Improve README files

Author: snemetz

README.md

@@ -14,13 +14,13 @@ with account/region security setting and security services.
 
 ## Submodules
 
-This module is composed of several submodules and each of which can be used independently.
+This module is composed of several submodules, all of which can be used independently.
 
 - [submodules](./modules/)
 
 ## Examples
 
-- [examples](./examples)
+- [examples](./examples/)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

modules/README.md

@@ -1,7 +1,8 @@
+# submodules
 
 All modules are designed to work in a multi-account organization and to delegate administration to an administrator account (if supported by AWS)
 
-AWS resources that have account or regional security settings
+## AWS resources that have account or regional security settings
 
 | Resource/Service | Supported | Setting |
 | :--------------- | :--: | :---- |
@@ -11,14 +12,14 @@ AWS resources that have account or regional security settings
 | [iam](./baseline_iam)      | yes  | password policy |
 | [s3](./baseline_s3)        | yes  | public access |
 
-AWS services required by Security Hub
+## AWS services required by [Security Hub](./securityhub)
 
 | Resource/Service | Supported | Setting |
 | :--------------- | :--: | :---- |
 | [config](./config)        | | setup |
 | [s3 buckets](./s3_bucket) | | |
 
-AWS services that integrate with Security Hub
+## AWS services that integrate with [Security Hub](./securityhub)
 
 | Service           | Supported |
 | :---------------- | :-------: |

modules/baseline_ebs/README.md

@@ -2,7 +2,7 @@
 
 ## Features
 
-- Enable EBS encryption by default.
+- Enable EBS encryption by default
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

modules/baseline_iam/README.md

@@ -3,7 +3,6 @@
 ## Features
 
 - Set up IAM Password Policy.
-- Create default IAM roles for managing AWS account.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

modules/baseline_s3/README.md

@@ -2,7 +2,7 @@
 
 ## Features
 
-- Enable S3 account-level Public Access Block configuration.
+- Enable S3 account-level Public Access Block configuration
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

modules/cloudtrail/README.md

@@ -1,5 +1,9 @@
 # AWS CloudTrail
 
+## Features
+
+- Enable CloudTrail regions and deliver events to S3
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 

modules/config/README.md

@@ -1,5 +1,9 @@
 # AWS Config
 
+## Features
+
+- Enable AWS Config
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 

modules/config/main.tf

@@ -123,6 +123,7 @@ resource "aws_config_configuration_aggregator" "organization" {
 
 ### SNS
 # Flesh out. Look at cloudposse/sns-topic/aws"
+#tfsec:ignore:aws-sns-enable-topic-encryption
 resource "aws_sns_topic" "config" {
   #checkov:skip=CKV_AWS_26:Allow unencrypted SNS for now
   count             = var.enable ? 1 : 0

modules/guardduty/README.md

@@ -1,5 +1,9 @@
 # AWS GuardDuty
 
+## Features
+
+- Enable GuardDuty
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 

modules/iam_access_analyzer/README.md

@@ -1,5 +1,9 @@
 # AWS Access Analyzer
 
+## Features
+
+- Enable IAM Access Analyzer
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 

modules/s3_bucket/README.md

@@ -1,4 +1,8 @@
-# Create secure S3 bucket in one region for AWS services
+# s3_bucket
+
+## Features
+
+- Create secure S3 bucket for AWS services
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

modules/securityhub/README.md

@@ -1,5 +1,12 @@
 # AWS Security Hub
 
+## Features
+
+- Enable Security Hub
+- Delegate management to administrator account
+- Subscribe to standards
+- Subscribe to 3rd party products (optional)
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements