UPD: added other account default settings

examples/baseline-resources/README.md

@@ -4,4 +4,6 @@
 - create cloudtrail
 - enable aws config in all region
 - enable guardduty
-- enable securityhub
+- enable securityhub
+- disable s3 public access
+- require EBS encryption

examples/baseline-resources/main.tf

@@ -35,4 +35,9 @@ module "enable-guardduty" {
 module "enable-securityhub" {
   # enable security hub
   source = "../../modules/security_identity_compliance/security_hub"
+}
+
+module "default-account-settings" {
+  # other default account settings
+  source = "../../modules/security_identity_compliance/other-default-settings"
 }

modules/security_identity_compliance/other-default-settings/main.tf

@@ -0,0 +1,12 @@
+resource "aws_s3_account_public_access_block" "default-s3-public-access-settings" {
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  lifecycle { ignore_changes = all }
+}
+
+resource "aws_ebs_encryption_by_default" "default-ebs-encryption-setting" {
+  enabled = true
+  lifecycle { ignore_changes = all }
+}