A terraform module to set up an AWS multi-account, multi-region organization with account/region security setting and security services.
Module is still a Work in Progress
- Designed to delegate management of all security services to dedicated administrator account
- Designed to send all logs to a dedicated log account
This module is composed of several submodules, all of which can be used independently.
| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| aws | >= 4.1.0 |
| time | >= 0.7.2 |
| Name | Version |
|---|---|
| aws | 4.2.0 |
| Name | Source | Version |
|---|---|---|
| baseline_ebs_eu-west-1 | ./modules/baseline_ebs | n/a |
| baseline_ebs_us-east-1 | ./modules/baseline_ebs | n/a |
| baseline_ebs_us-east-2 | ./modules/baseline_ebs | n/a |
| baseline_ecr_eu-west-1 | ./modules/baseline_ecr | n/a |
| baseline_ecr_us-east-1 | ./modules/baseline_ecr | n/a |
| baseline_ecr_us-east-2 | ./modules/baseline_ecr | n/a |
| baseline_iam | ./modules/baseline_iam | n/a |
| baseline_s3 | ./modules/baseline_s3 | n/a |
| cloudtrail | ./modules/cloudtrail | n/a |
| firewall_manager_us-east-1 | ./modules/firewall_manager | n/a |
| guardduty-eu-west-1 | ./modules/guardduty | n/a |
| guardduty-us-east-1 | ./modules/guardduty | n/a |
| guardduty-us-east-2 | ./modules/guardduty | n/a |
| iam_access_analyzer-eu-west-1 | ./modules/iam_access_analyzer | n/a |
| iam_access_analyzer-us-east-1 | ./modules/iam_access_analyzer | n/a |
| iam_access_analyzer-us-east-2 | ./modules/iam_access_analyzer | n/a |
| s3_bucket-eu-west-1 | ./modules/s3_bucket | n/a |
| s3_bucket-us-east-1 | ./modules/s3_bucket | n/a |
| s3_bucket-us-east-2 | ./modules/s3_bucket | n/a |
| scp | ./modules/scp | n/a |
| securityhub_eu-west-1 | ./modules/securityhub | n/a |
| securityhub_us-east-1 | ./modules/securityhub | n/a |
| securityhub_us-east-2 | ./modules/securityhub | n/a |
| Name | Type |
|---|---|
| aws_organizations_organization.self | resource |
| aws_organizations_organization.self | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_type | AWS account type (master, administrator, log, member) | string |
n/a | yes |
| bucket_custom_policy_json | Custom S3 bucket policy override JSON | string |
"" |
no |
| cloudtrail_enable_log_file_validation | Specifies whether log file integrity validation is enabled. Creates signed digest for validated contents of logs | bool |
true |
no |
| cloudtrail_enable_logging | Enable logging for the trail | bool |
true |
no |
| cloudtrail_include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files | bool |
true |
no |
| cloudtrail_insight_selector | Specifies an insight selector for identifying unusual operational activity. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#insight_type details for this variable | list(object({ |
[ |
no |
| cloudtrail_is_multi_region_trail | Specifies whether the trail is created in the current region or in all regions | bool |
true |
no |
| cloudtrail_is_organization_trail | The trail is an AWS Organizations trail | bool |
true |
no |
| cloudtrail_name | CloudTrail trail name | string |
"org" |
no |
| cloudtrail_s3_bucket | CloudTrail S3 bucket | string |
null |
no |
| cloudtrail_s3_key_prefix | S3 key prefix for CloudTrail | string |
"cloudtrail" |
no |
| config_s3_bucket_key_prefix | S3 key prefix for Config | string |
"config" |
no |
| ecr_scan_type | ECR scanning type (BASIC or ENHANCED) | string |
"BASIC" |
no |
| ecr_scanning_rules | List of ECR scanning rules | list(map(string)) |
[ |
no |
| enable_cloudtrail | Enable AWS CloudTrail service | bool |
true |
no |
| enable_config | Enable AWS Config service | bool |
true |
no |
| enable_ebs_baseline | Boolean whether ebs-baseline is enabled. | bool |
true |
no |
| enable_ecr_baseline | Enable ECR image scanning | bool |
true |
no |
| enable_firewall_manager | Enable AWS Firewall Manager service | bool |
true |
no |
| enable_guardduty | Enable AWS GuardDuty service | bool |
true |
no |
| enable_iam_access_analyzer | Enable AWS IAM Access Analyzer | bool |
true |
no |
| enable_iam_baseline | Boolean whether iam-baseline is enabled. | bool |
true |
no |
| enable_s3_baseline | Enable S3 baseline? | bool |
true |
no |
| enable_s3_buckets | Enable S3 buckets? | bool |
false |
no |
| enable_scp | Manage organization SCP policies | bool |
true |
no |
| enable_securityhub | Enable AWS Security Hub service | bool |
true |
no |
| force_destroy | Allow destroy of S3 bucket with objects | bool |
false |
no |
| iam_allow_users_to_change_password | Whether to allow users to change their own password. | bool |
true |
no |
| iam_create_password_policy | Define if the password policy should be created. | bool |
true |
no |
| iam_max_password_age | The number of days that an user password is valid. | number |
0 |
no |
| iam_minimum_password_length | Minimum length to require for user passwords. | number |
14 |
no |
| iam_password_reuse_prevention | The number of previous passwords that users are prevented from reusing. | number |
24 |
no |
| iam_require_lowercase_characters | Whether to require lowercase characters for user passwords. | bool |
true |
no |
| iam_require_numbers | Whether to require numbers for user passwords. | bool |
true |
no |
| iam_require_symbols | Whether to require symbols for user passwords. | bool |
true |
no |
| iam_require_uppercase_characters | Whether to require uppercase characters for user passwords. | bool |
true |
no |
| s3_block_public_acls | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | bool |
true |
no |
| s3_block_public_policy | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | bool |
true |
no |
| s3_ignore_public_acls | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | bool |
true |
no |
| s3_restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | bool |
true |
no |
| security_administrator_account_id | AWS Security Administrator Account ID | number |
n/a | yes |
| securityhub_enable_products | Subscribe Security Hub to Products | list(string) |
[] |
no |
| tags | Specifies object tags key and value. This applies to all resources created by this module. | map(any) |
{ |
no |
| target_regions | A list of regions to set up with this module. | list(string) |
[ |
no |
| vpc_flow_logs_s3_key_prefix | S3 key prefix for VPC Flow Logs | string |
"flow-logs" |
no |
| Name | Description |
|---|---|
| s3_bucket_arns | S3 Bucket ARNs |
| s3_bucket_names | S3 Bucket Names |
| s3_bucket_region_arn_map | Map of regions and S3 ARNs |
| s3_bucket_region_name_map | Map of regions and S3 names |
