xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

initial commit

Browse Source
This commit is contained in:
xpk
2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security_identity_compliance/aws_config/Cis14Level1.yaml
+601
View File
@@ -0,0 +1,601 @@
##################################################################################
#
# Conformance Pack:
# Operational Best Practices for CIS AWS Foundations Benchmark Level 1
#
# This conformance pack helps verify compliance with CIS AWS Foundations Benchmark Level 1 requirements.
#
# See Parameters section for names and descriptions of required parameters.
#
##################################################################################
Parameters:
AccessKeysRotatedParamMaxAccessKeyAge:
Default: '90'
Type: String
IamPasswordPolicyParamMaxPasswordAge:
Default: '90'
Type: String
IamPasswordPolicyParamMinimumPasswordLength:
Default: '14'
Type: String
IamPasswordPolicyParamPasswordReusePrevention:
Default: '24'
Type: String
IamPasswordPolicyParamRequireLowercaseCharacters:
Default: 'true'
Type: String
IamPasswordPolicyParamRequireNumbers:
Default: 'true'
Type: String
IamPasswordPolicyParamRequireSymbols:
Default: 'true'
Type: String
IamPasswordPolicyParamRequireUppercaseCharacters:
Default: 'true'
Type: String
IamPolicyInUseParamPolicyARN:
Default: arn:aws:iam::aws:policy/AWSSupportAccess
Type: String
IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
Default: '45'
Type: String
RestrictedIncomingTrafficParamBlockedPort3:
Default: '3389'
Type: String
S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
Default: 'True'
Type: String
S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
Default: 'True'
Type: String
S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
Default: 'True'
Type: String
S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
Default: 'True'
Type: String
S3BucketVersioningEnabledParamIsMfaDeleteEnabled:
Default: 'TRUE'
Type: String
Resources:
AccessKeysRotated:
Properties:
ConfigRuleName: access-keys-rotated
InputParameters:
maxAccessKeyAge:
Fn::If:
- accessKeysRotatedParamMaxAccessKeyAge
- Ref: AccessKeysRotatedParamMaxAccessKeyAge
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: ACCESS_KEYS_ROTATED
Type: AWS::Config::ConfigRule
CloudTrailCloudWatchLogsEnabled:
Properties:
ConfigRuleName: cloud-trail-cloud-watch-logs-enabled
Source:
Owner: AWS
SourceIdentifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
Type: AWS::Config::ConfigRule
Ec2EbsEncryptionByDefault:
Properties:
ConfigRuleName: ec2-ebs-encryption-by-default
Source:
Owner: AWS
SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
Type: AWS::Config::ConfigRule
EncryptedVolumes:
Properties:
ConfigRuleName: encrypted-volumes
Scope:
ComplianceResourceTypes:
- AWS::EC2::Volume
Source:
Owner: AWS
SourceIdentifier: ENCRYPTED_VOLUMES
Type: AWS::Config::ConfigRule
IamNoInlinePolicyCheck:
Properties:
ConfigRuleName: iam-no-inline-policy-check
Scope:
ComplianceResourceTypes:
- AWS::IAM::User
- AWS::IAM::Role
- AWS::IAM::Group
Source:
Owner: AWS
SourceIdentifier: IAM_NO_INLINE_POLICY_CHECK
Type: AWS::Config::ConfigRule
IamPasswordPolicy:
Properties:
ConfigRuleName: iam-password-policy
InputParameters:
MaxPasswordAge:
Fn::If:
- iamPasswordPolicyParamMaxPasswordAge
- Ref: IamPasswordPolicyParamMaxPasswordAge
- Ref: AWS::NoValue
MinimumPasswordLength:
Fn::If:
- iamPasswordPolicyParamMinimumPasswordLength
- Ref: IamPasswordPolicyParamMinimumPasswordLength
- Ref: AWS::NoValue
PasswordReusePrevention:
Fn::If:
- iamPasswordPolicyParamPasswordReusePrevention
- Ref: IamPasswordPolicyParamPasswordReusePrevention
- Ref: AWS::NoValue
RequireLowercaseCharacters:
Fn::If:
- iamPasswordPolicyParamRequireLowercaseCharacters
- Ref: IamPasswordPolicyParamRequireLowercaseCharacters
- Ref: AWS::NoValue
RequireNumbers:
Fn::If:
- iamPasswordPolicyParamRequireNumbers
- Ref: IamPasswordPolicyParamRequireNumbers
- Ref: AWS::NoValue
RequireSymbols:
Fn::If:
- iamPasswordPolicyParamRequireSymbols
- Ref: IamPasswordPolicyParamRequireSymbols
- Ref: AWS::NoValue
RequireUppercaseCharacters:
Fn::If:
- iamPasswordPolicyParamRequireUppercaseCharacters
- Ref: IamPasswordPolicyParamRequireUppercaseCharacters
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: IAM_PASSWORD_POLICY
Type: AWS::Config::ConfigRule
IamPolicyInUse:
Properties:
ConfigRuleName: iam-policy-in-use
InputParameters:
policyARN:
Fn::If:
- iamPolicyInUseParamPolicyARN
- Ref: IamPolicyInUseParamPolicyARN
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: IAM_POLICY_IN_USE
Type: AWS::Config::ConfigRule
IamPolicyNoStatementsWithAdminAccess:
Properties:
ConfigRuleName: iam-policy-no-statements-with-admin-access
Scope:
ComplianceResourceTypes:
- AWS::IAM::Policy
Source:
Owner: AWS
SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
Type: AWS::Config::ConfigRule
IamRootAccessKeyCheck:
Properties:
ConfigRuleName: iam-root-access-key-check
Source:
Owner: AWS
SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
Type: AWS::Config::ConfigRule
IamUserGroupMembershipCheck:
Properties:
ConfigRuleName: iam-user-group-membership-check
Scope:
ComplianceResourceTypes:
- AWS::IAM::User
Source:
Owner: AWS
SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
Type: AWS::Config::ConfigRule
IamUserNoPoliciesCheck:
Properties:
ConfigRuleName: iam-user-no-policies-check
Scope:
ComplianceResourceTypes:
- AWS::IAM::User
Source:
Owner: AWS
SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
Type: AWS::Config::ConfigRule
IamUserUnusedCredentialsCheck:
Properties:
ConfigRuleName: iam-user-unused-credentials-check
InputParameters:
maxCredentialUsageAge:
Fn::If:
- iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
- Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
Type: AWS::Config::ConfigRule
IncomingSshDisabled:
Properties:
ConfigRuleName: restricted-ssh
Scope:
ComplianceResourceTypes:
- AWS::EC2::SecurityGroup
Source:
Owner: AWS
SourceIdentifier: INCOMING_SSH_DISABLED
Type: AWS::Config::ConfigRule
MfaEnabledForIamConsoleAccess:
Properties:
ConfigRuleName: mfa-enabled-for-iam-console-access
Source:
Owner: AWS
SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
Type: AWS::Config::ConfigRule
MultiRegionCloudTrailEnabled:
Properties:
ConfigRuleName: multi-region-cloudtrail-enabled
Source:
Owner: AWS
SourceIdentifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
Type: AWS::Config::ConfigRule
RdsSnapshotEncrypted:
Properties:
ConfigRuleName: rds-snapshot-encrypted
Scope:
ComplianceResourceTypes:
- AWS::RDS::DBSnapshot
- AWS::RDS::DBClusterSnapshot
Source:
Owner: AWS
SourceIdentifier: RDS_SNAPSHOT_ENCRYPTED
Type: AWS::Config::ConfigRule
RdsStorageEncrypted:
Properties:
ConfigRuleName: rds-storage-encrypted
Scope:
ComplianceResourceTypes:
- AWS::RDS::DBInstance
Source:
Owner: AWS
SourceIdentifier: RDS_STORAGE_ENCRYPTED
Type: AWS::Config::ConfigRule
RestrictedIncomingTraffic:
Properties:
ConfigRuleName: restricted-common-ports
InputParameters:
blockedPort3:
Fn::If:
- restrictedIncomingTrafficParamBlockedPort3
- Ref: RestrictedIncomingTrafficParamBlockedPort3
- Ref: AWS::NoValue
Scope:
ComplianceResourceTypes:
- AWS::EC2::SecurityGroup
Source:
Owner: AWS
SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
Type: AWS::Config::ConfigRule
RootAccountMfaEnabled:
Properties:
ConfigRuleName: root-account-mfa-enabled
Source:
Owner: AWS
SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
Type: AWS::Config::ConfigRule
S3AccountLevelPublicAccessBlocksPeriodic:
Properties:
ConfigRuleName: s3-account-level-public-access-blocks-periodic
InputParameters:
BlockPublicAcls:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
- Ref: AWS::NoValue
BlockPublicPolicy:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
- Ref: AWS::NoValue
IgnorePublicAcls:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
- Ref: AWS::NoValue
RestrictPublicBuckets:
Fn::If:
- s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
- Ref: AWS::NoValue
Source:
Owner: AWS
SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
Type: AWS::Config::ConfigRule
S3BucketLevelPublicAccessProhibited:
Properties:
ConfigRuleName: s3-bucket-level-public-access-prohibited
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LEVEL_PUBLIC_ACCESS_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketLoggingEnabled:
Properties:
ConfigRuleName: s3-bucket-logging-enabled
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_LOGGING_ENABLED
Type: AWS::Config::ConfigRule
S3BucketPublicReadProhibited:
Properties:
ConfigRuleName: s3-bucket-public-read-prohibited
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketPublicWriteProhibited:
Properties:
ConfigRuleName: s3-bucket-public-write-prohibited
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
Type: AWS::Config::ConfigRule
S3BucketVersioningEnabled:
Properties:
ConfigRuleName: s3-bucket-versioning-enabled
InputParameters:
isMfaDeleteEnabled:
Fn::If:
- s3BucketVersioningEnabledParamIsMfaDeleteEnabled
- Ref: S3BucketVersioningEnabledParamIsMfaDeleteEnabled
- Ref: AWS::NoValue
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED
Type: AWS::Config::ConfigRule
AccountContactDetailsConfigured:
Properties:
ConfigRuleName: account-contact-details-configured
Description: Ensure the contact email and telephone number for AWS accounts are current and map to more than one individual in your organization. Within the My Account section of the console ensure correct information is specified in the Contact Information section.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AccountSecurityContactConfigured:
Properties:
ConfigRuleName: account-security-contact-configured
Description: Ensure the contact email and telephone number for the your organizations security team are current. Within the My Account section of the AWS Management Console ensure the correct information is specified in the Security section.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AccountSecurityQuestionsConfigured:
Properties:
ConfigRuleName: account-security-questions-configured
Description: Ensure the security questions that can be used to authenticate individuals calling AWS customer service for support are configured. Within the My Account section of the AWS Management Console ensure three security challenge questions are configured.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
RootAccountRegularUse:
Properties:
ConfigRuleName: root-account-regular-use
Description: Ensure the use of the root account is avoided for everyday tasks. Within IAM, run a credential report to examine when the root user was last used.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
IAMUserConsoleAndAPIAccessAtCreation:
Properties:
ConfigRuleName: iam-user-console-and-api-access-at-creation
Description: Ensure access keys are not setup during the initial user setup for all IAM users that have a console password. For all IAM users with console access, compare the user 'Creation time` to the Access Key `Created` date.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
IAMUserSingleAccessKey:
Properties:
ConfigRuleName: iam-user-single-access-key
Description: Ensure there is only one active access key available for any single IAM user. For all IAM users check that there is only one active key used within the Security Credentials tab for each user within IAM.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
IAMExpiredCertificates:
Properties:
ConfigRuleName: iam-expired-certificates
Description: Ensure that all the expired SSL/TLS certificates stored in IAM are removed. From the command line with the installed AWS CLI run the 'aws iam list-server-certificates' command and determine if there are any expired server certificates.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
IAMAccessAnalyzerEnabled:
Properties:
ConfigRuleName: iam-access-analyzer-enabled
Description: Ensure that IAM Access analyzer is enabled. Within the IAM section of the console, select Access analyzer and ensure that the STATUS is set to Active.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmUnauthorizedAPIcalls:
Properties:
ConfigRuleName: alarm-unauthorized-api-calls
Description: Ensure a log metric filter and an alarm exists for unauthorized API calls.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmSignInWithoutMFA:
Properties:
ConfigRuleName: alarm-sign-in-without-mfa
Description: Ensure a log metric filter and an alarm exists for AWS Management Console sign-in without Multi-Factor Authentication (MFA).
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmRootAccountUse:
Properties:
ConfigRuleName: alarm-root-account-use
Description: Ensure a log metric filter and an alarm exists for usage of the root account.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmIAMpolicyChange:
Properties:
ConfigRuleName: alarm-iam-policy-change
Description: Ensure a log metric filter and an alarm exists for IAM policy changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmCloudtrailConfigChange:
Properties:
ConfigRuleName: alarm-cloudtrail-config-change
Description: Ensure a log metric filter and an alarm exists for AWS CloudTrail configuration changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmS3BucketPolicyChange:
Properties:
ConfigRuleName: alarm-s3-bucket-policy-change
Description: Ensure a log metric filter and an alarm exists for Amazon S3 bucket policy changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmVPCNetworkGatewayChange:
Properties:
ConfigRuleName: alarm-vpc-network-gateway-change
Description: Ensure a log metric filter and an alarm exists for changes to network gateways.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmVPCroutetableChange:
Properties:
ConfigRuleName: alarm-vpc-route-table-change
Description: Ensure a log metric filter and an alarm exists for route table changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmVPCChange:
Properties:
ConfigRuleName: alarm-vpc-change
Description: Ensure a log metric filter and an alarm exists for Amazon Virtual Private Cloud (VPC) changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
AlarmOrganizationsChange:
Properties:
ConfigRuleName: alarm-organizations-change
Description: Ensure a log metric filter and an alarm exists for AWS Organizations changes.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
VPCNetworkACLOpenAdminPorts:
Properties:
ConfigRuleName: vpc-networkacl-open-admin-ports
Description: Ensure no network ACLs allow public ingress to the remote server administration ports. Within the VPC section of the console, ensure there are network ACLs with a source of '0.0.0.0/0' with allowing ports or port ranges including remote server admin ports.
Source:
Owner: AWS
SourceIdentifier: AWS_CONFIG_PROCESS_CHECK
Type: AWS::Config::ConfigRule
Conditions:
accessKeysRotatedParamMaxAccessKeyAge:
Fn::Not:
- Fn::Equals:
- ''
- Ref: AccessKeysRotatedParamMaxAccessKeyAge
iamPasswordPolicyParamMaxPasswordAge:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamMaxPasswordAge
iamPasswordPolicyParamMinimumPasswordLength:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamMinimumPasswordLength
iamPasswordPolicyParamPasswordReusePrevention:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamPasswordReusePrevention
iamPasswordPolicyParamRequireLowercaseCharacters:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireLowercaseCharacters
iamPasswordPolicyParamRequireNumbers:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireNumbers
iamPasswordPolicyParamRequireSymbols:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireSymbols
iamPasswordPolicyParamRequireUppercaseCharacters:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPasswordPolicyParamRequireUppercaseCharacters
iamPolicyInUseParamPolicyARN:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamPolicyInUseParamPolicyARN
iamUserUnusedCredentialsCheckParamMaxCredentialUsageAge:
Fn::Not:
- Fn::Equals:
- ''
- Ref: IamUserUnusedCredentialsCheckParamMaxCredentialUsageAge
restrictedIncomingTrafficParamBlockedPort3:
Fn::Not:
- Fn::Equals:
- ''
- Ref: RestrictedIncomingTrafficParamBlockedPort3
s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls
s3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy
s3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls
s3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets
s3BucketVersioningEnabledParamIsMfaDeleteEnabled:
Fn::Not:
- Fn::Equals:
- ''
- Ref: S3BucketVersioningEnabledParamIsMfaDeleteEnabled
modules/security_identity_compliance/aws_config/README.md
+25
View File
@@ -0,0 +1,25 @@
# Overview
This module performs the following tasks:
- Enable AWS config in all regions
- Deploy [CIS1.4 level 1 conformance pack](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html). Rules file Cis14Level1.yaml is downloaded from https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml
- Set Config retention period
- Setup Config aggregator, aggregate Config in all regions into primary region
- Create s3 bucket for config use
## Inputs:
| Name | Description | Type | Default | Required |
|--------------------|-------------------------------------------------------------|------|---------|:-----:|
| application | name of application | string | none | yes |
| environment | capacity of environment (prd/dev/lab) | string | none | yes |
| customer-name | owner of aws resources | string | none | yes |
| project | name of project | string | none | yes |
| default-tags | tags to be added to resources | list | none | yes |
| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
| primary-aws-region | name of primary region where global events will be recorded | string | none | yes |
# Notes
- It takes a while for AWS to process Config changes.
- [AWS managed config rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) are automatically applied. Those rule may duplicate with Cis1.4.
modules/security_identity_compliance/aws_config/cis-rules.tf-no
+122
View File
@@ -0,0 +1,122 @@
// Config rules from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
// Conformance pack has not been made available to terraform https://github.com/hashicorp/terraform-provider-aws/issues/11098
resource "aws_config_config_rule" "ConfigRule1" {
name = "mfa-enabled-for-iam-console-access"
description = "A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."
source {
owner = "AWS"
source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule2" {
name = "iam-user-unused-credentials-check"
description = "A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first eva..."
input_parameters = "{\"maxCredentialUsageAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule3" {
name = "access-keys-rotated"
description = "A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
input_parameters = "{\"maxAccessKeyAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "ACCESS_KEYS_ROTATED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule4" {
name = "iam-password-policy"
description = "A Config rule that checks whether the account password policy for IAM users meets the specified requirements."
input_parameters = "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "IAM_PASSWORD_POLICY"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule5" {
name = "iam-root-access-key-check"
description = "A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist."
source {
owner = "AWS"
source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule6" {
name = "root-account-mfa-enabled"
description = "A Config rule that checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials."
source {
owner = "AWS"
source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule7" {
name = "root-account-hardware-mfa-enabled"
description = "A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credent..."
source {
owner = "AWS"
source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule8" {
name = "iam-user-no-policies-check"
description = "A Config rule that checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles."
source {
owner = "AWS"
source_identifier = "IAM_USER_NO_POLICIES_CHECK"
}
scope {
compliance_resource_types = ["AWS::IAM::User"]
}
}
resource "aws_config_config_rule" "ConfigRule11" {
name = "iam-policy-no-statements-with-admin-access"
description = "A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT."
source {
owner = "AWS"
source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
}
scope {
compliance_resource_types = ["AWS::IAM::Policy"]
}
}
modules/security_identity_compliance/aws_config/main.tf
+154
View File
@@ -0,0 +1,154 @@
/*
AWS Config Service
If config is already enabled, import it with
terraform import aws_config_configuration_recorder.config-recorder default
*/
data aws_caller_identity this {}
data aws_regions all-regions {}
resource "aws_iam_service_linked_role" "config" {
aws_service_name = "config.amazonaws.com"
}
resource null_resource cli-resource-awsconfig {
for_each = data.aws_regions.all-regions.names
provisioner "local-exec" {
when = create
command = <<-EOD
aws configservice --region ${each.value} put-configuration-recorder --configuration-recorder name=default,roleARN="${aws_iam_service_linked_role.config.arn}" --recording-group allSupported=true,includeGlobalResourceTypes=false
aws configservice --region ${each.value} put-delivery-channel --delivery-channel name=default,s3BucketName=${module.config-bucket.bucket-name},configSnapshotDeliveryProperties={deliveryFrequency=Twelve_Hours}
aws configservice --region ${each.value} put-retention-configuration --retention-period-in-days ${var.config-retention-days}
aws configservice --region ${each.value} put-conformance-pack --conformance-pack-name Cis14Level1 --template-body file://Cis14Level1.yaml
aws configservice --region ${each.value} start-configuration-recorder --configuration-recorder-name default
if [ \"${each.value}\" == \"${var.primary-aws-region}\" ]; then
aws configservice --region ${each.value} put-configuration-recorder --configuration-recorder name=default,roleARN="${aws_iam_service_linked_role.config.arn}" --recording-group allSupported=true,includeGlobalResourceTypes=true
fi
EOD
}
// Destroy provisioner does not accept variables. Workaround is to delete recorder in all regions.
provisioner "local-exec" {
when = destroy
on_failure = continue
command = <<-EOD
aws ec2 describe-regions | jq -cr .Regions[].RegionName | while read r; do
aws configservice --region $r describe-configuration-recorders --output text | while read dummy; do
aws configservice --region $r stop-configuration-recorder --configuration-recorder-name default
aws configservice --region $r delete-delivery-channel --delivery-channel-name default
aws configservice --region $r delete-configuration-recorder --configuration-recorder-name default
done
done
EOD
}
}
resource "aws_config_configuration_aggregator" "config-aggregator" {
depends_on = [null_resource.cli-resource-awsconfig]
name = "ConfigAggregator"
account_aggregation_source {
account_ids = [data.aws_caller_identity.this.id]
all_regions = true
}
}
/*
resource "aws_config_configuration_recorder" "config-recorder" {
name = "${local.resource-prefix}-awsconfig"
role_arn = aws_iam_service_linked_role.config.arn
recording_group {
all_supported = true
include_global_resource_types = true
}
}
resource "aws_config_delivery_channel" "config-delivery-channel" {
name = "${local.resource-prefix}-configdeliverychannel"
s3_bucket_name = module.config-bucket.bucket-name
depends_on = [aws_config_configuration_recorder.config-recorder]
}
resource "aws_config_configuration_recorder_status" "main" {
name = aws_config_configuration_recorder.config-recorder.name
is_enabled = true
depends_on = [aws_config_delivery_channel.config-delivery-channel]
}
*/
######## Config Bucket - Policy ########
module config-bucket {
source = "../../storage/infra-s3-bucket"
bucket-name = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
add-random-suffix = false
bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
default-tags = var.default-tags
}
data "aws_iam_policy_document" "config_bucket_policy" {
statement {
sid = "AWSConfigBucketPermissionsCheck"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:GetBucketAcl",
]
resources = [
"arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
]
}
statement {
sid = "AWSConfigBucketExistenceCheck"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:ListBucket",
]
resources = [
"arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
]
}
statement {
sid = "AWSConfigBucketDelivery"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:PutObject",
]
resources = [
"arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = [
"bucket-owner-full-control",
]
}
}
}
modules/security_identity_compliance/aws_config/provider.tf
+9
View File
@@ -0,0 +1,9 @@
terraform {
required_version = "~> 1.2.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.75.2"
}
}
}
modules/security_identity_compliance/aws_config/variables.tf
+9
View File
@@ -0,0 +1,9 @@
variable "default-tags" {}
variable resource-prefix {}
variable config-retention-days {
type = number
default = 365
}
variable primary-aws-region {}