diff --git a/examples/baseline-resources/README.md b/examples/baseline-resources/README.md
new file mode 100644
index 0000000..473c29e
--- /dev/null
+++ b/examples/baseline-resources/README.md
@@ -0,0 +1,7 @@
+# Root module for creating baseline resources including:
+- iam password policy
+- delete default VPCs in all region
+- create cloudtrail
+- enable aws config in all region
+- enable guardduty
+- enable securityhub
\ No newline at end of file
diff --git a/examples/baseline-resources/main.tf b/examples/baseline-resources/main.tf
new file mode 100644
index 0000000..9db6c6a
--- /dev/null
+++ b/examples/baseline-resources/main.tf
@@ -0,0 +1,38 @@
+module "iam-baseline" {
+ # iam password policy, baseline roles, access analyzer, cloudhealth role
+ source = "../../modules/security_identity_compliance/roles_iam_resources"
+
+ customer-name = var.customer-name
+ default-tags = local.default-tags
+ create-cloudhealth-resources = false
+}
+
+module "cloudtrail" {
+ # Create cloudtrail
+ source = "../../modules/security_identity_compliance/cloudtrail_cwlogs"
+ resource-prefix = local.resource-prefix
+ default-tags = local.default-tags
+}
+
+module "delete-default-vpcs" {
+ # delete default VPCs in all regions
+ source = "../../modules/networking/delete-default-vpcs"
+}
+
+module "enable-aws-config" {
+ # enable aws config in all regions
+ source = "../../modules/security_identity_compliance/aws_config"
+ resource-prefix = local.resource-prefix
+ default-tags = local.default-tags
+}
+
+module "enable-guardduty" {
+ # enable guardduty
+ source = "../../modules/security_identity_compliance/guardduty"
+ default-tags = local.default-tags
+}
+
+module "enable-securityhub" {
+ # enable security hub
+ source = "../../modules/security_identity_compliance/security_hub"
+}
\ No newline at end of file
diff --git a/examples/baseline-resources/provider.tf b/examples/baseline-resources/provider.tf
new file mode 100644
index 0000000..1c21013
--- /dev/null
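Review bot: The `enable-securityhub` block declares no ordering against `enable-aws-config`, yet the two standards the security_hub module subscribes to in this same commit (CIS 1.2.0 and Foundational Security Best Practices) are evaluated through AWS Config rules, so if Security Hub is enabled before the Config recorder is active the controls sit with no data until Config catches up. Adding `depends_on = [module.enable-aws-config]` to the `enable-securityhub` block makes the intended order explicit. Separately, `delete-default-vpcs` is wired with no inputs because its only variable, `region-name`, is removed in this commit, while the root provider pins a single region; since the module's internals are not in this diff, a comment on the block stating how it reaches the other regions (e.g. provider aliases inside the module) would help readers judge whether "all regions" actually holds.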
+++ b/examples/baseline-resources/provider.tf
@@ -0,0 +1,13 @@
+provider "aws" {
+ region = var.aws-region
+}
+
+terraform {
+ required_version = "~> 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.75.2"
+ }
+ }
+}
diff --git a/examples/baseline-resources/terraform.tfvars b/examples/baseline-resources/terraform.tfvars
new file mode 100644
index 0000000..af30f73
--- /dev/null
+++ b/examples/baseline-resources/terraform.tfvars
@@ -0,0 +1,5 @@
+aws-region = "ap-southeast-1"
+customer-name = "ken2026"
+environment = "lab"
+project = "terraform-dev"
+application = "infra"
\ No newline at end of file
diff --git a/examples/baseline-resources/variables.tf b/examples/baseline-resources/variables.tf
new file mode 100644
index 0000000..dd204f1
--- /dev/null
+++ b/examples/baseline-resources/variables.tf
@@ -0,0 +1,19 @@
+variable "aws-region" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+locals {
+ default-tags = {
+ ServiceProvider = "RackspaceTechnology"
+ Environment = var.environment
+ Project = var.project
+ Application = var.application
+ TerraformMode = "managed"
+ TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
+ BuildDate = formatdate("YYYYMMDD", timestamp())
+ }
+ resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
+}
+
diff --git a/modules/networking/delete-default-vpcs/variables.tf b/modules/networking/delete-default-vpcs/variables.tf
deleted file mode 100644
index f6f41b6..0000000
--- a/modules/networking/delete-default-vpcs/variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-variable region-name {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/aws_config/outputs.tf b/modules/security_identity_compliance/aws_config/outputs.tf
deleted file mode 100644
index e69de29..0000000
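Review bot: In variables.tf the `substr(...)` call in `resource-prefix` sits inside the string literal rather than inside an interpolation, so the local renders literally as something like `lab-substr(ap-southeast-1,0,2)-ken2026-terraform-dev` (constructed from the example tfvars), and the parentheses and commas will be rejected by the CloudTrail, Config and S3 names the cloudtrail and aws_config modules build from it; the intended form is `resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}"`. Two of the `default-tags` are also unstable: `BuildDate` calls `timestamp()`, so every plan shows tag drift on every tagged resource, and `TerraformDir` embeds `trimprefix(path.cwd, "/my/work/xpk-git/")`, which writes the author's workstation path into the tags of every resource and yields a different value on each machine or CI runner. Passing a build identifier in as a variable, or a comment stating why the drift is acceptable for a lab example, would address both.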
diff --git a/modules/security_identity_compliance/security_hub/main.tf b/modules/security_identity_compliance/security_hub/main.tf
new file mode 100644
index 0000000..7ae9192
--- /dev/null
+++ b/modules/security_identity_compliance/security_hub/main.tf
@@ -0,0 +1,13 @@
+data aws_region this-region {}
+
+resource "aws_securityhub_account" "sh-account" {}
+
+resource "aws_securityhub_standards_subscription" "cis" {
+ depends_on = [aws_securityhub_account.sh-account]
+ standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+}
+
+resource "aws_securityhub_standards_subscription" "aws" {
+ depends_on = [aws_securityhub_account.sh-account]
+ standards_arn = "arn:aws:securityhub:${data.aws_region.this-region.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
+}
\ No newline at end of file
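Review bot: `data aws_region this-region {}` uses unquoted block labels, which is the non-canonical form that `terraform fmt` rewrites and is inconsistent with the quoted labels on the three resources below it; write `data "aws_region" "this-region" {}`. Security Hub is a regional service and `aws_securityhub_account` enables it only in the calling provider's region, whereas the README in this commit describes the Config and default-VPC modules as covering all regions, so callers may assume broader coverage than this module provides. A header comment such as `# Enables Security Hub plus the CIS 1.2.0 and FSBP 1.0.0 standards in the calling provider's region only; pass aliased providers for other regions` would make the scope explicit, or the module could take a provider alias if all-region enablement is intended.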