terraform-aws-secure-baseline v2.1 release: set up your AWS account with a reasonably secure configuration baseline
See Benchmark Compliance to check which items in the CIS benchmark are covered.
Identity and Access Management
- Set up the IAM account password policy.
- Create separate IAM roles for defining privileges and assign those roles to entities such as IAM users and groups.
- Create an IAM role for contacting AWS Support during incident handling.
- Enable AWS Config rules that audit the status of the root account.
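The IAM items above, written out as plain Terraform resources. This is an added example, not the module's own code: the role, group and rule names are arbitrary choices, the password-policy values are the CIS-recommended ones, and the example assumes a configuration recorder already exists in the region (the Config rules do nothing until one does).

```hcl
data "aws_caller_identity" "current" {}

# Account password policy with the CIS-recommended settings: 14+ characters,
# all four character classes, no reuse of the last 24 passwords, 90-day
# maximum age, and users may change their own passwords.
resource "aws_iam_account_password_policy" "baseline" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24
  max_password_age               = 90
}

# Privileges live on roles, not on users. The trust policy admits any
# principal in this account, but only after it authenticated with MFA;
# the principal still needs its own sts:AssumeRole permission (see the
# group policy below).
locals {
  assume_with_mfa = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}

# A read-only role, and a group whose only permission is to assume it.
# Role, group and policy names are assumptions.
resource "aws_iam_role" "read_only" {
  name               = "baseline-read-only"
  assume_role_policy = local.assume_with_mfa
}

resource "aws_iam_role_policy_attachment" "read_only" {
  role       = aws_iam_role.read_only.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_group" "auditors" {
  name = "auditors"
}

resource "aws_iam_group_policy" "auditors_assume" {
  name  = "assume-read-only-role"
  group = aws_iam_group.auditors.name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.read_only.arn }]
  })
}

# Role for opening AWS Support cases during an incident. It carries nothing
# beyond the AWS-managed AWSSupportAccess policy.
resource "aws_iam_role" "support" {
  name               = "baseline-support"
  assume_role_policy = local.assume_with_mfa
}

resource "aws_iam_role_policy_attachment" "support" {
  role       = aws_iam_role.support.name
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}

# AWS Config managed rules that audit the root account: MFA must be enabled
# and no access keys may exist for it. Both are regional and evaluate only
# once a configuration recorder is running in the region.
resource "aws_config_config_rule" "root_mfa" {
  name = "root-account-mfa-enabled"
  source {
    owner             = "AWS"
    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
  }
}

resource "aws_config_config_rule" "root_access_keys" {
  name = "iam-root-access-key-check"
  source {
    owner             = "AWS"
    source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
  }
}
```

The point of the trust-policy condition is that a leaked long-lived user credential alone cannot reach the privileged role; the user's own policy grants nothing but `sts:AssumeRole`, and the role refuses sessions without MFA.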
Logging & Monitoring
- Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
- CloudTrail logs are encrypted with AWS Key Management Service (KMS).
- All logs are stored in an S3 bucket with server access logging enabled.
- Logs are automatically archived to Amazon Glacier after a configurable period (defaults to 90 days).
- Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enable AWS Config in all regions to automatically take configuration snapshots.
- Enable Security Hub and subscribe to the CIS benchmark standard.
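The CloudTrail, KMS and S3 items above as plain Terraform, written for this page as an added example rather than taken from the module. Bucket names, the trail name and the 365-day figures are assumptions; the 90-day Glacier transition matches the module's stated default. CloudWatch Logs delivery is not shown here.

```hcl
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

# KMS key for the trail. CloudTrail may generate data keys only for trails
# in this account (encryption-context condition); the account root keeps
# administrative access so the key cannot become unmanageable.
resource "aws_kms_key" "cloudtrail" {
  description         = "CloudTrail log encryption"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "AccountAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" } },
      { Sid = "CloudTrailEncrypt", Effect = "Allow", Action = "kms:GenerateDataKey*", Resource = "*",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Condition = { StringLike = { "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${local.account_id}:trail/*" } } },
      { Sid = "CloudTrailDescribe", Effect = "Allow", Action = "kms:DescribeKey", Resource = "*",
        Principal = { Service = "cloudtrail.amazonaws.com" } },
    ]
  })
}

# Audit bucket, with its server access logs delivered to a second bucket.
# Bucket names are assumptions (S3 names are global).
resource "aws_s3_bucket" "audit" {
  bucket = "example-audit-logs-${local.account_id}"
}

resource "aws_s3_bucket" "access_logs" {
  bucket = "example-audit-access-logs-${local.account_id}"
}

# The S3 log-delivery service must be allowed to write into the target.
resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Sid = "S3ServerAccessLogsPolicy", Effect = "Allow", Action = "s3:PutObject",
      Principal = { Service = "logging.s3.amazonaws.com" }, Resource = "${aws_s3_bucket.access_logs.arn}/audit-bucket/*" }]
  })
}

resource "aws_s3_bucket_logging" "audit" {
  bucket        = aws_s3_bucket.audit.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "audit-bucket/"
  depends_on    = [aws_s3_bucket_policy.access_logs]
}

# Archive objects to Glacier after 90 days, the module's default period.
resource "aws_s3_bucket_lifecycle_configuration" "audit" {
  bucket = aws_s3_bucket.audit.id
  rule {
    id     = "archive-to-glacier"
    status = "Enabled"
    filter {}
    transition {
      days          = 90
      storage_class = "GLACIER"
    }
  }
}

# CloudTrail may check the bucket ACL and write only under its own prefix.
resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "AWSCloudTrailAclCheck", Effect = "Allow", Action = "s3:GetBucketAcl",
        Principal = { Service = "cloudtrail.amazonaws.com" }, Resource = aws_s3_bucket.audit.arn },
      { Sid = "AWSCloudTrailWrite", Effect = "Allow", Action = "s3:PutObject",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Resource  = "${aws_s3_bucket.audit.arn}/AWSLogs/${local.account_id}/*",
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } },
    ]
  })
}

# One multi-region trail. Log file validation adds signed digest files so
# that deleted or modified log files can be detected afterwards.
resource "aws_cloudtrail" "main" {
  name                          = "account-audit-trail"
  s3_bucket_name                = aws_s3_bucket.audit.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  kms_key_id                    = aws_kms_key.cloudtrail.arn
  depends_on                    = [aws_s3_bucket_policy.audit]
}
```

Two things a practitioner should add on top of this: an `aws_s3_bucket_public_access_block` on both buckets, and, in accounts created before S3 disabled ACLs by default, the `log-delivery-write` ACL on the access-log bucket instead of (or in addition to) the bucket policy shown.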
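The CloudWatch Logs delivery and the "critical change" alarms, as an added example that is not part of the module. It assumes a CloudTrail trail is configured to deliver to this log group (the trail's cloud_watch_logs_group_arn and cloud_watch_logs_role_arn arguments point at the two resources below); the filter patterns are the CIS benchmark ones, with the IAM-policy pattern shortened to a few events, and the names, namespace and retention are assumptions.

```hcl
# Log group the trail delivers to, and the role CloudTrail assumes to write
# into it. The role can create streams and put events in this group only.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "cloudtrail-events"
  retention_in_days = 365
}

resource "aws_iam_role" "cloudtrail_logs" {
  name = "cloudtrail-to-cloudwatch-logs"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "cloudtrail.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "cloudtrail_logs" {
  role = aws_iam_role.cloudtrail_logs.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["logs:CreateLogStream", "logs:PutLogEvents"], Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:*" }]
  })
}

# Where alarm notifications go; subscribing an endpoint (e-mail, pager) is a
# separate step.
resource "aws_sns_topic" "security_alarms" {
  name = "security-alarms"
}

# Critical changes worth an alarm, as CloudWatch Logs filter patterns over
# the CloudTrail event JSON. Each entry becomes one metric filter and one
# alarm. The IAM-policy pattern lists only a subset of the CIS events.
locals {
  alarm_filters = {
    root_usage                = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
    unauthorized_api_calls    = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
    console_login_without_mfa = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
    iam_policy_changes        = "{ ($.eventName = PutUserPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = CreatePolicyVersion) }"
    cloudtrail_changes        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  }
}

resource "aws_cloudwatch_log_metric_filter" "alarm" {
  for_each       = local.alarm_filters
  name           = each.key
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = each.value
  metric_transformation {
    name      = each.key
    namespace = "SecurityBaseline"
    value     = "1"
  }
}

# Fire on the first matching event in a five-minute window. Missing data is
# the normal state (no matching events), so it must not count as breaching.
resource "aws_cloudwatch_metric_alarm" "alarm" {
  for_each            = local.alarm_filters
  alarm_name          = each.key
  namespace           = "SecurityBaseline"
  metric_name         = each.key
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alarms.arn]
}
```

Note that these alarms only see what the trail delivers to CloudWatch Logs; if someone stops the trail, the `cloudtrail_changes` alarm is the last event you will get through this path, which is why that pattern belongs in the set.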
Networking
- Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
- Enable AWS Config rules to audit unrestricted common ports in Security Group rules.
- Enable VPC Flow Logs for the default VPC in all regions.
- Enable GuardDuty in all regions.
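The networking items above for a single region, as an added example (not the module's own code). Every resource here is regional, so "in all regions" means instantiating this once per region through a provider alias or a per-region module call. The log group, role and rule names, the retention period and the blocked-port list are assumptions, and the Config rule assumes a configuration recorder exists in the region.

```hcl
# Strip the default VPC of its permissive defaults. Declaring the
# aws_default_* resources with empty rule sets makes Terraform delete the
# allow-all rules in the default security group and NACL and the non-local
# routes in the default route table.
resource "aws_default_vpc" "default" {}

resource "aws_default_security_group" "default" {
  vpc_id = aws_default_vpc.default.id
  # no ingress or egress blocks: every rule is removed
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = aws_default_vpc.default.default_network_acl_id
  # no ingress or egress blocks: every rule is removed
}

resource "aws_default_route_table" "default" {
  default_route_table_id = aws_default_vpc.default.default_route_table_id
  route                  = [] # only the implicit local route remains
}

# Config managed rule: flag security groups that open the listed ports to
# 0.0.0.0/0. The port list is an assumption; pick the ones you care about.
resource "aws_config_config_rule" "restricted_common_ports" {
  name = "restricted-common-ports"
  source {
    owner             = "AWS"
    source_identifier = "RESTRICTED_INCOMING_TRAFFIC"
  }
  input_parameters = jsonencode({
    blockedPort1 = "22"
    blockedPort2 = "3389"
    blockedPort3 = "3306"
    blockedPort4 = "5432"
    blockedPort5 = "1433"
  })
}

# Flow logs for the default VPC, delivered to CloudWatch Logs through a role
# that can write only to the flow-log group.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "vpc-flow-logs-default"
  retention_in_days = 365
}

resource "aws_iam_role" "flow" {
  name = "vpc-flow-logs-to-cloudwatch"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "vpc-flow-logs.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "flow" {
  role = aws_iam_role.flow.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["logs:CreateLogStream", "logs:PutLogEvents"], Resource = "${aws_cloudwatch_log_group.flow.arn}:*" },
      { Effect = "Allow", Action = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"], Resource = "*" },
    ]
  })
}

resource "aws_flow_log" "default_vpc" {
  vpc_id               = aws_default_vpc.default.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}

# GuardDuty detector for this region.
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}
```

Emptying the default security group rather than deleting it matters because it cannot be deleted: any instance launched without an explicit group lands in it, and with no rules such an instance can neither accept nor initiate traffic until someone deliberately assigns a group.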
- enable CIS benchmark v1.4.0 standard (#308) (bb724cd)
- make audit log bucket access logs bucket name customizable (#303) (07dc101)
Copyright (c) 2018 Takashi Nozawa