terraform-aws-secure-baseline v0.20 releases: set up your AWS account with the reasonably secure configuration baseline
See Benchmark Compliance to check which items in CIS benchmark are covered.
Identity and Access Management
- Sets up the IAM password policy.
- Creates separate IAM roles for defining privileges and assigning them to entities such as IAM users and groups.
- Creates an IAM role for contacting AWS Support for incident handling.
- Enables AWS Config rules to audit the root account's status.
Logging & Monitoring
- Enables CloudTrail in all regions and delivers events to CloudWatch Logs.
- Encrypts CloudTrail logs using the AWS Key Management Service.
- Stores all logs in an S3 bucket with access logging enabled.
- Archives logs automatically into Amazon Glacier after the given period (defaults to 90 days).
- Sets up CloudWatch alarms to notify you when critical changes happen in your AWS account.
- Enables AWS Config in all regions to automatically take configuration snapshots.
- Enables Security Hub and subscribes to the CIS benchmark standard.
- Removes all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
- Enables AWS Config rules to audit unrestricted common ports in security group rules.
- Enables VPC Flow Logs for the default VPC in all regions.
- Enables GuardDuty in all regions.
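The items above are what the module applies; verifying them afterwards is a separate step. The following added example (not part of terraform-aws-secure-baseline) checks a few of them offline against the field names boto3 returns from describe_trails, get_bucket_logging and describe_security_groups; the sample responses and ARNs are constructed, and a real run would feed the live API responses into the same functions.

```python
# Added example (not part of terraform-aws-secure-baseline): offline checks for a few
# baseline items, keyed on the field names boto3 returns from describe_trails,
# get_bucket_logging and describe_security_groups. Sample responses are constructed.

def check_trail(trail: dict) -> list:
    """Return the logging items a CloudTrail trail description fails."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail does not deliver events to CloudWatch Logs")
    if not trail.get("KmsKeyId"):
        findings.append("trail log files are not encrypted with a KMS key")
    return findings

def check_bucket_logging(logging_status: dict) -> list:
    """get_bucket_logging includes LoggingEnabled only when access logging is on."""
    return [] if "LoggingEnabled" in logging_status else ["audit bucket has no access logging"]

def check_default_sg(sg: dict) -> list:
    """The default security group must carry no ingress and no egress rules."""
    if sg.get("GroupName") != "default":
        return []  # only the default group is in scope
    findings = []
    if sg.get("IpPermissions"):
        findings.append("default security group has ingress rules")
    if sg.get("IpPermissionsEgress"):
        findings.append("default security group has egress rules")
    return findings

# Constructed sample data: compliant trail and bucket, non-compliant default SG.
SAMPLE_TRAIL = {
    "Name": "audit-trail", "IsMultiRegionTrail": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
SAMPLE_BUCKET_LOGGING = {"LoggingEnabled": {"TargetBucket": "audit-access-logs", "TargetPrefix": "s3/"}}
SAMPLE_DEFAULT_SG = {
    "GroupName": "default", "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def run_checks() -> dict:
    """Map each checked item to its list of findings (an empty list means compliant)."""
    return {
        "trail": check_trail(SAMPLE_TRAIL),
        "bucket": check_bucket_logging(SAMPLE_BUCKET_LOGGING),
        "default_sg": check_default_sg(SAMPLE_DEFAULT_SG),
    }
```

The default security group in the sample still carries the allow-all egress rule that the baseline removes, so it is the one item reported.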
- Make all roles optional (#115)
- Add a wildcard suffix to the log group ARN (#119)
Copyright (c) 2018 Takashi Nozawa