
A terraform module to make AWS account compliant with CIS Level 1 , CIS Level 2 and SOC 2 controls


squareops/terraform-aws-security-automations


AWS Security Check

Welcome to the AWS Security Checks Module! This module is designed to perform security compliance checks on AWS accounts according to the CIS Level 1, CIS Level 2, and SOC 2 frameworks. It helps ensure that your AWS infrastructure aligns with these security standards.

Introduction

The AWS Security Checks Module is a powerful tool for automating the process of auditing and validating AWS accounts against common security benchmarks. It provides a structured framework for performing CIS Level 1, CIS Level 2, and SOC 2 compliance checks.

Important note

To achieve 100% compliance for your AWS infrastructure, some checks must be performed manually; these are listed in the respective cis-level directories.

To encrypt the CloudWatch log group used by CloudTrail, use the following KMS key policy. Replace the account ID and region with your own.

{
    "Version": "2012-10-17",
    "Id": "allow-cloudwatch-logs-encryption",
    "Statement": [
        {
            "Sid": "AllowRootFullPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowCloudWatchLogsEncryption",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-2.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
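As an added check (not code from the squareops module), the script below validates a policy like the one above before it is attached to a key: it flags an account ID that is not the 12-digit form AWS uses and a logs.<region>.amazonaws.com service principal whose region differs from the region of the key later passed as cloudwatch_logs_kms_key_arn. The key_region parameter, the function name and the embedded sample policy are constructed for this example.

```python
# Added example (not module code): sanity-check a KMS key policy intended for the
# CloudTrail CloudWatch log group, catching the placeholder account ID / region
# that the README says must be replaced before the policy is attached to a key.
import json
import re

ROOT_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")            # real IDs are 12 digits
LOGS_SVC_RE = re.compile(r"^logs\.([a-z0-9-]+)\.amazonaws\.com$")  # regional logs principal
REQUIRED_LOGS_ACTIONS = {"kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                         "kms:GenerateDataKey*", "kms:Describe*"}


def check_logs_kms_policy(policy_json, key_region):
    """Return a list of findings; an empty list means the policy looks usable."""
    findings, has_root, logs_statement = [], False, None
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or missing principal: not one of the two expected statements
        aws = principal.get("AWS")
        if isinstance(aws, str) and aws.endswith(":root"):
            has_root = True  # account-level admin statement; key stays manageable
            if not ROOT_ARN_RE.match(aws):
                findings.append(f"account principal is not a 12-digit root ARN: {aws}")
        service = principal.get("Service")
        if isinstance(service, str) and LOGS_SVC_RE.match(service):
            logs_statement = stmt
            region = LOGS_SVC_RE.match(service).group(1)
            if region != key_region:
                findings.append(f"logs principal region {region} != key region {key_region}")
    if not has_root:
        findings.append("no statement for the account root principal")
    if logs_statement is None:
        findings.append("no statement for the CloudWatch Logs service principal")
    else:
        actions = logs_statement.get("Action", [])
        missing = REQUIRED_LOGS_ACTIONS - ({actions} if isinstance(actions, str) else set(actions))
        if missing:
            findings.append("logs statement lacks actions: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample: the README policy as published (8-digit placeholder account,
# logs principal for us-east-2) checked against a us-east-1 key, as in the usage example.
README_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::12345678:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "logs.us-east-2.amazonaws.com"},
     "Action": sorted(REQUIRED_LOGS_ACTIONS), "Resource": "*"}]})
```

Run it against the policy you intend to attach and the region from your key ARN; the unmodified README policy yields two findings, one for each placeholder value.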

Features

  • Pre-configured checks for CIS Level 1, CIS Level 2, and SOC 2 security benchmarks.
  • Organized folder structure for easy navigation and maintenance.
  • Customizable configurations to adapt to different environments.
  • Automated and repeatable security assessment process.

Directory Structure

The module is organized into the following directories:

  • cis-level-1: Contains code for CIS Level 1 compliance checks.
  • cis-level-2: Contains code for CIS Level 2 compliance checks.
  • soc2: Contains code for SOC 2 compliance checks.
  • examples: Contains example scripts to call compliance checks based on the desired level.

Each folder contains configuration files specific to the corresponding security framework.

Getting Started

To get started with the AWS Security Checks Module, follow these steps:

  1. Clone the repository to your local machine: https://github.com/sq-ia/terraform-aws-infrasec
  2. Navigate to the desired framework folder (cis-level-1, cis-level-2, or soc2).
  3. Review the documentation for each check to understand its purpose and requirements.

Usage

The examples folder contains terraform code to call compliance checks based on the desired level:

  • To run CIS Level 1, CIS Level 2 and SOC 2 checks, set the check_level variable accordingly. See the example below.
module "cis" {

  source                                = "squareops/security-automations/aws"
  version                               = "1.0.1"

  name                                  = local.name
  region                                = local.region
  email                                 = "skaf-demo@squareops.com"
  cron_expression                       = "cron(0 22 1,10,20,28 * ? 2023)"
  check_level                           = local.check_level
  s3_enabled                            = true
  config_enabled                        = true
  include_global_resource_types         = true
  cw_log_enabled                        = true
  alerting_enabled                      = true
  multiple_access_key_notification      = true
  multiple_access_key_deactivate        = false
  disable_unused_credentials            = false
  disable_unused_credentials_after_days = 90
  remove_ssl_tls_iam                    = false
  enable_guard_duty                     = true
  enable_security_hub                   = true
  enable_aws_macie                      = true
  mfa_iam_group_name                    = "mfa-group"                                       ## enter your IAM user group for mfa
  cloudwatch_logs_kms_key_arn           = "arn:aws:kms:us-east-1:123456:key/3116fc04-dbbd-" ## enter kms key arn for encrypting cloudwatch log group of cloud trail
  cloudwatch_log_group_retention_days   = 60
  s3_object_expiration_days             = 90
}

Requirements

| Name | Version |
|------|---------|
| terraform | > 1.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| cis-level-1 | ./modules/cis-level-1 | n/a |
| cis-level-2 | ./modules/cis-level-2 | n/a |
| soc2 | ./modules/soc2 | n/a |

Resources

| Name | Type |
|------|------|
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alarm_namespace | Namespace for the CloudWatch alarm metric | string | "CISBenchmark" | no |
| alerting_enabled | Enable alerting | bool | true | no |
| audit_log_bucket_custom_policy_json | Override the custom policy for the S3 logging bucket (JSON format). | string | "" | no |
| check_level | List of CIS checks to deploy. | list(any) | [] | no |
| cloudtrail_event_selector_type | Types of events that will be aggregated in CloudTrail | string | "All" | no |
| cloudtrail_kms_policy | KMS policy for CloudTrail logs | string | "" | no |
| cloudwatch_log_group_retention_days | Number of days to retain logs in CloudWatch log groups for CloudTrail. | number | 30 | no |
| cloudwatch_logs_kms_key_arn | KMS key for CloudWatch Logs encryption | string | "" | no |
| config_enabled | Set to true to enable AWS Config. | bool | true | no |
| cron_expression | Cron expression to trigger a Lambda function on a regular schedule. | string | "cron(0 22 1,10,20,28 * ? 2023)" | no |
| cw_log_enabled | Set to true to aggregate logs in CloudWatch | bool | true | no |
| disable_unused_credentials | Disable unused IAM user credentials. | bool | false | no |
| disable_unused_credentials_after_days | Number of days after which unused IAM credentials will be disabled. | number | "90" | no |
| email | Email address for receiving notifications from Amazon SNS. | string | "" | no |
| enable_aws_macie | Enable AWS Macie for data discovery and protection. | bool | true | no |
| enable_guard_duty | Enable AWS GuardDuty for threat detection. | bool | true | no |
| enable_security_hub | Enable AWS Security Hub for centralized security monitoring. | bool | true | no |
| iam_allow_users_to_change_password | Set to true to allow users to change their own password | bool | true | no |
| iam_hard_expiry | Set to true to enforce hard password expiration for all users. | bool | true | no |
| iam_max_password_age | Maximum password age in days before expiration. | number | 90 | no |
| iam_minimum_password_length | Minimum length requirement for user passwords. | number | 14 | no |
| iam_password_reuse_prevention | Number of previous passwords that may not be reused | number | 24 | no |
| iam_require_lowercase_characters | Require at least one lowercase letter in passwords | bool | true | no |
| iam_require_numbers | Require at least one number in passwords | bool | true | no |
| iam_require_symbols | Require at least one symbol in passwords | bool | true | no |
| iam_require_uppercase_characters | Require at least one uppercase letter in passwords | bool | true | no |
| include_global_resource_types | Set to true to enable recording of global resources in AWS Config | bool | true | no |
| mfa_iam_group_name | Name of the IAM user group to which MFA user policies will be added. | string | "test-user-group" | no |
| multiple_access_key_deactivate | Deactivate newly created active access keys for IAM users. | bool | false | no |
| multiple_access_key_notification | Send email notifications for IAM users with multiple active access keys. | bool | true | no |
| name | Prefix for all resources (e.g., 'my-app') to identify them in the cloud environment. | string | "" | no |
| region | AWS region where resources will be provisioned. | string | "us-east-2" | no |
| remove_ssl_tls_iam | Remove expired SSL/TLS certificates from IAM. | bool | false | no |
| s3_enabled | Set to true to enable exporting CloudTrail logs to an S3 bucket. | bool | true | no |
| s3_object_expiration_days | Number of days after which S3 objects expire. | number | "90" | no |
| tags | Tags to be applied to all resources | map(string) | {"key": "AWS_CIS_Benchmark", "value": "1.2.0"} | no |

Outputs

| Name | Description |
|------|-------------|
| access_log_bucket_arn | S3 bucket for storing audit logs of config. |
| access_log_bucket_id | S3 bucket for storing audit logs of config. |
| audit_bucket_arn | S3 bucket for storing audit logs of config. |
| audit_bucket_id | S3 bucket for storing audit logs of config. |
| sns_topic_arn | SNS topic ARN |

Contribution & Issue Reporting

To report an issue with a project:

  1. Check the repository's issue tracker on GitHub
  2. Search to see if the issue has already been reported
  3. If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.

License

Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).

Support Us

To support a GitHub project by starring it, follow these steps:

  1. Visit the repository: Navigate to the GitHub repository.

  2. Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.

  3. Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.

Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.

Who we are

We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That's why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & processes for speed and agility.

  1. We are an AWS Advanced Consulting Partner, which reflects our deep expertise in AWS Cloud and our work with 100+ clients over the last 5 years.
  2. Expertise in Kubernetes and overall container solutions helps companies expedite their journey by 10X.
  3. Infrastructure automation is a key component of our clients' success, and our expertise helps deliver it in the shortest time.
  4. DevSecOps as a service to implement security within the overall DevOps process, helping companies deploy securely and at speed.
  5. Platform engineering that supports scalable, cost-efficient infrastructure for rapid development, testing, and deployment.
  6. 24x7 SRE service to help you monitor the state of your infrastructure and eradicate any issue within the SLA.

We provide support on all of our projects, no matter how small or large they may be.

To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.
