UPD: added other account default settings

2022-09-05 13:58:22 +08:00 · 2022-09-05 13:58:22 +08:00 · 864692998e
commit 864692998e
parent d47e06df0c
3 changed files with 20 additions and 1 deletions
--- a/examples/baseline-resources/README.md
+++ b/examples/baseline-resources/README.md
@ -4,4 +4,6 @@
 - create cloudtrail
 - enable aws config in all region
 - enable guardduty
- enable securityhub
+- enable securityhub
+- disable s3 public access
+- require EBS encryption
--- a/examples/baseline-resources/main.tf
+++ b/examples/baseline-resources/main.tf
@ -35,4 +35,9 @@ module "enable-guardduty" {
 module "enable-securityhub" {
  # enable security hub
  source = "../../modules/security_identity_compliance/security_hub"
+}
+
+module "default-account-settings" {
+  # other default account settings
+  source = "../../modules/security_identity_compliance/other-default-settings"
 }
--- a/modules/security_identity_compliance/other-default-settings/main.tf
+++ b/modules/security_identity_compliance/other-default-settings/main.tf
@ -0,0 +1,12 @@
+resource "aws_s3_account_public_access_block" "default-s3-public-access-settings" {
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  lifecycle { ignore_changes = all }
+}
+
+resource "aws_ebs_encryption_by_default" "default-ebs-encryption-setting" {
+  enabled = true
+  lifecycle { ignore_changes = all }
+}