Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable config and security hub for eu-west-3 #904

Merged
merged 2 commits into from
May 9, 2024
Merged

Enable config and security hub for eu-west-3 #904

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8ee1c90
Enable config and security hub for eu-west-3
May 8, 2024
e3f7329
Ignore enable_default_standards changes
May 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions modules/securityhub/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,12 @@ data "aws_caller_identity" "current" {}
# Enable Security Hub
resource "aws_securityhub_account" "default" {
control_finding_generator = "STANDARD_CONTROL"
lifecycle {
ignore_changes = [
# When importing this can't be changed without destroying the resource
enable_default_standards,
]
}
}

# Subscribe to AWS Foundational Security Best Practices v1.0.0
Expand Down
3 changes: 3 additions & 0 deletions organisation-security/terraform/.terraform.lock.hcl
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

35 changes: 35 additions & 0 deletions organisation-security/terraform/config-aggregation.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,29 @@ module "config_aggregation_sns_eu_west_1" {
)
}

# Configure an SNS topic in organisation-security for aggregated Config alerts for eu-west-3
# Note this needs to be configured for each region, as AWS Config doesn't support
# cross-region delivery to an SNS topic.
module "config_aggregation_sns_eu_west_3" {
source = "../../modules/config-aggregation-sns"
providers = {
aws = aws.eu-west-3
}

# Specify account IDs that can send notifications to the topic
enrolled_account_ids = [
for account in local.enrolled_into_config :
account.id
]

# Tags to apply, where applicable
tags = merge(
local.tags_organisation_management, {
component = "Security"
}
)
}

# Multi-region, Multi-account aggregation (MRMAA)
## Create an IAM role with appropriate permissions for AWS Config in organisation-security (delegated administrator)
module "config_organisation_security_iam_role" {
Expand Down Expand Up @@ -109,6 +132,18 @@ module "config_organisation_security_eu_west_2" {
home_region = "eu-west-2"
}

module "config_organisation_security_eu_west_3" {
source = "../../modules/config"
providers = {
aws = aws.eu-west-3
}

s3_bucket_name = module.config_aggregation_bucket.s3_bucket_name
sns_topic_arn = module.config_aggregation_sns_eu_west_3.sns_topic_arn
iam_role_arn = module.config_organisation_security_iam_role.role_arn
home_region = "eu-west-3"
}

# Enable Multi-region, multi-account aggregation via AWS Organizations
module "config_aggregation" {
source = "../../modules/config-aggregation"
Expand Down
Loading