-
Notifications
You must be signed in to change notification settings - Fork 5
/
README.yaml
367 lines (315 loc) · 12.9 KB
/
README.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
---
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name : Terraform AWS Secure Baseline
# License of this project
license: "APACHE"
# Canonical GitHub repo
github_repo: clouddrove/clouddrove/terraform-aws-secure-baseline/modules/
# Badges to display
badges:
- name: "Latest Release"
image: "https://img.shields.io/github/release/clouddrove/terraform-aws-secure-baseline.svg"
url: "https://github.com/clouddrove/terraform-aws-secure-baseline/releases/latest"
- name: "tfsec"
image: "https://github.com/clouddrove/terraform-aws-secure-baseline/actions/workflows/tfsec.yml/badge.svg"
url: "https://github.com/clouddrove/terraform-aws-secure-baseline/actions/workflows/tfsec.yml"
- name: "Licence"
image: "https://img.shields.io/badge/License-APACHE-blue.svg"
url: "LICENSE.md"
- name: "Changelog"
image: "https://img.shields.io/badge/Changelog-blue"
url: "CHANGELOG.md"
# description of this project
description: |-
Terraform module to create an Secure Basline, inclued module is alarm baseline, config baseline, and clouddtrail baseline.
# How to use this project
usage : |-
## Submodules:
There are independent submodules:
- [alarm](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/alarm) - o create alarms that automatically stop, terminate, reboot, or recover your Amazon EC2 instances.
- [analyzer](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/analyzer) - helps to identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal.
- [cloudtrail](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/cloudtrail) - to enable operational and risk auditing, governance, and compliance of your AWS account.
- [config](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/config) - to record configuration changes to software within EC2 instances in your AWS account and also virtual machines (VMs).
- [ebs](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/ebs) - The EBS volumes that you create are always encrypted, either using the default KMS key or the KMS key that you specified when you created each volume.
- [guardduty](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/guardduty) - threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS Resources.
- [iam](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/iam) - web service that helps you securely control access to AWS resources.
- [inspector](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/inspector) - automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure
- [security-hub](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/security_hub) - provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.
- [shield](https://github.com/clouddrove/terraform-aws-secure-baseline/tree/master/modules/shield) - managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS.
### Alarm
Here is an example of how you can use this module in your inventory structure:
```hcl
module "alarm" {
source = "clouddrove/secure-baseline/aws//modules/alarm"
version = "1.4.0"
name = "alarm"
environment = "test"
label_order = ["name", "environment"]
enabled = true
unauthorized_api_calls = true
no_mfa_console_signin = true
root_usage = true
iam_changes = true
cloudtrail_cfg_changes = true
console_signin_failures = true
disable_or_delete_cmk = true
s3_bucket_policy_changes = true
security_group_changes = true
nacl_changes = true
network_gw_changes = true
route_table_changes = true
vpc_changes = true
alarm_namespace = "Alert_Alarm"
aws_config_changes_enabled = true
variables = {
SLACK_WEBHOOK = "" # Webhook for the slack notification
SLACK_CHANNEL = "" # Channel of the Slack where the notification will receive
}
}
```
### Analyzer
Here is an example of how you can use this module in your inventory structure:
```hcl
module "analyzer" {
source = "clouddrove/secure-baseline/aws//modules/analyzer"
version = "1.4.0"
name = "analyzer"
environment = "test"
label_order = ["name", "environment"]
enabled = true
## IAM Access Analyzer
type = "ACCOUNT"
variables = {
slack_webhook = "" # Webhook for the slack notification
slack_channel = "" # Channel of the Slack where the notification will receive
}
}
```
### Cloudtrail
Here is an example of how you can use this module in your inventory structure:
```hcl
module "Cloudtrail" {
source = "clouddrove/secure-baseline/aws//modules/cloudtrail"
version = "1.4.0"
name = "cloudtrail"
environment = "security"
label_order = ["name", "environment"]
# Cloudtrail S3 Bucket Configuration
create_bucket = true
bucket_versioning = true
logging = true
force_destroy = true
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
# Cloudtrail Configuration
enabled_cloudtrail = true
enable_cloudwatch = true
bucket_policy = true
is_multi_region_trail = true
kms_enabled = true
enable_logging = true
event_ignore_list = jsonencode([
"^Describe*",
"^Assume*",
"^List*",
"^Get*",
"^Decrypt*",
"^Lookup*",
"^BatchGet*",
"^CreateLogStream$",
"^RenewRole$",
"^REST.GET.OBJECT_LOCK_CONFIGURATION$",
"TestEventPattern",
"TestScheduleExpression",
"CreateNetworkInterface",
"ValidateTemplate"
])
event_alert_list = jsonencode([
"DetachRolePolicy",
"ConsoleLogin"
])
user_ignore_list = jsonencode([
"^awslambda_*",
"^aws-batch$",
"^bamboo*",
"^i-*",
"^[0-9]*$",
"^ecs-service-scheduler$",
"^AutoScaling$",
"^AWSCloudFormation$",
"^CloudTrailBot$",
"^SLRManagement$"
])
source_list = jsonencode([
"aws-sdk-go"
])
# Slack Alerts
slack_webhook = "" # Webhook for the slack notification
slack_channel = "" # Channel of the Slack where the notification will receive
}
```
### Config
Here is an example of how you can use this module in your inventory structure:
```hcl
module "config" {
source = "clouddrove/secure-baseline/aws//modules/config"
version = "1.4.0"
name = "config"
environment = "security"
label_order = ["name", "environment"]
config_s3_bucket_name = "config-bucketssss"
enabled = true
# roles
restricted_ports = true
restricted_ports_list = "{\"blockedPort1\": \"22\", \"blockedPort2\": \"3306\",\"blockedPort3\": \"6379\", \"blockedPort4\": \"5432\"}"
iam_mfa = true
unused_credentials = true
user_no_policies = true
no_policies_with_full_admin_access = true
acm_certificate_expiration_check = true
ec2_volume_inuse_check = true
ebs_snapshot_public_restorable = true
rds_instance_public_access_check = true
rds_snapshots_public_prohibited = true
guardduty_enabled_centralized = true
s3_bucket_public_write_prohibited = true
eip_attached = false
ec2_encrypted_volumes = true
iam_root_access_key = true
vpc_default_security_group_closed = false
s3_bucket_ssl_requests_only = false
multi_region_cloudtrail_enabled = true
instances_in_vpc = true
cloudwatch_log_group_encrypted = false
rds_storage_encrypted = true
iam_password_policy = false
password_require_uppercase = true
password_require_lowercase = true
password_require_symbols = true
password_require_numbers = true
password_max_age = 90
slack_enabled = false
variables = {
SLACK_WEBHOOK = "" # Webhook for the slack notification
SLACK_CHANNEL = "" # Channel of the Slack where the notification will receive
}
}
```
### EBS Default encryption
Here is an example of how you can use this module in your inventory structure:
```hcl
module "ebs-encryption" {
source = "clouddrove/secure-baseline/aws//modules/ebs"
version = "1.4.0"
enabled = true
enable_default_ebs_encryption = true
}
```
### GuardDuty
Here is an example of how you can use this module in your inventory structure:
```hcl
module "guardduty" {
source = "clouddrove/secure-baseline/aws//modules/guardduty"
version = "1.4.0"
name = "test-guardduty"
label_order = ["name"]
enabled = true
ipset_iplist = ["10.10.0.0/16"]
finding_publishing_frequency = "ONE_HOUR"
# S3
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
organization_auto_enable = false
# Slack Alerts
slack_enabled = false # Pass true to enable lambda
}
```
### IAM
Here is an example of how you can use this module in your inventory structure:
```hcl
module "iam" {
source = "clouddrove/secure-baseline/aws//modules/iam"
version = "1.4.0"
name = "iam-baseline"
environment = "test"
label_order = ["name", "environment"]
enabled = true
master_iam_role_name = "IAM-Master"
master_iam_role_policy_name = "IAM-master-Policy"
manager_iam_role_name = "IAM-manager"
manager_iam_role_policy_name = "IAM-Manager-Policy"
support_iam_role_name = "IAM-Policy"
support_iam_role_policy_name = "IAM-Support-Role"
support_iam_role_principal_arn = data.aws_caller_identity.current.arn
}
```
### Inspector
Here is an example of how you can use this module in your inventory structure:
```hcl
module "inspector" {
source = "clouddrove/secure-baseline/aws//modules/inspector"
version = "1.4.0"
name = "inspector"
environment = "security"
label_order = ["name", "environment"]
enabled = true
instance_tags = {
"Inspector" = true
}
duration = 300
lambda_enabled = true
schedule_expression = "cron(0/10 * ? * * *)"
handler = "index.handler"
runtime = "nodejs18.x"
statement_ids = ["AllowExecutionFromEvents"]
actions = ["lambda:InvokeFunction"]
principals = ["events.amazonaws.com"]
iam_actions = [
"inspector:StartAssessmentRun",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
}
```
### Security Hub
Here is an example of how you can use this module in your inventory structure:
```hcl
module "security-hub" {
source = "clouddrove/secure-baseline/aws//modules/security-hub"
version = "1.4.0"
security_hub_enabled = true
#standards
enabled_standards = [
"standards/aws-foundational-security-best-practices/v/1.0.0",
"ruleset/cis-aws-foundations-benchmark/v/1.2.0"
]
#products
enabled_products = [
"product/aws/guardduty",
"product/aws/inspector"
]
}
```
### Shield
Here is an example of how you can use this module in your inventory structure:
```hcl
module "shield" {
source = "clouddrove/secure-baseline/aws//modules/shield"
version = "1.4.0"
name = "shield"
environment = "security"
label_order = ["name", "environment"]
enabled = false
## AWS SHIELD
resource_arn = [] # ARN of the Resource that needs to be protect with Shield. e.g. cloudfront, ALB, EIP, Route53 etc.
}
```