https://github.com/blackbird-cloud/terraform-aws-account-security
Terraform module to setup AWS account security
- Host: GitHub
- URL: https://github.com/blackbird-cloud/terraform-aws-account-security
- Owner: blackbird-cloud
- License: apache-2.0
- Created: 2022-11-30T10:18:40.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-01-31T14:07:59.000Z (over 1 year ago)
- Last Synced: 2025-01-31T14:32:31.523Z (over 1 year ago)
- Topics: aws, security, terraform
- Language: HCL
- Homepage:
- Size: 35.2 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >=1.0.9 |
| [aws](#requirement\_aws) | ~> 4 |
| [random](#requirement\_random) | 3.1.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 4.13.0 |
| [random](#provider\_random) | 3.1.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [all\_cis\_alarms](#module\_all\_cis\_alarms) | terraform-aws-modules/cloudwatch/aws//modules/cis-alarms | 3.2.0 |
| [chatbot\_config](#module\_chatbot\_config) | waveaccounting/chatbot-slack-configuration/aws | 1.1.0 |
| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.13.3 |
| [iam\_chatbot\_role](#module\_iam\_chatbot\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 4 |
| [s3\_bucket\_cloudtrail](#module\_s3\_bucket\_cloudtrail) | terraform-aws-modules/s3-bucket/aws | 3.2.0 |
| [s3\_bucket\_config](#module\_s3\_bucket\_config) | terraform-aws-modules/s3-bucket/aws | 3.2.0 |
| [vpc\_flowlog\_bucket](#module\_vpc\_flowlog\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.2.0 |
## Resources
| Name | Type |
|------|------|
| [aws_budgets_budget.budget](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/budgets_budget) | resource |
| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
| [aws_cloudwatch_log_group.all_cis_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_group.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_config_configuration_recorder.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource |
| [aws_config_configuration_recorder_status.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
| [aws_config_conformance_pack.cis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_conformance_pack) | resource |
| [aws_config_conformance_pack.databases](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_conformance_pack) | resource |
| [aws_config_conformance_pack.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_conformance_pack) | resource |
| [aws_config_delivery_channel.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
| [aws_ebs_encryption_by_default.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
| [aws_guardduty_detector.detector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource |
| [aws_iam_policy.config_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.ct-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
| [aws_iam_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.ct-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.config_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kms_key.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.health](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.s3_bucket_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.securityhub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.vpc_flowlog_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_s3_account_public_access_block.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block) | resource |
| [aws_s3_bucket_policy.s3_bucket_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_securityhub_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
| [aws_securityhub_standards_control.disable_root_account_hardware_mfa_aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control) | resource |
| [aws_securityhub_standards_control.disable_root_account_hardware_mfa_cis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control) | resource |
| [aws_securityhub_standards_control.disable_s3_bucket_access_logging_aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control) | resource |
| [aws_securityhub_standards_control.disable_s3_bucket_event_notification_aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control) | resource |
| [aws_securityhub_standards_subscription.best_practices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_securityhub_standards_subscription.cis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_sns_topic.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.health](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.securityhub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/3.1.0/docs/resources/pet) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.cloudtrail_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_cloudwatch_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.config_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.config_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kms_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_aws_cloudtrial_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.vpc_flowlog_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_account\_name](#input\_aws\_account\_name) | AWS Account Name | `string` | n/a | yes |
| [aws\_region](#input\_aws\_region) | AWS Region, such as 'eu-central-1' | `string` | n/a | yes |
| [backup\_topic\_name](#input\_backup\_topic\_name) | SNS Topic name for Backup notifications | `string` | `"eventbridge-backup"` | no |
| [budget\_alert\_subscribers](#input\_budget\_alert\_subscribers) | List of email addresses that receive the billing alerts | `list(string)` | n/a | yes |
| [budget\_alert\_threshold](#input\_budget\_alert\_threshold) | Billing alert threshold in USD | `string` | n/a | yes |
| [chatbot\_channels](#input\_chatbot\_channels) | Slack channel configurations for AWS Chatbot. To get the channel ID, open Slack, right-click the channel name in the left pane and choose Copy Link; the channel ID is the 9-character string at the end of the URL (for example, ABCBBLZZZ). The workspace ID is shown in the AWS Chatbot console once you have completed the initial Slack authorization flow there. Logging levels are ERROR, INFO or NONE. | `list(object({ slack_channel_id = string, slack_workspace_id = string, sns_topic_arns = list(string), logging_level = string, configuration_name = string, guardrail_policies = list(string) }))` | `null` | no |
| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | CloudWatch log group name prefix for the CIS alarms | `string` | `"cis-alarms"` | no |
| [config\_topic\_name](#input\_config\_topic\_name) | SNS Topic name used for Config notifications | `string` | `"config-notifications"` | no |
| [health\_topic\_name](#input\_health\_topic\_name) | SNS Topic name for Health notifications | `string` | `"eventbridge-health"` | no |
| [s3\_logging](#input\_s3\_logging) | (Optional) S3 access logging configuration for the buckets: a map with the keys `target_bucket` and `target_prefix` | `map(string)` | `{}` | no |
| [securityhub\_findings\_filter](#input\_securityhub\_findings\_filter) | Filter applied to Security Hub findings before they are forwarded. The default forwards findings whose compliance status is FAILED or WARNING and whose severity label is MEDIUM, HIGH or CRITICAL. | `any` | `{ "findings": { "Compliance": { "Status": ["FAILED", "WARNING"] }, "Severity": { "Label": ["MEDIUM", "HIGH", "CRITICAL"] } } }` | no |
| [securityhub\_topic\_name](#input\_securityhub\_topic\_name) | SNS Topic name for Security Hub notifications | `string` | `"eventbridge-securityhub"` | no |
| [slack\_channel\_id](#input\_slack\_channel\_id) | Slack Channel ID for chatbot | `string` | n/a | yes |
| [slack\_workspace\_id](#input\_slack\_workspace\_id) | Slack Workspace ID for chatbot | `string` | n/a | yes |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
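The README lists inputs and outputs but no usage. The following root module is an added example, not code from the blackbird-cloud repository: it wires the module in with every required input from the table above, pins the provider versions the Requirements table asks for, and overrides `securityhub_findings_filter` so that only `FAILED` findings of `HIGH` or `CRITICAL` severity reach Slack. The module label `account_security`, the git ref placeholder, the account name, the e-mail address, the Slack IDs, the threshold and the tag values are all assumptions to replace with your own. Two points worth checking before you apply: the Slack workspace must already be authorised in the AWS Chatbot console (the `slack_workspace_id` description above), and the `aws_securityhub_standards_control` resource names in the Resources table show that the module disables the root-account hardware MFA controls in both the CIS and AWS Foundational standards as well as the S3 bucket access-logging and event-notification controls, so confirm in the plan output that those exemptions match your own baseline.

```hcl
# Added usage example; not part of the blackbird-cloud module's README.
# Everything below the "source" line is placeholder data.

terraform {
  # Matches the Requirements table: terraform >= 1.0.9, aws ~> 4, random 3.1.0
  required_version = ">= 1.0.9"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

module "account_security" {
  # Pin to a tag or commit you have reviewed instead of tracking "main";
  # "<reviewed-ref>" is a placeholder for that ref.
  source = "git::https://github.com/blackbird-cloud/terraform-aws-account-security.git?ref=<reviewed-ref>"

  # Required inputs (see the Inputs table)
  aws_account_name = "example-prod"   # placeholder
  aws_region       = "eu-central-1"

  budget_alert_subscribers = ["cloud-billing@example.com"]  # placeholder
  budget_alert_threshold   = "1000"                         # USD, passed as a string

  # Slack workspace/channel for AWS Chatbot; both IDs are placeholders.
  # Authorise the workspace in the AWS Chatbot console before applying.
  slack_workspace_id = "T0123ABCD"
  slack_channel_id   = "C0123ABCD"

  # Optional override of the default filter (FAILED/WARNING x MEDIUM/HIGH/CRITICAL):
  # forward only failed findings of HIGH or CRITICAL severity.
  securityhub_findings_filter = {
    findings = {
      Compliance = { Status = ["FAILED"] }
      Severity   = { Label = ["HIGH", "CRITICAL"] }
    }
  }

  # Optional: send the bucket access logs of the created S3 buckets to a
  # pre-existing logging bucket (placeholder name).
  s3_logging = {
    target_bucket = "example-prod-s3-access-logs"
    target_prefix = "account-security/"
  }

  tags = {
    Owner     = "security"
    ManagedBy = "terraform"
  }
}

# Re-export the notification topics so other root modules can subscribe to them.
output "securityhub_sns_topic_arn" {
  value = module.account_security.securityhub_sns_topic_arn
}

output "health_sns_topic_arn" {
  value = module.account_security.health_sns_topic_arn
}
```

Run `terraform init` followed by `terraform plan` and read the plan for the four `aws_securityhub_standards_control` resources and the three `aws_config_conformance_pack` resources before applying; this module enables account-wide settings (EBS default encryption, the S3 account public access block, GuardDuty, Security Hub and Config) that affect every workload in the account, so it belongs in a dedicated security or bootstrap root module rather than alongside application resources.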
## Outputs
| Name | Description |
|------|-------------|
| [backup\_sns\_topic\_arn](#output\_backup\_sns\_topic\_arn) | SNS Backup topic ARN |
| [health\_sns\_topic\_arn](#output\_health\_sns\_topic\_arn) | SNS Health topic ARN |
| [securityhub\_sns\_topic\_arn](#output\_securityhub\_sns\_topic\_arn) | SNS Security Hub topic ARN |
| [vpc\_flowlog\_bucket](#output\_vpc\_flowlog\_bucket) | n/a |