diff --git a/modules/security_identity_compliance/aws_config/README.md b/modules/security_identity_compliance/aws_config/README.md index b3ea62c..1fea08d 100644 --- a/modules/security_identity_compliance/aws_config/README.md +++ b/modules/security_identity_compliance/aws_config/README.md @@ -2,6 +2,7 @@ This module performs the following tasks: - Enable AWS config +- Create AWS config files for CIS benchmark - Create s3 bucket for config use ## Inputs: diff --git a/modules/security_identity_compliance/aws_config/cis-rules.tf b/modules/security_identity_compliance/aws_config/cis-rules.tf new file mode 100644 index 0000000..6a8eacd --- /dev/null +++ b/modules/security_identity_compliance/aws_config/cis-rules.tf @@ -0,0 +1,122 @@ +// Config rules from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/ +// Conformance pack has not been made available to terraform https://github.com/hashicorp/terraform-provider-aws/issues/11098 + +resource "aws_config_config_rule" "ConfigRule1" { + name = "mfa-enabled-for-iam-console-access" + description = "A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled." + + source { + owner = "AWS" + source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule2" { + name = "iam-user-unused-credentials-check" + description = "A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first eva..." + input_parameters = "{\"maxCredentialUsageAge\":\"90\"}" + + source { + owner = "AWS" + source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule3" { + name = "access-keys-rotated" + description = "A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days." + input_parameters = "{\"maxAccessKeyAge\":\"90\"}" + + source { + owner = "AWS" + source_identifier = "ACCESS_KEYS_ROTATED" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule4" { + name = "iam-password-policy" + description = "A Config rule that checks whether the account password policy for IAM users meets the specified requirements." + input_parameters = "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\"}" + + source { + owner = "AWS" + source_identifier = "IAM_PASSWORD_POLICY" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule5" { + name = "iam-root-access-key-check" + description = "A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist." + + source { + owner = "AWS" + source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule6" { + name = "root-account-mfa-enabled" + description = "A Config rule that checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials." + + source { + owner = "AWS" + source_identifier = "ROOT_ACCOUNT_MFA_ENABLED" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule7" { + name = "root-account-hardware-mfa-enabled" + description = "A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credent..." + + source { + owner = "AWS" + source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED" + } + scope { + compliance_resource_types = [] + } +} + +resource "aws_config_config_rule" "ConfigRule8" { + name = "iam-user-no-policies-check" + description = "A Config rule that checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles." + + source { + owner = "AWS" + source_identifier = "IAM_USER_NO_POLICIES_CHECK" + } + scope { + compliance_resource_types = ["AWS::IAM::User"] + } +} + +resource "aws_config_config_rule" "ConfigRule11" { + name = "iam-policy-no-statements-with-admin-access" + description = "A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT." + + source { + owner = "AWS" + source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS" + } + scope { + compliance_resource_types = ["AWS::IAM::Policy"] + } +} \ No newline at end of file diff --git a/modules/storage/infra-s3-bucket/README.md b/modules/storage/infra-s3-bucket/README.md index a4cfe02..70880ed 100644 --- a/modules/storage/infra-s3-bucket/README.md +++ b/modules/storage/infra-s3-bucket/README.md @@ -1,7 +1,6 @@ # Overview -This module performs the following tasks: - -- Create s3 bucket using default settings and AWS AES256 encryption +This module creates s3 bucket using default settings and AWS AES256 encryption +The bucket is meant for infrastructure use. Versioning is off and object expires in 90 days ## Inputs: | Name | Description | Type | Default | Required | @@ -15,6 +14,6 @@ This module performs the following tasks: | bucket-name | name or prefix of s3 bucket | string | none | yes | | add-random-suffix | Whether to append a random string to bucket name | bool | false | no | | bucket-policy-json | bucket policy | json | none | yes | -| enable-bucket-versioning | Whether to enable bucket versioning | book | false | yes | -| bucket-retain-days | Days before s3 objects are expired on s3 | number | 90 | yes | +| enable-bucket-versioning | Whether to enable bucket versioning | bool | false | no | +| bucket-retain-days | Days before s3 objects are expired on s3 | number | 90 | no |