terraform.aws-baseline-infra/modules/security_identity_compliance/aws_config/cis-rules.tf

// Config rules from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
// Conformance pack has not been made available to terraform https://github.com/hashicorp/terraform-provider-aws/issues/11098

resource "aws_config_config_rule" "ConfigRule1" {
  name = "mfa-enabled-for-iam-console-access"
  description = "A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."

  source {
    owner = "AWS"
    source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule2" {
  name = "iam-user-unused-credentials-check"
  description = "A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first eva..."
  input_parameters = "{\"maxCredentialUsageAge\":\"90\"}"

  source {
    owner = "AWS"
    source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule3" {
  name = "access-keys-rotated"
  description = "A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
  input_parameters = "{\"maxAccessKeyAge\":\"90\"}"

  source {
    owner = "AWS"
    source_identifier = "ACCESS_KEYS_ROTATED"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule4" {
  name = "iam-password-policy"
  description = "A Config rule that checks whether the account password policy for IAM users meets the specified requirements."
  input_parameters = "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\"}"

  source {
    owner = "AWS"
    source_identifier = "IAM_PASSWORD_POLICY"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule5" {
  name = "iam-root-access-key-check"
  description = "A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist."

  source {
    owner = "AWS"
    source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule6" {
  name = "root-account-mfa-enabled"
  description = "A Config rule that checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials."

  source {
    owner = "AWS"
    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule7" {
  name = "root-account-hardware-mfa-enabled"
  description = "A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credent..."

  source {
    owner = "AWS"
    source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"
  }
  scope {
    compliance_resource_types = []
  }
}

resource "aws_config_config_rule" "ConfigRule8" {
  name = "iam-user-no-policies-check"
  description = "A Config rule that checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles."

  source {
    owner = "AWS"
    source_identifier = "IAM_USER_NO_POLICIES_CHECK"
  }
  scope {
    compliance_resource_types = ["AWS::IAM::User"]
  }
}

resource "aws_config_config_rule" "ConfigRule11" {
  name = "iam-policy-no-statements-with-admin-access"
  description = "A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT."

  source {
    owner = "AWS"
    source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
  }
  scope {
    compliance_resource_types = ["AWS::IAM::Policy"]
  }
}
NEW: added config rules for CIS 2021-01-29 17:35:45 +08:00			`// Config rules from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/`
			`// Conformance pack has not been made available to terraform https://github.com/hashicorp/terraform-provider-aws/issues/11098`

			`resource "aws_config_config_rule" "ConfigRule1" {`
			`name = "mfa-enabled-for-iam-console-access"`
			`description = "A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule2" {`
			`name = "iam-user-unused-credentials-check"`
			`description = "A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first eva..."`
			`input_parameters = "{\"maxCredentialUsageAge\":\"90\"}"`

			`source {`
			`owner = "AWS"`
			`source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule3" {`
			`name = "access-keys-rotated"`
			`description = "A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."`
			`input_parameters = "{\"maxAccessKeyAge\":\"90\"}"`

			`source {`
			`owner = "AWS"`
			`source_identifier = "ACCESS_KEYS_ROTATED"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule4" {`
			`name = "iam-password-policy"`
			`description = "A Config rule that checks whether the account password policy for IAM users meets the specified requirements."`
			`input_parameters = "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\"}"`

			`source {`
			`owner = "AWS"`
			`source_identifier = "IAM_PASSWORD_POLICY"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule5" {`
			`name = "iam-root-access-key-check"`
			`description = "A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule6" {`
			`name = "root-account-mfa-enabled"`
			`description = "A Config rule that checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule7" {`
			`name = "root-account-hardware-mfa-enabled"`
			`description = "A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credent..."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"`
			`}`
			`scope {`
			`compliance_resource_types = []`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule8" {`
			`name = "iam-user-no-policies-check"`
			`description = "A Config rule that checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "IAM_USER_NO_POLICIES_CHECK"`
			`}`
			`scope {`
			`compliance_resource_types = ["AWS::IAM::User"]`
			`}`
			`}`

			`resource "aws_config_config_rule" "ConfigRule11" {`
			`name = "iam-policy-no-statements-with-admin-access"`
			`description = "A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '' over 'Resource': '', the rule is NON_COMPLIANT."`

			`source {`
			`owner = "AWS"`
			`source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"`
			`}`
			`scope {`
			`compliance_resource_types = ["AWS::IAM::Policy"]`
			`}`
			`}`