clouddrove/terraform-aws-secure-baseline

Terraform AWS Secure Baseline

Terraform module to create a secure baseline for an AWS account. It is made up of independent submodules, including an alarm baseline, a Config baseline, and a CloudTrail baseline.



We eat, drink, sleep and, most importantly, love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believers in the philosophy that bigger problems are always solved by breaking them into smaller, manageable problems. In keeping with microservices architecture, it is considered best practice to run databases, clusters and storage as smaller, connected yet manageable pieces within the infrastructure.

This module combines open-source Terraform resources and includes automated tests and examples. It helps you create and improve your infrastructure with minimal code instead of maintaining the whole infrastructure code yourself.

We have more than fifty Terraform modules. Some are complete and available for open-source use, while others are in progress.

Prerequisites

This module has a few dependencies:

Examples

IMPORTANT: Because the master branch used in `source` changes with every new modification, pin the `version` argument to a release version (as the examples below do) rather than tracking a branch.

Submodules

There are independent submodules:

  • alarm - to create CloudWatch alarms for security-relevant CloudTrail events such as unauthorized API calls, console sign-in without MFA, root account usage, and changes to IAM, CloudTrail configuration, security groups, NACLs, route tables and VPCs.
  • analyzer - to enable IAM Access Analyzer, which identifies resource policies that grant access to an external principal.
  • cloudtrail - to enable operational and risk auditing, governance, and compliance of your AWS account by recording API activity.
  • config - to record configuration changes of the AWS resources in your account and evaluate them against AWS Config rules.
  • ebs - to turn on EBS encryption by default, so that every new EBS volume is encrypted with either the default KMS key or the KMS key you specify when creating it.
  • guardduty - threat detection service that continuously monitors for malicious activity and unauthorized behaviour to protect your AWS resources.
  • iam - to create baseline IAM roles (master, manager and support) for controlled access to AWS resources.
  • inspector - automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
  • security-hub - provides a comprehensive view of your security state in AWS and checks your environment against security industry standards and best practices.
  • shield - managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS.

Alarm

Here is an example of how you can use this module in your inventory structure:

  module "alarm" {
    source      = "clouddrove/secure-baseline/aws//modules/alarm"
    version     = "1.4.0"

    name        = "alarm"
    environment = "test"
    label_order = ["name", "environment"]

    enabled                    = true
    unauthorized_api_calls     = true
    no_mfa_console_signin      = true
    root_usage                 = true
    iam_changes                = true
    cloudtrail_cfg_changes     = true
    console_signin_failures    = true
    disable_or_delete_cmk      = true
    s3_bucket_policy_changes   = true
    security_group_changes     = true
    nacl_changes               = true
    network_gw_changes         = true
    route_table_changes        = true
    vpc_changes                = true
    alarm_namespace            = "Alert_Alarm"
    aws_config_changes_enabled = true

    variables = {
      SLACK_WEBHOOK = "" # Slack incoming-webhook URL (a secret: pass it in from a sensitive variable, not as a literal)
      SLACK_CHANNEL = "" # Slack channel that receives the notifications
    }
  }

Analyzer

Here is an example of how you can use this module in your inventory structure:

  module "analyzer" {
    source      = "clouddrove/secure-baseline/aws//modules/analyzer"
    version     = "1.4.0"

    name        = "analyzer"
    environment = "test"
    label_order = ["name", "environment"]
    enabled     = true

    ## IAM Access Analyzer
    type = "ACCOUNT"

    variables = {
      slack_webhook = "" # Slack incoming-webhook URL (a secret: pass it in from a sensitive variable, not as a literal)
      slack_channel = "" # Slack channel that receives the notifications
    }
  }

Cloudtrail

Here is an example of how you can use this module in your inventory structure:

  module "Cloudtrail" {
    source  = "clouddrove/secure-baseline/aws//modules/cloudtrail"
    version = "1.4.0"

    name        = "cloudtrail"
    environment = "security"
    label_order = ["name", "environment"]

    # Cloudtrail S3 Bucket Configuration
    create_bucket           = true
    bucket_versioning       = true
    logging                 = true
    force_destroy           = true # lets terraform destroy delete the bucket together with its audit logs; set to false for production trails
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true

    # Cloudtrail Configuration
    enabled_cloudtrail    = true
    enable_cloudwatch     = true
    bucket_policy         = true
    is_multi_region_trail = true
    kms_enabled           = true
    enable_logging        = true

    event_ignore_list = jsonencode([
      "^Describe*",
      "^Assume*",
      "^List*",
      "^Get*",
      "^Decrypt*",
      "^Lookup*",
      "^BatchGet*",
      "^CreateLogStream$",
      "^RenewRole$",
      "^REST.GET.OBJECT_LOCK_CONFIGURATION$",
      "TestEventPattern",
      "TestScheduleExpression",
      "CreateNetworkInterface",
      "ValidateTemplate"
    ])
    event_alert_list = jsonencode([
      "DetachRolePolicy",
      "ConsoleLogin"
    ])
    user_ignore_list = jsonencode([
      "^awslambda_*",
      "^aws-batch$",
      "^bamboo*",
      "^i-*",
      "^[0-9]*$",
      "^ecs-service-scheduler$",
      "^AutoScaling$",
      "^AWSCloudFormation$",
      "^CloudTrailBot$",
      "^SLRManagement$"
    ])
    source_list = jsonencode([
      "aws-sdk-go"
    ])

    # Slack Alerts
    slack_webhook = "" # Slack incoming-webhook URL (a secret: pass it in from a sensitive variable, not as a literal)
    slack_channel = "" # Slack channel that receives the notifications
  }

Config

Here is an example of how you can use this module in your inventory structure:

  module "config" {
    source      = "clouddrove/secure-baseline/aws//modules/config"
    version     = "1.4.0"

    name                  = "config"
    environment           = "security"
    label_order           = ["name", "environment"]
    config_s3_bucket_name = "config-bucketssss" # placeholder; S3 bucket names must be globally unique
    enabled               = true

    # roles
    restricted_ports                   = true
    restricted_ports_list              = "{\"blockedPort1\": \"22\", \"blockedPort2\": \"3306\",\"blockedPort3\": \"6379\", \"blockedPort4\": \"5432\"}"
    iam_mfa                            = true
    unused_credentials                 = true
    user_no_policies                   = true
    no_policies_with_full_admin_access = true
    acm_certificate_expiration_check   = true
    ec2_volume_inuse_check             = true
    ebs_snapshot_public_restorable     = true
    rds_instance_public_access_check   = true
    rds_snapshots_public_prohibited    = true
    guardduty_enabled_centralized      = true
    s3_bucket_public_write_prohibited  = true
    eip_attached                       = false
    ec2_encrypted_volumes              = true
    iam_root_access_key                = true
    vpc_default_security_group_closed  = false
    s3_bucket_ssl_requests_only        = false
    multi_region_cloudtrail_enabled    = true
    instances_in_vpc                   = true
    cloudwatch_log_group_encrypted     = false
    rds_storage_encrypted              = true

    iam_password_policy        = false
    password_require_uppercase = true
    password_require_lowercase = true
    password_require_symbols   = true
    password_require_numbers   = true
    password_max_age           = 90
    slack_enabled              = false

    variables = {
      SLACK_WEBHOOK = "" # Slack incoming-webhook URL (a secret: pass it in from a sensitive variable, not as a literal)
      SLACK_CHANNEL = "" # Slack channel that receives the notifications
    }
  }

EBS Default encryption

Here is an example of how you can use this module in your inventory structure:

  module "ebs-encryption" {
    source      = "clouddrove/secure-baseline/aws//modules/ebs"
    version     = "1.4.0"

    enabled                       = true
    enable_default_ebs_encryption = true
  }

GuardDuty

Here is an example of how you can use this module in your inventory structure:

  module "guardduty" {
    source      = "clouddrove/secure-baseline/aws//modules/guardduty"
    version     = "1.4.0"

    name         = "test-guardduty"
    label_order  = ["name"]
    enabled      = true
    ipset_iplist = ["10.10.0.0/16"] # trusted IP list: GuardDuty does not generate findings for addresses in these CIDRs

    finding_publishing_frequency = "ONE_HOUR"

    # S3
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true

    organization_auto_enable = false

    # Slack Alerts
    slack_enabled = false # Pass true to enable lambda
  }

IAM

Here is an example of how you can use this module in your inventory structure:

  # The support role trusts the ARN of the identity running Terraform, so the
  # caller-identity data source must be declared alongside the module.
  data "aws_caller_identity" "current" {}

  module "iam" {
    source      = "clouddrove/secure-baseline/aws//modules/iam"
    version     = "1.4.0"

    name        = "iam-baseline"
    environment = "test"
    label_order = ["name", "environment"]
    enabled     = true

    master_iam_role_name           = "IAM-Master"
    master_iam_role_policy_name    = "IAM-Master-Policy"
    manager_iam_role_name          = "IAM-Manager"
    manager_iam_role_policy_name   = "IAM-Manager-Policy"
    support_iam_role_name          = "IAM-Support"
    support_iam_role_policy_name   = "IAM-Support-Policy"
    # Principal allowed to assume the support role; here the identity running Terraform.
    support_iam_role_principal_arn = data.aws_caller_identity.current.arn
  }

Inspector

Here is an example of how you can use this module in your inventory structure:

  module "inspector" {
    source      = "clouddrove/secure-baseline/aws//modules/inspector"
    version     = "1.4.0"

    name        = "inspector"
    environment = "security"
    label_order = ["name", "environment"]
    enabled     = true

    instance_tags = {
      "Inspector" = true
    }

    duration            = 300
    lambda_enabled      = true
    schedule_expression = "cron(0/10 * ? * * *)"
    handler             = "index.handler"
    runtime             = "nodejs18.x"
    statement_ids       = ["AllowExecutionFromEvents"]
    actions             = ["lambda:InvokeFunction"]
    principals          = ["events.amazonaws.com"]

    iam_actions = [
      "inspector:StartAssessmentRun",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
  }

Security Hub

Here is an example of how you can use this module in your inventory structure:

  module "security-hub" {
    source      = "clouddrove/secure-baseline/aws//modules/security-hub"
    version     = "1.4.0"

    security_hub_enabled = true

    #standards 
    enabled_standards = [
      "standards/aws-foundational-security-best-practices/v/1.0.0",
      "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
    ]

    #products
    enabled_products = [
      "product/aws/guardduty",
      "product/aws/inspector"
    ]
  }

Shield

Here is an example of how you can use this module in your inventory structure:

  module "shield" {
    source      = "clouddrove/secure-baseline/aws//modules/shield"
    version     = "1.4.0"

    name        = "shield"
    environment = "security"
    label_order = ["name", "environment"]
    enabled     = false

    ## AWS SHIELD
    resource_arn = [] # ARNs of the resources to protect with Shield, e.g. a CloudFront distribution, ALB, EIP or Route 53 hosted zone

  }
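The per-module examples above each show one submodule in isolation. The following root module, added here as an example and not taken from the clouddrove repository, composes the CloudTrail, alarm and IAM submodules the way a practitioner would deploy them: release versions pinned, the Slack webhook supplied through a sensitive variable instead of a string literal, the log bucket protected from `terraform destroy`, and the caller-identity data source that the IAM example references declared. The variable names `slack_webhook_url` and `slack_channel` and the region are assumptions; the module input names are the ones shown in the examples above.

```hcl
# Added example (not part of clouddrove/terraform-aws-secure-baseline).
# Assumptions: input names as in the README examples; variable names and
# region are chosen here.

terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# The webhook is a secret: never write it into the configuration. Supply it via
# TF_VAR_slack_webhook_url (or a secrets-store data source). sensitive = true
# redacts it from plan/apply output; it still lands in state, so protect state.
variable "slack_webhook_url" {
  type      = string
  sensitive = true
  default   = ""
}

variable "slack_channel" {
  type    = string
  default = "#security-alerts" # assumption
}

# Identity running Terraform; used as the trusted principal of the support role.
data "aws_caller_identity" "current" {}

module "cloudtrail" {
  source  = "clouddrove/secure-baseline/aws//modules/cloudtrail"
  version = "1.4.0" # pin a release, never a branch

  name        = "cloudtrail"
  environment = "security"
  label_order = ["name", "environment"]

  create_bucket           = true
  bucket_versioning       = true
  logging                 = true
  force_destroy           = false # audit logs must survive a terraform destroy
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  enabled_cloudtrail    = true
  enable_cloudwatch     = true # metric-filter alarms need the trail in CloudWatch Logs
  bucket_policy         = true
  is_multi_region_trail = true
  kms_enabled           = true
  enable_logging        = true

  slack_webhook = var.slack_webhook_url
  slack_channel = var.slack_channel
}

module "alarm" {
  source  = "clouddrove/secure-baseline/aws//modules/alarm"
  version = "1.4.0"

  name        = "alarm"
  environment = "security"
  label_order = ["name", "environment"]

  enabled                = true
  unauthorized_api_calls = true
  no_mfa_console_signin  = true
  root_usage             = true
  iam_changes            = true
  cloudtrail_cfg_changes = true

  variables = {
    SLACK_WEBHOOK = var.slack_webhook_url
    SLACK_CHANNEL = var.slack_channel
  }
}

module "iam" {
  source  = "clouddrove/secure-baseline/aws//modules/iam"
  version = "1.4.0"

  name        = "iam-baseline"
  environment = "security"
  label_order = ["name", "environment"]
  enabled     = true

  master_iam_role_name           = "IAM-Master"
  master_iam_role_policy_name    = "IAM-Master-Policy"
  manager_iam_role_name          = "IAM-Manager"
  manager_iam_role_policy_name   = "IAM-Manager-Policy"
  support_iam_role_name          = "IAM-Support"
  support_iam_role_policy_name   = "IAM-Support-Policy"
  support_iam_role_principal_arn = data.aws_caller_identity.current.arn
}
```

Run it with `TF_VAR_slack_webhook_url` set in the environment rather than in a committed tfvars file. Marking the variable sensitive hides it from plan and apply output but not from the state file, so the state backend needs the same protection as the webhook itself. The alarm submodule's CloudWatch metric-filter alarms only fire when the trail delivers events to CloudWatch Logs, which is why `enable_cloudwatch` stays true.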

Feedback

If you come across a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].

If you have found it worth your time, go ahead and give us a ★ on our GitHub!

About us

At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!


We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
