51 lines
1.7 KiB
HCL
51 lines
1.7 KiB
HCL
module "iam-baseline" {
|
|
# iam password policy, baseline roles, access analyzer, cloudhealth role
|
|
source = "../../modules/security_identity_compliance/roles_iam_resources"
|
|
|
|
customer-name = var.customer-name
|
|
default-tags = local.default-tags
|
|
create-cloudhealth-resources = false
|
|
}
|
|
|
|
module "cloudtrail" {
|
|
# Create cloudtrail
|
|
source = "../../modules/security_identity_compliance/cloudtrail_cwlogs"
|
|
resource-prefix = local.resource-prefix
|
|
default-tags = local.default-tags
|
|
}
|
|
|
|
module "delete-default-vpcs" {
|
|
# delete default VPCs in all regions
|
|
source = "../../modules/networking/delete-default-vpcs"
|
|
}
|
|
|
|
module "enable-aws-config" {
|
|
# enable aws config in all regions and setup aggregation
|
|
source = "../../modules/security_identity_compliance/aws_config"
|
|
resource-prefix = local.resource-prefix
|
|
default-tags = local.default-tags
|
|
}
|
|
|
|
module "enable-guardduty" {
|
|
/* enable guardduty
|
|
If you are using AWS organisation, GD delegated admin should be configured
|
|
on the landing zone security account. This allows centralised management.
|
|
See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
|
|
*/
|
|
source = "../../modules/security_identity_compliance/guardduty"
|
|
default-tags = local.default-tags
|
|
}
|
|
|
|
module "enable-securityhub" {
|
|
/* enable security hub
|
|
If you are using AWS organisation, SH deleted admin should be configured
|
|
on the landing zone security account. This allows centralised management.
|
|
https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
|
|
*/
|
|
source = "../../modules/security_identity_compliance/security_hub"
|
|
}
|
|
|
|
module "default-account-settings" {
|
|
# other default account settings
|
|
source = "../../modules/security_identity_compliance/other-default-settings"
|
|
} |