Add kms_master_key_id to alarm baseline and config-baseline module #216

Merged
merged 5 commits into from
Sep 12, 2021
Merged
26 changes: 24 additions & 2 deletions config_baselines.tf
Expand Up @@ -63,11 +63,16 @@ data "aws_iam_policy_document" "recorder_publish_policy" {
}

statement {
actions = ["sns:Publish"]

actions = ["sns:Publish"]
resources = [for topic in local.config_topics : topic.arn if topic != null]
}

statement {
actions = ["kms:Decrypt", "kms:GenerateDataKey"]
resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/${var.config_sns_topic_kms_master_key_id != null ? var.config_sns_topic_kms_master_key_id : ""}"]
}
}

resource "aws_iam_role_policy" "recorder_publish_policy" {
count = var.config_baseline_enabled ? 1 : 0
name = var.config_iam_role_policy_name
Expand Down Expand Up @@ -99,6 +104,7 @@ module "config_baseline_ap-northeast-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-1"
tags = var.tags
}
Expand All @@ -116,6 +122,7 @@ module "config_baseline_ap-northeast-2" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-2"
tags = var.tags
}
Expand All @@ -133,6 +140,7 @@ module "config_baseline_ap-northeast-3" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-3"
tags = var.tags
}
Expand All @@ -150,6 +158,7 @@ module "config_baseline_ap-south-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-south-1"
tags = var.tags
}
Expand All @@ -167,6 +176,7 @@ module "config_baseline_ap-southeast-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-1"
tags = var.tags
}
Expand All @@ -184,6 +194,7 @@ module "config_baseline_ap-southeast-2" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-2"
tags = var.tags
}
Expand All @@ -201,6 +212,7 @@ module "config_baseline_ca-central-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ca-central-1"
tags = var.tags
}
Expand All @@ -218,6 +230,7 @@ module "config_baseline_eu-central-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-central-1"
tags = var.tags
}
Expand All @@ -235,6 +248,7 @@ module "config_baseline_eu-north-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-north-1"
tags = var.tags
}
Expand All @@ -252,6 +266,7 @@ module "config_baseline_eu-west-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-1"
tags = var.tags
}
Expand All @@ -269,6 +284,7 @@ module "config_baseline_eu-west-2" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-2"
tags = var.tags
}
Expand All @@ -286,6 +302,7 @@ module "config_baseline_eu-west-3" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-3"
tags = var.tags
}
Expand All @@ -303,6 +320,7 @@ module "config_baseline_sa-east-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "sa-east-1"
tags = var.tags
}
Expand All @@ -320,6 +338,7 @@ module "config_baseline_us-east-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-1"
tags = var.tags
}
Expand All @@ -337,6 +356,7 @@ module "config_baseline_us-east-2" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-2"
tags = var.tags
}
Expand All @@ -354,6 +374,7 @@ module "config_baseline_us-west-1" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-1"
tags = var.tags
}
Expand All @@ -371,6 +392,7 @@ module "config_baseline_us-west-2" {
s3_key_prefix = var.config_s3_bucket_key_prefix
delivery_frequency = var.config_delivery_frequency
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-2"
tags = var.tags
}
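Review bot: When `config_sns_topic_kms_master_key_id` is null (the root module's default), the new statement at the `resources = [...]` line still grants `kms:Decrypt`/`kms:GenerateDataKey` on `arn:aws:kms:*:<account>:key/` with an empty key id; IAM will either reject the policy as malformed or carry a dead grant, and in both cases the statement should only exist when a key is configured. A `dynamic "statement"` keyed on the variable keeps the hunk's policy unchanged for the encrypted case and omits the statement otherwise. The ARN also assumes the variable is a bare key id; if a caller passes a key ARN or an `alias/...` name, which as far as I know the SNS `kms_master_key_id` attribute also accepts, the constructed resource will not match the key and publishing fails with an access-denied error that is easy to misattribute to SNS. The enclosing `data "aws_iam_policy_document" "recorder_publish_policy"` block begins before this hunk.

```hcl
  # … unchanged: sns:Publish statement …

  dynamic "statement" {
    # Only grant KMS access to the recorder role when a CMK is actually configured for the topic.
    for_each = var.config_sns_topic_kms_master_key_id != null ? [var.config_sns_topic_kms_master_key_id] : []
    content {
      actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
      resources = ["arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/${statement.value}"]
    }
  }
```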
4 changes: 3 additions & 1 deletion main.tf
Expand Up @@ -24,6 +24,8 @@ terraform {
}
}

data "aws_caller_identity" "current" {}

locals {
is_individual_account = var.account_type == "individual"
is_master_account = var.account_type == "master"
Expand Down Expand Up @@ -112,6 +114,7 @@ module "alarm_baseline" {
alarm_namespace = var.alarm_namespace
cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline.log_group : ""
sns_topic_name = var.alarm_sns_topic_name
sns_topic_kms_master_key_id = var.alarm_sns_topic_kms_master_key_id

tags = var.tags
}
Expand All @@ -128,4 +131,3 @@ module "s3_baseline" {
ignore_public_acls = var.s3_ignore_public_acls
restrict_public_buckets = var.s3_restrict_public_buckets
}

32 changes: 32 additions & 0 deletions modules/alarm-baseline/main.tf
@@ -1,3 +1,6 @@
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# --------------------------------------------------------------------------------------------------
# The SNS topic to which CloudWatch alarms send events.
# --------------------------------------------------------------------------------------------------
Expand All @@ -7,9 +10,38 @@ resource "aws_sns_topic" "alarms" {

name = var.sns_topic_name

kms_master_key_id = var.sns_topic_kms_master_key_id

tags = var.tags
}

resource "aws_sns_topic_policy" "alarms" {
count = var.enabled ? 1 : 0
arn = aws_sns_topic.alarms[0].arn

policy = data.aws_iam_policy_document.alarms-sns-policy[0].json
}

data "aws_iam_policy_document" "alarms-sns-policy" {
count = var.enabled ? 1 : 0

statement {
actions = ["sns:Publish"]
resources = [aws_sns_topic.alarms[0].arn]

principals {
type = "Service"
identifiers = ["cloudwatch.amazonaws.com"]
}

condition {
test = "ArnLike"
variable = "AWS:SourceArn"
values = ["arn:aws:cloudwatch:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alarm:*"]
}
}
}

# --------------------------------------------------------------------------------------------------
# CloudWatch metrics and alarms defined in the CIS benchmark.
# --------------------------------------------------------------------------------------------------
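Review bot: Setting `kms_master_key_id` on the alarms topic is only half of what CloudWatch needs to publish to a CMK-encrypted topic: the key policy of that CMK must also allow the `cloudwatch.amazonaws.com` service principal `kms:Decrypt` and `kms:GenerateDataKey*`, and nothing in this PR creates or documents that requirement. Because the key is caller-supplied the module cannot amend the key policy itself, so at minimum a comment above the new line, `# NOTE: the CMK's key policy must grant cloudwatch.amazonaws.com kms:Decrypt and kms:GenerateDataKey*, otherwise alarm notifications are not delivered.`, would save the next operator a debugging session. As a point of style, the condition at the `variable = "AWS:SourceArn"` line uses a different casing from the sibling config-baseline module's `aws:SourceArn`; condition keys are case-insensitive, but the two new topic policies should be written the same way. The `aws_sns_topic "alarms"` resource starts before this hunk.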
4 changes: 4 additions & 0 deletions modules/alarm-baseline/variables.tf
Expand Up @@ -92,6 +92,10 @@ variable "sns_topic_name" {
default = "CISAlarm"
}

variable "sns_topic_kms_master_key_id" {
description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption"
}

variable "tags" {
description = "Specifies object tags key and value. This applies to all resources created by this module."
default = {
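Review bot: `sns_topic_kms_master_key_id` is declared without a default, which makes it a required input of the module even though the root module's matching variable defaults to null and the topic's `kms_master_key_id` is optional; the identical declaration in modules/config-baseline/variables.tf has the same issue. If I read Terraform's null handling correctly the root's explicit null keeps plans working today, but anyone using the module standalone is prompted for a value they may not have, so `default = null` should be added to both. The description would also benefit from stating the behaviour of the default, e.g. `description = "ID of the KMS customer-managed key used to encrypt the SNS topic. Leave null to create the topic without CMK encryption."`.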
32 changes: 32 additions & 0 deletions modules/config-baseline/main.tf
@@ -1,3 +1,6 @@
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# --------------------------------------------------------------------------------------------------
# Set up AWS Config recorder and let it publish results and send notifications.
# --------------------------------------------------------------------------------------------------
Expand All @@ -7,9 +10,38 @@ resource "aws_sns_topic" "config" {

name = var.sns_topic_name

kms_master_key_id = var.sns_topic_kms_master_key_id

tags = var.tags
}

resource "aws_sns_topic_policy" "config" {
count = var.enabled ? 1 : 0
arn = aws_sns_topic.config[0].arn

policy = data.aws_iam_policy_document.config-sns-policy[0].json
}

data "aws_iam_policy_document" "config-sns-policy" {
count = var.enabled ? 1 : 0

statement {
actions = ["sns:Publish"]
resources = [aws_sns_topic.config[0].arn]

principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}

condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = ["arn:aws:config:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
}
}
}

resource "aws_config_configuration_recorder" "recorder" {
count = var.enabled ? 1 : 0

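Review bot: The `aws:SourceArn` condition at the `values = [...]` line assumes AWS Config sets a source ARN on its `sns:Publish` calls; the AWS Config topic-policy guidance I am aware of keys its confused-deputy check on `AWS:SourceAccount` instead, so this should be verified against a live recorder before merging, and if notifications stop arriving the condition should be supplemented with a `StringEquals` test on `AWS:SourceAccount` against `data.aws_caller_identity.current.account_id`. Note that the recorder role's identity policy in config_baselines.tf already grants `sns:Publish`, so this topic policy presumably only governs the service-principal path; a short comment above the `statement` block saying which delivery path it is for would make that intent clear. The `aws_sns_topic "config"` resource starts before this hunk.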
4 changes: 4 additions & 0 deletions modules/config-baseline/variables.tf
Expand Up @@ -21,6 +21,10 @@ variable "sns_topic_name" {
default = "ConfigChanges"
}

variable "sns_topic_kms_master_key_id" {
description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption"
}

variable "delivery_frequency" {
description = "The frequency which AWS Config sends a snapshot into the S3 bucket."
default = "One_Hour"
11 changes: 11 additions & 0 deletions variables.tf
Expand Up @@ -269,6 +269,11 @@ variable "config_sns_topic_name" {
default = "ConfigChanges"
}

variable "config_sns_topic_kms_master_key_id" {
description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption"
default = null
}

variable "config_aggregator_name" {
description = "The name of the organizational AWS Config Configuration Aggregator."
default = "organization-aggregator"
Expand Down Expand Up @@ -366,6 +371,12 @@ variable "alarm_sns_topic_name" {
description = "The name of the SNS Topic which will be notified when any alarm is performed."
default = "CISAlarm"
}

variable "alarm_sns_topic_kms_master_key_id" {
description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption"
default = null
}

variable "unauthorized_api_calls_enabled" {
description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false."
default = true
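Review bot: The descriptions of `config_sns_topic_kms_master_key_id` and `alarm_sns_topic_kms_master_key_id` read awkwardly and omit the two facts a caller needs: that leaving the `default = null` produces a topic without CMK encryption, and that the config variable is interpolated into a KMS key ARN in config_baselines.tf, so it must be a bare key ID rather than an alias or ARN. Suggested wording for the config variable: `description = "Key ID (not alias or ARN) of the KMS customer-managed key used to encrypt the Config SNS topic; the recorder role is granted kms:Decrypt and kms:GenerateDataKey on it. Leave null to create the topic without CMK encryption."`. The alarm variable should say the same, plus that the key's policy must allow the CloudWatch service principal to use it, since the module cannot grant that on the caller's behalf.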