A Terraform module to set up your AWS account with a reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.2.0.
See Benchmark Compliance to check which items in the CIS benchmark are covered.
Starting from v0.10.0, this module requires Terraform v0.12 or later. Please use v0.9.0 if you need to use Terraform v0.11 or earlier.
- Set up IAM Password Policy.
- Create separated IAM roles for defining privileges and assigning them to entities such as IAM users and groups.
- Create an IAM role for contacting AWS support for incident handling.
- Enable AWS Config rules to audit root account status.
- Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
- CloudTrail logs are encrypted using AWS Key Management Service.
- All logs are stored in the S3 bucket with access logging enabled.
- Logs are automatically archived into Amazon Glacier after the given period (defaults to 90 days).
- Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enable AWS Config in all regions to automatically take configuration snapshots.
- Enable AWS Config rules to audit unrestricted common ports in Security Group rules.
- Enable VPC Flow Logs for the default VPC in all regions.
- Enable GuardDuty in all regions.
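The logging items above (a multi-region trail, KMS-encrypted logs delivered to CloudWatch Logs, an S3 bucket with access logging, and Glacier archival after 90 days) can be verified against a `terraform show -json` plan before apply. The check below is an added example, not part of this module; it assumes the plan JSON layout (`planned_values.root_module` with nested `child_modules`) and the `aws_cloudtrail` / `aws_s3_bucket` attribute names of the Terraform AWS provider, and the sample plan is constructed for illustration.

```python
"""Policy check over `terraform show -json` output for the CloudTrail and S3
logging items in this baseline (constructed example, not module code)."""

GLACIER_AFTER_DAYS = 90  # the module's documented default archival period


def iter_resources(module):
    """Yield every resource in a plan module tree (root and nested child modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_baseline(plan):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        vals, addr = res["values"], res["address"]
        if res["type"] == "aws_cloudtrail":
            if not vals.get("is_multi_region_trail"):
                findings.append(f"{addr}: trail is not multi-region")
            if not vals.get("kms_key_id"):
                findings.append(f"{addr}: trail logs are not KMS-encrypted")
            if not vals.get("cloud_watch_logs_group_arn"):
                findings.append(f"{addr}: trail does not deliver to CloudWatch Logs")
        elif res["type"] == "aws_s3_bucket":
            if not vals.get("logging"):
                findings.append(f"{addr}: bucket access logging is disabled")
            transitions = [t for rule in vals.get("lifecycle_rule", [])
                           for t in rule.get("transition", [])]
            if not any(t.get("storage_class") == "GLACIER" and t.get("days") == GLACIER_AFTER_DAYS
                       for t in transitions):
                findings.append(f"{addr}: no GLACIER transition after {GLACIER_AFTER_DAYS} days")
    return findings


# Constructed, abbreviated plan (as a dict): a compliant trail inside a
# submodule, and an audit bucket whose lifecycle rule archives too early.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [{"address": "aws_s3_bucket.audit", "type": "aws_s3_bucket", "name": "audit",
                   "values": {"logging": [{"target_bucket": "access-log-bucket"}],
                              "lifecycle_rule": [{"enabled": True, "transition": [
                                  {"days": 30, "storage_class": "GLACIER"}]}]}}],
    "child_modules": [{"address": "module.cloudtrail_baseline", "resources": [
        {"address": "module.cloudtrail_baseline.aws_cloudtrail.global", "type": "aws_cloudtrail",
         "name": "global", "values": {"is_multi_region_trail": True,
                                      "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
                                      "cloud_watch_logs_group_arn":
                                          "arn:aws:logs:us-east-1:111122223333:log-group:trail:*"}}]}]}}}
```

Feed it the output of `terraform show -json tfplan` (parsed with `json.load`) to gate a CI pipeline on the same properties the module promises.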
Submodules
This module is composed of several submodules, each of which can be used independently. Modules in Package Sub-directories - Terraform describes how to source a submodule.
- cloudtrail
- cloudwatch_metric_alarm
- guardduty
- iam
- elb_logging
- vpc_flow
- config
- secure_s3
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please also consider contributing dorks (githubtestdork.txt) that can reveal potentially sensitive information on GitHub.