Control Tower 0.7.2 (last updated in version 0.7.1)

Account Baseline Security with Control Tower Integration


A CIS-compliant security baseline for AWS Landing Zone for configuring the security account (the one where all your IAM users and IAM groups are defined), as part of a Control Tower integration. This module fills in features NOT supported by Control Tower, including setting up Amazon GuardDuty, Macie, IAM users, IAM groups, the IAM password policy, and more.
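Six of the required inputs in the sample usage below (ebs_opt_in_regions, guardduty_opt_in_regions, iam_access_analyzer_opt_in_regions, kms_cmk_opt_in_regions, macie_opt_in_regions and security_hub_opt_in_regions) must list exactly the regions enabled in the account and must never be empty; the inline comments suggest producing that list by hand from aws ec2 describe-regions. The following is an added example, not part of the Gruntwork module or its documentation, that derives the same list inside Terraform with the AWS provider's aws_regions data source so the lists cannot drift from what the account actually has enabled. The data source and local names are my own, the account IDs are placeholders, and it assumes the AWS provider is already configured for the security account.

```hcl
# Added example, not part of the Gruntwork module: compute the enabled-region
# list once and feed it to every *_opt_in_regions input.
data "aws_regions" "enabled" {
  # Ask for every region in the partition, then keep only the usable ones:
  # regions that never required opt-in and regions this account opted in to.
  # A "not-opted-in" region would make the module's per-region provider
  # configuration fail to authenticate, which is exactly what the module's
  # comments warn about.
  all_regions = true

  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required", "opted-in"]
  }

  lifecycle {
    # The module requires a non-empty list; fail the plan early instead of
    # letting an empty value reach it. Requires Terraform >= 1.2.
    postcondition {
      condition     = length(self.names) > 0
      error_message = "No enabled regions were returned; check the provider credentials and the target account."
    }
  }
}

locals {
  # aws_regions returns a set; sort it so plans and reviews are stable.
  enabled_regions = sort(data.aws_regions.enabled.names)
}

module "control_tower_security_account_baseline" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v0.7.2"

  # Placeholder values; replace with the real security account, the region
  # that holds the global config recorder, and the Security Hub admin account.
  aws_account_id                             = "111111111111"
  aws_region                                 = "us-east-1"
  name_prefix                                = "security"
  security_hub_associate_to_admin_account_id = "222222222222"

  # One source of truth for every per-region feature the module enables.
  ebs_opt_in_regions                 = local.enabled_regions
  guardduty_opt_in_regions           = local.enabled_regions
  iam_access_analyzer_opt_in_regions = local.enabled_regions
  kms_cmk_opt_in_regions             = local.enabled_regions
  macie_opt_in_regions               = local.enabled_regions
  security_hub_opt_in_regions        = local.enabled_regions
}
```

Because the list is computed at plan time, opting a new region in to the account shows up as added GuardDuty, Macie, Security Hub, Access Analyzer, KMS and EBS-encryption resources in the next plan, which is the intended "enable in all enabled regions" behaviour; review that diff before applying. If you prefer the explicit lists the sample usage shows, the data source is still useful as a one-off to generate them.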

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S CONTROL-TOWER-SECURITY-ACCOUNT-BASELINE MODULE
# ------------------------------------------------------------------------------------------------------

module "control_tower_security_account_baseline" {

source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/landingzone/control-tower-security-account-baseline?ref=v0.7.2"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>

# The AWS Region to use as the global config recorder.
aws_region = <string>

# Creates resources in the specified regions. The best practice is to enable
# EBS Encryption in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
ebs_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# GuardDuty in all enabled regions in your AWS account. This variable must NOT
# be set to null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
guardduty_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# IAM Access Analyzer in all enabled regions in your AWS account. This
# variable must NOT be set to null or empty. Otherwise, we won't know which
# regions to use and authenticate to, and may use some not enabled in your AWS
# account (e.g., GovCloud, China, etc). To get the list of regions enabled in
# your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
iam_access_analyzer_opt_in_regions = <list(string)>

# Creates resources in the specified regions. This variable must NOT be set to
# null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
kms_cmk_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# Amazon Macie in all enabled regions in your AWS account. This variable must
# NOT be set to null or empty. Otherwise, we won't know which regions to use
# and authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
macie_opt_in_regions = <list(string)>

# The name used to prefix all resources
name_prefix = <string>

# AWS Account to join this account's SecurityHub to. Must have already
# received an invite from this account.
security_hub_associate_to_admin_account_id = <string>

# Creates resources in the specified regions. The best practice is to enable
# AWS Security Hub in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
security_hub_opt_in_regions = <list(string)>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# A list of IAM ARNs from other AWS accounts that will be allowed to assume
# the auto deploy IAM role that has the permissions in
# var.auto_deploy_permissions.
allow_auto_deploy_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the billing info for this account.
allow_billing_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the services in this account specified in
# var.dev_permitted_services.
allow_dev_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If
# var.cloudtrail_kms_key_arn is set, will also grant decrypt permissions for
# the KMS CMK.
allow_logs_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed read-only
# access to this account.
allow_read_only_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to IAM groups and publish SSH keys. This is used for ssh-grunt.
allow_ssh_grunt_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed access to
# AWS support for this account.
allow_support_access_from_other_account_arns = []

# A list of IAM permissions (e.g. ec2:*) which will be granted for automated
# deployment.
auto_deploy_permissions = []

# Namespace all Lambda resources created by this module with this name.
cleanup_expired_certs_lambda_namespace = "cleanup-expired-iam-certs"

# The name to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_name = "cleanup-expired-iam-certs-count"

# The namespace to use for the custom CloudWatch metric. Only used if
# var.report_cloudwatch_metric is set to true.
cleanup_expired_certs_report_cloudwatch_metric_namespace = "custom/cis"

# An expression that defines how often to run the Lambda function to clean up
# expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes).
cleanup_expired_certs_schedule_expression = "rate(1 hour)"

# Namespace all Lambda scheduling resources created by this module with this
# name.
cleanup_expired_certs_schedule_namespace = "cleanup-expired-iam-certs-scheduled"

# The ID of your management (root) AWS account where Control Tower is
# enabled. Only used if create_control_tower_execution_role is set to true.
control_tower_management_account_id = null

# Set to true to create the Control Tower Execution IAM role. This role gives
# Control Tower permissions to manage this account. If you create an account
# using Control Tower, it will create this role automatically, but if you are
# enrolling an existing account in Control Tower, you MUST set this variable
# to true to create this IAM role. If set to true, you MUST also set the
# control_tower_management_account_id input variable.
create_control_tower_execution_role = false

# Set to true to create an S3 bucket of name macie_bucket_name for storing
# sensitive data discovery results. Set to false to assume the bucket already
# exists. NOTE: Whether you choose to create the bucket yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# bucket to store sensitive data discovery results in AWS Console.
create_macie_bucket = false

# The name of the IAM group that will grant access to all external AWS
# accounts in var.iam_groups_for_cross_account_access.
cross_account_access_all_group_name = "access-all-external-accounts"

# A map of tags to apply to the IAM roles.
cross_account_iam_role_tags = {}

# A list of AWS services for which the developers from the accounts in
# var.allow_dev_access_from_other_account_arns will receive full permissions.
# See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to
# grant developers access only to EC2 and Amazon Machine Learning, use the
# value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or
# that will grant Developers de facto admin access.
dev_permitted_services = []

# The name of the KMS CMK to use by default for encrypting EBS volumes, if
# var.ebs_enable_encryption and var.ebs_use_existing_kms_keys are enabled. The
# name must match a name given the var.kms_customer_master_keys variable.
ebs_kms_key_name = ""

# If set to true, the KMS Customer Managed Keys (CMK) with the name in
# var.ebs_kms_key_name will be set as the default for EBS encryption. When
# false (default), the AWS-managed aws/ebs key will be used.
ebs_use_existing_kms_keys = false

# When true, enable the Encrypted Volumes check in AWS Config. This check
# identifies EBS volumes that are not encrypted. This check is useful for
# identifying and encrypting EBS volumes, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_encrypted_volumes = false

# When true, create an Open ID Connect Provider that GitHub actions can use to
# assume IAM roles in the account. Refer to
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
# for more information.
enable_github_actions_access = false

# When true, enable the IAM Password Policy check in AWS Config. This check
# identifies IAM users whose password policy does not meet the specified
# requirements. This check is useful for identifying and enforcing a password
# policy for IAM users, which can help reduce the risk of unauthorized access
# to your AWS resources.
enable_iam_password_policy = false

# When true, enable the IAM User Unused Credentials check in AWS Config. This
# check identifies IAM users who have not used their credentials for a
# specified number of days. This check is useful for identifying and removing
# unused IAM users, which can help reduce the risk of unauthorized access to
# your AWS resources. Note that this is required for the
# `revoke_unused_iam_credentials` module, which is provisioned here and is the
# only reason this is set to true. The current recommended way to handle
# propagating Config rules in AWS is to use Control Tower Controls.
enable_iam_user_unused_credentials_check = true

# When true, enable the Insecure Security Group Rules check in AWS Config.
# This check identifies security groups that allow unrestricted inbound
# traffic. This check is useful for identifying and removing insecure security
# group rules, which can help reduce the risk of unauthorized access to your
# AWS resources.
enable_insecure_sg_rules = false

# When true, enable the RDS Storage Encrypted check in AWS Config. This check
# identifies RDS instances that are not encrypted. This check is useful for
# identifying and encrypting RDS instances, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_rds_storage_encrypted = false

# When true, enable the Root Account MFA check in AWS Config. This check
# identifies the AWS account root user that does not have multi-factor
# authentication (MFA) enabled. This check is useful for identifying and
# enabling MFA for the root account, which can help reduce the risk of
# unauthorized access to your AWS resources.
enable_root_account_mfa = false

# When true, enable the S3 Bucket Public Read Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public read access. This check
# is useful for identifying and removing public read access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_read_prohibited = false

# When true, enable the S3 Bucket Public Write Prohibited check in AWS Config.
# This check identifies S3 buckets that allow public write access. This check
# is useful for identifying and removing public write access from S3 buckets,
# which can help reduce the risk of unauthorized access to your AWS resources.
enable_s3_bucket_public_write_prohibited = false

# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket macie_bucket_name so that the bucket can be destroyed without
# error. Warning: these objects are not recoverable so only use this if you're
# absolutely sure you want to permanently delete everything!
force_destroy_macie_bucket = false

# When destroying this user, destroy even if it has non-Terraform-managed IAM
# access keys, login profile, or MFA devices. Without force_destroy a user
# with non-Terraform-managed access keys and login profile will fail to be
# destroyed.
force_destroy_users = false

# When set, use the statically provided hardcoded list of thumbprints rather
# than looking it up dynamically. This is useful if you want to trade the
# reliability of the OpenID Connect Provider across certificate renewals for
# a static list that is obtained using a trustworthy mechanism, to mitigate
# potential damage from a domain hijacking attack on GitHub domains.
github_actions_openid_connect_provider_thumbprint_list = null

# Name of the Cloudwatch event rules.
guardduty_cloudwatch_event_rule_name = "guardduty-finding-events"

# Map of detector features to enable, where the key is the name of the feature
# the value is the feature configuration. When AWS Organizations delegated
# admin account is used, use var.organization_configuration_features instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
guardduty_detector_features = {}

# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty master account and cannot be modified, otherwise
# defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must
# be configured in Terraform to enable drift detection. Valid values for
# standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
guardduty_finding_publishing_frequency = null

# If true, an IAM Policy that grants access to the key will be honored. If
# false, only the ARNs listed in var.kms_key_user_iam_arns will have access to
# the key and any IAM Policy grants will be ignored. (true or false)
guardduty_findings_allow_kms_access_with_iam = true

# The AWS regions that are allowed to write to the GuardDuty findings S3
# bucket. This is needed to configure the bucket and CMK policy to allow
# writes from manually-enabled regions. See
# https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
guardduty_findings_allowed_regions = []

# Whether or not to enable automatic annual rotation of the KMS key. Defaults
# to true.
guardduty_findings_enable_key_rotation = true

# A list of external AWS accounts that should be given write access for
# GuardDuty findings to this S3 bucket. This is useful when aggregating
# findings for multiple AWS accounts in one common S3 bucket.
guardduty_findings_external_aws_account_ids_with_write_access = []

# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
guardduty_findings_force_destroy = false

# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have rights to change who
# can access the data.
guardduty_findings_kms_key_administrator_iam_arns = []

# If set to true, that means the KMS key you're using already exists, and does
# not need to be created.
guardduty_findings_kms_key_already_exists = false

# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces findings to be encrypted. Only used if
# guardduty_publish_findings_to_s3 is true.
guardduty_findings_kms_key_arn = null

# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have read-only access to the
# data.
guardduty_findings_kms_key_user_iam_arns = []

# After this number of days, findings should be transitioned from S3 to
# Glacier. Enter 0 to never archive findings.
guardduty_findings_num_days_after_which_archive_findings_data = 30

# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
guardduty_findings_num_days_after_which_delete_findings_data = 365

# Additional IAM policies to apply to this S3 bucket. You can use this to
# grant read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
# defined in the comment above.
guardduty_findings_s3_bucket_additional_policy_statements = {}

# The S3 bucket ARN to which the findings get exported.
guardduty_findings_s3_bucket_arn = null

# The name of the S3 Bucket where GuardDuty findings will be stored.
guardduty_findings_s3_bucket_name = null

# Optional prefix directory to create in the bucket. Must contain a trailing
# '/'. If you use a prefix for S3 findings publishing, you must pre-create the
# prefix in the findings bucket. See
# https://github.com/hashicorp/terraform-provider-aws/issues/16750.
guardduty_findings_s3_bucket_prefix = null

# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to store GuardDuty findings. This cannot be used to toggle
# this setting but is available to allow managed buckets to reflect the state
# in AWS. For instructions on how to enable MFA Delete, check out the README
# from the terraform-aws-security/private-s3-bucket module.
guardduty_findings_s3_mfa_delete = false

# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
guardduty_findings_s3_prefix = null

# Whether to create a bucket for GuardDuty findings. If set to true, you must
# provide the var.guardduty_findings_s3_bucket_name.
guardduty_findings_should_create_bucket = false

# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
guardduty_findings_sns_topic_name = "guardduty-findings"

# Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).
guardduty_findings_tags = {}

# The invitation message to send to the member accounts.
guardduty_invitation_message = "Please accept GuardDuty invitation."

# Map of member accounts to add to GuardDuty where key is the AWS account
# number. Use to add Organization accounts to delegated admin account or
# invite member accounts by invite.
guardduty_member_accounts = {}

# Publish GuardDuty findings to an S3 bucket.
guardduty_publish_findings_to_s3 = false

# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
guardduty_publish_findings_to_sns = false

# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "baseline_root-iam_access_analyzer"

# A list of AWS services for which the developers IAM Group will receive full
# permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For
# example, to grant developers access only to EC2 and Amazon Machine Learning,
# use the value ["ec2","machinelearning"].
iam_group_developers_permitted_services = []

# The prefix of the S3 Bucket Name to which an individual IAM User will have
# full access. For example, if the prefix is acme.user-, then IAM User
# john.doe will have access to S3 Bucket acme.user-john.doe.
iam_group_developers_s3_bucket_prefix = "acme.user-"

# The name to be used for the IAM Group that grants read/write access to all
# billing features in AWS.
iam_group_name_billing = "billing"

# The name to be used for the IAM Group that grants IAM Users a reasonable set
# of permissions for developers.
iam_group_name_developers = "developers"

# The name to be used for the IAM Group that grants IAM administrative access.
# Effectively grants administrator access.
iam_group_name_iam_admin = "iam-admin"

# The name to be used for the IAM Group that grants IAM Users the permissions
# to manage their own IAM User account.
iam_group_name_iam_user_self_mgmt = "iam-user-self-mgmt"

# The name to be used for the IAM Group that grants read access to CloudTrail,
# AWS Config, and CloudWatch in AWS.
iam_group_name_logs = "logs"

# The name to be used for the IAM Group that grants read-only access to all
# AWS resources.
iam_group_name_read_only = "read-only"

# The name of the IAM Group that allows access to AWS Support.
iam_group_name_support = "support"

# The name to be used for the IAM Group that grants IAM Users the permissions
# to use existing IAM Roles when launching AWS Resources. This does NOT grant
# the permission to create new IAM Roles.
iam_group_name_use_existing_iam_roles = "use-existing-iam-roles"

# The list of names to be used for the IAM Group that enables its members to
# SSH as a sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_sudo_users = ["ssh-grunt-sudo-users"]

# The name to be used for the IAM Group that enables its members to SSH as a
# non-sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_users = ["ssh-grunt-users"]

# This variable is used to create groups that allow IAM users to assume
# roles in your other AWS accounts. It should be a list of maps, where each
# map has the keys group_name and iam_role_arn. For each entry in the list, we
# will create an IAM group that allows users to assume the given IAM role in
# the other AWS account. This allows you to define all your IAM users in one
# account (e.g. the users account) and to grant them access to certain IAM
# roles in other accounts (e.g. the stage, prod, audit accounts).
iam_groups_for_cross_account_access = []

# Password expiration requires administrator reset.
iam_password_policy_hard_expiry = true

# Number of days before password expiration.
iam_password_policy_max_password_age = 0

# Password minimum length. To be compliant with CIS recommendation 1.8, the
# minimum password length is 14 characters.
iam_password_policy_minimum_password_length = 14

# The name to be used for the IAM Policy that grants IAM administrative
# access.
iam_policy_iam_admin = "iam-admin"

# The name to be used for the IAM Policy that grants IAM Users the permissions
# to manage their own IAM User account.
iam_policy_iam_user_self_mgmt = "iam-user-self-mgmt"

# Include this value as a prefix in the name of every IAM role created by this
# module. This is useful to prepend, for example, '<account-name>-' to every
# IAM role name: e.g., allow-full-access-from-other-accounts becomes
# stage-allow-full-access-from-other-accounts.
iam_role_name_prefix = ""

# A map of tags to apply to all KMS Keys to be created. In this map variable,
# the key is the tag name and the value is the tag value.
kms_cmk_global_tags = {}

# You can use this variable to create account-level KMS Customer Master Keys
# (CMKs) for encrypting and decrypting data. This variable should be a map
# where the keys are the names of the CMK and the values are an object that
# defines the configuration for that CMK. See the comment below for the
# configuration options you can set for each key.
kms_customer_master_keys = {}

# A map from KMS grant name to the region where the key resides. There
# should be a one to one mapping between entries in this map and the entries
# of the kms_grants map. This is used to work around a Terraform limitation
# where the for_each value can not depend on resources.
kms_grant_regions = {}

# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map
# of grant name to grant properties. The name must be unique per account.
kms_grants = {}

# Specifies the status for the account. To enable Amazon Macie and start all
# Macie activities for the account, set this value to ENABLED. Valid values
# are ENABLED or PAUSED.
macie_account_status = "ENABLED"

# AWS Account to join this account's Amazon Macie to. Must have already
# received an invite from this account.
macie_administrator_account_id = ""

# The name of the S3 bucket for storing sensitive data discovery results. Only
# used if create_macie_bucket is true. If omitted, Terraform will assign a
# random, unique name.
macie_bucket_name = null

# S3 buckets that Macie should analyze. This should be a map, where each key
# is a region, and each value is a list of buckets in that region that should
# be analyzed. Unfortunately, due to the limitations in the Terraform AWS
# provider, there is no way to automatically select all buckets in a region,
# therefore an explicit list of buckets to analyze must be maintained in this
# variable. For more information, see
# https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/security/macie/core-concepts.md#buckets-to-analyze.
macie_buckets_to_analyze = {}

# A map from region to ID (ARN, alias ARN, AWS ID) of a customer managed KMS
# Key to use for encrypting Macie log data. Only used if
# var.macie_create_logs_kms_key is set to false.
macie_cloudwatch_log_group_kms_key_id = null

# The number of days to retain log events in the log group for Macie. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
macie_cloudwatch_log_group_retention_in_days = null

# Tags to apply on the Macie CloudWatch Log Group, encoded as a map where the
# keys are tag keys and values are tag values.
macie_cloudwatch_log_group_tags = null

# Set to true to create a KMS key to encrypt sensitive data discovery results.
# NOTE: Whether you choose to create the key yourself, or have it
# automatically created by Terraform, you will need to manually configure this
# key to encrypt sensitive data discovery results in AWS Console.
macie_create_discovery_results_kms_key = false

# Set to true to create a KMS key to encrypt Macie log entries. If false, log
# entries will not be encrypted unless a key is provided with
# var.macie_cloudwatch_log_group_kms_key_id.
macie_create_logs_kms_key = false

# The number of days to keep around the KMS Customer managed Key for
# encrypting sensitive discovery results after it has been marked for
# deletion.
macie_discovery_results_kms_key_deletion_window_in_days = 30

# The name of the KMS key to encrypt sensitive data discovery results.
# Required if create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_name = null

# A list of IAM user ARNs with access to the KMS key above. Required if
# create_kms_key is set to true, otherwise ignored.
macie_discovery_results_kms_key_users = null

# Map of AWS Accounts to add as members to this account's Amazon Macie
# configuration. The keys in this map should each be a unique value (e.g., the
# account name) and the values should be objects that contain the account ID
# and Email.
macie_external_member_accounts = {}

# Specifies how often to publish updates to policy findings for the account.
# Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.
macie_finding_publishing_frequency = "FIFTEEN_MINUTES"

# A custom name for the job. If omitted, Terraform will assign a random,
# unique name.
macie_job_name = null

# The number of days to keep the KMS Customer managed Key for Macie logs
# around after it has been marked for deletion.
macie_logs_kms_key_deletion_window_in_days = 30

# The name of the KMS key to encrypt Macie logs. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_name = null

# The primary region where the kms key for encrypting Macie logs should be
# created. When set, the KMS key will be created in this region and then
# replicated to all opted in regions. On the other hand, when null, a
# different KMS key will be created in all opted in regions.
macie_logs_kms_key_primary_region = null

# A list of IAM user ARNs with access to the KMS key above. Required if
# macie_create_logs_kms_key is set to true, otherwise ignored.
macie_logs_kms_key_users = null

# When true, precreate the CloudWatch Log Group to use for the Macie Data
# Discovery job. This is useful if you wish to customize the CloudWatch Log
# Group with various settings such as retention periods and KMS encryption.
# When false, AWS Macie will automatically create a basic log group to use.
macie_should_create_cloudwatch_log_group = true

# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for people
# to use, such as allow-read-only-access-from-other-accounts. For IAM roles
# that are intended for machine users, such as
# allow-auto-deploy-from-other-accounts, see
# var.max_session_duration_machine_users.
max_session_duration_human_users = 43200

# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for
# machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles
# that are intended for human users, such as
# allow-read-only-access-from-other-accounts, see
# var.max_session_duration_human_users.
max_session_duration_machine_users = 3600

# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}

# Force the user to reset their password on initial login. Only used for users
# with create_login_profile set to true.
password_reset_required = true

# The amount of reserved concurrent executions for this lambda function or -1
# if unreserved. Note that this defaults to 1 to ensure that we only have one
# instance of this process running at a time. Since the process depends on
# querying expired IAM certificates, it can lead to errors if more than one of
# these are running at a time.
reserved_concurrent_executions = 1

# The AWS region (e.g., us-east-1) where all the findings will be aggregated.
# If null, no region will be designated as an aggregate region and findings
# will only be visible in the region where they were reported. NOTE: this can
# only be implemented on the SecurityHub administrator account.
security_hub_aggregate_region = null

# When true, enable the CIS benchmark v1.4 ruleset for automatic checks in
# SecurityHub. Set this to false if you are using Steampipe instead.
security_hub_enable_cis_1_4_check = true

# When true, enable the CIS benchmark v1.2 ruleset for automatic checks in
# SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then
# var.security_hub_enable_cis_1_4_check should also be set to false. Set this
# to false if you are using Steampipe instead.
security_hub_enable_cis_check = true

# List of AWS Accounts (ID and Email) to add as members to this account's
# SecurityHub configuration.
security_hub_external_member_accounts = {}

# Adjust the logging level of the script to sync SecurityHub member accounts.
# Valid values: debug, info, warn, error
security_hub_loglevel = "info"

# List of product integration IDs to enable on SecurityHub. Refer to
# https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html#argument-reference
# for valid values.
security_hub_product_integrations = []

# Create service-linked roles for this set of services. You should pass in the
# URLs of the services, but without the protocol (e.g., http://) in front:
# e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or
# es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are
# predefined by the service, can typically only be assumed by that service,
# and include all the permissions that the service requires to call other AWS
# services on your behalf. You can typically only create one such role per AWS
# account, which is why this parameter exists in the account baseline. See
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
# for the list of services that support service-linked roles.
service_linked_roles = []

# Should we create the IAM Group for auto-deploy? Allows automated deployment
# by granting the permissions specified in var.auto_deploy_permissions. (true
# or false)
should_create_iam_group_auto_deploy = false

# Should we create the IAM Group for billing? Allows read-write access to
# billing features only. (true or false)
should_create_iam_group_billing = false

# Should we create the IAM Group for access to all external AWS accounts?
should_create_iam_group_cross_account_access_all = true

# Should we create the IAM Group for developers? The permissions of that group
# are specified via var.iam_group_developers_permitted_services. (true or
# false)
should_create_iam_group_developers = false

# Should we create the IAM Group for logs? Allows read access to CloudTrail,
# AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also
# give decrypt access to a KMS CMK. (true or false)
should_create_iam_group_logs = false

# Should we create the IAM Group for read-only? Allows read-only access to all
# AWS resources. (true or false)
should_create_iam_group_read_only = false

# Should we create the IAM Group for use-existing-iam-roles? Allow launching
# AWS resources with existing IAM Roles, but no ability to create new IAM
# Roles. (true or false)
should_create_iam_group_use_existing_iam_roles = false

# Should we create the IAM Group for iam-user-self-mgmt? Allows IAM users to
# manage their own account, but not other users. (true or false)
should_create_iam_group_user_self_mgmt = false

# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true

# A map of users to create. The keys are the user names and the values are an
# object with the optional keys 'groups' (a list of IAM groups to add the user
# to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a
# base-64 encoded PGP public key, or a keybase username in the form
# keybase:username, used to encrypt the user's credentials; required if
# create_login_profile or create_access_keys is true), 'create_login_profile'
# (if set to true, create a password to login to the AWS Web Console),
# 'create_access_keys' (if set to true, create access keys for the user),
# 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is
# used to set the permissions boundary for the user).
users = {}

}
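The users map described in the comments above, shown as an added example that is not part of the module's own documentation. The user names, group names, Keybase handle, path and permissions-boundary ARN are placeholders; the groups referenced must be created via the matching should_create_iam_group_* flags or iam_groups_for_cross_account_access.

```hcl
# Added example of var.users (not from the module docs). All names and ARNs
# below are placeholders.
users = {
  # Human user: console password only, no long-lived access keys. A pgp_key
  # is required because create_login_profile is true, so the generated
  # password is only ever emitted encrypted. With password_reset_required =
  # true the user must change it on first login.
  "jane.doe" = {
    groups               = ["iam-user-self-mgmt", "read-only", "stage-full-access"]
    pgp_key              = "keybase:janedoe"
    create_login_profile = true
    create_access_keys   = false
    tags                 = { Team = "security" }
  }

  # Machine user: access keys only, no console login. The permissions
  # boundary caps what these keys can ever do regardless of which groups the
  # user is later added to.
  "ci-deployer" = {
    groups               = ["use-existing-iam-roles"]
    pgp_key              = "keybase:janedoe" # operator who decrypts and loads the keys
    create_login_profile = false
    create_access_keys   = true
    path                 = "/service/"
    permissions_boundary = "arn:aws:iam::123445678910:policy/ci-deployer-boundary"
  }
}
```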


Reference

Required

aws_account_id (string, required)

The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.

aws_region (string, required)

The AWS Region to use as the global config recorder.

ebs_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

guardduty_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

kms_cmk_opt_in_regions (list(string), required)

Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

macie_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable Amazon Macie in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

name_prefix (string, required)

The name used to prefix all resources

AWS Account to join this account's SecurityHub to. Must have already received an invite from this account.

security_hub_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable AWS Security Hub in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

Optional

A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in auto_deploy_permissions.

[]
Example
   default = [
"arn:aws:iam::123445678910:role/jenkins"
]

A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in dev_permitted_services.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If cloudtrail_kms_key_arn is set, will also grant decrypt permissions for the KMS CMK.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account.

[]
Example
   default = [
"arn:aws:iam::123445678910:root"
]

auto_deploy_permissions (list(string), optional)

A list of IAM permissions (e.g. ec2:*) which will be granted for automated deployment.

[]

Namespace all Lambda resources created by this module with this name.

"cleanup-expired-iam-certs"

The name to use for the custom CloudWatch metric. Only used if report_cloudwatch_metric is set to true.

"cleanup-expired-iam-certs-count"

The namespace to use for the custom CloudWatch metric. Only used if report_cloudwatch_metric is set to true.

"custom/cis"

An expression that defines how often to run the Lambda function to clean up expired IAM certs. For example, cron(0 20 * * ? *) or rate(5 minutes).

"rate(1 hour)"

Namespace all Lambda scheduling resources created by this module with this name.

"cleanup-expired-iam-certs-scheduled"

The ID of your management (root) AWS account where Control Tower is enabled. Only used if create_control_tower_execution_role is set to true.

null

Set to true to create the Control Tower Execution IAM role. This role gives Control Tower permissions to manage this account. If you create an account using Control Tower, it will create this role automatically, but if you are enrolling an existing account in Control Tower, you MUST set this variable to true to create this IAM role. If set to true, you MUST also set the control_tower_management_account_id input variable.

false

Set to true to create an S3 bucket of name macie_bucket_name for storing sensitive data discovery results. Set to false to assume the bucket already exists. NOTE: Whether you choose to create the bucket yourself, or have it automatically created by Terraform, you will need to manually configure this bucket to store sensitive data discovery results in AWS Console.

false

The name of the IAM group that will grant access to all external AWS accounts in iam_groups_for_cross_account_access.

"access-all-external-accounts"
cross_account_iam_role_tags (map(string), optional)

A map of tags to apply to the IAM roles.

{}
dev_permitted_services (list(string), optional)

A list of AWS services for which the developers from the accounts in allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning']. Do NOT add iam to the list of services, or that will grant Developers de facto admin access.

[]
ebs_kms_key_name (string, optional)

The name of the KMS CMK to use by default for encrypting EBS volumes, if ebs_enable_encryption and ebs_use_existing_kms_keys are enabled. The name must match a name given in the kms_customer_master_keys variable.

""

If set to true, the KMS Customer Managed Keys (CMK) with the name in ebs_kms_key_name will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used.

false

When true, enable the Encrypted Volumes check in AWS Config. This check identifies EBS volumes that are not encrypted. This check is useful for identifying and encrypting EBS volumes, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, create an Open ID Connect Provider that GitHub actions can use to assume IAM roles in the account. Refer to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for more information.

false

When true, enable the IAM Password Policy check in AWS Config. This check identifies IAM users whose password policy does not meet the specified requirements. This check is useful for identifying and enforcing a password policy for IAM users, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, enable the IAM User Unused Credentials check in AWS Config. This check identifies IAM users who have not used their credentials for a specified number of days. This check is useful for identifying and removing unused IAM users, which can help reduce the risk of unauthorized access to your AWS resources. Note that this is required for the revoke_unused_iam_credentials module, which is provisioned here and is the only reason this is set to true. The current recommended way to handle propagating Config rules in AWS is to use Control Tower Controls.

true

When true, enable the Insecure Security Group Rules check in AWS Config. This check identifies security groups that allow unrestricted inbound traffic. This check is useful for identifying and removing insecure security group rules, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, enable the RDS Storage Encrypted check in AWS Config. This check identifies RDS instances that are not encrypted. This check is useful for identifying and encrypting RDS instances, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, enable the Root Account MFA check in AWS Config. This check identifies the AWS account root user that does not have multi-factor authentication (MFA) enabled. This check is useful for identifying and enabling MFA for the root account, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, enable the S3 Bucket Public Read Prohibited check in AWS Config. This check identifies S3 buckets that allow public read access. This check is useful for identifying and removing public read access from S3 buckets, which can help reduce the risk of unauthorized access to your AWS resources.

false

When true, enable the S3 Bucket Public Write Prohibited check in AWS Config. This check identifies S3 buckets that allow public write access. This check is useful for identifying and removing public write access from S3 buckets, which can help reduce the risk of unauthorized access to your AWS resources.

false

If set to true, when you run 'terraform destroy', delete all objects from the bucket macie_bucket_name so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!

false

When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.

false

When set, use the statically provided hardcoded list of thumbprints rather than looking it up dynamically. This is useful if you want to trade reliability of the OpenID Connect Provider across certificate renewals for a static list that is obtained using a trustworthy mechanism, to mitigate potential damage from a domain hijacking attack on GitHub domains.

null

Name of the Cloudwatch event rules.

"guardduty-finding-events"
guardduty_detector_features (map(object(…)), optional)

Map of detector features to enable, where the key is the name of the feature and the value is the feature configuration. When an AWS Organizations delegated admin account is used, use organization_configuration_features instead. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature

map(object({
status = string
additional_configuration = list(object({
name = string
status = string
}))
}))
{}

Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.

null

If true, an IAM Policy that grants access to the key will be honored. If false, only the ARNs listed in kms_key_user_iam_arns will have access to the key and any IAM Policy grants will be ignored. (true or false)

true

The AWS regions that are allowed to write to the GuardDuty findings S3 bucket. This is needed to configure the bucket and CMK policy to allow writes from manually-enabled regions. See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies

[]

Whether or not to enable automatic annual rotation of the KMS key. Defaults to true.

true

A list of external AWS accounts that should be given write access for GuardDuty findings to this S3 bucket. This is useful when aggregating findings for multiple AWS accounts in one common S3 bucket.

[]

If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!

false

All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have rights to change who can access the data.

[]

If set to true, that means the KMS key you're using already exists, and does not need to be created.

false

The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces findings to be encrypted. Only used if guardduty_publish_findings_to_s3 is true.

null

All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have read-only access to the data.

[]

After this number of days, findings should be transitioned from S3 to Glacier. Enter 0 to never archive findings.

30

After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.

365

Additional IAM policies to apply to this S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
   {
AllIamUsersReadAccess = {
effect = "Allow"
actions = ["s3:GetObject"]
principals = {
AWS = ["arn:aws:iam::111111111111:user/ann", "arn:aws:iam::111111111111:user/bob"]
}
condition = {
SourceVPCCheck = {
test = "StringEquals"
variable = "aws:SourceVpc"
values = ["vpc-abcd123"]
}
}
}
}

Details

Ideally, this would be a map(object({...})), but the Terraform object type constraint doesn't support optional
parameters, whereas IAM policy statements have many optional params. And we can't even use map(any), as the
Terraform map type constraint requires all values to have the same type ("shape"), but as each object in the map
may specify different optional params, this won't work either. So, sadly, we are forced to fall back to "any."

The S3 bucket ARN to which the findings get exported.

null

The name of the S3 Bucket where GuardDuty findings will be stored.

null

Optional prefix directory to create in the bucket. Must contain a trailing '/'. If you use a prefix for S3 findings publishing, you must pre-create the prefix in the findings bucket. See https://github.com/hashicorp/terraform-provider-aws/issues/16750.

null

Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store GuardDuty findings. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module.

false

The bucket prefix without trailing '/' under which the findings get exported. The prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.

null

Whether to create a bucket for GuardDuty findings. If set to true, you must provide the guardduty_findings_s3_bucket_name.

false

Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true.

"guardduty-findings"
guardduty_findings_tags (map(string), optional)

Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).

{}

The invitation message to send to the member accounts.

"Please accept GuardDuty invitation."
guardduty_member_accounts (map(object(…)), optional)

Map of member accounts to add to GuardDuty where key is the AWS account number. Use to add Organization accounts to delegated admin account or invite member accounts by invite.

map(object({
email = string
}))
{}

Publish GuardDuty findings to an S3 bucket.

false

Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.

false

The name of the IAM Access Analyzer module

"baseline_root-iam_access_analyzer"

A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning'].

[]

The prefix of the S3 Bucket Name to which an individual IAM User will have full access. For example, if the prefix is acme.user-, then IAM User john.doe will have access to S3 Bucket acme.user-john.doe.

"acme.user-"

The name to be used for the IAM Group that grants read/write access to all billing features in AWS.

"billing"

The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers.

"developers"

The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access.

"iam-admin"

The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account.

"iam-user-self-mgmt"
iam_group_name_logs (string, optional)

The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS.

"logs"

The name to be used for the IAM Group that grants read-only access to all AWS resources.

"read-only"

The name of the IAM Group that allows access to AWS Support.

"support"

The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles.

"use-existing-iam-roles"

The list of names to be used for the IAM Groups that enable their members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple names to configure multiple IAM groups that control different groupings of access at the server level. Pass in an empty list to disable creation of the IAM groups.

[
"ssh-grunt-sudo-users"
]

The list of names to be used for the IAM Groups that enable their members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple names to configure multiple IAM groups that control different groupings of access at the server level. Pass in an empty list to disable creation of the IAM groups.

[
"ssh-grunt-users"
]
iam_groups_for_cross_account_access (list(object(…)), optional)

This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of maps, where each map has the keys group_name and iam_role_arns. For each entry in the list, we will create an IAM group that allows users to assume the given IAM roles in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts).

list(object({
group_name = string
iam_role_arns = list(string)
}))
[]
Example
   default = [
{
group_name = "stage-full-access"
iam_role_arns = ["arn:aws:iam::123445678910:role/mgmt-full-access"]
},
{
group_name = "prod-read-only-access"
iam_role_arns = ["arn:aws:iam::9876543210:role/prod-read-only-access"]
}
]

Password expiration requires administrator reset.

true

Number of days before password expiration.

0

Password minimum length. To be compliant with CIS recommendation 1.8, the minimum password length is 14 characters.

14
iam_policy_iam_admin (string, optional)

The name to be used for the IAM Policy that grants IAM administrative access.

"iam-admin"

The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account.

"iam-user-self-mgmt"
iam_role_name_prefix (string, optional)

Include this value as a prefix in the name of every IAM role created by this module. This is useful to prepend, for example, '<account-name>-' to every IAM role name: e.g., allow-full-access-from-other-accounts becomes stage-allow-full-access-from-other-accounts.

""
kms_cmk_global_tags (map(string), optional)

A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value.

{}

You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Details

Each entry in the map supports the following attributes:

OPTIONAL (defaults to value of corresponding module input):
- region string : The region (e.g., us-west-2) where the key should be created. If null or
omitted, the key will be created in all enabled regions. Any keys
targeting an opted out region or invalid region string will show up in the
invalid_cmk_inputs output.
- cmk_administrator_iam_arns list(string) : A list of IAM ARNs for users who should be given
administrator access to this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given
permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_read_only_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given
read-only (decrypt-only) permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_external_user_iam_arns list(string) : A list of IAM ARNs for users from external AWS accounts
who should be given permissions to use this CMK (e.g.
arn:aws:iam::<aws-account-id>:root).
- allow_manage_key_permissions_with_iam bool : If true, both the CMK's Key Policy and IAM Policies
(permissions) can be used to grant permissions on the CMK.
If false, only the CMK's Key Policy can be used to grant
permissions on the CMK. False is more secure (and
generally preferred), but true is more flexible and
convenient.
- deletion_window_in_days number : The number of days to keep this KMS Master Key around after it has been
marked for deletion.
- tags map(string) : A map of tags to apply to the KMS Key to be created. In this map
variable, the key is the tag name and the value is the tag value. Note
that this map is merged with var.global_tags, and can be used to override
tags specified in that variable.
- enable_key_rotation bool : Whether or not to enable automatic annual rotation of the KMS key.
- spec string : Specifies whether the key contains a symmetric key or an asymmetric key
pair and the encryption algorithms or signing algorithms that the key
supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096,
ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1.
- cmk_service_principals list(object[ServicePrincipal]) : A list of Service Principals that should be given
permissions to use this CMK (e.g. s3.amazonaws.com). See
below for the structure of the object that should be passed
in.

Structure of ServicePrincipal object:
- name string : The name of the service principal (e.g.: s3.amazonaws.com).
- actions list(string) : The list of actions that the given service principal is allowed to
perform (e.g. ["kms:DescribeKey", "kms:GenerateDataKey"]).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the service
principal. Use this to apply conditions on the permissions for
accessing the KMS key (e.g., only allow access for certain encryption
contexts). The condition object accepts the same fields as the condition
block on the IAM policy document (See
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#condition).
Structure of CMKUser object:
- name list(string) : The list of names of the AWS principal (e.g.: arn:aws:iam::0000000000:user/dev).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the CMK User
Use this to apply conditions on the permissions for accessing the KMS key
(e.g., only allow access for certain encryption contexts).
The condition object accepts the same fields as the condition
block on the IAM policy document (See
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#condition).
Example:
    kms_customer_master_keys = {
      cmk-stage = {
        region                     = "us-west-1"
        cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
        cmk_user_iam_arns = [
          {
            name       = ["arn:aws:iam::0000000000:user/dev"]
            conditions = []
          }
        ]
        cmk_read_only_user_iam_arns = [
          {
            name       = ["arn:aws:iam::0000000000:user/qa"]
            conditions = []
          }
        ]
        cmk_external_user_iam_arns = ["arn:aws:iam::1111111111:user/root"]
        cmk_service_principals = [
          {
            name       = "s3.amazonaws.com"
            actions    = ["kms:Encrypt"]
            conditions = []
          }
        ]
      }
      cmk-prod = {
        region                     = "us-east-1"
        cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
        cmk_user_iam_arns = [
          {
            name       = ["arn:aws:iam::0000000000:user/prod"]
            conditions = []
          }
        ]
        allow_manage_key_permissions_with_iam = true
        # Override the default value for all keys configured with var.default_deletion_window_in_days
        deletion_window_in_days = 7

        # Set extra tags on the CMK for prod
        tags = {
          Environment = "prod"
        }
      }
    }

kms_grant_regions (map(string), optional)

The map of names of KMS grants to the region where the key resides. There should be a one-to-one mapping between entries in this map and the entries of the kms_grants map. This is used to work around a Terraform limitation where the for_each value cannot depend on resources.

{}
kms_grants (map(object(…)), optional)

Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account.

map(object({
  # ARN of the KMS CMK that the grant applies to. Note that the region is introspected based on the ARN.
  kms_cmk_arn = string

  # The principal that is given permission to perform the operations that the grant permits. This must be in ARN
  # format. For example, the grantee principal for ASG is:
  # arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
  grantee_principal = string

  # A list of operations that the grant permits. The permitted values are:
  # Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant,
  # RetireGrant, DescribeKey
  granted_operations = list(string)
}))
{}
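Added example, not from the module docs, wiring kms_grants and kms_grant_regions together for the Auto Scaling service-linked role named above; the account ID, key ID and module arguments other than these two are placeholders, and the check block assumes Terraform 1.5 or later.

```hcl
locals {
  # Constructed value: replace the account ID and key ID with your own.
  prod_cmk_arn = "arn:aws:kms:us-east-1:000000000000:key/REPLACE-WITH-KEY-ID"

  kms_grants = {
    # Grant the Auto Scaling service-linked role use of the prod CMK so it
    # can launch instances whose volumes are encrypted with that key.
    asg-use-prod-cmk = {
      kms_cmk_arn       = local.prod_cmk_arn
      grantee_principal = "arn:aws:iam::000000000000:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
      # Only operations from the permitted list above; RetireGrant is left out
      # because the service does not need to manage the grant itself.
      granted_operations = [
        "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
        "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
        "DescribeKey", "CreateGrant",
      ]
    }
  }

  # Same keys as kms_grants, with the region as a literal string so the
  # planner can resolve it without depending on any resource.
  kms_grant_regions = {
    asg-use-prod-cmk = "us-east-1"
  }
}

# Fail the plan if the two maps ever drift apart.
check "kms_grant_regions_match_grants" {
  assert {
    condition     = keys(local.kms_grants) == keys(local.kms_grant_regions)
    error_message = "Every kms_grants key needs exactly one kms_grant_regions entry."
  }
}

module "security_account_baseline" {
  source = "REPLACE-WITH-MODULE-SOURCE" # placeholder; other required variables omitted

  kms_grants        = local.kms_grants
  kms_grant_regions = local.kms_grant_regions
}
```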
macie_account_status (string, optional)

Specifies the status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED. Valid values are ENABLED or PAUSED.

"ENABLED"

AWS Account to join this account's Amazon Macie to. Must have already received an invite from this account.

""
macie_bucket_name (string, optional)

The name of the S3 bucket for storing sensitive data discovery results. Only used if create_macie_bucket is true. If omitted, Terraform will assign a random, unique name.

null
macie_buckets_to_analyze (map(list(…)), optional)

S3 buckets that Macie should analyze. This should be a map, where each key is a region, and each value is a list of buckets in that region that should be analyzed. Unfortunately, due to the limitations in the Terraform AWS provider, there is no way to automatically select all buckets in a region, therefore an explicit list of buckets to analyze must be maintained in this variable. For more information, see https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/modules/security/macie/core-concepts.md#buckets-to-analyze.

map(list(string))
{}

A map from region to ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting Macie log data. Only used if macie_create_logs_kms_key is set to false.

null

The number of days to retain log events in the log group for Macie. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever.

null

Tags to apply on the Macie CloudWatch Log Group, encoded as a map where the keys are tag keys and values are tag values.

null

Set to true to create a KMS key to encrypt sensitive data discovery results. NOTE: Whether you choose to create the key yourself, or have it automatically created by Terraform, you will need to manually configure this key to encrypt sensitive data discovery results in the AWS Console.

false

Set to true to create a KMS key to encrypt Macie log entries. If false, log entries will not be encrypted unless a key is provided with macie_cloudwatch_log_group_kms_key_id.

false

The number of days to keep the KMS customer managed key for encrypting sensitive discovery results around after it has been marked for deletion.

30

The name of the KMS key to encrypt sensitive data discovery results. Required if create_kms_key is set to true, otherwise ignored.

null

A list of IAM user ARNs with access to the KMS key above. Required if create_kms_key is set to true, otherwise ignored.

null
macie_external_member_accounts (map(object(…)), optional)

Map of AWS Accounts to add as members to this account's Amazon Macie configuration. The keys in this map should each be a unique value (e.g., the account name) and the values should be objects that contain the account ID and Email.

map(object({
  account_id = string
  email      = string
}))
{}

Specifies how often to publish updates to policy findings for the account. Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.

"FIFTEEN_MINUTES"
macie_job_name (string, optional)

A custom name for the job. If omitted, Terraform will assign a random, unique name.

null

The number of days to keep the KMS customer managed key for Macie logs around after it has been marked for deletion.

30

The name of the KMS key to encrypt Macie logs. Required if macie_create_logs_kms_key is set to true, otherwise ignored.

null

The primary region where the KMS key for encrypting Macie logs should be created. When set, the KMS key will be created in this region and then replicated to all opted-in regions. When null, a separate KMS key will be created in each opted-in region.

null
macie_logs_kms_key_users (list(string), optional)

A list of IAM user ARNs with access to the KMS key above. Required if macie_create_logs_kms_key is set to true, otherwise ignored.

null

When true, precreate the CloudWatch Log Group to use for the Macie Data Discovery job. This is useful if you wish to customize the CloudWatch Log Group with various settings such as retention periods and KMS encryption. When false, AWS Macie will automatically create a basic log group to use.

true

The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see max_session_duration_machine_users.

43200

The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see max_session_duration_human_users.

3600
organization_configuration_features (map(object(…)), optional)

Map of organization configuration features to enable, where key is the feature name and value is feature configuration. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature

map(object({
  auto_enable = string
  additional_configuration = list(object({
    name        = string
    auto_enable = string
  }))
}))
{}

Force the user to reset their password on initial login. Only used for users with create_login_profile set to true.

true

The amount of reserved concurrent executions for this lambda function or -1 if unreserved. Note that this defaults to 1 to ensure that we only have one instance of this process running at a time. Since the process depends on querying expired IAM certificates, it can lead to errors if more than one of these are running at a time.

1

The AWS region (e.g., us-east-1) where all the findings will be aggregated. If null, no region will be designated as an aggregate region and findings will only be visible in the region where they were reported. NOTE: this can only be implemented on the SecurityHub administrator account.

null

When true, enable the CIS benchmark v1.4 ruleset for automatic checks in SecurityHub. Set this to false if you are using Steampipe instead.

true

When true, enable the CIS benchmark v1.2 ruleset for automatic checks in SecurityHub. If you also want to disable the CIS benchmark v1.4 check, then security_hub_enable_cis_1_4_check should also be set to false. Set this to false if you are using Steampipe instead.

true

List of AWS Accounts (ID and Email) to add as members to this account's SecurityHub configuration.

map(object({
  account_id = string
  email      = string
}))
{}
security_hub_loglevel (string, optional)

Adjust the logging level of the script to sync SecurityHub member accounts. Valid values: debug, info, warn, error

"info"
security_hub_product_integrations (list(object(…)), optional)

List of product integration IDs to enable on SecurityHub. Refer to https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html#argument-reference for valid values.

list(object({
  owning_account_id = string
  product_id        = string
}))
[]
service_linked_roles (set(string), optional)

Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles.

[]

Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in auto_deploy_permissions. (true or false)

false

Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false)

false

Should we create the IAM Group for access to all external AWS accounts?

true

Should we create the IAM Group for developers? The permissions of that group are specified via iam_group_developers_permitted_services. (true or false)

false

Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If cloudtrail_kms_key_arn is set, also grants decrypt access to that KMS CMK. (true or false)

false

Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false)

false

Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false)

false

Should we create the IAM Group for iam-user-self-mgmt? Allows IAM users to manage their own account, but not other users. (true or false)

false

When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards.

true
users (any, optional)

A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true), 'create_login_profile' (if set to true, create a password to login to the AWS Web Console), 'create_access_keys' (if set to true, create access keys for the user), 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is used to set the permissions boundary for the user).

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
users = {
  alice = {
    groups = ["user-self-mgmt", "developers", "ssh-sudo-users"]
  }

  bob = {
    path   = "/"
    groups = ["user-self-mgmt", "ops", "admins"]
    tags = {
      foo = "bar"
    }
  }

  carol = {
    groups               = ["user-self-mgmt", "developers", "ssh-users"]
    pgp_key              = "keybase:carol_on_keybase"
    create_login_profile = true
    create_access_keys   = true
  }
}

Details

Ideally, this would be a map of (string, object), but object does not support optional properties, and we want
users to be able to specify, say, tags for some users, but not for others. We can't use a map(any) either, as that
would require the values to all have the same type, and due to optional parameters, that wouldn't work either. So,
we have to lamely fall back to any.