Enterprise-grade AWS security defaults without enterprise complexity.
This repository provides a secure-by-default AWS baseline that startups can deploy quickly while avoiding common and dangerous misconfigurations.
Add this to your existing Terraform configuration:

```hcl
module "security_baseline" {
  # Pin to a release tag or commit (append ?ref=<tag>) before relying on this in production,
  # so a push to the default branch cannot silently change your security baseline.
  source = "github.com/digikraaft/aws-secure-baseline"

  environment             = "prod"
  logging_bucket_name     = "my-company-security-logs"
  enable_threat_detection = true # GuardDuty & Security Hub
}
```

If you want to use this repository as your standalone security workspace:

- Clone the repo:
  ```
  git clone https://github.com/digikraaft/aws-secure-baseline.git
  ```
- Initialize:
  ```
  terraform init
  ```
- Customize: create a `terraform.tfvars` file:
  ```hcl
  environment         = "prod"
  logging_bucket_name = "my-company-security-logs"
  ```
- Apply (review the plan before confirming; this creates account-level resources such as CloudTrail, AWS Config and a KMS key):
  ```
  terraform apply
  ```
- IAM Hardening: Strict password policies, least privilege defaults, and IAM Access Analyzer.
- S3 & EBS Guardrails: Account-level S3 public access block and default EBS encryption for new volumes (EBS encryption-by-default is a per-region setting, so confirm it in every region you use).
- Centralized Logging: CloudTrail enabled with KMS CMK encryption and log file integrity validation, plus AWS Config recording of resource configuration changes.
- Threat Detection: GuardDuty & Security Hub (Optional).
Some security items cannot (or should not) be fully automated. We provide checklists for:
- Root Account Lockdown (MFA, Access Key removal).
- Audit Checklist.
- Threat Modeling.
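Because root MFA and root access-key removal are manual steps, and the IAM password policy and S3 public access block are applied by the module, a practitioner wants a post-apply check that confirms all of them actually took effect. The following is an added example written for this README; it is not code from the aws-secure-baseline module. It audits three inputs using the response shapes the IAM credential report, `GetAccountPasswordPolicy` and S3 Control `GetPublicAccessBlock` return, against constructed sample data so it runs offline. The thresholds (14-character minimum, 24-password reuse prevention, 90-day rotation, 90-day root-login window) are this example's CIS-style choices, not values the module documents; the account ID and user names in the samples are made up.

```python
"""Post-apply audit for the account-level items this baseline cares about.

Added example for the README, not part of the aws-secure-baseline module.
Checks: root MFA / root access keys / recent root console use (manual checklist),
IAM account password policy (module sets it), S3 account public access block (module sets it).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # the literal user name IAM uses for root in the credential report

# Constructed sample credential report: same columns IAM emits, trimmed to two rows.
# Root here has MFA off, an active access key, and a recent console login (all bad).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-02T14:22:00+00:00,not_supported,not_supported,false,true,2023-01-10T09:05:00+00:00,2024-04-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-01T09:00:00+00:00,2024-05-01T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed sample of iam.get_account_password_policy()["PasswordPolicy"]: deliberately weak.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "ExpirePasswords": False,   # when False, IAM omits MaxPasswordAge entirely
    "PasswordReusePrevention": 5,
}

# Constructed sample of s3control.get_public_access_block(...)["PublicAccessBlockConfiguration"]: half set.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

SAMPLE_NOW = "2024-05-10T00:00:00+00:00"  # fixed "now" so the sample audit is reproducible


def parse_report(csv_text):
    """boto3 hands back the report as CSV bytes in Content; pass the decoded text here."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def root_findings(rows, now_iso=None, recent_days=90):
    """Findings for the manual root-lockdown checklist: MFA, access keys, recent console use."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return ["root account row missing from credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA not enabled")
    for slot in ("1", "2"):
        if root[f"access_key_{slot}_active"] == "true":
            findings.append(f"root access key {slot} is active; delete it")
    last_used = root["password_last_used"]
    # IAM writes one of these placeholders instead of a timestamp when there is no login to report.
    if last_used not in ("N/A", "no_information", "not_supported"):
        if now - datetime.fromisoformat(last_used) < timedelta(days=recent_days):
            findings.append(f"root console login within {recent_days} days ({last_used})")
    return findings


def password_policy_findings(policy, min_length=14, reuse=24, max_age=90):
    """Compare an IAM PasswordPolicy dict against the thresholds this example chose."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append(f"MinimumPasswordLength < {min_length}")
    for key in ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(key):
            findings.append(f"{key} is off")
    if policy.get("PasswordReusePrevention", 0) < reuse:
        findings.append(f"PasswordReusePrevention < {reuse}")
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 10**9) > max_age:
        findings.append(f"passwords do not expire within {max_age} days")
    return findings


def public_access_block_findings(pab):
    """All four account-level S3 public access block flags must be true."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f"{k} is false" for k in keys if not pab.get(k)]


def audit(report_csv, policy, pab, now_iso=None):
    """Run all three checks; an empty list per key means that item passed."""
    return {
        "root": root_findings(parse_report(report_csv), now_iso),
        "password_policy": password_policy_findings(policy),
        "s3_public_access_block": public_access_block_findings(pab),
    }


def fetch_live(account_id):
    """Pull the same three inputs from a real account (needs boto3 and IAM/S3 read permissions).

    get_credential_report raises ReportInProgress until the report generate_credential_report
    kicked off is ready; get_account_password_policy raises NoSuchEntity if none is set, and
    get_public_access_block raises NoSuchPublicAccessBlockConfiguration if none is set. Treat
    the latter two as findings rather than crashes in a real audit.
    """
    import boto3
    iam = boto3.client("iam")
    iam.generate_credential_report()
    report = iam.get_credential_report()["Content"].decode()
    policy = iam.get_account_password_policy()["PasswordPolicy"]
    pab = boto3.client("s3control").get_public_access_block(
        AccountId=account_id)["PublicAccessBlockConfiguration"]
    return report, policy, pab


if __name__ == "__main__":
    for section, items in audit(SAMPLE_REPORT, SAMPLE_POLICY, SAMPLE_PAB, now_iso=SAMPLE_NOW).items():
        print(section, "PASS" if not items else "FAIL: " + "; ".join(items))
```

Run it as-is to see the constructed samples fail all three sections; swap in `fetch_live(<account id>)` for the three sample arguments to audit a real account after `terraform apply` and the manual root lockdown. A clean result is three empty lists.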
Important
GuardDuty & Security Hub are optional but strongly recommended for production. Note: these services incur small additional costs, since GuardDuty is billed on the volume of CloudTrail events, VPC Flow Logs and DNS logs it analyses. For small startups this usually ranges from $1-$10/month depending on log volume.
We intentionally balance automation with safety.
- Root MFA: Must be enrolled manually by a named person, so the hardware or virtual token is held by someone accountable rather than materialized in an automation pipeline or its state.
- IAM Users: We recommend using IAM Identity Center (SSO), so this baseline focuses on account-level policies rather than individual user creation.
Make the secure path the default path.
