schubergphilis/terraform-aws-mcaf-account-baseline

terraform-aws-mcaf-account-baseline

Terraform module to manage baseline configuration for AWS accounts.

How to use

Basic configuration

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"
}

AWS Config Rules

If you would like to authorise other accounts to aggregate AWS Config data, account IDs and regions can be passed to var.aws_config using the attributes aggregator_account_ids and aggregator_regions respectively.

Note: Control Tower already authorizes the audit account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit account ID in the aggregator_account_ids list.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  aggregator_regions     = ["eu-west-1"]
}

AWS Security Hub

This module enables the following standards by default:

  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v1.4.0
  • PCI DSS v3.2.1

You are able to control the enabled standards via var.aws_security_hub_standards_arns.
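The following root module is an added example, not code from the terraform-aws-mcaf-account-baseline project. It shows the Config aggregator and Security Hub settings from the two sections above together with the EBS encryption and password policy inputs the module exposes. The account ID 111122223333, the tag values, the customer-managed KMS key and the choice of password policy values are constructed placeholders; the Security Hub standard ARNs are the regional form AWS publishes for these standards, so confirm them for your region with `aws securityhub describe-standards` before applying.

```hcl
# Added example (not the module's own code): a fuller baseline that overrides
# the defaults. Account ID, tag values and the KMS key are placeholders.

data "aws_region" "current" {}

locals {
  tags = {
    Environment = "example"
    ManagedBy   = "terraform"
  }

  # Regional Security Hub standard ARNs as published by AWS. PCI DSS is left
  # out here on the assumption that this account handles no cardholder data;
  # verify the ARNs with: aws securityhub describe-standards
  security_hub_standards = [
    "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
    "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
  ]
}

# Customer-managed key for EBS default encryption, with automatic rotation.
resource "aws_kms_key" "ebs" {
  description         = "Account default EBS encryption key"
  enable_key_rotation = true
  tags                = local.tags
}

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"

  # The object type declares no optional() attributes, so every attribute
  # must be set when overriding the default policy.
  account_password_policy = {
    allow_users_to_change        = true
    max_age                      = 60
    minimum_length               = 16
    require_lowercase_characters = true
    require_numbers              = true
    require_symbols              = true
    require_uppercase_characters = true
    reuse_prevention_history     = 24
  }

  # Authorise a dedicated security tooling account (placeholder ID) to
  # aggregate this account's Config data in the current region only.
  aws_config = {
    aggregator_account_ids = ["111122223333"]
    aggregator_regions     = [data.aws_region.current.name]
  }

  # Encrypt new EBS volumes by default with the customer-managed key above.
  aws_ebs_encryption_by_default = true
  aws_ebs_encryption_custom_key = true
  aws_kms_key_arn               = aws_kms_key.ebs.arn

  # Replace the module's default standard set (FSBP, CIS 1.4.0, PCI DSS).
  aws_security_hub_standards_arns = local.security_hub_standards

  tags = local.tags
}
```

Because aws_security_hub_standards_arns replaces the default list rather than extending it, any standard omitted from the list is not subscribed; if you only want to add a standard, include the three defaults as well. The Config aggregator entry authorises the listed account to read this account's Config data, so keep that list limited to accounts that genuinely operate the aggregator.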

MCAF Service Quotas Manager integration

This module can deploy the IAM role required by the MCAF Service Quotas Manager module. Set assuming_principal_identifier to the ARN of the ServiceQuotasManagerExecutionRole, which by default is arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>.

Note

The Service Quotas Manager module should be deployed first before deploying this integration. Only existing IAM roles can be referenced as principals.
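The following root module is an added example, not code from this project or from the Service Quotas Manager module. It builds the principal ARN from the default naming pattern given above and passes it through var.service_quotas_manager_role. The variable service_quotas_manager_account_id, the locals and the permissions boundary policy name are constructed for this example; which account the Service Quotas Manager runs in is an assumption you supply.

```hcl
# Added example (not the module's own code): wire up the role for the MCAF
# Service Quotas Manager. Assumes the Service Quotas Manager is already
# deployed, so that ServiceQuotasManagerExecutionRole-<region> exists.

variable "service_quotas_manager_account_id" {
  description = "Account in which the MCAF Service Quotas Manager is deployed (may be this account)"
  type        = string

  # Catch a malformed account ID at plan time rather than as an IAM error at apply.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.service_quotas_manager_account_id))
    error_message = "service_quotas_manager_account_id must be a 12-digit AWS account ID."
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Mirrors the default documented above:
  # arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>
  sqm_execution_role_arn = format(
    "arn:aws:iam::%s:role/ServiceQuotasManagerExecutionRole-%s",
    var.service_quotas_manager_account_id,
    data.aws_region.current.name,
  )

  # Placeholder boundary policy in this account; replace with your own.
  permissions_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PLACEHOLDER-permissions-boundary"
}

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"

  service_quotas_manager_role = {
    assuming_principal_identifier = local.sqm_execution_role_arn
    # path is optional and defaults to "/"; permissions_boundary is optional
    # and keeps the created role within the account's boundary policy.
    permissions_boundary = local.permissions_boundary_arn
  }
}
```

If the execution role does not yet exist, IAM rejects the trust policy at apply time with an invalid-principal error, which is the behaviour the note above refers to: deploy the Service Quotas Manager first, then apply this integration.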

Requirements

Name Version
terraform >= 1.2.0
aws >= 4.0.0

Providers

Name Version
aws >= 4.0.0

Modules

Name Source Version
service_quota_manager_role github.com/schubergphilis/terraform-aws-mcaf-role v0.3.3

Resources

Name Type
aws_config_aggregate_authorization.default resource
aws_ebs_default_kms_key.default resource
aws_ebs_encryption_by_default.default resource
aws_iam_account_password_policy.default resource
aws_securityhub_standards_subscription.default resource
aws_region.current data source

Inputs

account_password_policy
  Description: AWS account password policy parameters
  Type:
    object({
      allow_users_to_change        = bool
      max_age                      = number
      minimum_length               = number
      require_lowercase_characters = bool
      require_numbers              = bool
      require_symbols              = bool
      require_uppercase_characters = bool
      reuse_prevention_history     = number
    })
  Default:
    {
      "allow_users_to_change": true,
      "max_age": 90,
      "minimum_length": 14,
      "require_lowercase_characters": true,
      "require_numbers": true,
      "require_symbols": true,
      "require_uppercase_characters": true,
      "reuse_prevention_history": 24
    }
  Required: no

aws_config
  Description: AWS Config settings
  Type:
    object({
      aggregator_account_ids = list(string)
      aggregator_regions     = list(string)
    })
  Default: null
  Required: no

aws_ebs_encryption_by_default
  Description: Set to true to enable AWS Elastic Block Store encryption by default
  Type: bool
  Default: true
  Required: no

aws_ebs_encryption_custom_key
  Description: Set to true and specify aws_kms_key_arn to use a customer-managed key in place of the AWS-managed default CMK
  Type: bool
  Default: false
  Required: no

aws_kms_key_arn
  Description: The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volumes
  Type: string
  Default: null
  Required: no

aws_security_hub_standards_arns
  Description: A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list, the default standards are enabled
  Type: list(string)
  Default: null
  Required: no

service_quotas_manager_role
  Description: Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module
  Type:
    object({
      assuming_principal_identifier = string
      path                          = optional(string, "/")
      permissions_boundary          = optional(string, null)
    })
  Default: null
  Required: no

tags
  Description: Map of tags
  Type: map(string)
  Default: {}
  Required: no

Outputs

No outputs.