From 864692998ea7494b10161c95f80e2b3d32c62b08 Mon Sep 17 00:00:00 2001
From: xpk
Date: Mon, 5 Sep 2022 13:58:22 +0800
Subject: [PATCH] UPD: added other account default settings
---
 examples/baseline-resources/README.md | 4 +++-
 examples/baseline-resources/main.tf | 5 +++++
 .../other-default-settings/main.tf | 12 ++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 modules/security_identity_compliance/other-default-settings/main.tf
diff --git a/examples/baseline-resources/README.md b/examples/baseline-resources/README.md
index 473c29e..b5137ae 100644
--- a/examples/baseline-resources/README.md
+++ b/examples/baseline-resources/README.md
@@ -4,4 +4,6 @@
 - create cloudtrail
 - enable aws config in all region
 - enable guardduty
-- enable securityhub
\ No newline at end of file
+- enable securityhub
+- disable s3 public access
+- require EBS encryption
\ No newline at end of file
diff --git a/examples/baseline-resources/main.tf b/examples/baseline-resources/main.tf
index 9db6c6a..03daade 100644
--- a/examples/baseline-resources/main.tf
+++ b/examples/baseline-resources/main.tf
@@ -35,4 +35,9 @@ module "enable-guardduty" {
 module "enable-securityhub" {
 # enable security hub
 source = "../../modules/security_identity_compliance/security_hub"
+}
+
+module "default-account-settings" {
+ # other default account settings
+ source = "../../modules/security_identity_compliance/other-default-settings"
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/other-default-settings/main.tf b/modules/security_identity_compliance/other-default-settings/main.tf
new file mode 100644
index 0000000..dc43c0b
--- /dev/null
+++ b/modules/security_identity_compliance/other-default-settings/main.tf
@@ -0,0 +1,12 @@
+resource "aws_s3_account_public_access_block" "default-s3-public-access-settings" {
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+ lifecycle { ignore_changes = all }
+}
+
+resource "aws_ebs_encryption_by_default" "default-ebs-encryption-setting" {
+ enabled = true
+ lifecycle { ignore_changes = all }
+}
\ No newline at end of file
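Review bot: `lifecycle { ignore_changes = all }` on both resources means Terraform will never detect or revert drift in these account-level guardrails: if someone re-enables S3 public access or turns off default EBS encryption via the console or API, the next plan shows no change and the baseline silently stops holding, which defeats the purpose of a baseline module. For a security baseline these resources should be managed normally so drift is reverted on apply; if the ignore is deliberate (for example another tool owns these settings), say so in a comment on each block such as `# NOTE: create-only by design; drift in this setting is reconciled by <tool>, not Terraform`. Separately, `aws_ebs_encryption_by_default` is a per-region setting whereas `aws_s3_account_public_access_block` is account-wide, so as written the EBS default is only enforced in the provider's configured region; matching the README's "all region" intent would presumably require instantiating this module once per enabled region via provider aliases. The hunk is the entire new file.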