NEW: guardduty and kms key rotation

2021-01-31 22:18:26 +08:00 · 2021-01-31 22:18:26 +08:00 · a804af15db
commit a804af15db
parent 30b6131af9
6 changed files with 54 additions and 0 deletions
--- a/layers/security_identity_compliance/security_services/guardduty.tf
+++ b/layers/security_identity_compliance/security_services/guardduty.tf
@ -0,0 +1,13 @@
+/*
+ Deploy aws guardduty service.
+*/
+
+module aws-guardduty-module {
+  source = "../../../modules/security_identity_compliance/guardduty"
+  application = var.application
+  environment = var.environment
+  customer-name = var.customer-name
+  project = var.project
+  aws-region-short = var.aws-region-short
+  default-tags = local.default-tags
+}
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
@ -2,6 +2,7 @@ resource "aws_kms_key" "ctbucket-key" {
  deletion_window_in_days = 7
  tags = var.default-tags
  policy = data.aws_iam_policy_document.key-policy.json
+  enable_key_rotation = true
 }

 resource "aws_kms_alias" ctbucket-key-aliaas {
--- a/modules/security_identity_compliance/guardduty/README.md
+++ b/modules/security_identity_compliance/guardduty/README.md
@ -0,0 +1,17 @@
+# Overview
+This module performs the following tasks:
+
+- Enable AWS config
+- Create AWS config files for CIS benchmark
+- Create s3 bucket for config use
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes | 
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes | 
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+
--- a/modules/security_identity_compliance/guardduty/main.tf
+++ b/modules/security_identity_compliance/guardduty/main.tf
@ -0,0 +1,8 @@
+data aws_caller_identity this {}
+
+resource aws_guardduty_detector gd {
+  enable = true
+  finding_publishing_frequency = "ONE_HOUR"
+  tags = var.default-tags
+}
+
--- a/modules/security_identity_compliance/guardduty/outputs.tf
+++ b/modules/security_identity_compliance/guardduty/outputs.tf
@ -0,0 +1,3 @@
+output guardduty-arn {
+  value = aws_guardduty_detector.gd.arn
+}
--- a/modules/security_identity_compliance/guardduty/variables.tf
+++ b/modules/security_identity_compliance/guardduty/variables.tf
@ -0,0 +1,12 @@
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+variable "aws-region-short" {}
+variable "default-tags" {}
+
+locals {
+  ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
+  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+