Account Baseline Security with Control Tower Integration
A CIS compliant security baseline for AWS Landing Zone for configuring the security account (the one where all your IAM users and IAM groups are defined), as part of a Control Tower integration. This module fills in features NOT supported by Control Tower, including setting up Amazon Guard Duty, Macie, IAM users, IAM groups, IAM password policy, and more.
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S CONTROL-TOWER-SECURITY-ACCOUNT-BASELINE MODULE
# ------------------------------------------------------------------------------------------------------
module "control_tower_security_account_baseline" {
source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v0.8.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# The AWS Region to use as the global config recorder.
aws_region = <string>
# Creates resources in the specified regions. The best practice is to enable
# EBS Encryption in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
ebs_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# GuardDuty in all enabled regions in your AWS account. This variable must NOT
# be set to null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
guardduty_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# IAM Access Analyzer in all enabled regions in your AWS account. This
# variable must NOT be set to null or empty. Otherwise, we won't know which
# regions to use and authenticate to, and may use some not enabled in your AWS
# account (e.g., GovCloud, China, etc). To get the list of regions enabled in
# your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
iam_access_analyzer_opt_in_regions = <list(string)>
# Creates resources in the specified regions. This variable must NOT be set to
# null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
kms_cmk_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# Amazon Macie in all enabled regions in your AWS account. This variable must
# NOT be set to null or empty. Otherwise, we won't know which regions to use
# and authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
macie_opt_in_regions = <list(string)>
# The name used to prefix all resources
name_prefix = <string>
# AWS Account to join this account's SecurityHub to. Must have already
# received an invite from this account.
security_hub_associate_to_admin_account_id = <string>
# Creates resources in the specified regions. The best practice is to enable
# AWS Security Hub in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
security_hub_opt_in_regions = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# A list of IAM ARNs from other AWS accounts that will be allowed to assume
# the auto deploy IAM role that has the permissions in
# var.auto_deploy_permissions.
allow_auto_deploy_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the billing info for this account.
allow_billing_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the services in this account specified in
# var.dev_permitted_services.
allow_dev_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If
# var.cloudtrail_kms_key_arn is set, will also grant decrypt permissions for
# the KMS CMK.
allow_logs_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read-only
# access to this account.
allow_read_only_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to IAM groups and publish SSH keys. This is used for ssh-grunt.
allow_ssh_grunt_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed access to
# AWS support for this account.
allow_support_access_from_other_account_arns = []
# A list of IAM permissions (e.g. ec2:*) which will be granted for automated
# deployment.
auto_deploy_permissions = []
# Namespace all Lambda resources created by this module with this name.
cleanup_expired_certs_lambda_namespace = "cleanup-expired-iam-certs"
# The name to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_name = "cleanup-expired-iam-certs-count"
# The namespace to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_namespace = "custom/cis"
# An expression that defines how often to run the Lambda function to clean up
# expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes).
cleanup_expired_certs_schedule_expression = "rate(1 hour)"
# Namespace all Lambda scheduling resources created by this module with this
# name.
cleanup_expired_certs_schedule_namespace = "cleanup-expired-iam-certs-scheduled"
# The ID of the your management (root) AWS account where Control Tower is
# enabled. Only used if create_control_tower_execution_role is set to true.
control_tower_management_account_id = null
# Set to true to create the Control Tower Execution IAM role. This role gives
# Control Tower permissions to manage this account. If you create an account
# using Control Tower, it will create this role automatically, but if you are
# enrolling an existing account in Control Tower, you MUST set this variable
# to true to create this IAM role. If set to true, you MUST also set the
# control_tower_management_account_id input variable.
create_control_tower_execution_role = false
# Set to true to create an S3 bucket of name macie_bucket_name for storing
# sensitive data discovery results. Set to false to assume the bucket already
# exists. NOTE: Whether you choose to create the bucket yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# bucket to store sensitive data discovery results in AWS Console.
create_macie_bucket = false
# The name of the IAM group that will grant access to all external AWS
# accounts in var.iam_groups_for_cross_account_access.
cross_account_access_all_group_name = "access-all-external-accounts"
# A map of tags to apply to the IAM roles.
cross_account_iam_role_tags = {}
# A list of AWS services for which the developers from the accounts in
# var.allow_dev_access_from_other_account_arns will receive full permissions.
# See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to
# grant developers access only to EC2 and Amazon Machine Learning, use the
# value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or
# that will grant Developers de facto admin access.
dev_permitted_services = []
# The name of the KMS CMK to use by default for encrypting EBS volumes, if
# var.ebs_enable_encryption and var.ebs_use_existing_kms_keys are enabled. The
# name must match a name given the var.kms_customer_master_keys variable.
ebs_kms_key_name = ""
# If set to true, the KMS Customer Managed Keys (CMK) with the name in
# var.ebs_kms_key_name will be set as the default for EBS encryption. When
# false (default), the AWS-managed aws/ebs key will be used.
ebs_use_existing_kms_keys = false
# When true, enable the Encrypted Volumes check in AWS Config. This check
# identifies EBS volumes that are not encrypted. This check is useful for
# identifying and encrypting EBS volumes, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_encrypted_volumes = false
# When true, create an Open ID Connect Provider that GitHub actions can use to
# assume IAM roles in the account. Refer to
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
# for more information.
enable_github_actions_access = false
# When true, enable the IAM Password Policy check in AWS Config. This check
# identifies IAM users whose password policy does not meet the specified
# requirements. This check is useful for identifying and enforcing a password
# policy for IAM users, which can help reduce the risk of unauthorized access
# to your AWS resources.
enable_iam_password_policy = false
# When true, enable the IAM User Unused Credentials check in AWS Config. This
# check identifies IAM users who have not used their credentials for a
# specified number of days. This check is useful for identifying and removing
# unused IAM users, which can help reduce the risk of unauthorized access to
# your AWS resources. Note that this is required for the
# `revoke_unused_iam_credentials` module, which is provisioned here and is the
# only reason this is set to true. The current recommended way to handle
# propagating Config rules in AWS is to use Control Tower Controls.
enable_iam_user_unused_credentials_check = true
# When true, enable the Insecure Security Group Rules check in AWS Config.
# This check identifies security groups that allow unrestricted inbound
# traffic. This check is useful for identifying and removing insecure security
# group rules, which can help reduce the risk of unauthorized access to your
# AWS resources.
enable_insecure_sg_rules = false
# When true, enable the RDS Storage Encrypted check in AWS Config. This check
# identifies RDS instances that are not encrypted. This check is useful for
# identifying and encrypting RDS instances, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_rds_storage_encrypted = false
# When true, enable the Root Account MFA check in AWS Config. This check
# identifies the AWS account root user that does not have multi-factor
# authentication (MFA) enabled. This check is useful for identifying and
# enabling MFA for the root account, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_root_account_mfa = false
# When true, enable the S3 Bucket Public Read Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public read access. This check
# is useful for identifying and removing public read access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_read_prohibited = false
# When true, enable the S3 Bucket Public Write Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public write access. This check
# is useful for identifying and removing public write access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_write_prohibited = false
# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket macie_bucket_name so that the bucket can be destroyed without
# error. Warning: these objects are not recoverable so only use this if you're
# absolutely sure you want to permanently delete everything!
force_destroy_macie_bucket = false
# When destroying this user, destroy even if it has non-Terraform-managed IAM
# access keys, login profile, or MFA devices. Without force_destroy a user
# with non-Terraform-managed access keys and login profile will fail to be
# destroyed.
force_destroy_users = false
# When set, use the statically provided hardcoded list of thumbprints rather
# than looking it up dynamically. This is useful if you want to trade
# relibaility of the OpenID Connect Provider across certificate renewals with
# a static list that is obtained using a trustworthy mechanism to mitigate
# potential damage from a domain hijacking attack on GitHub domains.
github_actions_openid_connect_provider_thumbprint_list = null
# Name of the Cloudwatch event rules.
guardduty_cloudwatch_event_rule_name = "guardduty-finding-events"
# Map of detector features to enable, where the key is the name of the feature
# the value is the feature configuration. When AWS Organizations delegated
# admin account is used, use var.organization_configuration_features instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
guardduty_detector_features = {}
# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty master account and cannot be modified, otherwise
# defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must
# be configured in Terraform to enable drift detection. Valid values for
# standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
guardduty_finding_publishing_frequency = null
# If true, an IAM Policy that grants access to the key will be honored. If
# false, only the ARNs listed in var.kms_key_user_iam_arns will have access to
# the key and any IAM Policy grants will be ignored. (true or false)
guardduty_findings_allow_kms_access_with_iam = true
# The AWS regions that are allowed to write to the GuardDuty findings S3
# bucket. This is needed to configure the bucket and CMK policy to allow
# writes from manually-enabled regions. See
# https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
guardduty_findings_allowed_regions = []
# Whether or not to enable automatic annual rotation of the KMS key. Defaults
# to true.
guardduty_findings_enable_key_rotation = true
# A list of external AWS accounts that should be given write access for
# GuardDuty findings to this S3 bucket. This is useful when aggregating
# findings for multiple AWS accounts in one common S3 bucket.
guardduty_findings_external_aws_account_ids_with_write_access = []
# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
guardduty_findings_force_destroy = false
# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have rights to change who
# can access the data.
guardduty_findings_kms_key_administrator_iam_arns = []
# If set to true, that means the KMS key you're using already exists, and does
# not need to be created.
guardduty_findings_kms_key_already_exists = false
# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces findings to be encrypted. Only used if
# guardduty_publish_findings_to_s3 is true.
guardduty_findings_kms_key_arn = null
# Additional service principals beyond GuardDuty that should have access to
# the KMS key used to encrypt the logs.
guardduty_findings_kms_key_service_principals = []
# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have read-only access to the
# data.
guardduty_findings_kms_key_user_iam_arns = []
# After this number of days, findings should be transitioned from S3 to
# Glacier. Enter 0 to never archive findings.
guardduty_findings_num_days_after_which_archive_findings_data = 30
# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
guardduty_findings_num_days_after_which_delete_findings_data = 365
# Additional IAM policies to apply to this S3 bucket. You can use this to
# grant read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
# defined in the comment above.
guardduty_findings_s3_bucket_additional_policy_statements = {}
# The S3 bucket ARN to which the findings get exported.
guardduty_findings_s3_bucket_arn = null
# The name of the S3 Bucket where GuardDuty findings will be stored.
guardduty_findings_s3_bucket_name = null
# Optional prefix directory to create in the bucket. Must contain a trailing
# '/'. If you use a prefix for S3 findings publishing, you must pre-create the
# prefix in the findings bucket. See
# https://github.com/hashicorp/terraform-provider-aws/issues/16750.
guardduty_findings_s3_bucket_prefix = null
# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to storage GuardDuty findings. This cannot be used to toggle
# this setting but is available to allow managed buckets to reflect the state
# in AWS. For instructions on how to enable MFA Delete, check out the README
# from the terraform-aws-security/private-s3-bucket module.
guardduty_findings_s3_mfa_delete = false
# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
guardduty_findings_s3_prefix = null
# Whether to create a bucket for GuardDuty findings. If set to true, you must
# provide the var.guardduty_findings_s3_bucket_name.
guardduty_findings_should_create_bucket = false
# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
guardduty_findings_sns_topic_name = "guardduty-findings"
# Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).
guardduty_findings_tags = {}
# The invitation message to send to the member accounts.
guardduty_invitation_message = "Please accept GuardDuty invitation."
# Map of member accounts to add to GuardDuty where key is the AWS account
# number. Use to add Organization accounts to delegated admin account or
# invite member accounts by invite.
guardduty_member_accounts = {}
# Publish GuardDuty findings to an S3 bucket.
guardduty_publish_findings_to_s3 = false
# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
guardduty_publish_findings_to_sns = false
# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "baseline_root-iam_access_analyzer"
# A list of AWS services for which the developers IAM Group will receive full
# permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For
# example, to grant developers access only to EC2 and Amazon Machine Learning,
# use the value ["ec2","machinelearning"].
iam_group_developers_permitted_services = []
# The prefix of the S3 Bucket Name to which an individual IAM User will have
# full access. For example, if the prefix is acme.user-, then IAM User
# john.doe will have access to S3 Bucket acme.user-john.doe.
iam_group_developers_s3_bucket_prefix = "acme.user-"
# The name to be used for the IAM Group that grants read/write access to all
# billing features in AWS.
iam_group_name_billing = "billing"
# The name to be used for the IAM Group that grants IAM Users a reasonable set
# of permissions for developers.
iam_group_name_developers = "developers"
# The name to be used for the IAM Group that grants IAM administrative access.
# Effectively grants administrator access.
iam_group_name_iam_admin = "iam-admin"
# The name to be used for the IAM Group that grants IAM Users the permissions
# to manage their own IAM User account.
iam_group_name_iam_user_self_mgmt = "iam-user-self-mgmt"
# The name to be used for the IAM Group that grants read access to CloudTrail,
# AWS Config, and CloudWatch in AWS.
iam_group_name_logs = "logs"
# The name to be used for the IAM Group that grants read-only access to all
# AWS resources.
iam_group_name_read_only = "read-only"
# The name of the IAM Group that allows access to AWS Support.
iam_group_name_support = "support"
# The name to be used for the IAM Group that grants IAM Users the permissions
# to use existing IAM Roles when launching AWS Resources. This does NOT grant
# the permission to create new IAM Roles.
iam_group_name_use_existing_iam_roles = "use-existing-iam-roles"
# The list of names to be used for the IAM Group that enables its members to
# SSH as a sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_sudo_users = ["ssh-grunt-sudo-users"]
# The name to be used for the IAM Group that enables its members to SSH as a
# non-sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_users = ["ssh-grunt-users"]
# This variable is used to create groups that allow allow IAM users to assume
# roles in your other AWS accounts. It should be a list of maps, where each
# map has the keys group_name and iam_role_arn. For each entry in the list, we
# will create an IAM group that allows users to assume the given IAM role in
# the other AWS account. This allows you to define all your IAM users in one
# account (e.g. the users account) and to grant them access to certain IAM
# roles in other accounts (e.g. the stage, prod, audit accounts).
iam_groups_for_cross_account_access = []
# Password expiration requires administrator reset.
iam_password_policy_hard_expiry = true
# Number of days before password expiration.
iam_password_policy_max_password_age = 0
# Password minimum length. To be compliant with CIS recommendation 1.8, the
# minimum password length is 14 characters.
iam_password_policy_minimum_password_length = 14
# The name to be used for the IAM Policy that grants IAM administrative
# access.
iam_policy_iam_admin = "iam-admin"
# The name to be used for the IAM Policy that grants IAM Users the permissions
# to manage their own IAM User account.
iam_policy_iam_user_self_mgmt = "iam-user-self-mgmt"
# Include this value as a prefix in the name of every IAM role created by this
# module. This is useful to prepend, for example, '<account-name>-' to every
# IAM role name: e.g., allow-full-access-from-other-accounts becomes
# stage-allow-full-access-from-other-accounts.
iam_role_name_prefix = ""
# A map of tags to apply to all KMS Keys to be created. In this map variable,
# the key is the tag name and the value is the tag value.
kms_cmk_global_tags = {}
# You can use this variable to create account-level KMS Customer Master Keys
# (CMKs) for encrypting and decrypting data. This variable should be a map
# where the keys are the names of the CMK and the values are an object that
# defines the configuration for that CMK. See the comment below for the
# configuration options you can set for each key.
kms_customer_master_keys = {}
# The map of names of KMS grants to the region where the key resides in. There
# should be a one to one mapping between entries in this map and the entries
# of the kms_grants map. This is used to workaround a terraform limitation
# where the for_each value can not depend on resources.
kms_grant_regions = {}
# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of
# grant name to grant properties. The name must be unique per account.
kms_grants = {}
# Specifies the status for the account. To enable Amazon Macie and start all
# Macie activities for the account, set this value to ENABLED. Valid values
# are ENABLED or PAUSED.
macie_account_status = "ENABLED"
# AWS Account to join this account's Amazon Macie to. Must have already
# received an invite from this account.
macie_administrator_account_id = ""
# The name of the S3 bucket for storing sensitive data discovery results. Only
# used if create_macie_bucket is true. If omitted, Terraform will assign a
# random, unique name.
macie_bucket_name = null
# S3 buckets that Macie should analyze. This should be a map, where each key
# is a region, and each value is a list of buckets in that region that should
# be analyzed. Unfortunately, due to the limitations in the Terraform AWS
# provider, there is no way to automatically select all buckets in a region,
# therefore an explicit list of buckets to analyze must be maintained in this
# variable. For more information, see
# https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/security/macie/core-concepts.md#buckets-to-analyze.
macie_buckets_to_analyze = {}
# A map from region to ID (ARN, alias ARN, AWS ID) of a customer managed KMS
# Key to use for encrypting Macie log data. Only used if
# var.macie_create_logs_kms_key is set to false.
macie_cloudwatch_log_group_kms_key_id = null
# The number of days to retain log events in the log group for Macie. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
macie_cloudwatch_log_group_retention_in_days = null
# Tags to apply on the Macie CloudWatch Log Group, encoded as a map where the
# keys are tag keys and values are tag values.
macie_cloudwatch_log_group_tags = null
# Set to true to create a KMS key to encrypt sensitive data discovery results.
# NOTE: Whether you choose to create the key yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# key to encrypt sensitive data discovery results in AWS Console.
macie_create_discovery_results_kms_key = false
# Set to true to create a KMS key to encrypt Macie log entries. If false, log
# entries will not be encrypted unless a key is provided with
# var.macie_cloudwatch_log_group_kms_key_id.
macie_create_logs_kms_key = false
# The number of days to keep around the KMS Customer managed Key for
# encrypting sensitive discovery results after it has been marked for
# deletion.
macie_discovery_results_kms_key_deletion_window_in_days = 30
# The name of the KMS key to encrypt sensitive data discovery results.
# Required if create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_name = null
# A list of IAM user ARNs with access to the KMS key above. Required if
# create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_users = null
# Map of AWS Accounts to add as members to this account's Amazon Macie
# configuration. The keys in this map should each be a unique value (e.g., the
# account name) and the values should be objects that contain the account ID
# and Email.
macie_external_member_accounts = {}
# Specifies how often to publish updates to policy findings for the account.
# Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.
macie_finding_publishing_frequency = "FIFTEEN_MINUTES"
# A custom name for the job. If omitted, Terraform will assign a random,
# unique name.
macie_job_name = null
# The number of days to keep the KMS Customer managed Key for Macie Los around
# after it has been marked for deletion.
macie_logs_kms_key_deletion_window_in_days = 30
# The name of the KMS key to encrypt Macie logs. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_name = null
# The primary region where the kms key for encrypting Macie logs should be
# created. When set, the KMS key will be created in this region and then
# replicated to all opted in regions. On the other hand, when null, a
# different KMS key will be created in all opted in regions.
macie_logs_kms_key_primary_region = null
# A list of IAM user ARNs with access to the KMS key above. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_users = null
# When true, precreate the CloudWatch Log Group to use for the Macie Data
# Discovery job. This is useful if you wish to customize the CloudWatch Log
# Group with various settings such as retention periods and KMS encryption.
# When false, AWS Macie will automatically create a basic log group to use.
macie_should_create_cloudwatch_log_group = true
# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for people
# to use, such as allow-read-only-access-from-other-accounts. For IAM roles
# that are intended for machine users, such as
# allow-auto-deploy-from-other-accounts, see
# var.max_session_duration_machine_users.
max_session_duration_human_users = 43200
# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for
# machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles
# that are intended for human users, such as
# allow-read-only-access-from-other-accounts, see
# var.max_session_duration_human_users.
max_session_duration_machine_users = 3600
# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}
# Force the user to reset their password on initial login. Only used for users
# with create_login_profile set to true.
password_reset_required = true
# The amount of reserved concurrent executions for this lambda function or -1
# if unreserved. Note that this defaults to 1 to ensure that we only have one
# instance of this process running at a time. Since the process depends on
# querying expired IAM certificates, it can lead to errors if more than one of
# these are running at a time.
reserved_concurrent_executions = 1
# The AWS region (e.g., us-east-1) where all the findings will be aggregated.
# If null, no region will be designated as an aggregate region and findings
# will only be visible to the region where it was reported. NOTE: this can
# only be implemented on the SecurityHub administrator account.
security_hub_aggregate_region = null
# When true, enable the CIS benchmark v1.4 ruleset for automatic checks in
# SecurityHub. Set this to false if you are using Steampipe instead.
security_hub_enable_cis_1_4_check = true
# When true, enable the CIS benchmark v1.2 ruleset for automatic checks in
# SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then
# var.security_hub_enable_cis_1_4_check should also be set to false. Set this
# to false if you are using Steampipe instead.
security_hub_enable_cis_check = true
# List of AWS Accounts (ID and Email) to add as members to this account's
# SecurityHub configuration.
security_hub_external_member_accounts = {}
# Adjust the logging level of the script to sync SecurityHub member accounts.
# Valid values: debug, info, warn, error
security_hub_loglevel = "info"
# List of product integration IDs to enable on SecurityHub. Refer to
# https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html#argument-reference
# for valid values.
security_hub_product_integrations = []
# Create service-linked roles for this set of services. You should pass in the
# URLs of the services, but without the protocol (e.g., http://) in front:
# e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or
# es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are
# predefined by the service, can typically only be assumed by that service,
# and include all the permissions that the service requires to call other AWS
# services on your behalf. You can typically only create one such role per AWS
# account, which is why this parameter exists in the account baseline. See
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
# for the list of services that support service-linked roles.
service_linked_roles = []
# Should we create the IAM Group for auto-deploy? Allows automated deployment
# by granting the permissions specified in var.auto_deploy_permissions. (true
# or false)
should_create_iam_group_auto_deploy = false
# Should we create the IAM Group for billing? Allows read-write access to
# billing features only. (true or false)
should_create_iam_group_billing = false
# Should we create the IAM Group for access to all external AWS accounts?
should_create_iam_group_cross_account_access_all = true
# Should we create the IAM Group for developers? The permissions of that group
# are specified via var.iam_group_developers_permitted_services. (true or
# false)
should_create_iam_group_developers = false
# Should we create the IAM Group for logs? Allows read access to CloudTrail,
# AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also
# give decrypt access to a KMS CMK. (true or false)
should_create_iam_group_logs = false
# Should we create the IAM Group for read-only? Allows read-only access to all
# AWS resources. (true or false)
should_create_iam_group_read_only = false
# Should we create the IAM Group for use-existing-iam-roles? Allow launching
# AWS resources with existing IAM Roles, but no ability to create new IAM
# Roles. (true or false)
should_create_iam_group_use_existing_iam_roles = false
# Should we create the IAM Group for iam-user-self-mgmt? Allows IAM users to
# manage their own account, but not other users. (true or false)
should_create_iam_group_user_self_mgmt = false
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true
# A map of users to create. The keys are the user names and the values are an
# object with the optional keys 'groups' (a list of IAM groups to add the user
# to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a
# base-64 encoded PGP public key, or a keybase username in the form
# keybase:username, used to encrypt the user's credentials; required if
# create_login_profile or create_access_keys is true), 'create_login_profile'
# (if set to true, create a password to login to the AWS Web Console),
# 'create_access_keys' (if set to true, create access keys for the user),
# 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is
# used to set the permissions boundary for the user).
users = {}
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S CONTROL-TOWER-SECURITY-ACCOUNT-BASELINE MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v0.8.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# The AWS Region to use as the global config recorder.
aws_region = <string>
# Creates resources in the specified regions. The best practice is to enable
# EBS Encryption in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
ebs_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# GuardDuty in all enabled regions in your AWS account. This variable must NOT
# be set to null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
guardduty_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# IAM Access Analyzer in all enabled regions in your AWS account. This
# variable must NOT be set to null or empty. Otherwise, we won't know which
# regions to use and authenticate to, and may use some not enabled in your AWS
# account (e.g., GovCloud, China, etc). To get the list of regions enabled in
# your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
iam_access_analyzer_opt_in_regions = <list(string)>
# Creates resources in the specified regions. This variable must NOT be set to
# null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
kms_cmk_opt_in_regions = <list(string)>
# Creates resources in the specified regions. The best practice is to enable
# Amazon Macie in all enabled regions in your AWS account. This variable must
# NOT be set to null or empty. Otherwise, we won't know which regions to use
# and authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
macie_opt_in_regions = <list(string)>
# The name used to prefix all resources
name_prefix = <string>
# AWS Account to join this account's SecurityHub to. Must have already
# received an invite from this account.
security_hub_associate_to_admin_account_id = <string>
# Creates resources in the specified regions. The best practice is to enable
# AWS Security Hub in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
security_hub_opt_in_regions = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# A list of IAM ARNs from other AWS accounts that will be allowed to assume
# the auto deploy IAM role that has the permissions in
# var.auto_deploy_permissions.
allow_auto_deploy_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the billing info for this account.
allow_billing_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the services in this account specified in
# var.dev_permitted_services.
allow_dev_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If
# var.cloudtrail_kms_key_arn is set, will also grant decrypt permissions for
# the KMS CMK.
allow_logs_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read-only
# access to this account.
allow_read_only_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to IAM groups and publish SSH keys. This is used for ssh-grunt.
allow_ssh_grunt_access_from_other_account_arns = []
# A list of IAM ARNs from other AWS accounts that will be allowed access to
# AWS support for this account.
allow_support_access_from_other_account_arns = []
# A list of IAM permissions (e.g. ec2:*) which will be granted for automated
# deployment.
auto_deploy_permissions = []
# Namespace all Lambda resources created by this module with this name.
cleanup_expired_certs_lambda_namespace = "cleanup-expired-iam-certs"
# The name to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_name = "cleanup-expired-iam-certs-count"
# The namespace to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_namespace = "custom/cis"
# An expression that defines how often to run the Lambda function to clean up
# expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes).
cleanup_expired_certs_schedule_expression = "rate(1 hour)"
# Namespace all Lambda scheduling resources created by this module with this
# name.
cleanup_expired_certs_schedule_namespace = "cleanup-expired-iam-certs-scheduled"
# The ID of the your management (root) AWS account where Control Tower is
# enabled. Only used if create_control_tower_execution_role is set to true.
control_tower_management_account_id = null
# Set to true to create the Control Tower Execution IAM role. This role gives
# Control Tower permissions to manage this account. If you create an account
# using Control Tower, it will create this role automatically, but if you are
# enrolling an existing account in Control Tower, you MUST set this variable
# to true to create this IAM role. If set to true, you MUST also set the
# control_tower_management_account_id input variable.
create_control_tower_execution_role = false
# Set to true to create an S3 bucket of name macie_bucket_name for storing
# sensitive data discovery results. Set to false to assume the bucket already
# exists. NOTE: Whether you choose to create the bucket yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# bucket to store sensitive data discovery results in AWS Console.
create_macie_bucket = false
# The name of the IAM group that will grant access to all external AWS
# accounts in var.iam_groups_for_cross_account_access.
cross_account_access_all_group_name = "access-all-external-accounts"
# A map of tags to apply to the IAM roles.
cross_account_iam_role_tags = {}
# A list of AWS services for which the developers from the accounts in
# var.allow_dev_access_from_other_account_arns will receive full permissions.
# See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to
# grant developers access only to EC2 and Amazon Machine Learning, use the
# value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or
# that will grant Developers de facto admin access.
dev_permitted_services = []
# The name of the KMS CMK to use by default for encrypting EBS volumes, if
# var.ebs_enable_encryption and var.ebs_use_existing_kms_keys are enabled. The
# name must match a name given the var.kms_customer_master_keys variable.
ebs_kms_key_name = ""
# If set to true, the KMS Customer Managed Keys (CMK) with the name in
# var.ebs_kms_key_name will be set as the default for EBS encryption. When
# false (default), the AWS-managed aws/ebs key will be used.
ebs_use_existing_kms_keys = false
# When true, enable the Encrypted Volumes check in AWS Config. This check
# identifies EBS volumes that are not encrypted. This check is useful for
# identifying and encrypting EBS volumes, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_encrypted_volumes = false
# When true, create an Open ID Connect Provider that GitHub actions can use to
# assume IAM roles in the account. Refer to
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
# for more information.
enable_github_actions_access = false
# When true, enable the IAM Password Policy check in AWS Config. This check
# identifies IAM users whose password policy does not meet the specified
# requirements. This check is useful for identifying and enforcing a password
# policy for IAM users, which can help reduce the risk of unauthorized access
# to your AWS resources.
enable_iam_password_policy = false
# When true, enable the IAM User Unused Credentials check in AWS Config. This
# check identifies IAM users who have not used their credentials for a
# specified number of days. This check is useful for identifying and removing
# unused IAM users, which can help reduce the risk of unauthorized access to
# your AWS resources. Note that this is required for the
# `revoke_unused_iam_credentials` module, which is provisioned here and is the
# only reason this is set to true. The current recommended way to handle
# propagating Config rules in AWS is to use Control Tower Controls.
enable_iam_user_unused_credentials_check = true
# When true, enable the Insecure Security Group Rules check in AWS Config.
# This check identifies security groups that allow unrestricted inbound
# traffic. This check is useful for identifying and removing insecure security
# group rules, which can help reduce the risk of unauthorized access to your
# AWS resources.
enable_insecure_sg_rules = false
# When true, enable the RDS Storage Encrypted check in AWS Config. This check
# identifies RDS instances that are not encrypted. This check is useful for
# identifying and encrypting RDS instances, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_rds_storage_encrypted = false
# When true, enable the Root Account MFA check in AWS Config. This check
# identifies the AWS account root user that does not have multi-factor
# authentication (MFA) enabled. This check is useful for identifying and
# enabling MFA for the root account, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_root_account_mfa = false
# When true, enable the S3 Bucket Public Read Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public read access. This check
# is useful for identifying and removing public read access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_read_prohibited = false
# When true, enable the S3 Bucket Public Write Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public write access. This check
# is useful for identifying and removing public write access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_write_prohibited = false
# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket macie_bucket_name so that the bucket can be destroyed without
# error. Warning: these objects are not recoverable so only use this if you're
# absolutely sure you want to permanently delete everything!
force_destroy_macie_bucket = false
# When destroying this user, destroy even if it has non-Terraform-managed IAM
# access keys, login profile, or MFA devices. Without force_destroy a user
# with non-Terraform-managed access keys and login profile will fail to be
# destroyed.
force_destroy_users = false
# When set, use the statically provided hardcoded list of thumbprints rather
# than looking it up dynamically. This is useful if you want to trade
# relibaility of the OpenID Connect Provider across certificate renewals with
# a static list that is obtained using a trustworthy mechanism to mitigate
# potential damage from a domain hijacking attack on GitHub domains.
github_actions_openid_connect_provider_thumbprint_list = null
# Name of the Cloudwatch event rules.
guardduty_cloudwatch_event_rule_name = "guardduty-finding-events"
# Map of detector features to enable, where the key is the name of the feature
# the value is the feature configuration. When AWS Organizations delegated
# admin account is used, use var.organization_configuration_features instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
guardduty_detector_features = {}
# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty master account and cannot be modified, otherwise
# defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must
# be configured in Terraform to enable drift detection. Valid values for
# standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
guardduty_finding_publishing_frequency = null
# If true, an IAM Policy that grants access to the key will be honored. If
# false, only the ARNs listed in var.kms_key_user_iam_arns will have access to
# the key and any IAM Policy grants will be ignored. (true or false)
guardduty_findings_allow_kms_access_with_iam = true
# The AWS regions that are allowed to write to the GuardDuty findings S3
# bucket. This is needed to configure the bucket and CMK policy to allow
# writes from manually-enabled regions. See
# https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
guardduty_findings_allowed_regions = []
# Whether or not to enable automatic annual rotation of the KMS key. Defaults
# to true.
guardduty_findings_enable_key_rotation = true
# A list of external AWS accounts that should be given write access for
# GuardDuty findings to this S3 bucket. This is useful when aggregating
# findings for multiple AWS accounts in one common S3 bucket.
guardduty_findings_external_aws_account_ids_with_write_access = []
# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
guardduty_findings_force_destroy = false
# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have rights to change who
# can access the data.
guardduty_findings_kms_key_administrator_iam_arns = []
# If set to true, that means the KMS key you're using already exists, and does
# not need to be created.
guardduty_findings_kms_key_already_exists = false
# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces findings to be encrypted. Only used if
# guardduty_publish_findings_to_s3 is true.
guardduty_findings_kms_key_arn = null
# Additional service principals beyond GuardDuty that should have access to
# the KMS key used to encrypt the logs.
guardduty_findings_kms_key_service_principals = []
# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have read-only access to the
# data.
guardduty_findings_kms_key_user_iam_arns = []
# After this number of days, findings should be transitioned from S3 to
# Glacier. Enter 0 to never archive findings.
guardduty_findings_num_days_after_which_archive_findings_data = 30
# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
guardduty_findings_num_days_after_which_delete_findings_data = 365
# Additional IAM policies to apply to this S3 bucket. You can use this to
# grant read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
# defined in the comment above.
guardduty_findings_s3_bucket_additional_policy_statements = {}
# The S3 bucket ARN to which the findings get exported.
guardduty_findings_s3_bucket_arn = null
# The name of the S3 Bucket where GuardDuty findings will be stored.
guardduty_findings_s3_bucket_name = null
# Optional prefix directory to create in the bucket. Must contain a trailing
# '/'. If you use a prefix for S3 findings publishing, you must pre-create the
# prefix in the findings bucket. See
# https://github.com/hashicorp/terraform-provider-aws/issues/16750.
guardduty_findings_s3_bucket_prefix = null
# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to storage GuardDuty findings. This cannot be used to toggle
# this setting but is available to allow managed buckets to reflect the state
# in AWS. For instructions on how to enable MFA Delete, check out the README
# from the terraform-aws-security/private-s3-bucket module.
guardduty_findings_s3_mfa_delete = false
# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
guardduty_findings_s3_prefix = null
# Whether to create a bucket for GuardDuty findings. If set to true, you must
# provide the var.guardduty_findings_s3_bucket_name.
guardduty_findings_should_create_bucket = false
# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
guardduty_findings_sns_topic_name = "guardduty-findings"
# Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).
guardduty_findings_tags = {}
# The invitation message to send to the member accounts.
guardduty_invitation_message = "Please accept GuardDuty invitation."
# Map of member accounts to add to GuardDuty where key is the AWS account
# number. Use to add Organization accounts to delegated admin account or
# invite member accounts by invite.
guardduty_member_accounts = {}
# Publish GuardDuty findings to an S3 bucket.
guardduty_publish_findings_to_s3 = false
# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
guardduty_publish_findings_to_sns = false
# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "baseline_root-iam_access_analyzer"
# A list of AWS services for which the developers IAM Group will receive full
# permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For
# example, to grant developers access only to EC2 and Amazon Machine Learning,
# use the value ["ec2","machinelearning"].
iam_group_developers_permitted_services = []
# The prefix of the S3 Bucket Name to which an individual IAM User will have
# full access. For example, if the prefix is acme.user-, then IAM User
# john.doe will have access to S3 Bucket acme.user-john.doe.
iam_group_developers_s3_bucket_prefix = "acme.user-"
# The name to be used for the IAM Group that grants read/write access to all
# billing features in AWS.
iam_group_name_billing = "billing"
# The name to be used for the IAM Group that grants IAM Users a reasonable set
# of permissions for developers.
iam_group_name_developers = "developers"
# The name to be used for the IAM Group that grants IAM administrative access.
# Effectively grants administrator access.
iam_group_name_iam_admin = "iam-admin"
# The name to be used for the IAM Group that grants IAM Users the permissions
# to manage their own IAM User account.
iam_group_name_iam_user_self_mgmt = "iam-user-self-mgmt"
# The name to be used for the IAM Group that grants read access to CloudTrail,
# AWS Config, and CloudWatch in AWS.
iam_group_name_logs = "logs"
# The name to be used for the IAM Group that grants read-only access to all
# AWS resources.
iam_group_name_read_only = "read-only"
# The name of the IAM Group that allows access to AWS Support.
iam_group_name_support = "support"
# The name to be used for the IAM Group that grants IAM Users the permissions
# to use existing IAM Roles when launching AWS Resources. This does NOT grant
# the permission to create new IAM Roles.
iam_group_name_use_existing_iam_roles = "use-existing-iam-roles"
# The list of names to be used for the IAM Group that enables its members to
# SSH as a sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_sudo_users = ["ssh-grunt-sudo-users"]
# The name to be used for the IAM Group that enables its members to SSH as a
# non-sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_users = ["ssh-grunt-users"]
# This variable is used to create groups that allow allow IAM users to assume
# roles in your other AWS accounts. It should be a list of maps, where each
# map has the keys group_name and iam_role_arn. For each entry in the list, we
# will create an IAM group that allows users to assume the given IAM role in
# the other AWS account. This allows you to define all your IAM users in one
# account (e.g. the users account) and to grant them access to certain IAM
# roles in other accounts (e.g. the stage, prod, audit accounts).
iam_groups_for_cross_account_access = []
# Password expiration requires administrator reset.
iam_password_policy_hard_expiry = true
# Number of days before password expiration.
iam_password_policy_max_password_age = 0
# Password minimum length. To be compliant with CIS recommendation 1.8, the
# minimum password length is 14 characters.
iam_password_policy_minimum_password_length = 14
# The name to be used for the IAM Policy that grants IAM administrative
# access.
iam_policy_iam_admin = "iam-admin"
# The name to be used for the IAM Policy that grants IAM Users the permissions
# to manage their own IAM User account.
iam_policy_iam_user_self_mgmt = "iam-user-self-mgmt"
# Include this value as a prefix in the name of every IAM role created by this
# module. This is useful to prepend, for example, '<account-name>-' to every
# IAM role name: e.g., allow-full-access-from-other-accounts becomes
# stage-allow-full-access-from-other-accounts.
iam_role_name_prefix = ""
# A map of tags to apply to all KMS Keys to be created. In this map variable,
# the key is the tag name and the value is the tag value.
kms_cmk_global_tags = {}
# You can use this variable to create account-level KMS Customer Master Keys
# (CMKs) for encrypting and decrypting data. This variable should be a map
# where the keys are the names of the CMK and the values are an object that
# defines the configuration for that CMK. See the comment below for the
# configuration options you can set for each key.
kms_customer_master_keys = {}
# The map of names of KMS grants to the region where the key resides in. There
# should be a one to one mapping between entries in this map and the entries
# of the kms_grants map. This is used to workaround a terraform limitation
# where the for_each value can not depend on resources.
kms_grant_regions = {}
# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of
# grant name to grant properties. The name must be unique per account.
kms_grants = {}
# Specifies the status for the account. To enable Amazon Macie and start all
# Macie activities for the account, set this value to ENABLED. Valid values
# are ENABLED or PAUSED.
macie_account_status = "ENABLED"
# AWS Account to join this account's Amazon Macie to. Must have already
# received an invite from this account.
macie_administrator_account_id = ""
# The name of the S3 bucket for storing sensitive data discovery results. Only
# used if create_macie_bucket is true. If omitted, Terraform will assign a
# random, unique name.
macie_bucket_name = null
# S3 buckets that Macie should analyze. This should be a map, where each key
# is a region, and each value is a list of buckets in that region that should
# be analyzed. Unfortunately, due to the limitations in the Terraform AWS
# provider, there is no way to automatically select all buckets in a region,
# therefore an explicit list of buckets to analyze must be maintained in this
# variable. For more information, see
# https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/security/macie/core-concepts.md#buckets-to-analyze.
macie_buckets_to_analyze = {}
# A map from region to ID (ARN, alias ARN, AWS ID) of a customer managed KMS
# Key to use for encrypting Macie log data. Only used if
# var.macie_create_logs_kms_key is set to false.
macie_cloudwatch_log_group_kms_key_id = null
# The number of days to retain log events in the log group for Macie. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
macie_cloudwatch_log_group_retention_in_days = null
# Tags to apply on the Macie CloudWatch Log Group, encoded as a map where the
# keys are tag keys and values are tag values.
macie_cloudwatch_log_group_tags = null
# Set to true to create a KMS key to encrypt sensitive data discovery results.
# NOTE: Whether you choose to create the key yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# key to encrypt sensitive data discovery results in AWS Console.
macie_create_discovery_results_kms_key = false
# Set to true to create a KMS key to encrypt Macie log entries. If false, log
# entries will not be encrypted unless a key is provided with
# var.macie_cloudwatch_log_group_kms_key_id.
macie_create_logs_kms_key = false
# The number of days to keep around the KMS Customer managed Key for
# encrypting sensitive discovery results after it has been marked for
# deletion.
macie_discovery_results_kms_key_deletion_window_in_days = 30
# The name of the KMS key to encrypt sensitive data discovery results.
# Required if create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_name = null
# A list of IAM user ARNs with access to the KMS key above. Required if
# create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_users = null
# Map of AWS Accounts to add as members to this account's Amazon Macie
# configuration. The keys in this map should each be a unique value (e.g., the
# account name) and the values should be objects that contain the account ID
# and Email.
macie_external_member_accounts = {}
# Specifies how often to publish updates to policy findings for the account.
# Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.
macie_finding_publishing_frequency = "FIFTEEN_MINUTES"
# A custom name for the job. If omitted, Terraform will assign a random,
# unique name.
macie_job_name = null
# The number of days to keep the KMS Customer managed Key for Macie Los around
# after it has been marked for deletion.
macie_logs_kms_key_deletion_window_in_days = 30
# The name of the KMS key to encrypt Macie logs. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_name = null
# The primary region where the kms key for encrypting Macie logs should be
# created. When set, the KMS key will be created in this region and then
# replicated to all opted in regions. On the other hand, when null, a
# different KMS key will be created in all opted in regions.
macie_logs_kms_key_primary_region = null
# A list of IAM user ARNs with access to the KMS key above. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_users = null
# When true, precreate the CloudWatch Log Group to use for the Macie Data
# Discovery job. This is useful if you wish to customize the CloudWatch Log
# Group with various settings such as retention periods and KMS encryption.
# When false, AWS Macie will automatically create a basic log group to use.
macie_should_create_cloudwatch_log_group = true
# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for people
# to use, such as allow-read-only-access-from-other-accounts. For IAM roles
# that are intended for machine users, such as
# allow-auto-deploy-from-other-accounts, see
# var.max_session_duration_machine_users.
max_session_duration_human_users = 43200
# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for
# machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles
# that are intended for human users, such as
# allow-read-only-access-from-other-accounts, see
# var.max_session_duration_human_users.
max_session_duration_machine_users = 3600
# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}
# Force the user to reset their password on initial login. Only used for users
# with create_login_profile set to true.
password_reset_required = true
# The amount of reserved concurrent executions for this lambda function or -1
# if unreserved. Note that this defaults to 1 to ensure that we only have one
# instance of this process running at a time. Since the process depends on
# querying expired IAM certificates, it can lead to errors if more than one of
# these are running at a time.
reserved_concurrent_executions = 1
# The AWS region (e.g., us-east-1) where all the findings will be aggregated.
# If null, no region will be designated as an aggregate region and findings
# will only be visible to the region where it was reported. NOTE: this can
# only be implemented on the SecurityHub administrator account.
security_hub_aggregate_region = null
# When true, enable the CIS benchmark v1.4 ruleset for automatic checks in
# SecurityHub. Set this to false if you are using Steampipe instead.
security_hub_enable_cis_1_4_check = true
# When true, enable the CIS benchmark v1.2 ruleset for automatic checks in
# SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then
# var.security_hub_enable_cis_1_4_check should also be set to false. Set this
# to false if you are using Steampipe instead.
security_hub_enable_cis_check = true
# List of AWS Accounts (ID and Email) to add as members to this account's
# SecurityHub configuration.
security_hub_external_member_accounts = {}
# Adjust the logging level of the script to sync SecurityHub member accounts.
# Valid values: debug, info, warn, error
security_hub_loglevel = "info"
# List of product integration IDs to enable on SecurityHub. Refer to
# https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html#argument-reference
# for valid values.
security_hub_product_integrations = []
# Create service-linked roles for this set of services. You should pass in the
# URLs of the services, but without the protocol (e.g., http://) in front:
# e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or
# es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are
# predefined by the service, can typically only be assumed by that service,
# and include all the permissions that the service requires to call other AWS
# services on your behalf. You can typically only create one such role per AWS
# account, which is why this parameter exists in the account baseline. See
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
# for the list of services that support service-linked roles.
service_linked_roles = []
# Should we create the IAM Group for auto-deploy? Allows automated deployment
# by granting the permissions specified in var.auto_deploy_permissions. (true
# or false)
should_create_iam_group_auto_deploy = false
# Should we create the IAM Group for billing? Allows read-write access to
# billing features only. (true or false)
should_create_iam_group_billing = false
# Should we create the IAM Group for access to all external AWS accounts?
should_create_iam_group_cross_account_access_all = true
# Should we create the IAM Group for developers? The permissions of that group
# are specified via var.iam_group_developers_permitted_services. (true or
# false)
should_create_iam_group_developers = false
# Should we create the IAM Group for logs? Allows read access to CloudTrail,
# AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also
# give decrypt access to a KMS CMK. (true or false)
should_create_iam_group_logs = false
# Should we create the IAM Group for read-only? Allows read-only access to all
# AWS resources. (true or false)
should_create_iam_group_read_only = false
# Should we create the IAM Group for use-existing-iam-roles? Allow launching
# AWS resources with existing IAM Roles, but no ability to create new IAM
# Roles. (true or false)
should_create_iam_group_use_existing_iam_roles = false
# Should we create the IAM Group for iam-user-self-mgmt? Allows IAM users to
# manage their own account, but not other users. (true or false)
should_create_iam_group_user_self_mgmt = false
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true
# A map of users to create. The keys are the user names and the values are an
# object with the optional keys 'groups' (a list of IAM groups to add the user
# to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a
# base-64 encoded PGP public key, or a keybase username in the form
# keybase:username, used to encrypt the user's credentials; required if
# create_login_profile or create_access_keys is true), 'create_login_profile'
# (if set to true, create a password to login to the AWS Web Console),
# 'create_access_keys' (if set to true, create access keys for the user),
# 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is
# used to set the permissions boundary for the user).
users = {}
}
Reference
- Inputs
- Outputs
Required
aws_account_id
stringThe AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.
aws_region
stringThe AWS Region to use as the global config recorder.
ebs_opt_in_regions
list(string)Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
guardduty_opt_in_regions
list(string)Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
iam_access_analyzer_opt_in_regions
list(string)Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
kms_cmk_opt_in_regions
list(string)Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
macie_opt_in_regions
list(string)Creates resources in the specified regions. The best practice is to enable Amazon Macie in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
name_prefix
stringThe name used to prefix all resources
AWS Account to join this account's SecurityHub to. Must have already received an invite from this account.
security_hub_opt_in_regions
list(string)Creates resources in the specified regions. The best practice is to enable AWS Security Hub in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
Optional
allow_auto_deploy_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in auto_deploy_permissions
.
[]
Example
default = [
"arn:aws:iam::123445678910:role/jenkins"
]
allow_billing_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
allow_dev_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in dev_permitted_services
.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
allow_logs_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If cloudtrail_kms_key_arn
is set, will also grant decrypt permissions for the KMS CMK.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
allow_read_only_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
allow_ssh_grunt_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
allow_support_access_from_other_account_arns
list(string)A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account.
[]
Example
default = [
"arn:aws:iam::123445678910:root"
]
auto_deploy_permissions
list(string)A list of IAM permissions (e.g. ec2:*) which will be granted for automated deployment.
[]
Namespace all Lambda resources created by this module with this name.
"cleanup-expired-iam-certs"
The name to use for the custom CloudWatch metric. Only used if report_cloudwatch_metric
is set to true.
"cleanup-expired-iam-certs-count"
The namespace to use for the custom CloudWatch metric. Only used if report_cloudwatch_metric
is set to true.
"custom/cis"
An expression that defines how often to run the Lambda function to clean up expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes).
"rate(1 hour)"
Namespace all Lambda scheduling resources created by this module with this name.
"cleanup-expired-iam-certs-scheduled"
The ID of the your management (root) AWS account where Control Tower is enabled. Only used if create_control_tower_execution_role is set to true.
null
Set to true to create the Control Tower Execution IAM role. This role gives Control Tower permissions to manage this account. If you create an account using Control Tower, it will create this role automatically, but if you are enrolling an existing account in Control Tower, you MUST set this variable to true to create this IAM role. If set to true, you MUST also set the control_tower_management_account_id input variable.
false
Set to true to create an S3 bucket of name macie_bucket_name for storing sensitive data discovery results. Set to false to assume the bucket already exists. NOTE: Whether you choose to create the bucket yourself, or have it automatically created by Terraform, you will need to manually configure this bucket to store sensitive data discovery results in AWS Console.
false
The name of the IAM group that will grant access to all external AWS accounts in iam_groups_for_cross_account_access
.
"access-all-external-accounts"
cross_account_iam_role_tags
map(string)A map of tags to apply to the IAM roles.
{}
dev_permitted_services
list(string)A list of AWS services for which the developers from the accounts in allow_dev_access_from_other_account_arns
will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning']. Do NOT add iam to the list of services, or that will grant Developers de facto admin access.
[]
ebs_kms_key_name
stringThe name of the KMS CMK to use by default for encrypting EBS volumes, if ebs_enable_encryption
and ebs_use_existing_kms_keys
are enabled. The name must match a name given the kms_customer_master_keys
variable.
""
If set to true, the KMS Customer Managed Keys (CMK) with the name in ebs_kms_key_name
will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used.
false
When true, enable the Encrypted Volumes check in AWS Config. This check identifies EBS volumes that are not encrypted. This check is useful for identifying and encrypting EBS volumes, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, create an Open ID Connect Provider that GitHub actions can use to assume IAM roles in the account. Refer to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for more information.
false
When true, enable the IAM Password Policy check in AWS Config. This check identifies IAM users whose password policy does not meet the specified requirements. This check is useful for identifying and enforcing a password policy for IAM users, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, enable the IAM User Unused Credentials check in AWS Config. This check identifies IAM users who have not used their credentials for a specified number of days. This check is useful for identifying and removing unused IAM users, which can help reduce the risk of unauthorized access to your AWS resources. Note that this is required for the revoke_unused_iam_credentials
module, which is provisioned here and is the only reason this is set to true. The current recommended way to handle propagating Config rules in AWS is to use Control Tower Controls.
true
When true, enable the Insecure Security Group Rules check in AWS Config. This check identifies security groups that allow unrestricted inbound traffic. This check is useful for identifying and removing insecure security group rules, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, enable the RDS Storage Encrypted check in AWS Config. This check identifies RDS instances that are not encrypted. This check is useful for identifying and encrypting RDS instances, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, enable the Root Account MFA check in AWS Config. This check identifies the AWS account root user that does not have multi-factor authentication (MFA) enabled. This check is useful for identifying and enabling MFA for the root account, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, enable the S3 Bucket Public Read Prohibited check in AWS Config. This check identifies S3 buckets that allow public read access. This check is useful for identifying and removing public read access from S3 buckets, which can help reduce the risk of unauthorized access to your AWS resources.
false
When true, enable the S3 Bucket Public Write Prohibited check in AWS Config. This check identifies S3 buckets that allow public write access. This check is useful for identifying and removing public write access from S3 buckets, which can help reduce the risk of unauthorized access to your AWS resources.
false
If set to true, when you run 'terraform destroy', delete all objects from the bucket macie_bucket_name so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!
false
When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.
false
When set, use the statically provided hardcoded list of thumbprints rather than looking it up dynamically. This is useful if you want to trade relibaility of the OpenID Connect Provider across certificate renewals with a static list that is obtained using a trustworthy mechanism to mitigate potential damage from a domain hijacking attack on GitHub domains.
null
Name of the Cloudwatch event rules.
"guardduty-finding-events"
guardduty_detector_features
map(object(…))Map of detector features to enable, where the key is the name of the feature the value is the feature configuration. When AWS Organizations delegated admin account is used, use organization_configuration_features
instead. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
map(object({
status = string
additional_configuration = list(object({
name = string
status = string
}))
}))
{}
Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
null
If true, an IAM Policy that grants access to the key will be honored. If false, only the ARNs listed in kms_key_user_iam_arns
will have access to the key and any IAM Policy grants will be ignored. (true or false)
true
guardduty_findings_allowed_regions
list(string)The AWS regions that are allowed to write to the GuardDuty findings S3 bucket. This is needed to configure the bucket and CMK policy to allow writes from manually-enabled regions. See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
[]
Whether or not to enable automatic annual rotation of the KMS key. Defaults to true.
true
A list of external AWS accounts that should be given write access for GuardDuty findings to this S3 bucket. This is useful when aggregating findings for multiple AWS accounts in one common S3 bucket.
[]
If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!
false
All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have rights to change who can access the data.
[]
If set to true, that means the KMS key you're using already exists, and does not need to be created.
false
The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces findings to be encrypted. Only used if guardduty_publish_findings_to_s3 is true.
null
guardduty_findings_kms_key_service_principals
list(object(…))Additional service principals beyond GuardDuty that should have access to the KMS key used to encrypt the logs.
list(object({
# The name of the service principal (e.g.: s3.amazonaws.com).
name = string
# The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey",
# "kms:GenerateDataKey"]).
actions = list(string)
# List of additional service principals. Useful when, for example, granting
# access to opt-in region service endpoints (e.g. guardduty.us-east-1.amazonaws.com).
additional_principals = list(string)
# List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the
# permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts).
conditions = list(object({
# Name of the IAM condition operator to evaluate.
test = string
# Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables
# starting with aws: or service-specific variables prefixed with the service name.
variable = string
# Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one
# of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
values = list(string)
}))
}))
[]
Details
The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey",
"kms:GenerateDataKey"]).
Details
List of additional service principals. Useful when, for example, granting
access to opt-in region service endpoints (e.g. guardduty.us-east-1.amazonaws.com).
Details
List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the
permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts).
Details
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables
starting with aws: or service-specific variables prefixed with the service name.
Details
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one
of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
guardduty_findings_kms_key_user_iam_arns
list(string)All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have read-only access to the data.
[]
After this number of days, findings should be transitioned from S3 to Glacier. Enter 0 to never archive findings.
30
After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.
365
Additional IAM policies to apply to this S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above.
Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
{
AllIamUsersReadAccess = {
effect = "Allow"
actions = ["s3:GetObject"]
principals = {
AWS = ["arn:aws:iam::111111111111:user/ann", "arn:aws:iam::111111111111:user/bob"]
}
condition = {
SourceVPCCheck = {
test = "StringEquals"
variable = "aws:SourceVpc"
values = ["vpc-abcd123"]
}
}
}
}
Details
Ideally, this would be a map(object({...})), but the Terraform object type constraint doesn't support optional
parameters, whereas IAM policy statements have many optional params. And we can't even use map(any), as the
Terraform map type constraint requires all values to have the same type ("shape"), but as each object in the map
may specify different optional params, this won't work either. So, sadly, we are forced to fall back to "any."
The S3 bucket ARN to which the findings get exported.
null
The name of the S3 Bucket where GuardDuty findings will be stored.
null
Optional prefix directory to create in the bucket. Must contain a trailing '/'. If you use a prefix for S3 findings publishing, you must pre-create the prefix in the findings bucket. See https://github.com/hashicorp/terraform-provider-aws/issues/16750.
null
Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage GuardDuty findings. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module.
false
The bucket prefix without trailing '/' under which the findings get exported. The prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
null
Whether to create a bucket for GuardDuty findings. If set to true, you must provide the guardduty_findings_s3_bucket_name
.
false
Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true.
"guardduty-findings"
guardduty_findings_tags
map(string)Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).
{}
The invitation message to send to the member accounts.
"Please accept GuardDuty invitation."
guardduty_member_accounts
map(object(…))Map of member accounts to add to GuardDuty where key is the AWS account number. Use to add Organization accounts to delegated admin account or invite member accounts by invite.
map(object({
email = string
}))
{}
Publish GuardDuty findings to an S3 bucket.
false
Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
false
iam_access_analyzer_name
stringThe name of the IAM Access Analyzer module
"baseline_root-iam_access_analyzer"
iam_group_developers_permitted_services
list(string)A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning'].
[]
The prefix of the S3 Bucket Name to which an individual IAM User will have full access. For example, if the prefix is acme.user-, then IAM User john.doe will have access to S3 Bucket acme.user-john.doe.
"acme.user-"
iam_group_name_billing
stringThe name to be used for the IAM Group that grants read/write access to all billing features in AWS.
"billing"
The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers.
"developers"
iam_group_name_iam_admin
stringThe name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access.
"iam-admin"
The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account.
"iam-user-self-mgmt"
iam_group_name_logs
stringThe name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS.
"logs"
iam_group_name_read_only
stringThe name to be used for the IAM Group that grants read-only access to all AWS resources.
"read-only"
iam_group_name_support
stringThe name of the IAM Group that allows access to AWS Support.
"support"
The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles.
"use-existing-iam-roles"
iam_group_names_ssh_grunt_sudo_users
list(string)The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups.
[
"ssh-grunt-sudo-users"
]
iam_group_names_ssh_grunt_users
list(string)The name to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups.
[
"ssh-grunt-users"
]
iam_groups_for_cross_account_access
list(object(…))This variable is used to create groups that allow allow IAM users to assume roles in your other AWS accounts. It should be a list of maps, where each map has the keys group_name and iam_role_arn. For each entry in the list, we will create an IAM group that allows users to assume the given IAM role in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts).
list(object({
group_name = string
iam_role_arns = list(string)
}))
[]
Example
default = [
{
group_name = "stage-full-access"
iam_role_arns = ["arn:aws:iam::123445678910:role/mgmt-full-access"]
},
{
group_name = "prod-read-only-access"
iam_role_arns = ["arn:aws:iam::9876543210:role/prod-read-only-access"]
}
]
Password expiration requires administrator reset.
true
Number of days before password expiration.
0
Password minimum length. To be compliant with CIS recommendation 1.8, the minimum password length is 14 characters.
14
iam_policy_iam_admin
stringThe name to be used for the IAM Policy that grants IAM administrative access.
"iam-admin"
The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account.
"iam-user-self-mgmt"
iam_role_name_prefix
stringInclude this value as a prefix in the name of every IAM role created by this module. This is useful to prepend, for example, '<account-name>-' to every IAM role name: e.g., allow-full-access-from-other-accounts becomes stage-allow-full-access-from-other-accounts.
""
kms_cmk_global_tags
map(string)A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value.
{}
You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key.
Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Details
Each entry in the map supports the following attributes:
OPTIONAL (defaults to value of corresponding module input):
- region string : The region (e.g., us-west-2) where the key should be created. If null or
omitted, the key will be created in all enabled regions. Any keys
targeting an opted out region or invalid region string will show up in the
invalid_cmk_inputs output.
- cmk_administrator_iam_arns list(string) : A list of IAM ARNs for users who should be given
administrator access to this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given
permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_read_only_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given
read-only (decrypt-only) permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_external_user_iam_arns list(string) : A list of IAM ARNs for users from external AWS accounts
who should be given permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:root).
- allow_manage_key_permissions_with_iam bool : If true, both the CMK's Key Policy and IAM Policies
(permissions) can be used to grant permissions on the CMK.
If false, only the CMK's Key Policy can be used to grant
permissions on the CMK. False is more secure (and
generally preferred), but true is more flexible and
convenient.
- deletion_window_in_days number : The number of days to keep this KMS Master Key around after it has been
marked for deletion.
- tags map(string) : A map of tags to apply to the KMS Key to be created. In this map
variable, the key is the tag name and the value is the tag value. Note
that this map is merged with var.global_tags, and can be used to override
tags specified in that variable.
- enable_key_rotation bool : Whether or not to enable automatic annual rotation of the KMS key.
- spec string : Specifies whether the key contains a symmetric key or an asymmetric key
pair and the encryption algorithms or signing algorithms that the key
supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096,
ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1.
- cmk_service_principals list(object[ServicePrincipal]) : A list of Service Principals that should be given
permissions to use this CMK (e.g. s3.amazonaws.com). See
below for the structure of the object that should be passed
in.
Structure of ServicePrincipal object:
- name string : The name of the service principal (e.g.: s3.amazonaws.com).
- actions list(string) : The list of actions that the given service principal is allowed to
perform (e.g. ["kms:DescribeKey", "kms:GenerateDataKey"]).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the service
principal. Use this to apply conditions on the permissions for
accessing the KMS key (e.g., only allow access for certain encryption
contexts). The condition object accepts the same fields as the condition
block on the IAM policy document (See
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.htmlcondition).
Structure of CMKUser object:
- name list(string) : The list of names of the AWS principal (e.g.: arn:aws:iam::0000000000:user/dev).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the CMK User
Use this to apply conditions on the permissions for accessing the KMS key
(e.g., only allow access for certain encryption contexts).
The condition object accepts the same fields as the condition
block on the IAM policy document (See
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.htmlcondition).
Example:
kms_customer_master_keys = {
cmk-stage = {
region = "us-west-1"
cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
cmk_user_iam_arns = [
{
name = ["arn:aws:iam::0000000000:user/dev"]
conditions = []
}
]
cmk_read_only_user_iam_arns = [
{
name = ["arn:aws:iam::0000000000:user/qa"]
conditions = []
}
]
cmk_external_user_iam_arns = ["arn:aws:iam::1111111111:user/root"]
cmk_service_principals = [
{
name = "s3.amazonaws.com"
actions = ["kms:Encrypt"]
conditions = []
}
]
}
cmk-prod = {
region = "us-east-1"
cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
cmk_user_iam_arns = [
{
name = ["arn:aws:iam::0000000000:user/prod"]
conditions = []
}
]
allow_manage_key_permissions_with_iam = true
Override the default value for all keys configured with var.default_deletion_window_in_days
deletion_window_in_days = 7
Set extra tags on the CMK for prod
tags = {
Environment = "prod"
}
}
}
kms_grant_regions
map(string)The map of names of KMS grants to the region where the key resides in. There should be a one to one mapping between entries in this map and the entries of the kms_grants map. This is used to workaround a terraform limitation where the for_each value can not depend on resources.
{}
kms_grants
map(object(…))Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account.
map(object({
# ARN of the KMS CMK that the grant applies to. Note that the region is introspected based on the ARN.
kms_cmk_arn = string
# The principal that is given permission to perform the operations that the grant permits. This must be in ARN
# format. For example, the grantee principal for ASG is:
# arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
grantee_principal = string
# A list of operations that the grant permits. The permitted values are:
# Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant,
# RetireGrant, DescribeKey
granted_operations = list(string)
}))
{}
Details
The principal that is given permission to perform the operations that the grant permits. This must be in ARN
format. For example, the grantee principal for ASG is:
arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
Details
A list of operations that the grant permits. The permitted values are:
Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant,
RetireGrant, DescribeKey
macie_account_status
stringSpecifies the status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED. Valid values are ENABLED or PAUSED.
"ENABLED"
AWS Account to join this account's Amazon Macie to. Must have already received an invite from this account.
""
macie_bucket_name
stringThe name of the S3 bucket for storing sensitive data discovery results. Only used if create_macie_bucket is true. If omitted, Terraform will assign a random, unique name.
null
macie_buckets_to_analyze
map(list(…))S3 buckets that Macie should analyze. This should be a map, where each key is a region, and each value is a list of buckets in that region that should be analyzed. Unfortunately, due to the limitations in the Terraform AWS provider, there is no way to automatically select all buckets in a region, therefore an explicit list of buckets to analyze must be maintained in this variable. For more information, see https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/security/macie/core-concepts.md#buckets-to-analyze.
map(list(string))
{}
A map from region to ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting Macie log data. Only used if macie_create_logs_kms_key
is set to false.
null
The number of days to retain log events in the log group for Macie. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever.
null
macie_cloudwatch_log_group_tags
map(string)Tags to apply on the Macie CloudWatch Log Group, encoded as a map where the keys are tag keys and values are tag values.
null
Set to true to create a KMS key to encrypt sensitive data discovery results. NOTE: Whether you choose to create the key yourself, or have it automatically created by Terraform, you will need to manually configure this key to encrypt sensitive data discovery results in AWS Console.
false
Set to true to create a KMS key to encrypt Macie log entries. If false, log entries will not be encrypted unless a key is provided with macie_cloudwatch_log_group_kms_key_id
.
false
The number of days to keep around the KMS Customer managed Key for encrypting sensitive discovery results after it has been marked for deletion.
30
The name of the KMS key to encrypt sensitive data discovery results. Required if create_kms_key is set to true, otherwise ignored.
null
macie_discovery_results_kms_key_users
list(string)A list of IAM user ARNs with access to the KMS key above. Required if create_kms_key is set to true, otherwise ignored.
null
macie_external_member_accounts
map(object(…))Map of AWS Accounts to add as members to this account's Amazon Macie configuration. The keys in this map should each be a unique value (e.g., the account name) and the values should be objects that contain the account ID and Email.
map(object({
account_id = string
email = string
}))
{}
Specifies how often to publish updates to policy findings for the account. Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.
"FIFTEEN_MINUTES"
macie_job_name
stringA custom name for the job. If omitted, Terraform will assign a random, unique name.
null
The number of days to keep the KMS Customer managed Key for Macie Los around after it has been marked for deletion.
30
macie_logs_kms_key_name
stringThe name of the KMS key to encrypt Macie logs. Required if macie_create_logs_kms_key is set to true, otherwise ignored.
null
The primary region where the kms key for encrypting Macie logs should be created. When set, the KMS key will be created in this region and then replicated to all opted in regions. On the other hand, when null, a different KMS key will be created in all opted in regions.
null
macie_logs_kms_key_users
list(string)A list of IAM user ARNs with access to the KMS key above. Required if macie_create_logs_kms_key is set to true, otherwise ignored.
null
When true, precreate the CloudWatch Log Group to use for the Macie Data Discovery job. This is useful if you wish to customize the CloudWatch Log Group with various settings such as retention periods and KMS encryption. When false, AWS Macie will automatically create a basic log group to use.
true
The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see max_session_duration_machine_users
.
43200
The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see max_session_duration_human_users
.
3600
organization_configuration_features
map(object(…))Map of organization configuration features to enable, where key is the feature name and value is feature configuration. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
map(object({
auto_enable = string
additional_configuration = list(object({
name = string
auto_enable = string
}))
}))
{}
Force the user to reset their password on initial login. Only used for users with create_login_profile set to true.
true
The amount of reserved concurrent executions for this lambda function or -1 if unreserved. Note that this defaults to 1 to ensure that we only have one instance of this process running at a time. Since the process depends on querying expired IAM certificates, it can lead to errors if more than one of these are running at a time.
1
The AWS region (e.g., us-east-1) where all the findings will be aggregated. If null, no region will be designated as an aggregate region and findings will only be visible to the region where it was reported. NOTE: this can only be implemented on the SecurityHub administrator account.
null
When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead.
true
When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then security_hub_enable_cis_1_4_check
should also be set to false. Set this to false if you are using Steampipe instead.
true
security_hub_external_member_accounts
map(object(…))List of AWS Accounts (ID and Email) to add as members to this account's SecurityHub configuration.
map(object({
account_id = string
email = string
}))
{}
security_hub_loglevel
stringAdjust the logging level of the script to sync SecurityHub member accounts. Valid values: debug, info, warn, error
"info"
security_hub_product_integrations
list(object(…))List of product integration IDs to enable on SecurityHub. Refer to https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html#argument-reference for valid values.
list(object({
owning_account_id = string
product_id = string
}))
[]
service_linked_roles
set(string)Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles.
[]
Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in auto_deploy_permissions
. (true or false)
false
Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false)
false
Should we create the IAM Group for access to all external AWS accounts?
true
Should we create the IAM Group for developers? The permissions of that group are specified via iam_group_developers_permitted_services
. (true or false)
false
Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If cloudtrail_kms_key_arn
is set, will also give decrypt access to a KMS CMK. (true or false)
false
Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false)
false
Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false)
false
Should we create the IAM Group for iam-user-self-mgmt? Allows IAM users to manage their own account, but not other users. (true or false)
false
When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards.
true
users
anyA map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true), 'create_login_profile' (if set to true, create a password to login to the AWS Web Console), 'create_access_keys' (if set to true, create access keys for the user), 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is used to set the permissions boundary for the user).
Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
users = {
alice = {
groups = ["user-self-mgmt", "developers", "ssh-sudo-users"]
}
bob = {
path = "/"
groups = ["user-self-mgmt", "ops", "admins"]
tags = {
foo = "bar"
}
}
carol = {
groups = ["user-self-mgmt", "developers", "ssh-users"]
pgp_key = "keybase:carol_on_keybase"
create_login_profile = true
create_access_keys = true
}
}
Details
Ideally, this would be a map of (string, object), but object does not support optional properties, and we want
users to be able to specify, say, tags for some users, but not for others. We can't use a map(any) either, as that
would require the values to all have the same type, and due to optional parameters, that wouldn't work either. So,
we have to lamely fall back to any.
The ARN of the Control Tower Execution Role. Only set if create_control_tower_execution_role is true.
The ARNs of the cloudwatch event rules used to publish findings to sns if publish_findings_to_sns
is set to true.
The ARNs of the cloudwatch event targets used to publish findings to sns if publish_findings_to_sns
is set to true.
The IDs of the GuardDuty detectors.
The alias of the KMS key used by the S3 bucket to encrypt GuardDuty findings.
The ARN of the KMS key used by the S3 bucket to encrypt GuardDuty findings.
The ARN of the S3 bucket where GuardDuty findings are delivered.
The name of the S3 bucket where GuardDuty findings are delivered.
The ARNs of the SNS topics where findings are published if publish_findings_to_sns
is set to true.
The names of the SNS topic where findings are published if publish_findings_to_sns
is set to true.
A map from region to aliases of the KMS CMKs that were created. The value will also be a map mapping the keys from the customer_master_keys
input variable to the corresponding alias.
A map from region to ARNs of the KMS CMKs that were created. The value will also be a map mapping the keys from the kms_customer_master_keys
input variable to the corresponding ARN.
A map from region to IDs of the KMS CMKs that were created. The value will also be a map mapping the keys from the kms_customer_master_keys
input variable to the corresponding ID.
A map of ARNs of the service linked roles created from service_linked_roles
.
A map of usernames to that user's access keys (a map with keys access_key_id and secret_access_key), with the secret_access_key encrypted with that user's PGP key (only shows up for users with create_access_keys = true). You can decrypt the secret_access_key on the CLI: echo <secret_access_key> | base64 --decode | keybase pgp decrypt
A map of usernames to the ARN for that IAM user.
A map of usernames to that user's AWS Web Console password, encrypted with that user's PGP key (only shows up for users with create_login_profile = true). You can decrypt the password on the CLI: echo <password> | base64 --decode | keybase pgp decrypt