NEW: added config rules for CIS

This commit is contained in:
xpk 2021-01-29 17:35:45 +08:00
parent ca4bd3b126
commit 30b6131af9
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
3 changed files with 127 additions and 5 deletions

View File

@ -2,6 +2,7 @@
This module performs the following tasks:
- Enable AWS config
- Create AWS config files for CIS benchmark
- Create s3 bucket for config use
## Inputs:

View File

@ -0,0 +1,122 @@
// Config rules from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
// Conformance pack has not been made available to terraform https://github.com/hashicorp/terraform-provider-aws/issues/11098
resource "aws_config_config_rule" "ConfigRule1" {
name = "mfa-enabled-for-iam-console-access"
description = "A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled."
source {
owner = "AWS"
source_identifier = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule2" {
name = "iam-user-unused-credentials-check"
description = "A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating this rule within 4 hours of the first eva..."
input_parameters = "{\"maxCredentialUsageAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule3" {
name = "access-keys-rotated"
description = "A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
input_parameters = "{\"maxAccessKeyAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "ACCESS_KEYS_ROTATED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule4" {
name = "iam-password-policy"
description = "A Config rule that checks whether the account password policy for IAM users meets the specified requirements."
input_parameters = "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"PasswordReusePrevention\":\"24\",\"MaxPasswordAge\":\"90\"}"
source {
owner = "AWS"
source_identifier = "IAM_PASSWORD_POLICY"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule5" {
name = "iam-root-access-key-check"
description = "A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist."
source {
owner = "AWS"
source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule6" {
name = "root-account-mfa-enabled"
description = "A Config rule that checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials."
source {
owner = "AWS"
source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule7" {
name = "root-account-hardware-mfa-enabled"
description = "A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credent..."
source {
owner = "AWS"
source_identifier = "ROOT_ACCOUNT_HARDWARE_MFA_ENABLED"
}
scope {
compliance_resource_types = []
}
}
resource "aws_config_config_rule" "ConfigRule8" {
name = "iam-user-no-policies-check"
description = "A Config rule that checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles."
source {
owner = "AWS"
source_identifier = "IAM_USER_NO_POLICIES_CHECK"
}
scope {
compliance_resource_types = ["AWS::IAM::User"]
}
}
resource "aws_config_config_rule" "ConfigRule11" {
name = "iam-policy-no-statements-with-admin-access"
description = "A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT."
source {
owner = "AWS"
source_identifier = "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
}
scope {
compliance_resource_types = ["AWS::IAM::Policy"]
}
}

View File

@ -1,7 +1,6 @@
# Overview
This module performs the following tasks:
- Create s3 bucket using default settings and AWS AES256 encryption
This module creates s3 bucket using default settings and AWS AES256 encryption
The bucket is meant for infrastructure use. Versioning is off and object expires in 90 days
## Inputs:
| Name | Description | Type | Default | Required |
@ -15,6 +14,6 @@ This module performs the following tasks:
| bucket-name | name or prefix of s3 bucket | string | none | yes |
| add-random-suffix | Whether to append a random string to bucket name | bool | false | no |
| bucket-policy-json | bucket policy | json | none | yes |
| enable-bucket-versioning | Whether to enable bucket versioning | book | false | yes |
| bucket-retain-days | Days before s3 objects are expired on s3 | number | 90 | yes |
| enable-bucket-versioning | Whether to enable bucket versioning | bool | false | no |
| bucket-retain-days | Days before s3 objects are expired on s3 | number | 90 | no |