This Terraform module sets up an AWS account with a secure baseline configuration based on the Center for Internet Security (CIS) Amazon Web Services Foundations benchmark.

Submodules:

- alarm-baseline - This module sets up CloudWatch alarms to notify when critical changes happen in the AWS account. The CloudWatch metric filters and alarms are the ones defined in the CIS benchmark:
  - Unauthorised API calls
  - Console sign-in without Multi-factor authentication (MFA)
  - Root account usage
  - Identity and Access Management (IAM) policy changes
  - CloudTrail configuration changes
  - Console sign-in failures
  - Disabling or scheduled deletion of Customer Master Keys (CMK)
  - S3 bucket policy changes
  - AWS Config changes
  - Security group changes
  - Network Access Control List (NACL) changes
  - Network gateway changes
  - Route table changes
  - Virtual Private Cloud (VPC) changes
- terraform-aws-chatbot - A utility module to create AWS Chatbot and its dependencies: git::https://github.com/DNXLabs/terraform-aws-chatbot?ref=1.0.0
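Each item in the alarm-baseline list is implemented with the same mechanism: a CloudWatch Logs metric filter over the CloudTrail log group, a metric in the alarm namespace, and a CloudWatch alarm that publishes to the SNS topic. The following is an added illustration of that pattern for the "Unauthorised API calls" item; it is not the submodule's own code. The resource names, the `cloudtrail_log_group_name` variable and the namespace/topic names are assumptions chosen to match the inputs documented below, and the filter pattern is the one published in the CIS AWS Foundations benchmark.

```hcl
# Added illustration (not the module's own code) of the metric-filter-plus-alarm
# pattern that alarm-baseline applies to every CIS item, shown for
# "Unauthorised API calls". Resource names and the variable are assumptions.

variable "cloudtrail_log_group_name" {
  description = "CloudWatch Logs group that CloudTrail delivers to (must already exist)"
  type        = string
}

# SNS topic that every alarm in the baseline notifies (name matches the
# alarm_sns_topic_name default documented for the module).
resource "aws_sns_topic" "cis_alarms" {
  name = "CISAlarm"
}

# Count CloudTrail events whose errorCode indicates an unauthorised or
# access-denied API call. This is the CIS benchmark filter pattern.
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name           = "UnauthorizedAPICalls"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "CISBenchmark" # matches the alarm_namespace default
    value     = "1"
  }
}

# Alarm as soon as a single matching event is seen in a 5-minute window.
# treat_missing_data = "notBreaching" keeps a quiet account in OK state
# instead of flapping into INSUFFICIENT_DATA.
resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
  alarm_name          = "UnauthorizedAPICalls"
  namespace           = "CISBenchmark"
  metric_name         = aws_cloudwatch_log_metric_filter.unauthorized_api_calls.metric_transformation[0].name
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_description   = "Monitors unauthorised API calls reported by CloudTrail (CIS AWS Foundations)"
  alarm_actions       = [aws_sns_topic.cis_alarms.arn]
}
```

The other thirteen items differ only in the filter pattern and the metric/alarm names; the log group, namespace and SNS topic are shared, which is why the module exposes `cloudtrail_log_group_name`, `alarm_namespace` and `alarm_sns_topic_name` as single inputs rather than one per alarm.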
The following resources will be created:

- S3 bucket - The S3 bucket which will store AWS Config configuration snapshots
- CloudWatch alarms
- Simple Notification Service (SNS) topic
- Identity and Access Management (IAM) role - This role lets you define a set of permissions. AWS Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make Describe or List API requests to get configuration details for your AWS resources.
In addition you have the option to:

- Set the alarm namespace - The namespace in which all alarms are set up
- Set the CloudTrail log group name
- Set the frequency with which AWS Config sends a snapshot into the S3 bucket
- Specify whether AWS Config includes all supported types of global resources with the resources that it records
- Enable or disable the alarm baseline - A boolean flag that enables or disables the CloudWatch alarm baseline. If false, no alarm resources are created
- Enable or disable AWS Chatbot - A boolean flag that creates or skips AWS Chatbot and its Slack integration. If enabled:
  - Creates AWS Chatbot and integrates it with Slack
  - Configures the Slack channel id used to send budget notifications through AWS Chatbot
  - Configures the Slack workspace id used to send budget notifications through AWS Chatbot
- Enable or disable the config baseline - A boolean flag that creates or skips AWS Config. If true:
  - Creates AWS Config
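The options above map one-to-one onto the module's inputs. The following is an added usage example, not taken from the module's own README, that turns on all three baselines (alarms, Config, Chatbot) together. The module `source` is a placeholder to be replaced with wherever this module is fetched from; the organisation name, bucket name, log group name and Slack ids are constructed values for illustration.

```hcl
# Added usage example (not from the module's README). The source is a
# placeholder; org name, bucket, log group and Slack ids are constructed.

module "account_baseline" {
  source = "PATH_OR_GIT_URL_TO_THIS_MODULE" # placeholder: set to this module's source

  org_name = "example-org"

  # CloudWatch alarm baseline (CIS metric filters and alarms).
  # The log group must be the one CloudTrail already delivers to; the
  # module does not create CloudTrail itself.
  enable_alarm_baseline     = "true"
  alarm_namespace           = "CISBenchmark"
  alarm_sns_topic_name      = "CISAlarm"
  cloudtrail_log_group_name = "example-org-cloudtrail"

  # AWS Config baseline: hourly snapshots, and record global resources
  # (IAM users, groups, roles, policies) in addition to regional ones so
  # identity changes are captured even though Config runs per region.
  enable_config_baseline               = "true"
  config_s3_bucket_name                = "example-org-config-snapshots"
  config_delivery_frequency            = "One_Hour"
  config_include_global_resource_types = true

  # Optional Slack delivery of the alarm topic through AWS Chatbot.
  # Both ids are placeholders in the shape Slack uses (T... / C...).
  enable_chatbot_slack = "true"
  slack_workspace_id   = "T00000000"
  slack_channel_id     = "C00000000"

  # Applied to every resource the module creates.
  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

# Expose the alarm topic so other stacks (ticketing, paging) can subscribe.
output "cis_alarm_topic" {
  value = module.account_baseline.alarm_sns_topic
}
```

Leaving `enable_alarm_baseline`, `enable_config_baseline` and `enable_chatbot_slack` at their `"false"` defaults makes the module a no-op for that part, so a minimal call needs only `org_name` plus whichever flags you want on.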
Requirements:

Name | Version |
---|---|
terraform | >= 0.12.0 |

Providers:

Name | Version |
---|---|
aws | n/a |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
alarm_namespace | The namespace in which all alarms are set up. | string | "CISBenchmark" | no |
alarm_sns_topic_name | The name of the SNS topic which will be notified when any alarm fires. | string | "CISAlarm" | no |
cloudtrail_log_group_name | The name of the CloudTrail log group. | string | "bubbletea-cloudtrail" | no |
config_delivery_frequency | The frequency with which AWS Config sends a snapshot into the S3 bucket. | string | "One_Hour" | no |
config_include_global_resource_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | bool | true | no |
config_s3_bucket_name | The name of the S3 bucket which will store configuration snapshots. | string | "" | no |
enable_alarm_baseline | The boolean flag whether the alarm baseline is enabled or not. No resources are created when set to false. | string | "false" | no |
enable_chatbot_slack | If true, will create AWS Chatbot and integrate it with Slack. | string | "false" | no |
enable_config_baseline | If true, will create AWS Config. | string | "false" | no |
org_name | Name for this organization. | any | n/a | yes |
slack_channel_id | Slack channel id to send budget notifications using AWS Chatbot. | string | "" | no |
slack_workspace_id | Slack workspace id to send budget notifications using AWS Chatbot. | string | "" | no |
tags | Specifies object tag keys and values. This applies to all resources created by this module. | map | {} | no |
Outputs:

Name | Description |
---|---|
alarm_sns_topic | The SNS topic to which CloudWatch alarms will be sent. |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.