_mfa\\_iam\\_group\\_name) | Name of the IAM user group to which MFA user policies will be added. | `string` | `\"test-user-group\"` | no |\n| \u003ca name=\"input_multiple_access_key_deactivate\"\u003e\u003c/a\u003e [multiple\\_access\\_key\\_deactivate](#input\\_multiple\\_access\\_key\\_deactivate) | Deactivate newly created active access keys for IAM users. 
| `bool` | `false` | no |\n| \u003ca name=\"input_multiple_access_key_notification\"\u003e\u003c/a\u003e [multiple\\_access\\_key\\_notification](#input\\_multiple\\_access\\_key\\_notification) | Send email notifications for IAM users with multiple active access keys. | `bool` | `true` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Prefix for all resources (e.g., 'my-app') to identify them in the cloud environment. | `string` | `\"\"` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | AWS region where resources will be provisioned. | `string` | `\"us-east-2\"` | no |\n| \u003ca name=\"input_remove_ssl_tls_iam\"\u003e\u003c/a\u003e [remove\\_ssl\\_tls\\_iam](#input\\_remove\\_ssl\\_tls\\_iam) | Remove expired SSL/TLS certificates from IAM. | `bool` | `false` | no |\n| \u003ca name=\"input_s3_enabled\"\u003e\u003c/a\u003e [s3\\_enabled](#input\\_s3\\_enabled) | Set to true to enable exporting CloudTrail logs to an S3 bucket. | `bool` | `true` | no |\n| \u003ca name=\"input_s3_object_expiration_days\"\u003e\u003c/a\u003e [s3\\_object\\_expiration\\_days](#input\\_s3\\_object\\_expiration\\_days) | Number of days after which object of s3 expires. | `number` | `\"90\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Tags to be used in all the resources | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"key\": \"AWS_CIS_Benchmark\",\u003cbr\u003e  \"value\": \"1.2.0\"\u003cbr\u003e}\u003c/pre\u003e | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_access_log_bucket_arn\"\u003e\u003c/a\u003e [access\\_log\\_bucket\\_arn](#output\\_access\\_log\\_bucket\\_arn) | S3 bucket for storing audit logs of config. |\n| \u003ca name=\"output_access_log_bucket_id\"\u003e\u003c/a\u003e [access\\_log\\_bucket\\_id](#output\\_access\\_log\\_bucket\\_id) | S3 bucket for storing audit logs of config. 
|\n| \u003ca name=\"output_audit_bucket_arn\"\u003e\u003c/a\u003e [audit\\_bucket\\_arn](#output\\_audit\\_bucket\\_arn) | S3 bucket for storing audit logs of config. |\n| \u003ca name=\"output_audit_bucket_id\"\u003e\u003c/a\u003e [audit\\_bucket\\_id](#output\\_audit\\_bucket\\_id) | S3 bucket for storing audit logs of config. |\n| \u003ca name=\"output_sns_topic_arn\"\u003e\u003c/a\u003e [sns\\_topic\\_arn](#output\\_sns\\_topic\\_arn) | SNS topic arn |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n## Contribution \u0026 Issue Reporting\n\nTo report an issue with a project:\n\n  1. Check the repository's [issue tracker](https://github.com/sq-ia/terraform-aws-infrasec/issues) on GitHub\n  2. Search to see if the issue has already been reported\n  3. If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.\n\n## License\n\nApache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).\n\n## Support Us\n\nTo support a GitHub project by liking it, you can follow these steps:\n\n  1. Visit the repository: Navigate to the [GitHub repository](https://github.com/sq-ia/terraform-aws-infrasec).\n\n  2. Click the \"Star\" button: On the repository page, you'll see a \"Star\" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.\n\n  3. Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.\n\nStarring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.\n\n## Who we are\n\nWe believe that the key to success in the digital age is the ability to deliver value quickly and reliably. 
That’s why we offer a comprehensive range of DevOps \u0026 Cloud services designed to help your organization optimize its systems \u0026 processes for speed and agility.\n\n  1. We are an AWS Advanced Consulting Partner, which reflects our deep expertise in AWS Cloud and our work helping 100+ clients over the last 5 years.\n  2. Our expertise in Kubernetes and container solutions helps companies expedite their journey by 10X.\n  3. Infrastructure automation is a key component of our clients' success, and our expertise helps deliver it in the shortest time.\n  4. DevSecOps as a service to implement security within the overall DevOps process, helping companies deploy securely and at speed.\n  5. Platform engineering that supports scalable, cost-efficient infrastructure for rapid development, testing, and deployment.\n  6. 24x7 SRE service to help you monitor the state of your infrastructure and resolve any issue within the SLA.\n\nWe provide [support](https://squareops.com/contact-us/) on all of our projects, no matter how small or large they may be.\n\nTo find more information about our company, visit [squareops.com](https://squareops.com/), follow us on [LinkedIn](https://www.linkedin.com/company/squareops-technologies-pvt-ltd/), or fill out a [job application](https://squareops.com/careers/). If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to [contact us](https://squareops.com/contact-us/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsquareops%2Fterraform-aws-security-automations","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsquareops%2Fterraform-aws-security-automations","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsquareops%2Fterraform-aws-security-automations/lists"}