DOC: updated readme

2022-09-05 14:58:03 +08:00 · 2022-09-05 14:58:03 +08:00 · 4181b5488f
commit 4181b5488f
parent b5d64b0af4
2 changed files with 15 additions and 4 deletions
--- a/examples/baseline-resources/README.md
+++ b/examples/baseline-resources/README.md
@ -6,4 +6,7 @@
 - enable guardduty
 - enable securityhub
 - disable s3 public access
- require EBS encryption
+- require EBS encryption
+
+## If AWS organisation is in use
+If you are using AWS organisation, setup delegated admin for guardduty and securityhub. This allows centralised management.
--- a/examples/baseline-resources/main.tf
+++ b/examples/baseline-resources/main.tf
@ -20,20 +20,28 @@ module "delete-default-vpcs" {
 }

 module "enable-aws-config" {
-  # enable aws config in all regions
+  # enable aws config in all regions and setup aggregation
  source = "../../modules/security_identity_compliance/aws_config"
  resource-prefix = local.resource-prefix
  default-tags  = local.default-tags
 }

 module "enable-guardduty" {
-  # enable guardduty
+  /* enable guardduty
+  If you are using AWS organisation, GD delegated admin should be configured
+  on the landing zone security account. This allows centralised management.
+  See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
+  */
  source = "../../modules/security_identity_compliance/guardduty"
  default-tags = local.default-tags
 }

 module "enable-securityhub" {
-  # enable security hub
+  /* enable security hub
+  If you are using AWS organisation, SH deleted admin should be configured
+  on the landing zone security account. This allows centralised management.
+  https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
+  */
  source = "../../modules/security_identity_compliance/security_hub"
 }