Service Catalog Version 0.118.1. Last updated in version 0.112.1.

Account Baseline for security account


Overview

A security baseline for AWS Landing Zone for configuring the security account (the one where all your IAM users and IAM groups are defined), including setting up AWS Config, AWS CloudTrail, Amazon Guard Duty, IAM users, IAM groups, IAM password policy, and more.

For large scale organizations that frequently onboard and offboard new users, consider taking a look at the iam-users-and-groups module for managing IAM Users and Groups.

Features

Get a secure baseline for the security account of your AWS Organization that includes:

Learn

Note: This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
  • examples: This folder contains working examples of how to use the submodules.
  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

Production deployment

If you want to deploy this repo in production, check out the following resources:

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S ACCOUNT-BASELINE-SECURITY MODULE
# ------------------------------------------------------------------------------------------------------

module "account_baseline_security" {

source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security?ref=v0.118.1"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>

# The AWS Region to use as the global config recorder and seed region for
# GuardDuty.
aws_region = <string>

# Creates resources in the specified regions. The best practice is to enable
# AWS Config in all enabled regions in your AWS account. This variable must
# NOT be set to null or empty. Otherwise, we won't know which regions to use
# and authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions.
config_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# EBS Encryption in all enabled regions in your AWS account. This variable
# must NOT be set to null or empty. Otherwise, we won't know which regions to
# use and authenticate to, and may use some not enabled in your AWS account
# (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions. The value
# provided for global_recorder_region must be in this list.
ebs_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# GuardDuty in all enabled regions in your AWS account. This variable must NOT
# be set to null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions. The value
# provided for global_recorder_region must be in this list.
guardduty_opt_in_regions = <list(string)>

# Creates resources in the specified regions. The best practice is to enable
# IAM Access Analyzer in all enabled regions in your AWS account. This
# variable must NOT be set to null or empty. Otherwise, we won't know which
# regions to use and authenticate to, and may use some not enabled in your AWS
# account (e.g., GovCloud, China, etc). To get the list of regions enabled in
# your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The
# value provided for global_recorder_region must be in this list.
iam_access_analyzer_opt_in_regions = <list(string)>

# Creates resources in the specified regions. This variable must NOT be set to
# null or empty. Otherwise, we won't know which regions to use and
# authenticate to, and may use some not enabled in your AWS account (e.g.,
# GovCloud, China, etc). To get the list of regions enabled in your AWS
# account, you can use the AWS CLI: aws ec2 describe-regions. The value
# provided for global_recorder_region must be in this list.
kms_cmk_opt_in_regions = <list(string)>

# The name used to prefix AWS Config and Cloudtrail resources, including the
# S3 bucket names and SNS topics used for each.
name_prefix = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# Map of additional managed rules to add. The key is the name of the rule
# (e.g. `acm-certificate-expiration-check`) and the value is an object
# specifying the rule details.
additional_config_rules = {}

# Map of github repositories to the list of branches that are allowed to
# assume the IAM role. The repository should be encoded as org/repo-name
# (e.g., gruntwork-io/terraform-aws-ci). Allows GitHub Actions to assume the
# auto deploy IAM role using an OpenID Connect Provider for the given
# repositories. Refer to the docs for github-actions-iam-role for more
# information. Note that this is mutually exclusive with
# var.allow_auto_deploy_from_other_account_arns. Only used if
# var.enable_github_actions_access is true.
allow_auto_deploy_from_github_actions_for_sources = {}

# A list of IAM ARNs from other AWS accounts that will be allowed to assume
# the auto deploy IAM role that has the permissions in
# var.auto_deploy_permissions.
allow_auto_deploy_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_auto_deploy_iam_role_permissions_boundary = null

# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the billing info for this account.
allow_billing_access_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_billing_access_iam_role_permissions_boundary = null

# If true, an IAM Policy that grants access to CloudTrail will be honored. If
# false, only the ARNs listed in var.kms_key_user_iam_arns will have access to
# CloudTrail and any IAM Policy grants will be ignored. (true or false)
allow_cloudtrail_access_with_iam = true

# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to the services in this account specified in
# var.dev_permitted_services.
allow_dev_access_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_dev_access_iam_role_permissions_boundary = null

# A list of IAM ARNs from other AWS accounts that will be allowed full (read
# and write) access to this account.
allow_full_access_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_full_access_iam_role_permissions_boundary = null

# A list of IAM ARNs from other AWS accounts that will be allowed access to
# the logs in CloudTrail, AWS Config, and CloudWatch for this account. Will
# also be given permissions to decrypt with the KMS CMK that is used to
# encrypt CloudTrail logs.
allow_logs_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed read-only
# access to this account.
allow_read_only_access_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_read_only_access_iam_role_permissions_boundary = null

# A list of IAM ARNs from other AWS accounts that will be allowed read access
# to IAM groups and publish SSH keys. This is used for ssh-grunt.
allow_ssh_grunt_access_from_other_account_arns = []

# A list of IAM ARNs from other AWS accounts that will be allowed support
# access (AWSSupportAccess) to this account.
allow_support_access_from_other_account_arns = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
allow_support_access_iam_role_permissions_boundary = null

# A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group
# for doing automated deployments. NOTE: If
# var.should_create_iam_group_auto_deploy is true, the list must have at least
# one element (e.g. '*').
auto_deploy_permissions = []

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
aws_config_iam_role_permissions_boundary = null

# Whether or not to allow kms:DescribeKey to external AWS accounts with write
# access to the CloudTrail bucket. This is useful during deployment so that
# you don't have to pass around the KMS key ARN.
cloudtrail_allow_kms_describe_key_to_external_aws_accounts = false

# Specify the name of the CloudWatch Logs group to publish the CloudTrail logs
# to. This log group exists in the current account. Set this value to `null`
# to avoid publishing the trail logs to the logs group. The recommended
# configuration for CloudTrail is (a) for each child account to aggregate its
# logs in an S3 bucket in a single central account, such as a logs account and
# (b) to also store 14 days' worth of logs in CloudWatch in the child account
# itself for local debugging.
cloudtrail_cloudwatch_logs_group_name = "cloudtrail-logs"

# If true, logging of data events will be enabled.
cloudtrail_data_logging_enabled = false

# Specify if you want your event selector to include management events for
# your trail.
cloudtrail_data_logging_include_management_events = true

# Specify if you want your trail to log read-only events, write-only events,
# or all. Possible values are: ReadOnly, WriteOnly, All.
cloudtrail_data_logging_read_write_type = "All"

# Data resources for which to log data events. This should be a map, where
# each key is a data resource type, and each value is a list of data resource
# values. Possible values for data resource types are: AWS::S3::Object,
# AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource'
# block within the 'event_selector' block of the 'aws_cloudtrail' resource for
# context:
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource.
cloudtrail_data_logging_resources = {}

# A list of external AWS accounts that should be given write access for
# CloudTrail logs to this S3 bucket. This is useful when aggregating
# CloudTrail logs for multiple AWS accounts in one common S3 bucket.
cloudtrail_external_aws_account_ids_with_write_access = []

# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
cloudtrail_force_destroy = false

# The ARN of the policy that is used to set the permissions boundary for the
# IAM role
cloudtrail_iam_role_permissions_boundary = null

# All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key)
# that governs access to write API calls older than 7 days and all read API
# calls. The IAM Users specified in this list will have rights to change who
# can access this extended log data.
cloudtrail_kms_key_administrator_iam_arns = []

# All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key)
# that governs access to write API calls older than 7 days and all read API
# calls. If that CMK already exists, set this to the ARN of that CMK.
# Otherwise, set this to null, and a new CMK will be created. We recommend
# setting this to the ARN of a CMK that already exists in a separate logs
# account.
cloudtrail_kms_key_arn = null

# If the kms_key_arn provided is an alias or alias ARN, then this must be set
# to true so that the module will exchange the alias for a CMK ARN. Setting
# this to true and using aliases requires
# var.cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be
# true for multi-account scenarios.
cloudtrail_kms_key_arn_is_alias = false

# Additional service principals beyond CloudTrail that should have access to
# the KMS key used to encrypt the logs. This is useful for granting access to
# the logs for the purposes of constructing metric filters.
cloudtrail_kms_key_service_principals = []

# All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key)
# that governs access to write API calls older than 7 days and all read API
# calls. The IAM Users specified in this list will have read-only access to
# this extended log data.
cloudtrail_kms_key_user_iam_arns = []

# After this number of days, log files should be transitioned from S3 to
# Glacier. Enter 0 to never archive log data.
cloudtrail_num_days_after_which_archive_log_data = 30

# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
cloudtrail_num_days_after_which_delete_log_data = 365

# After this number of days, logs stored in CloudWatch will be deleted.
# Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
# 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained
# indefinitely.
cloudtrail_num_days_to_retain_cloudwatch_logs = 0

# Set to false to create an S3 bucket of name var.cloudtrail_s3_bucket_name in
# this account for storing CloudTrail logs. Set to true to assume the bucket
# specified in var.cloudtrail_s3_bucket_name already exists in another AWS
# account. We recommend setting this to true and setting
# var.cloudtrail_s3_bucket_name to the name of a bucket that already exists in
# a separate logs account.
cloudtrail_s3_bucket_already_exists = false

# The name of the S3 Bucket where CloudTrail logs will be stored. If value is
# `null`, defaults to `var.name_prefix`-cloudtrail
cloudtrail_s3_bucket_name = null

# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to store CloudTrail data. This cannot be used to toggle this
# setting but is available to allow managed buckets to reflect the state in
# AWS. For instructions on how to enable MFA Delete, check out the README from
# the terraform-aws-security/private-s3-bucket module.
cloudtrail_s3_mfa_delete = false

# Tags to apply to the CloudTrail resources.
cloudtrail_tags = {}

# Set to true to send the AWS Config data to another account (e.g., a logs
# account) for aggregation purposes. You must set the ID of that other account
# via the config_central_account_id variable. This redundant variable has to
# exist because Terraform does not allow computed data in count and for_each
# parameters and var.config_central_account_id may be computed if it's the ID
# of a newly-created AWS account.
config_aggregate_config_data_in_external_account = false

# If the S3 bucket and SNS topics used for AWS Config live in a different AWS
# account, set this variable to the ID of that account. If the S3 bucket and
# SNS topics live in this account, set this variable to null. We recommend
# setting this to the ID of a separate logs account. Only used if
# var.config_aggregate_config_data_in_external_account is true.
config_central_account_id = null

# Set to true to create AWS Config rules directly in this account. Set false
# to not create any Config rules in this account (i.e., if you created the
# rules at the organization level already). We recommend setting this to true
# to use account-level rules because org-level rules create a chicken-and-egg
# problem with creating new accounts.
config_create_account_rules = true

# Optional KMS key to use for encrypting S3 objects on the AWS Config delivery
# channel for an externally managed S3 bucket. This must belong to the same
# region as the destination S3 bucket. If null, AWS Config will default to
# encrypting the delivered data with AES-256 encryption. Only used if
# var.should_create_s3_bucket is false - otherwise, var.kms_key_arn is used.
config_delivery_channel_kms_key_arn = null

# Same as var.config_delivery_channel_kms_key_arn, except the value is a name
# of a KMS key configured with var.kms_customer_master_keys. The module
# created KMS key for the delivery region (indexed by the name) will be used.
# Note that if both var.config_delivery_channel_kms_key_arn and
# var.config_delivery_channel_kms_key_by_name are configured, the key in
# var.config_delivery_channel_kms_key_arn will always be used.
config_delivery_channel_kms_key_by_name = null

# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
config_force_destroy = false

# Provide a list of AWS account IDs that will send Config data to this
# account. This is useful if you're aggregating config data in this account for
# other accounts.
config_linked_accounts = []

# After this number of days, log files should be transitioned from S3 to
# Glacier. Enter 0 to never archive log data.
config_num_days_after_which_archive_log_data = 365

# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
config_num_days_after_which_delete_log_data = 730

# Optional KMS key to use for encrypting S3 objects on the AWS Config bucket,
# when the S3 bucket is created within this module
# (var.config_should_create_s3_bucket is true). For encrypting S3 objects on
# delivery for an externally managed S3 bucket, refer to the
# var.config_delivery_channel_kms_key_arn input variable. If null, data in S3
# will be encrypted using the default aws/s3 key. If provided, the key policy
# of the provided key must permit the IAM role used by AWS Config. See
# https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html. Note that
# the KMS key must reside in the global recorder region (as configured by
# var.aws_region).
config_s3_bucket_kms_key_arn = null

# Same as var.config_s3_bucket_kms_key_arn, except the value is a name of a
# KMS key configured with var.kms_customer_master_keys. The module created KMS
# key for the global recorder region (indexed by the name) will be used. Note
# that if both var.config_s3_bucket_kms_key_arn and
# var.config_s3_bucket_kms_key_by_name are configured, the key in
# var.config_s3_bucket_kms_key_arn will always be used.
config_s3_bucket_kms_key_by_name = null

# The name of the S3 Bucket where AWS Config data will be stored. This could
# be a bucket in this AWS account or the name of a bucket in another AWS
# account where logs should be sent. We recommend setting this to the name of
# a bucket in a separate logs account.
config_s3_bucket_name = null

# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to store AWS Config data. This cannot be used to toggle this
# setting but is available to allow managed buckets to reflect the state in
# AWS. For instructions on how to enable MFA Delete, check out the README from
# the terraform-aws-security/private-s3-bucket module.
config_s3_mfa_delete = false

# Set to true to create an S3 bucket of name var.config_s3_bucket_name in this
# account for storing AWS Config data. Set to false to assume the bucket
# specified in var.config_s3_bucket_name already exists in another AWS
# account. We recommend setting this to false and setting
# var.config_s3_bucket_name to the name of an S3 bucket that already exists
# in a separate logs account.
config_should_create_s3_bucket = false

# Set to true to create an SNS topic in this account for sending AWS Config
# notifications (e.g., if this is the logs account). Set to false to assume
# the topic specified in var.config_sns_topic_name already exists in another
# AWS account (e.g., if this is the stage or prod account and
# var.config_sns_topic_name is the name of an SNS topic in the logs account).
config_should_create_sns_topic = false

# Same as var.config_sns_topic_kms_key_region_map, except the value is a name
# of a KMS key configured with var.kms_customer_master_keys. The module
# created KMS key for each region (indexed by the name) will be used. Note
# that if an entry exists for a region in both
# var.config_sns_topic_kms_key_region_map and
# var.config_sns_topic_kms_key_by_name_region_map, then the key in
# var.config_sns_topic_kms_key_region_map will always be used.
config_sns_topic_kms_key_by_name_region_map = null

# Optional KMS key to use for each region for configuring default encryption
# for the SNS topic (encoded as a map from region - e.g. us-east-1 - to ARN of
# KMS key). If null or the region key is missing, encryption will not be
# configured for the SNS topic in that region.
config_sns_topic_kms_key_region_map = null

# The name of the SNS Topic in where AWS Config notifications will be sent.
# Can be in the same account or in another account.
config_sns_topic_name = "ConfigTopic"

# A map of tags to apply to the S3 Bucket. The key is the tag name and the
# value is the tag value.
config_tags = {}

# The maximum frequency with which AWS Config runs evaluations for the
# `PERIODIC` rules. See
# https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency
configrules_maximum_execution_frequency = "TwentyFour_Hours"

# The name of the IAM group that will grant access to all external AWS
# accounts in var.iam_groups_for_cross_account_access.
cross_account_access_all_group_name = "_all-accounts"

# A custom name to use for the Cloudtrail Trail. If null, defaults to the
# var.name_prefix input variable.
custom_cloudtrail_trail_name = null

# A list of AWS services for which the developers from the accounts in
# var.allow_dev_access_from_other_account_arns will receive full permissions.
# See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to
# grant developers access only to EC2 and Amazon Machine Learning, use the
# value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or
# that will grant Developers de facto admin access.
dev_permitted_services = []

# If set to true (default), all new EBS volumes will have encryption enabled
# by default
ebs_enable_encryption = true

# The name of the KMS CMK to use by default for encrypting EBS volumes, if
# var.ebs_enable_encryption and var.ebs_use_existing_kms_keys are enabled. The
# name must match a name given in the var.kms_customer_master_keys variable.
ebs_kms_key_name = ""

# If set to true, the KMS Customer Managed Keys (CMK) with the name in
# var.ebs_kms_key_name will be set as the default for EBS encryption. When
# false (default), the AWS-managed aws/ebs key will be used.
ebs_use_existing_kms_keys = false

# Set to true (default) to enable CloudTrail in the security account. Set to
# false to disable CloudTrail (note: all other CloudTrail variables will be
# ignored). Note that if you have enabled organization trail in the root
# (parent) account, you should set this to false; the organization trail will
# enable CloudTrail on child accounts by default.
enable_cloudtrail = true

# Set to true to enable AWS Config in the security account. Set to false to
# disable AWS Config (note: all other AWS config variables will be ignored).
enable_config = true

# Checks whether the EBS volumes that are in an attached state are encrypted.
enable_encrypted_volumes = true

# When true, create an Open ID Connect Provider that GitHub actions can use to
# assume IAM roles in the account. Refer to
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
# for more information.
enable_github_actions_access = false

# Set to true (default) to enable GuardDuty in this app account. Set to false
# to disable GuardDuty (note: all other GuardDuty variables will be ignored).
# Note that if you have enabled organization level GuardDuty in the root
# (parent) account, you should set this to false; the organization GuardDuty
# will enable GuardDuty on child accounts by default.
enable_guardduty = true

# A feature flag to enable or disable the IAM Access Analyzer module.
enable_iam_access_analyzer = false

# A feature flag to enable or disable the Cross Account Iam Roles module.
enable_iam_cross_account_roles = true

# A feature flag to enable or disable the IAM Groups module.
enable_iam_groups = true

# Checks whether the account password policy for IAM users meets the specified
# requirements.
enable_iam_password_policy = true

# Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual
# Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic.
enable_insecure_sg_rules = true

# Checks whether storage encryption is enabled for your RDS DB instances.
enable_rds_storage_encrypted = true

# Checks whether users of your AWS account require a multi-factor
# authentication (MFA) device to sign in with root credentials.
enable_root_account_mfa = true

# Checks that your Amazon S3 buckets do not allow public read access.
enable_s3_bucket_public_read_prohibited = true

# Checks that your Amazon S3 buckets do not allow public write access.
enable_s3_bucket_public_write_prohibited = true

# ID or ARN of the KMS key that is used to encrypt the volume. Used for
# configuring the encrypted volumes config rule.
encrypted_volumes_kms_id = null

# When destroying this user, destroy even if it has non-Terraform-managed IAM
# access keys, login profile, or MFA devices. Without force_destroy a user
# with non-Terraform-managed access keys and login profile will fail to be
# destroyed.
force_destroy_users = false

# When set, use the statically provided hardcoded list of thumbprints rather
# than looking it up dynamically. This is useful if you want to trade
# reliability of the OpenID Connect Provider across certificate renewals with
# a static list that is obtained using a trustworthy mechanism, to mitigate
# potential damage from a domain hijacking attack on GitHub domains.
github_actions_openid_connect_provider_thumbprint_list = null

# Name of the Cloudwatch event rules.
guardduty_cloudwatch_event_rule_name = "guardduty-finding-events"

# Map of detector features to enable, where the key is the name of the feature
# and the value is the feature configuration. When an AWS Organizations
# delegated admin account is used, use var.organization_configuration_features
# instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
guardduty_detector_features = {}

# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty master account and cannot be modified, otherwise
# defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must
# be configured in Terraform to enable drift detection. Valid values for
# standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
guardduty_finding_publishing_frequency = null

# If true, an IAM Policy that grants access to the key will be honored. If
# false, only the ARNs listed in var.kms_key_user_iam_arns will have access to
# the key and any IAM Policy grants will be ignored. (true or false)
guardduty_findings_allow_kms_access_with_iam = true

# The AWS regions that are allowed to write to the GuardDuty findings S3
# bucket. This is needed to configure the bucket and CMK policy to allow
# writes from manually-enabled regions. See
# https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
guardduty_findings_allowed_regions = []

# Whether or not to enable automatic annual rotation of the KMS key. Defaults
# to true.
guardduty_findings_enable_key_rotation = true

# A list of external AWS accounts that should be given write access for
# GuardDuty findings to this S3 bucket. This is useful when aggregating
# findings for multiple AWS accounts in one common S3 bucket.
guardduty_findings_external_aws_account_ids_with_write_access = []

# If set to true, when you run 'terraform destroy', delete all objects from
# the bucket so that the bucket can be destroyed without error. Warning: these
# objects are not recoverable so only use this if you're absolutely sure you
# want to permanently delete everything!
guardduty_findings_force_destroy = false

# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have rights to change who
# can access the data.
guardduty_findings_kms_key_administrator_iam_arns = []

# If set to true, that means the KMS key you're using already exists, and does
# not need to be created.
guardduty_findings_kms_key_already_exists = false

# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces findings to be encrypted. Only used if
# guardduty_publish_findings_to_s3 is true.
guardduty_findings_kms_key_arn = null

# Additional service principals beyond GuardDuty that should have access to
# the KMS key used to encrypt the logs.
guardduty_findings_kms_key_service_principals = []

# All GuardDuty findings will be encrypted with a KMS Key (a Customer Master
# Key). The IAM Users specified in this list will have read-only access to the
# data.
guardduty_findings_kms_key_user_iam_arns = []

# After this number of days, findings should be transitioned from S3 to
# Glacier. Enter 0 to never archive findings.
guardduty_findings_num_days_after_which_archive_findings_data = 30

# After this number of days, log files should be deleted from S3. Enter 0 to
# never delete log data.
guardduty_findings_num_days_after_which_delete_findings_data = 365

# Additional IAM policies to apply to this S3 bucket. You can use this to
# grant read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
# defined in the comment above.
guardduty_findings_s3_bucket_additional_policy_statements = {}

# The S3 bucket ARN to which the findings get exported.
guardduty_findings_s3_bucket_arn = null

# The name of the S3 Bucket where GuardDuty findings will be stored.
guardduty_findings_s3_bucket_name = null

# Optional prefix directory to create in the bucket. Must contain a trailing
# '/'. If you use a prefix for S3 findings publishing, you must pre-create the
# prefix in the findings bucket. See
# https://github.com/hashicorp/terraform-provider-aws/issues/16750.
guardduty_findings_s3_bucket_prefix = null

# Enable MFA delete for either 'Change the versioning state of your bucket' or
# 'Permanently delete an object version'. This setting only applies to the
# bucket used to store GuardDuty findings. This cannot be used to toggle
# this setting but is available to allow managed buckets to reflect the state
# in AWS. For instructions on how to enable MFA Delete, check out the README
# from the terraform-aws-security/private-s3-bucket module.
guardduty_findings_s3_mfa_delete = false

# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
guardduty_findings_s3_prefix = null

# Whether to create a bucket for GuardDuty findings. If set to true, you must
# provide the var.guardduty_findings_s3_bucket_name.
guardduty_findings_should_create_bucket = false

# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
guardduty_findings_sns_topic_name = "guardduty-findings"

# Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).
guardduty_findings_tags = {}

# The invitation message to send to the member accounts.
guardduty_invitation_message = "Please accept GuardDuty invitation."

# Map of member accounts to add to GuardDuty, where the key is the AWS account
# number. Use this to add Organization accounts to the delegated admin account,
# or to invite member accounts by invitation.
guardduty_member_accounts = {}

# Publish GuardDuty findings to an S3 bucket.
guardduty_publish_findings_to_s3 = false

# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
guardduty_publish_findings_to_sns = false

# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "baseline_security-iam_access_analyzer"

# If set to ACCOUNT, the analyzer will only scan the current AWS account it's
# in. If set to ORGANIZATION, it will scan the organization AWS account and
# the child accounts.
iam_access_analyzer_type = "ACCOUNT"

# A list of AWS services for which the developers IAM Group will receive full
# permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For
# example, to grant developers access only to EC2 and Amazon Machine Learning,
# use the value ["ec2","machinelearning"]. Do NOT add iam to the list of
# services, or that will grant Developers de facto admin access. If you need
# to grant iam privileges, just grant the user Full Access.
iam_group_developers_permitted_services = []

# The name of the IAM Group that allows automated deployment by granting the
# permissions specified in var.auto_deploy_permissions.
iam_group_name_auto_deploy = "_machine.ecs-auto-deploy"

# The name to be used for the IAM Group that grants read/write access to all
# billing features in AWS.
iam_group_name_billing = "billing"

# The name to be used for the IAM Group that grants IAM Users a reasonable set
# of permissions for developers.
iam_group_name_developers = "developers"

# The name to be used for the IAM Group that grants full access to all AWS
# resources.
iam_group_name_full_access = "full-access"

# The name to be used for the IAM Group that grants IAM administrative access.
# Effectively grants administrator access.
iam_group_name_iam_admin = "iam-admin"

# The name to be used for the IAM Group that grants IAM Users the permissions
# to manage their own IAM User account.
iam_group_name_iam_user_self_mgmt = "iam-user-self-mgmt"

# The name to be used for the IAM Group that grants read access to CloudTrail,
# AWS Config, and CloudWatch in AWS.
iam_group_name_logs = "logs"

# The name to be used for the IAM Group that grants read-only access to all
# AWS resources.
iam_group_name_read_only = "read-only"

# The name of the IAM Group that allows access to AWS Support.
iam_group_name_support = "support"

# The name to be used for the IAM Group that grants IAM Users the permissions
# to use existing IAM Roles when launching AWS Resources. This does NOT grant
# the permission to create new IAM Roles.
iam_group_name_use_existing_iam_roles = "use-existing-iam-roles"

# The list of names to be used for the IAM Group that enables its members to
# SSH as a sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_sudo_users = ["ssh-grunt-sudo-users"]

# The name to be used for the IAM Group that enables its members to SSH as a
# non-sudo user into any server configured with the ssh-grunt Gruntwork
# module. Pass in multiple to configure multiple different IAM groups to
# control different groupings of access at the server level. Pass in empty
# list to disable creation of the IAM groups.
iam_group_names_ssh_grunt_users = ["ssh-grunt-users"]

# This variable is used to create groups that allow IAM users to assume roles
# in your other AWS accounts. It should be a list of objects, where each
# object has the fields 'group_name', which will be used as the name of the
# IAM group, and 'iam_role_arns', which is a list of ARNs of IAM Roles that
# you can assume when part of that group. For each entry in the list of
# objects, we will create an IAM group that allows users to assume the given
# IAM role(s) in the other AWS account. This allows you to define all your IAM
# users in one account (e.g. the users account) and to grant them access to
# certain IAM roles in other accounts (e.g. the stage, prod, audit accounts).
iam_groups_for_cross_account_access = []

# Allow users to change their own password.
iam_password_policy_allow_users_to_change_password = true

# Password expiration requires administrator reset.
iam_password_policy_hard_expiry = false

# Number of days before password expiration.
iam_password_policy_max_password_age = 30

# Password minimum length.
iam_password_policy_minimum_password_length = 16

# Number of passwords before allowing reuse.
iam_password_policy_password_reuse_prevention = 5

# Require at least one lowercase character in password.
iam_password_policy_require_lowercase_characters = true

# Require at least one number in password.
iam_password_policy_require_numbers = true

# Require at least one symbol in password.
iam_password_policy_require_symbols = true

# Require at least one uppercase character in password.
iam_password_policy_require_uppercase_characters = true

# The name to be used for the IAM Policy that grants IAM Users the permissions
# to manage their own IAM User account.
iam_policy_iam_user_self_mgmt = "iam-user-self-mgmt"

# The tags to apply to all the IAM role resources.
iam_role_tags = {}

# Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges
# are defined by a dash; for example, '443,1020-1025'.
insecure_sg_rules_authorized_tcp_ports = "443"

# Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges
# are defined by a dash; for example, '500,1020-1025'.
insecure_sg_rules_authorized_udp_ports = null

# A map of tags to apply to all KMS Keys to be created. In this map variable,
# the key is the tag name and the value is the tag value.
kms_cmk_global_tags = {}

# You can use this variable to create account-level KMS Customer Master Keys
# (CMKs) for encrypting and decrypting data. This variable should be a map
# where the keys are the names of the CMK and the values are an object that
# defines the configuration for that CMK. See the comment below for the
# configuration options you can set for each key.
kms_customer_master_keys = {}

# The map of names of KMS grants to the region in which the key resides. There
# should be a one-to-one mapping between entries in this map and the entries
# of the kms_grants map. This is used to work around a Terraform limitation
# where the for_each value cannot depend on resources.
kms_grant_regions = {}

# Create the specified KMS grants to allow entities to use the KMS key without
# modifying the KMS policy or IAM. This is necessary to allow AWS services
# (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map
# of grant name to grant properties. The name must be unique per account.
kms_grants = {}

# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for people
# to use, such as allow-read-only-access-from-other-accounts. For IAM roles
# that are intended for machine users, such as
# allow-auto-deploy-from-other-accounts, see
# var.max_session_duration_machine_users.
max_session_duration_human_users = 43200

# The maximum allowable session duration, in seconds, for the credentials you
# get when assuming the IAM roles created by this module. This variable
# applies to all IAM roles created by this module that are intended for
# machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles
# that are intended for human users, such as
# allow-read-only-access-from-other-accounts, see
# var.max_session_duration_human_users.
max_session_duration_machine_users = 3600

# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}

# Force the user to reset their password on initial login. Only used for users
# with create_login_profile set to true.
password_reset_required = true

# KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS
# storage encryption config rule.
rds_storage_encrypted_kms_id = null

# The mode for AWS Config to record configuration changes.
#
# recording_frequency:
#   The frequency with which AWS Config records configuration changes (service defaults to CONTINUOUS).
#   - CONTINUOUS
#   - DAILY
#
# You can also override the recording frequency for specific resource types.
# recording_mode_override:
#   description:
#     A description for the override.
#   recording_frequency:
#     The frequency with which AWS Config records configuration changes for the specified resource types.
#     - CONTINUOUS
#     - DAILY
#   resource_types:
#     A list of resource types for which AWS Config records configuration changes. For example, AWS::EC2::Instance.
#
# See the following for more information:
# https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html
#
# /*
# recording_mode = {
#   recording_frequency = "DAILY"
#   recording_mode_override = {
#     description         = "Override for specific resource types"
#     recording_frequency = "CONTINUOUS"
#     resource_types      = ["AWS::EC2::Instance"]
#   }
# }
# */
#
recording_mode = null

# Create service-linked roles for this set of services. You should pass in the
# URLs of the services, but without the protocol (e.g., http://) in front:
# e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or
# es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are
# predefined by the service, can typically only be assumed by that service,
# and include all the permissions that the service requires to call other AWS
# services on your behalf. You can typically only create one such role per AWS
# account, which is why this parameter exists in the account baseline. See
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
# for the list of services that support service-linked roles.
service_linked_roles = []

# Should we create the IAM Group for auto-deploy? Allows automated deployment
# by granting the permissions specified in var.auto_deploy_permissions. (true
# or false)
should_create_iam_group_auto_deploy = false

# Should we create the IAM Group for billing? Allows read-write access to
# billing features only. (true or false)
should_create_iam_group_billing = false

# Should we create the IAM Group for access to all external AWS accounts?
should_create_iam_group_cross_account_access_all = true

# Should we create the IAM Group for developers? The permissions of that group
# are specified via var.iam_group_developers_permitted_services. (true or
# false)
should_create_iam_group_developers = false

# Should we create the IAM Group for full access? Allows full access to all
# AWS resources. (true or false)
should_create_iam_group_full_access = true

# Should we create the IAM Group for IAM administrator access? Allows users to
# manage all IAM entities, effectively granting administrator access. (true or
# false)
should_create_iam_group_iam_admin = false

# Should we create the IAM Group for logs? Allows read access to CloudTrail,
# AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also
# give decrypt access to a KMS CMK. (true or false)
should_create_iam_group_logs = false

# Should we create the IAM Group for read-only? Allows read-only access to all
# AWS resources. (true or false)
should_create_iam_group_read_only = false

# Should we create the IAM Group for support? Allows support access
# (AWSSupportAccess). (true or false)
should_create_iam_group_support = false

# Should we create the IAM Group for use-existing-iam-roles? Allow launching
# AWS resources with existing IAM Roles, but no ability to create new IAM
# Roles. (true or false)
should_create_iam_group_use_existing_iam_roles = false

# Should we create the IAM Group for user self-management? Allows users to
# manage their own IAM user accounts, but not other IAM users. (true or false)
should_create_iam_group_user_self_mgmt = true

# Should we require that all IAM Users use Multi-Factor Authentication for
# both AWS API calls and the AWS Web Console? (true or false)
should_require_mfa = true

# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true

# A map of users to create. The keys are the user names and the values are an
# object with the optional keys 'groups' (a list of IAM groups to add the user
# to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a
# base-64 encoded PGP public key, or a keybase username in the form
# keybase:username, used to encrypt the user's credentials; required if
# create_login_profile or create_access_keys is true), 'create_login_profile'
# (if set to true, create a password to login to the AWS Web Console),
# 'create_access_keys' (if set to true, create access keys for the user),
# 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is
# used to set the permissions boundary for the user).
users = {}

}
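
As an added example that is not part of the module's sample main.tf, the fragment below shows how the users map and iam_groups_for_cross_account_access work together: IAM users live in this security account, and group membership decides which roles in the other accounts they may assume. The account IDs, user name and keybase handle are placeholders; allow-read-only-access-from-other-accounts is the role name the module's own inputs refer to.

```hcl
# Added example: inputs passed to the account_baseline_security module in
# addition to the required ones shown in the sample main.tf. Account IDs,
# the user name and the keybase handle are placeholders.

# One group per target account; members may assume the listed roles there.
# allow-read-only-access-from-other-accounts is the baseline's role for human
# read-only access in the target account.
iam_groups_for_cross_account_access = [
  {
    group_name    = "_account.stage-read-only"
    iam_role_arns = ["arn:aws:iam::111111111111:role/allow-read-only-access-from-other-accounts"]
  },
  {
    group_name    = "_account.prod-read-only"
    iam_role_arns = ["arn:aws:iam::222222222222:role/allow-read-only-access-from-other-accounts"]
  },
]

# A human user gets console access only (no long-lived access keys), a
# password that must be changed at first login, and membership in the
# self-management group so they can manage their own IAM user. The console
# credentials are encrypted to the user's PGP key (keybase handle placeholder).
users = {
  "alice" = {
    groups = [
      "iam-user-self-mgmt",       # default value of iam_group_name_iam_user_self_mgmt
      "_account.stage-read-only",
      "_account.prod-read-only",
    ]
    pgp_key              = "keybase:alice-placeholder"
    create_login_profile = true
    create_access_keys   = false
    tags                 = { team = "security" }
  }
}

# Defaults made explicit because the users above depend on them: the
# self-management group must exist, the initial password must be reset at
# first login, and MFA is required for both API calls and the console.
should_create_iam_group_user_self_mgmt = true
password_reset_required                = true
should_require_mfa                     = true
```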


Reference

Required

aws_account_id (string, required)

The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.

aws_region (string, required)

The AWS Region to use as the global config recorder and seed region for GuardDuty.

config_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.

ebs_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list.

guardduty_opt_in_regions (list(string), required)

Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list.

Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list.

kms_cmk_opt_in_regions (list(string), required)

Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list.

name_prefix (string, required)

The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each.

Optional

additional_config_rules (map(object(…)), optional)

Map of additional managed rules to add. The key is the name of the rule (e.g. 'acm-certificate-expiration-check') and the value is an object specifying the rule details

map(object({
  # Description of the rule
  description : string
  # Identifier of an available AWS Config Managed Rule to call.
  identifier : string
  # Trigger type of the rule, must be one of 'CONFIG_CHANGE' or 'PERIODIC'.
  trigger_type : string
  # A map of input parameters for the rule. If you don't have parameters, pass in an empty map '{}'.
  input_parameters : map(string)
  # Whether or not this applies to global (non-regional) resources like IAM roles. When true, these rules are disabled
  # if var.enable_global_resource_rules is false.
  applies_to_global_resources = bool
}))
{}
Example
additional_config_rules = {
  acm-certificate-expiration-check = {
    description                 = "Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.",
    identifier                  = "ACM_CERTIFICATE_EXPIRATION_CHECK",
    trigger_type                = "PERIODIC",
    input_parameters            = { "daysToExpiration" : "14" },
    applies_to_global_resources = false
  }
}

Map of GitHub repositories to the list of branches that are allowed to assume the IAM role. The repository should be encoded as org/repo-name (e.g., gruntwork-io/terraform-aws-ci). Allows GitHub Actions to assume the auto deploy IAM role using an OpenID Connect Provider for the given repositories. Refer to the docs for github-actions-iam-role for more information. Note that this is mutually exclusive with allow_auto_deploy_from_other_account_arns. Only used if enable_github_actions_access is true.

map(list(string))
{}

A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in auto_deploy_permissions.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in kms_key_user_iam_arns will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false)

true

A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in dev_permitted_services.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

A list of IAM ARNs from other AWS accounts that will be allowed access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. Will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs.

[]

A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt.

[]

A list of IAM ARNs from other AWS accounts that will be allowed support access (AWSSupportAccess) to this account.

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null
auto_deploy_permissions (list(string), optional)

A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If should_create_iam_group_auto_deploy is true, the list must have at least one element (e.g. '*').

[]

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN.

false

Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to null to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account, and (b) to also store 14 days' worth of logs in CloudWatch in the child account itself for local debugging.

"cloudtrail-logs"

If true, logging of data events will be enabled.

false

Specify if you want your event selector to include management events for your trail.

true

Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All.

"All"
cloudtrail_data_logging_resources (map(list(…)), optional)

Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource' block within the 'event_selector' block of the 'aws_cloudtrail' resource for context: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource.

map(list(string))
{}

A list of external AWS accounts that should be given write access for CloudTrail logs to this S3 bucket. This is useful when aggregating CloudTrail logs for multiple AWS accounts in one common S3 bucket.

[]

If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!

false

The ARN of the policy that is used to set the permissions boundary for the IAM role

null

All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data.

[]

All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists, set this to the ARN of that CMK. Otherwise, set this to null, and a new CMK will be created. We recommend setting this to the ARN of a CMK that already exists in a separate logs account.

null

If the kms_key_arn provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be true for multi-account scenarios.

false
cloudtrail_kms_key_service_principals (list(object(…)), optional)

Additional service principals beyond CloudTrail that should have access to the KMS key used to encrypt the logs. This is useful for granting access to the logs for the purposes of constructing metric filters.

list(object({
  # The name of the service principal (e.g.: s3.amazonaws.com).
  name = string

  # The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey",
  # "kms:GenerateDataKey"]).
  actions = list(string)

  # List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the
  # permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts).
  conditions = list(object({
    # Name of the IAM condition operator to evaluate.
    test = string

    # Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables
    # starting with aws: or service-specific variables prefixed with the service name.
    variable = string

    # Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one
    # of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    values = list(string)
  }))
}))
[]
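As an added example that is not part of the module documentation, the entry below lets the CloudWatch Logs service use the CloudTrail CMK (so that an encrypted log group such as cloudtrail-logs can be fed to metric filters), but only for log groups in one account, using the encryption-context condition AWS documents for KMS-encrypted log groups. The region and account ID are placeholders.

```hcl
# Added example: a service principal entry for cloudtrail_kms_key_service_principals.
# us-east-1 and 111111111111 are placeholders for the region of the log group and
# the account that owns it.
cloudtrail_kms_key_service_principals = [
  {
    # Regional CloudWatch Logs service principal.
    name = "logs.us-east-1.amazonaws.com"

    # The key operations CloudWatch Logs needs to encrypt and read log data.
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]

    # Restrict the grant to requests carrying an encryption context that names
    # a log group in this account, so the key cannot be used for log groups
    # elsewhere even though the principal is service-wide.
    conditions = [
      {
        test     = "ArnLike"
        variable = "kms:EncryptionContext:aws:logs:arn"
        values   = ["arn:aws:logs:us-east-1:111111111111:log-group:*"]
      },
    ]
  },
]
```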
All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data.

[]

After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data.

30

After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.

365

After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely.

0

Set to false to create an S3 bucket of name cloudtrail_s3_bucket_name in this account for storing CloudTrail logs. Set to true to assume the bucket specified in cloudtrail_s3_bucket_name already exists in another AWS account. We recommend setting this to true and setting cloudtrail_s3_bucket_name to the name of a bucket that already exists in a separate logs account.

false

The name of the S3 Bucket where CloudTrail logs will be stored. If value is null, defaults to name_prefix-cloudtrail

null

Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store CloudTrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module.

false
cloudtrail_tags (map(string), optional)

Tags to apply to the CloudTrail resources.

{}

Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the config_central_account_id variable. This redundant variable has to exist because Terraform does not allow computed data in count and for_each parameters, and config_central_account_id may be computed if it's the ID of a newly-created AWS account.

false

If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account. If the S3 bucket and SNS topics live in this account, set this variable to null. We recommend setting this to the ID of a separate logs account. Only used if config_aggregate_config_data_in_external_account is true.

null

Set to true to create AWS Config rules directly in this account. Set false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts.

true

Optional KMS key to use for encrypting S3 objects on the AWS Config delivery channel for an externally managed S3 bucket. This must belong to the same region as the destination S3 bucket. If null, AWS Config will default to encrypting the delivered data with AES-256 encryption. Only used if should_create_s3_bucket is false - otherwise, kms_key_arn is used.

null

Same as config_delivery_channel_kms_key_arn, except the value is a name of a KMS key configured with kms_customer_master_keys. The module created KMS key for the delivery region (indexed by the name) will be used. Note that if both config_delivery_channel_kms_key_arn and config_delivery_channel_kms_key_by_name are configured, the key in config_delivery_channel_kms_key_arn will always be used.

object({
  name   = string
  region = string
})
null

If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!

false
config_linked_accounts (list(string), optional)

Provide a list of AWS account IDs that will send Config data to this account. This is useful if you're aggregating config data in this account for other accounts.

[]

After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data.

365

After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.

730

Optional KMS key to use for encrypting S3 objects on the AWS Config bucket, when the S3 bucket is created within this module (config_should_create_s3_bucket is true). For encrypting S3 objects on delivery for an externally managed S3 bucket, refer to the config_delivery_channel_kms_key_arn input variable. If null, data in S3 will be encrypted using the default aws/s3 key. If provided, the key policy of the provided key must permit the IAM role used by AWS Config. See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html. Note that the KMS key must reside in the global recorder region (as configured by aws_region).

null

Same as config_s3_bucket_kms_key_arn, except the value is a name of a KMS key configured with kms_customer_master_keys. The module created KMS key for the global recorder region (indexed by the name) will be used. Note that if both config_s3_bucket_kms_key_arn and config_s3_bucket_kms_key_by_name are configured, the key in config_s3_bucket_kms_key_arn will always be used.

null
config_s3_bucket_name (string, optional)

The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where logs should be sent. We recommend setting this to the name of a bucket in a separate logs account.

null

Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store AWS Config data. This cannot be used to toggle the setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module.

false

Set to true to create an S3 bucket of name config_s3_bucket_name in this account for storing AWS Config data. Set to false to assume the bucket specified in config_s3_bucket_name already exists in another AWS account. We recommend setting this to false and setting config_s3_bucket_name to the name of an S3 bucket that already exists in a separate logs account.

false

Set to true to create an SNS topic in this account for sending AWS Config notifications (e.g., if this is the logs account). Set to false to assume the topic specified in config_sns_topic_name already exists in another AWS account (e.g., if this is the stage or prod account and config_sns_topic_name is the name of an SNS topic in the logs account).

false

Same as config_sns_topic_kms_key_region_map, except the value is the name of a KMS key configured with kms_customer_master_keys. The KMS key created by the module for each region (indexed by that name) will be used. Note that if an entry exists for a region in both config_sns_topic_kms_key_region_map and config_sns_topic_kms_key_by_name_region_map, then the key in config_sns_topic_kms_key_region_map will always be used.

null

Optional KMS key to use for each region for configuring default encryption for the SNS topic (encoded as a map from region - e.g. us-east-1 - to ARN of KMS key). If null or the region key is missing, encryption will not be configured for the SNS topic in that region.

null
config_sns_topic_name (string, optional)

The name of the SNS Topic in where AWS Config notifications will be sent. Can be in the same account or in another account.

"ConfigTopic"
config_tags (map(string), optional)

A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value.

{}

The maximum frequency with which AWS Config runs evaluations for the 'PERIODIC' rules. See https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency

"TwentyFour_Hours"

The name of the IAM group that will grant access to all external AWS accounts in iam_groups_for_cross_account_access.

"_all-accounts"

A custom name to use for the Cloudtrail Trail. If null, defaults to the name_prefix input variable.

null
dev_permitted_services (list(string), optional)

A list of AWS services for which the developers from the accounts in allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning']. Do NOT add iam to the list of services, or that will grant Developers de facto admin access.

[]

If set to true (default), all new EBS volumes will have encryption enabled by default.

true
ebs_kms_key_name (string, optional)

The name of the KMS CMK to use by default for encrypting EBS volumes, if ebs_enable_encryption and ebs_use_existing_kms_keys are enabled. The name must match a name given in the kms_customer_master_keys variable.

""

If set to true, the KMS Customer Managed Keys (CMK) with the name in ebs_kms_key_name will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used.

false
enable_cloudtrail (bool, optional)

Set to true (default) to enable CloudTrail in the security account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default.

true
enable_config (bool, optional)

Set to true to enable AWS Config in the security account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored).

true

Checks whether the EBS volumes that are in an attached state are encrypted.

true

When true, create an Open ID Connect Provider that GitHub actions can use to assume IAM roles in the account. Refer to https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for more information.

false
enable_guardduty (bool, optional)

Set to true (default) to enable GuardDuty in this app account. Set to false to disable GuardDuty (note: all other GuardDuty variables will be ignored). Note that if you have enabled organization level GuardDuty in the root (parent) account, you should set this to false; the organization GuardDuty will enable GuardDuty on child accounts by default.

true

A feature flag to enable or disable this module.

false

A feature flag to enable or disable the Cross Account IAM Roles module.

true
enable_iam_groups (bool, optional)

A feature flag to enable or disable the IAM Groups module.

true

Checks whether the account password policy for IAM users meets the specified requirements.

true

Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic.

true

Checks whether storage encryption is enabled for your RDS DB instances.

true

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

true

Checks that your Amazon S3 buckets do not allow public read access.

true

Checks that your Amazon S3 buckets do not allow public write access.

true

ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule.

null

When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.

false

When set, use the statically provided hardcoded list of thumbprints rather than looking it up dynamically. This is useful if you want to trade reliability of the OpenID Connect Provider across certificate renewals with a static list that is obtained using a trustworthy mechanism, to mitigate potential damage from a domain hijacking attack on GitHub domains.

null

Name of the CloudWatch event rules.

"guardduty-finding-events"
guardduty_detector_features (map(object(…)), optional)

Map of detector features to enable, where the key is the name of the feature and the value is the feature configuration. When an AWS Organizations delegated admin account is used, use organization_configuration_features instead. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature

map(object({
status = string
additional_configuration = list(object({
name = string
status = string
}))
}))
{}

Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.

null

If true, an IAM Policy that grants access to the key will be honored. If false, only the ARNs listed in kms_key_user_iam_arns will have access to the key and any IAM Policy grants will be ignored. (true or false)

true

The AWS regions that are allowed to write to the GuardDuty findings S3 bucket. This is needed to configure the bucket and CMK policy to allow writes from manually-enabled regions. See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies

[]

Whether or not to enable automatic annual rotation of the KMS key. Defaults to true.

true

A list of external AWS accounts that should be given write access for GuardDuty findings to this S3 bucket. This is useful when aggregating findings for multiple AWS accounts in one common S3 bucket.

[]

If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything!

false

All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have rights to change who can access the data.

[]

If set to true, that means the KMS key you're using already exists, and does not need to be created.

false

The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty enforces findings to be encrypted. Only used if guardduty_publish_findings_to_s3 is true.

null

Additional service principals beyond GuardDuty that should have access to the KMS key used to encrypt the logs.

list(object({
# The name of the service principal (e.g.: s3.amazonaws.com).
name = string

# The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey",
# "kms:GenerateDataKey"]).
actions = list(string)

# List of additional service principals. Useful when, for example, granting
# access to opt-in region service endpoints (e.g. guardduty.us-east-1.amazonaws.com).
additional_principals = list(string)

# List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the
# permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts).
conditions = list(object({
# Name of the IAM condition operator to evaluate.
test = string

# Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables
# starting with aws: or service-specific variables prefixed with the service name.
variable = string

# Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one
# of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
values = list(string)
}))
}))
[]

All GuardDuty findings will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have read-only access to the data.

[]

After this number of days, findings should be transitioned from S3 to Glacier. Enter 0 to never archive findings.

30

After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.

365

Additional IAM policies to apply to this S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
{
  AllIamUsersReadAccess = {
    effect     = "Allow"
    actions    = ["s3:GetObject"]
    principals = {
      AWS = ["arn:aws:iam::111111111111:user/ann", "arn:aws:iam::111111111111:user/bob"]
    }
    condition = {
      SourceVPCCheck = {
        test     = "StringEquals"
        variable = "aws:SourceVpc"
        values   = ["vpc-abcd123"]
      }
    }
  }
}

Ideally, this would be a map(object({...})), but the Terraform object type constraint doesn't support optional parameters, whereas IAM policy statements have many optional params. And we can't even use map(any), as the Terraform map type constraint requires all values to have the same type ("shape"), but as each object in the map may specify different optional params, this won't work either. So, sadly, we are forced to fall back to "any."

The S3 bucket ARN to which the findings get exported.

null

The name of the S3 Bucket where GuardDuty findings will be stored.

null

Optional prefix directory to create in the bucket. Must contain a trailing '/'. If you use a prefix for S3 findings publishing, you must pre-create the prefix in the findings bucket. See https://github.com/hashicorp/terraform-provider-aws/issues/16750.

null

Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store GuardDuty findings. This cannot be used to toggle the setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module.

false

The bucket prefix without trailing '/' under which the findings get exported. The prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.

null

Whether to create a bucket for GuardDuty findings. If set to true, you must provide the guardduty_findings_s3_bucket_name.

false

Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true.

"guardduty-findings"
guardduty_findings_tags (map(string), optional)

Tags to apply to the GuardDuty findings resources (S3 bucket and CMK).

{}

The invitation message to send to the member accounts.

"Please accept GuardDuty invitation."
guardduty_member_accounts (map(object(…)), optional)

Map of member accounts to add to GuardDuty, where the key is the AWS account number. Use this to add Organization accounts to the delegated admin account, or to invite member accounts by invitation.

map(object({
email = string
}))
{}

Publish GuardDuty findings to an S3 bucket.

false

Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.

false

The name of the IAM Access Analyzer module

"baseline_security-iam_access_analyzer"

If set to ACCOUNT, the analyzer will only scan the AWS account it is in. If set to ORGANIZATION, it will scan the organization's AWS account and the child accounts.

"ACCOUNT"

A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning']. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access.

[]
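
The warning about iam in both dev_permitted_services and iam_group_developers_permitted_services can be enforced mechanically instead of relying on review. The snippet below is an added example, not part of the module's documentation or code: a root-module variable with a Terraform validation block that fails the plan if the list contains iam, then fed to both inputs. The variable name developer_services and its default list are assumptions.

```hcl
# Added example (not from the module docs): reject "iam" at plan time.
# The variable name and default list are constructed for this example.
variable "developer_services" {
  description = "IAM service namespaces the developers get full access to"
  type        = list(string)
  default     = ["ec2", "machinelearning"]

  validation {
    # Compare case-insensitively so "IAM" cannot slip past the check.
    condition     = !contains([for s in var.developer_services : lower(s)], "iam")
    error_message = "developer_services must not contain \"iam\": full iam:* access is de facto admin access."
  }
}

# Inside the module "account_baseline_security" block, pass the validated list
# to both the IAM group and the cross-account developer inputs:
iam_group_developers_permitted_services = var.developer_services
dev_permitted_services                  = var.developer_services
```

Because a validation block may only reference its own variable, the check runs before any provider call, so a misconfigured list never reaches AWS.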

The name of the IAM Group that allows automated deployment by granting the permissions specified in auto_deploy_permissions.

"_machine.ecs-auto-deploy"

The name to be used for the IAM Group that grants read/write access to all billing features in AWS.

"billing"

The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers.

"developers"

The name to be used for the IAM Group that grants full access to all AWS resources.

"full-access"

The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access.

"iam-admin"

The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account.

"iam-user-self-mgmt"
iam_group_name_logs (string, optional)

The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS.

"logs"

The name to be used for the IAM Group that grants read-only access to all AWS resources.

"read-only"

The name of the IAM Group that allows access to AWS Support.

"support"

The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles.

"use-existing-iam-roles"

The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups.

[
"ssh-grunt-sudo-users"
]

The list of names to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in an empty list to disable creation of the IAM groups.

[
"ssh-grunt-users"
]
iam_groups_for_cross_account_access (list(object(…)), optional)

This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields 'group_name', which will be used as the name of the IAM group, and 'iam_role_arns', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts).

list(object({
group_name = string
iam_role_arns = list(string)
}))
[]
Example
default = [
  {
    group_name    = "stage-full-access"
    iam_role_arns = ["arn:aws:iam::123445678910:role/mgmt-full-access"]
  },
  {
    group_name    = "prod-read-only-access"
    iam_role_arns = [
      "arn:aws:iam::9876543210:role/prod-read-only-ec2-access",
      "arn:aws:iam::9876543210:role/prod-read-only-rds-access"
    ]
  }
]

Allow users to change their own password.

true

Password expiration requires administrator reset.

false

Number of days before password expiration.

30

Password minimum length.

16

Number of passwords before allowing reuse.

5

Require at least one lowercase character in password.

true

Require at least one number in password.

true

Require at least one symbol in password.

true

Require at least one uppercase character in password.

true

The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account.

"iam-user-self-mgmt"
iam_role_tags (map(string), optional)

The tags to apply to all the IAM role resources.

{}

Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'.

"443"

Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'.

null
kms_cmk_global_tags (map(string), optional)

A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value.

{}

You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Each entry in the map supports the following attributes:

OPTIONAL (defaults to value of corresponding module input):
- region string : The region (e.g., us-west-2) where the key should be created. If null or omitted, the key will be created in all enabled regions. Any keys targeting an opted out region or invalid region string will show up in the invalid_cmk_inputs output.
- replica_regions list(string) : The regions (e.g., us-west-2) where the key should be replicated using the multi-region KMS key feature of AWS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html). When the special region "*" is included (e.g., replica_regions = ["*"]), the key will be replicated in all enabled regions. This is different from creating the key in every region using region = null: when creating the key in every region, a new, different key is provisioned for each region. With replica_regions, the same key is replicated in every region such that it can decrypt the same encrypted data in each region.
- cmk_administrator_iam_arns list(string) : A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_read_only_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given read-only (decrypt-only) permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>).
- cmk_external_user_iam_arns list(string) : A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root).
- cmk_describe_only_user_iam_arns list(object[CMKUser]) : A list of IAM ARNs for users who should be given describe-only (kms:DescribeKey) permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). This is useful for deploying services that depend on the key (e.g., Cloudtrail) in other accounts, to trade key aliases for CMK ARNs.
- allow_manage_key_permissions_with_iam bool : If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient.
- deletion_window_in_days number : The number of days to keep this KMS Master Key around after it has been marked for deletion.
- tags map(string) : A map of tags to apply to the KMS Key to be created. In this map variable, the key is the tag name and the value is the tag value. Note that this map is merged with var.global_tags, and can be used to override tags specified in that variable.
- enable_key_rotation bool : Whether or not to enable automatic annual rotation of the KMS key.
- spec string : Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1.
- cmk_service_principals list(object[ServicePrincipal]) : A list of Service Principals that should be given permissions to use this CMK (e.g. s3.amazonaws.com). See below for the structure of the object that should be passed in.

Structure of ServicePrincipal object:
- name string : The name of the service principal (e.g.: s3.amazonaws.com).
- actions list(string) : The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey", "kms:GenerateDataKey"]).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts). The condition object accepts the same fields as the condition block on the IAM policy document (see https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#condition).

Structure of CMKUser object:
- name list(string) : The list of names of the AWS principal (e.g.: arn:aws:iam::0000000000:user/dev).
- conditions list(object[Condition]) : (Optional) List of conditions to apply to the permissions for the CMK User. Use this to apply conditions on the permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts). The condition object accepts the same fields as the condition block on the IAM policy document (see https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#condition).

Example:
kms_customer_master_keys = {
  cmk-stage = {
    region                     = "us-west-1"
    cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
    cmk_user_iam_arns = [
      {
        name       = ["arn:aws:iam::0000000000:user/dev"]
        conditions = []
      }
    ]
    cmk_read_only_user_iam_arns = [
      {
        name       = ["arn:aws:iam::0000000000:user/qa"]
        conditions = []
      }
    ]
    cmk_describe_only_user_iam_arns = [
      {
        name       = ["arn:aws:iam::0000000000:user/qa"]
        conditions = []
      }
    ]
    cmk_external_user_iam_arns = ["arn:aws:iam::1111111111:user/root"]
    cmk_service_principals = [
      {
        name       = "s3.amazonaws.com"
        actions    = ["kms:Encrypt"]
        conditions = []
      }
    ]
  }
  cmk-prod = {
    region                     = "us-east-1"
    cmk_administrator_iam_arns = ["arn:aws:iam::0000000000:user/admin"]
    cmk_user_iam_arns = [
      {
        name       = ["arn:aws:iam::0000000000:user/prod"]
        conditions = []
      }
    ]
    allow_manage_key_permissions_with_iam = true
    # Override the default value for all keys configured with var.default_deletion_window_in_days
    deletion_window_in_days = 7

    # Set extra tags on the CMK for prod
    tags = {
      Environment = "prod"
    }
  }
}

kms_grant_regions (map(string), optional)

The map of names of KMS grants to the region where the key resides. There should be a one-to-one mapping between entries in this map and the entries of the kms_grants map. This is used to work around a Terraform limitation where the for_each value cannot depend on resources.

{}
kms_grants (map(object(…)), optional)

Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account.

map(object({
# ARN of the KMS CMK that the grant applies to. Note that the region is introspected based on the ARN.
kms_cmk_arn = string

# The principal that is given permission to perform the operations that the grant permits. This must be in ARN
# format. For example, the grantee principal for ASG is:
# arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
grantee_principal = string

# A list of operations that the grant permits. The permitted values are:
# Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant,
# RetireGrant, DescribeKey
granted_operations = list(string)
}))
{}
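
As an added example that is not part of the module's documentation, here is a kms_grants entry paired with the kms_grant_regions entry it needs, using the Auto Scaling service-linked role named in the type comment above as the grantee. The account id, key id and grant name are constructed placeholders; the operation list is the set Auto Scaling uses when launching instances whose EBS volumes are encrypted under a customer managed key.

```hcl
# Added example (not from the module docs): a KMS grant for the Auto Scaling
# service-linked role, plus the matching kms_grant_regions entry.
# Account id, key id and grant name below are constructed placeholders.
locals {
  account_id  = "111122223333"
  ebs_cmk_arn = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
}

# Inside the module "account_baseline_security" block:
kms_grants = {
  asg-ebs-volumes = {
    kms_cmk_arn       = local.ebs_cmk_arn
    grantee_principal = "arn:aws:iam::${local.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    # Operations Auto Scaling needs to attach EBS volumes encrypted under this CMK.
    # Nothing else (no RetireGrant, no key administration) is granted.
    granted_operations = [
      "Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
      "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "DescribeKey", "CreateGrant",
    ]
  }
}

# Same map key as in kms_grants, mapped to the region of the CMK in kms_cmk_arn.
# Keep this a literal: the module feeds it to for_each, so it must be known at plan time.
kms_grant_regions = {
  asg-ebs-volumes = "us-east-1"
}
```

If kms_cmk_arn comes from another module's output, only kms_grant_regions has to stay a literal; that is precisely the limitation the second map exists to work around.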

The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see max_session_duration_machine_users.

43200

The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see max_session_duration_human_users.

3600
organization_configuration_features (map(object(…)), optional)

Map of organization configuration features to enable, where the key is the feature name and the value is the feature configuration. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature

map(object({
auto_enable = string
additional_configuration = list(object({
name = string
auto_enable = string
}))
}))
{}

Force the user to reset their password on initial login. Only used for users with create_login_profile set to true.

true

KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule.

null
recording_mode (object(…), optional)

The mode for AWS Config to record configuration changes.

recording_frequency: The frequency with which AWS Config records configuration changes (service defaults to CONTINUOUS). Valid values:

  • CONTINUOUS
  • DAILY

You can also override the recording frequency for specific resource types with recording_mode_override, which has the following fields:

  • description: A description for the override.
  • recording_frequency: The frequency with which AWS Config records configuration changes for the specified resource types (CONTINUOUS or DAILY).
  • resource_types: A list of resource types for which AWS Config records configuration changes. For example, AWS::EC2::Instance.

See the following for more information: https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html

recording_mode = {
  recording_frequency = "DAILY"
  recording_mode_override = {
    description         = "Override for specific resource types"
    recording_frequency = "CONTINUOUS"
    resource_types      = ["AWS::EC2::Instance"]
  }
}

object({
  recording_frequency = string
  recording_mode_override = optional(object({
    description = string
    recording_frequency = string
    resource_types = list(string)
  }))
})
null
service_linked_roles (set(string), optional)

Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles.

[]

Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in auto_deploy_permissions. (true or false)

false

Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false)

false

Should we create the IAM Group for access to all external AWS accounts?

true

Should we create the IAM Group for developers? The permissions of that group are specified via iam_group_developers_permitted_services. (true or false)

false

Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false)

true

Should we create the IAM Group for IAM administrator access? Allows users to manage all IAM entities, effectively granting administrator access. (true or false)

false

Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If cloudtrail_kms_key_arn is set, will also give decrypt access to a KMS CMK. (true or false)

false

Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false)

false

Should we create the IAM Group for support? Allows support access (AWSSupportAccess). (true or false)

false

Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false)

false

Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false)

true
should_require_mfa bool optional

Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false)

true

When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards.

true
users any optional

A map of users to create. The keys are the user names and the values are an object with the following optional keys:

  • groups: a list of IAM groups to add the user to.
  • tags: a map of tags to apply to the user.
  • pgp_key: either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true.
  • create_login_profile: if set to true, create a password to login to the AWS Web Console.
  • create_access_keys: if set to true, create access keys for the user.
  • path: the path.
  • permissions_boundary: the ARN of the policy that is used to set the permissions boundary for the user.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
Example
users = {
  alice = {
    groups = ["user-self-mgmt", "developers", "ssh-sudo-users"]
  }

  bob = {
    path   = "/"
    groups = ["user-self-mgmt", "ops", "admins"]
    tags = {
      foo = "bar"
    }
  }

  carol = {
    groups               = ["user-self-mgmt", "developers", "ssh-users"]
    pgp_key              = "keybase:carol_on_keybase"
    create_login_profile = true
    create_access_keys   = true
  }
}

Details

Ideally, this would be a map of (string, object), but object does not support optional properties, and we want users to be able to specify, say, tags for some users, but not for others. We can't use a map(any) either, as that would require the values to all have the same type, and due to optional parameters, that wouldn't work either. So, we have to lamely fall back to any.
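Because the module's users variable is typed any, nothing in the module checks the shape of each entry, and a malformed user (a misspelled key, or credentials requested without a pgp_key to encrypt them) is only caught at apply time, if at all. The following is an added example, not code from the module or from this page: a wrapper variable declared in the calling root module with validation blocks that enforce the constraints from the users description above, so the failure happens at plan time. The allowed key names mirror the description; the accepted pgp_key formats and the permissions_boundary ARN pattern are assumptions about what the module expects. The value is then passed through unchanged as users = var.users on the module call (the module block itself is omitted here).

```hcl
# Added example: a root-module wrapper for the module's "users" input.
# Not the module's own code. Pass it through as users = var.users.

variable "users" {
  description = "IAM users to create; same shape as the module's 'users' input."
  type        = any
  default     = {}

  # Only the keys documented for the module are allowed. A typo such as
  # "create_access_key" would otherwise be silently ignored by the module.
  validation {
    condition = alltrue([
      for name, u in var.users :
      length(setsubtract(keys(u), [
        "groups", "tags", "pgp_key", "create_login_profile",
        "create_access_keys", "path", "permissions_boundary",
      ])) == 0
    ])
    error_message = "Each user may only set groups, tags, pgp_key, create_login_profile, create_access_keys, path and permissions_boundary."
  }

  # A console password or access keys must be encrypted to the user's PGP
  # key, so pgp_key is mandatory whenever either is requested. The accepted
  # formats (keybase:<username> or a base-64 public key) are an assumption.
  validation {
    condition = alltrue([
      for name, u in var.users :
      !(try(u.create_login_profile, false) || try(u.create_access_keys, false)) ||
      can(regex("^(keybase:[A-Za-z0-9_]+|[A-Za-z0-9+/=\\s]+)$", u.pgp_key))
    ])
    error_message = "Users with create_login_profile or create_access_keys must set pgp_key (keybase:<username> or a base-64 encoded PGP public key)."
  }

  # groups, when present, must be a list of non-empty IAM group names.
  validation {
    condition = alltrue([
      for name, u in var.users :
      alltrue([for g in try(u.groups, []) : length(trimspace(tostring(g))) > 0])
    ])
    error_message = "groups must be a list of non-empty IAM group names."
  }

  # permissions_boundary, when present, must be an IAM policy ARN so that a
  # bad value cannot silently leave the user unbounded. The ARN pattern is an
  # assumption; adjust the partition if you are not in the aws partition.
  validation {
    condition = alltrue([
      for name, u in var.users :
      !can(u.permissions_boundary) ||
      can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", u.permissions_boundary))
    ])
    error_message = "permissions_boundary must be an IAM policy ARN."
  }
}
```

With this in place, `terraform plan` (or `terraform validate` when the value is known) rejects an entry such as `create_access_keys = true` without a `pgp_key` before any IAM user is created, rather than failing partway through an apply or producing a user whose secret is not encrypted.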