├── Architecture.jpg
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── aws-security-hub-boostrap-and-operationalization
    ├── Architecture.jpg
    ├── README.md
    ├── cis_3-x.tf
    ├── cis_baseline_infrastructure.tf
    ├── cloudwatch-to-firehose.zip
    ├── config.tf
    ├── data.tf
    ├── elasticsearch_siem_extension.tf
    ├── provider.tf
    ├── prowler-integration
    │   └── README.md
    ├── security_hub_siem.tf
    ├── security_services.tf
    └── variables.tf
├── buildspec.yaml
├── provider.tf
├── variables.tf
├── waf-conditions.tf
└── waf-rules.tf


/Architecture.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-security-services-with-terraform/d4c043f6e93f256fedbbaa5becfd247ad992061b/Architecture.jpg


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing Guidelines
 2 | 
 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
 4 | documentation, we greatly value feedback and contributions from our community.
 5 | 
 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
 7 | information to effectively respond to your bug report or contribution.
 8 | 
 9 | 
10 | ## Reporting Bugs/Feature Requests
11 | 
12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features.
13 | 
14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
16 | 
17 | * A reproducible test case or series of steps
18 | * The version of our code being used
19 | * Any modifications you've made relevant to the bug
20 | * Anything unusual about your environment or deployment
21 | 
22 | 
23 | ## Contributing via Pull Requests
24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
25 | 
26 | 1. You are working against the latest source on the *master* branch.
27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
29 | 
30 | To send us a pull request, please:
31 | 
32 | 1. Fork the repository.
33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
34 | 3. Ensure local tests pass.
35 | 4. Commit to your fork using clear commit messages.
36 | 5. Send us a pull request, answering any default questions in the pull request interface.
37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
38 | 
39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
41 | 
42 | 
43 | ## Finding contributions to work on
44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
45 | 
46 | 
47 | ## Code of Conduct
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
50 | opensource-codeofconduct@amazon.com with any additional questions or comments.
51 | 
52 | 
53 | ## Security issue notifications
54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
55 | 
56 | 
57 | ## Licensing
58 | 
59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
60 | 
61 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
62 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 4 | this software and associated documentation files (the "Software"), to deal in
 5 | the Software without restriction, including without limitation the rights to
 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 7 | the Software, and to permit persons to whom the Software is furnished to do so.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 | 
16 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## How to use CI/CD to deploy and configure AWS security services with Terraform
 2 | 
 3 | This is sample code for the accompanying AWS Security Blog post How to use CI/CD to deploy and configure AWS security services with Terraform. A CodeBuild buildspec.yml and terraform config files to deploy a Global Web ACL & sample rules are provided. Other Terraform config files will be provided to give additional examples, however, the IAM policy provided through the blog will not cover most additional resources and you will need to make modifications. Readme's for each additional solution will live in their sub-folder.
 4 | 
 5 | ### Solutions Architecture
 6 | ![Architecture](https://github.com/aws-samples/aws-security-services-with-terraform/blob/master/Architecture.jpg)
 7 | 1.	Push your artifacts, Terraform configuration files and a build specification to a CodePipeline source
 8 | 2.	CodePipeline automatically invokes CodeBuild and downloads the source files
 9 | 3.	CodeBuild installs and executes Terraform according to our build specification
10 | 4.	Terraform stores our state files in S3 and a record of the deployment in DynamoDB
11 | 5.	Our WAF Web ACL is deployed and ready for use by our application teams
12 | 
13 | ## License
14 | 
15 | This library is licensed under the MIT-0 License. See the LICENSE file.


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/Architecture.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-security-services-with-terraform/d4c043f6e93f256fedbbaa5becfd247ad992061b/aws-security-hub-boostrap-and-operationalization/Architecture.jpg


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/README.md:
--------------------------------------------------------------------------------
 1 | ## AWS Security Hub - Bootstrap and Operationalization
 2 | ![Architecture](https://github.com/aws-samples/aws-security-services-with-terraform/blob/master/aws-security-hub-boostrap-and-operationalization/Architecture.jpg)
 3 | 
 4 | * ***NOTE*** These config files have been tested with Terraform v.0.11.14 and AWS Provider v2.46
 5 | 
 6 | The Terraform configuration files within this folder are designed to help customers bootstrap and operationalize Security Hub by enabling downstream services (Config, GuardDuty, Inspector), creating resources that are compliant with AWS CIS Foundations Benchmark controls and extending Security Hub via CloudWatch and Kinesis by consuming all findings into Elasticsearch Service and using Kibana as a Security Information & Event Management (SIEM) tool. All Terraform config files are created seperately to offer modularity (though all variables are within `variables.tf`) if you already have certain resources deployed, or you wanted to craft your own Terraform config files. You can reuse your same `provider.tf` file from the WAF Blog for this solution as well to retain your state in your remote backend.
 7 | 
 8 | ## Required IAM Permissions
 9 | You will need to modify the CodeBuild role created for the WAF Blog to allow it to create all of these resources, which include the below. You need to give Terraform full create/update/read/delete permissions to be able to apply, update, describe and delete your State.
10 | - CloudWatch Events
11 | - CloudWatch Logs
12 | - CloudTrail
13 | - Config
14 | - Cognito
15 | - EC2
16 | - Elasticsearch Service
17 | - GuardDuty
18 | - IAM
19 | - Inspector
20 | - Kinesis Data Streams
21 | - Kinesis Data Firehose
22 | - KMS
23 | - Lambda
24 | - S3
25 | - SNS
26 | - VPC
27 | 
28 | ## Terraform Configuration File Inventory
29 | ### variables.tf
30 | A majority of the variables in this config file are already filled out with `default` values. Comments are added to denote which variables belong to which config file.
31 | 
32 | ### config.tf
33 | This config file will create all resources needed to create and enable an AWS Config recorder, if you already have one the state applied with this config file will fail.
34 | 
35 | **NOTE** You may still need to go through the Config console and hit save for Config to be enabled.
36 | 
37 | ### security_services.tf
38 | This config file will enable a GuardDuty detector, Security Hub (and the AWS CIS Foundations Benchmark), an IAM Access Analyzer detector and create an Inspector template and target group that will target all EC2 instances with all assessment templates.
39 | 
40 | **NOTE** Ensure you replace the value for `aws_inspector_assessment_template.Inspector_Assessment_Template.rules_package_arns` with the proper Variable depending on your region, assessment templates are provided via a Terraform variable `list`, ensure you specify the correct one. If there are regions missing refer to [Amazon Inspector ARNS for Rules Packages](https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rules-arns.html) for more information on creating your own.
41 | 
42 | ### cis_baseline_infrastructure.tf
43 | This config file will create a multi-region CloudTrail trail along with a S3 bucket, CloudWatch Logs group, IAM Password Policy and Server Access Logging S3 Bucket that are all in compliance with CIS 1.x and 2.x controls. Additionally a VPC with private and public subnets, VPC flow logging and an empty default SG (compliant with CIS 4.3) and all IAM roles and policies needed will be created. This will help you be in compliance with CIS and can serve as a baseline for a new environment being created. The amount of AZs that will be created is dependnet on a variable named `Network_Resource_Count`, ensure you do not specify a value higher than the amount of AZs in your Region (i.e. 6 in us-east-1, 3 in us-east-2, etc.)
44 | 
45 | ### cis_3-x.tf
46 | This config file will create a SNS topic and all needed metric filters and alarms needed to be in compliance with CIS 3.x controls. This depends on the CloudWatch group that was created in `cis_baseline_infrastructure.tf`, if you decide to not use that file you will need to specify your own CloudWatch Log Group that CloudTrail publishes to.
47 | 
48 | **NOTE** Due to the way Terraform provisions resources, Email SNS subscriptions are not allowed to be created. **You must manually subscribe and accept an email subscription to the SNS topic for the Security Hub 3.x controls to be compliant.**
49 | 
50 | ### security_hub_siem.tf
51 | This config file will create an ElasticSearch Service domain, Cognito resources (for use for signing into Kibana) and a delivery pipeline that includes a CloudWatch Event Rule, Kinesis Data Stream and Kinesis Data Firehose Delivery Stream to send all findings from Security Hub to Elasticsearch Service for exploration and analysis in Kibana. All necessary IAM roles and event patterns are created in this configuration file, you will need to modify the Firehose resource if you would rather send logs to S3 or to Splunk.
52 | 
53 | ### elasticsearch_siem_extension.tf
54 | This config file creates infrastructure that will send VPC Flow Logs and CloudTrail logs from CloudWatch to the Elasticsearch Service domain created by `security_hub_siem.tf`. This pipeline uses CloudWatch Log subscriptions, Lambda functions, Kinesis Data Firehose Delivery Streams and IAM roles / policies to accomplish the task.
55 | 
56 | **NOTE** See the below section for information on using Scripted fields for converting the CloudWatch Log Epochtime to a timestamp.
57 | 
58 | ## Epochtime to Timestamp via Kibana Script fields
59 | In Kibana, select the indicies for your CloudTrail and VPC Flow logs and select the Script Fields tab and choose **Add scripted field** and configure the following:
60 | **Language**: painless
61 | **Type**: date
62 | **Format**: Date
63 | **Moment.js format pattern**: MMMM Do YYYY, HH:mm:ss.SSS
64 | **Script**: `doc['logEvents.timestamp'].value`
65 | 
66 | Save the field and you should be able to sort by this new field moving forward.
67 | 
68 | ## Troubleshooting
69 | #### Elasticsearch Service timeout
70 | Depending on the amount of nodes, Masters and the instance type Terraform may time out due to how long the Domain takes to deploy. Wait for it to be `Active` in the AWS Management Console and then re-apply state after it has completed to avoid race conditions or orphaned resources.
71 | 
72 | #### Master node support for Elasticsearch Service
73 | Master's were removed (`commit f3f5d259ef53aaee3de0175cb37a2d88d55bfdf2`) from the template due to potential timeouts depending on Region and count of masters. To add them back in, replace the `cluster_config` with the following values. Please note, you will need to also add the reference variables to `variables.tf`:
74 | ```hcl
75 | cluster_config {
76 |     dedicated_master_enabled = true
77 |     zone_awareness_enabled   = true
78 |     instance_type            = "${var.ElasticSearch_Domain_Instance_Type}"
79 |     instance_count           = "${var.ElasticSearch_Domain_Instance_Count}"    
80 |     dedicated_master_type    = "${var.ElasticSearch_Master_Instance_Type}"
81 |     dedicated_master_count   = "${var.ElasticSearch_Master_Instance_Count}"
82 |   }
83 | ```
84 | 
85 | #### Terraform v.0.12.x Support
86 | These Config files are written to v0.11.14, as was supported by the original WAF Terraform CI/CD blog, these will not work for v0.12.x without modifications.
87 | 
88 | #### Error creating <resource>: ValidationException: 
89 | Terraform has been observed throwing validation errors when creating a large amount of resources (this solution is over 100 resources), if you are running in CI/CD release the change again to deploy the missing state. If you are running from your local computer call `terraform apply` again.
90 | 
91 | #### aws_inspector_assessment_template.Inspector_Assessment_Template: NoSuchEntityException
92 | Ensure you are using the Assessment Template variable that matches the region you are deploying to.
93 | 
94 | #### Security Hub has compliance controls with "unknown" results
95 | Due to the way the graph for this whole solution works, Security Hub & the CIS AWS Foundations Benchmark compliance standard may be enabled before a majority of the resources. Some are periodic (3.x rules, namely) and will become Passed after you have subscribed to the SNS topic. If the problem persists after 24 hours, disable and re-enable the standard.
96 | 
97 | ## License
98 | 
99 | This library is licensed under the MIT-0 License. See the LICENSE file.


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/cis_3-x.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | # SNS topic to receive CIS 3.x alerts
 18 | # You will need to subscribe via email manually as this is unsupported by terraform
 19 | resource "aws_sns_topic" "CIS_Alerts_SNS_Topic" {
 20 |   name_prefix = "${var.CIS_SNS_Prefix}"
 21 | }
 22 | ## These next resources are the CloudWatch Log Metric Filter & associated Alarms to be in compliance with CIS Benchmarks
 23 | resource "aws_cloudwatch_log_metric_filter" "CIS_Unauthorized_API_Calls_Metric_Filter" {
 24 |   name           = "CIS-UnauthorizedAPICalls"
 25 |   pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
 26 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
 27 | 
 28 |   metric_transformation {
 29 |     name      = "CIS-UnauthorizedAPICalls"
 30 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
 31 |     value     = "1"
 32 |   }
 33 | }
 34 | resource "aws_cloudwatch_metric_alarm" "CIS_Unauthorized_API_Calls_CW_Alarm" {
 35 |   alarm_name                = "CIS-3.1-UnauthorizedAPICalls"
 36 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
 37 |   evaluation_periods        = "1"
 38 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Unauthorized_API_Calls_Metric_Filter.id}"
 39 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
 40 |   period                    = "300"
 41 |   statistic                 = "Sum"
 42 |   threshold                 = "1"
 43 |   alarm_description         = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
 44 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
 45 |   insufficient_data_actions = []
 46 | }
 47 | resource "aws_cloudwatch_log_metric_filter" "CIS_No_MFA_Console_Signin_Metric_Filter" {
 48 |   name           = "CIS-ConsoleSigninWithoutMFA"
 49 |   pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
 50 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
 51 | 
 52 |   metric_transformation {
 53 |     name      = "CIS-ConsoleSigninWithoutMFA"
 54 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
 55 |     value     = "1"
 56 |   }
 57 | }
 58 | 
 59 | resource "aws_cloudwatch_metric_alarm" "CIS_No_MFA_Console_Signin_CW_Alarm" {
 60 |   alarm_name                = "CIS-3.2-ConsoleSigninWithoutMFA"
 61 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
 62 |   evaluation_periods        = "1"
 63 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_No_MFA_Console_Signin_Metric_Filter.id}"
 64 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
 65 |   period                    = "300"
 66 |   statistic                 = "Sum"
 67 |   threshold                 = "1"
 68 |   alarm_description         = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
 69 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
 70 |   insufficient_data_actions = []
 71 | }
 72 | 
 73 | resource "aws_cloudwatch_log_metric_filter" "CIS_Root_Account_Use_Metric_Filter" {
 74 |   name           = "CIS-RootAccountUsage"
 75 |   pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
 76 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
 77 | 
 78 |   metric_transformation {
 79 |     name      = "CIS-RootAccountUsage"
 80 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
 81 |     value     = "1"
 82 |   }
 83 | }
 84 | 
 85 | resource "aws_cloudwatch_metric_alarm" "CIS_Root_Account_Use_CW_Alarm" {
 86 |   alarm_name                = "CIS-3.3-RootAccountUsage"
 87 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
 88 |   evaluation_periods        = "1"
 89 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Root_Account_Use_Metric_Filter.id}"
 90 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
 91 |   period                    = "300"
 92 |   statistic                 = "Sum"
 93 |   threshold                 = "1"
 94 |   alarm_description         = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
 95 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
 96 |   insufficient_data_actions = []
 97 | }
 98 | resource "aws_cloudwatch_log_metric_filter" "CIS_IAM_Policy_Change_Metric_Filter" {
 99 |   name           = "CIS-IAMPolicyChanges"
100 |   pattern        = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
101 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
102 | 
103 |   metric_transformation {
104 |     name      = "CIS-IAMPolicyChanges"
105 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
106 |     value     = "1"
107 |   }
108 | }
109 | resource "aws_cloudwatch_metric_alarm" "CIS_IAM_Policy_Change_CW_Alarm" {
110 |   alarm_name                = "CIS-3.4-IAMPolicyChanges"
111 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
112 |   evaluation_periods        = "1"
113 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_IAM_Policy_Change_Metric_Filter.id}"
114 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
115 |   period                    = "300"
116 |   statistic                 = "Sum"
117 |   threshold                 = "1"
118 |   alarm_description         = "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact."
119 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
120 |   insufficient_data_actions = []
121 | }
122 | resource "aws_cloudwatch_log_metric_filter" "CIS_CloudTrail_Config_Change_Metric_Filter" {
123 |   name           = "CIS-CloudTrailChanges"
124 |   pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
125 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
126 | 
127 |   metric_transformation {
128 |     name      = "CIS-CloudTrailChanges"
129 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
130 |     value     = "1"
131 |   }
132 | }
133 | resource "aws_cloudwatch_metric_alarm" "CIS_CloudTrail_Config_Change_CW_Alarm" {
134 |   alarm_name                = "CIS-3.5-CloudTrailChanges"
135 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
136 |   evaluation_periods        = "1"
137 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_CloudTrail_Config_Change_Metric_Filter.id}"
138 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
139 |   period                    = "300"
140 |   statistic                 = "Sum"
141 |   threshold                 = "1"
142 |   alarm_description         = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
143 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
144 |   insufficient_data_actions = []
145 | }
146 | resource "aws_cloudwatch_log_metric_filter" "CIS_Console_AuthN_Failure_Metric_Filter" {
147 |   name           = "CIS-ConsoleAuthenticationFailure"
148 |   pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
149 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
150 | 
151 |   metric_transformation {
152 |     name      = "CIS-ConsoleAuthenticationFailure"
153 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
154 |     value     = "1"
155 |   }
156 | }
157 | resource "aws_cloudwatch_metric_alarm" "CIS_Console_AuthN_Failure_CW_Alarm" {
158 |   alarm_name                = "CIS-3.6-ConsoleAuthenticationFailure"
159 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
160 |   evaluation_periods        = "1"
161 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Console_AuthN_Failure_Metric_Filter.id}"
162 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
163 |   period                    = "300"
164 |   statistic                 = "Sum"
165 |   threshold                 = "1"
166 |   alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
167 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
168 |   insufficient_data_actions = []
169 | }
170 | resource "aws_cloudwatch_log_metric_filter" "CIS_Disable_Or_Delete_CMK_Metric_Filter" {
171 |   name           = "CIS-DisableOrDeleteCMK"
172 |   pattern        = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
173 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
174 | 
175 |   metric_transformation {
176 |     name      = "CIS-DisableOrDeleteCMK"
177 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
178 |     value     = "1"
179 |   }
180 | }
181 | resource "aws_cloudwatch_metric_alarm" "CIS_Disable_Or_Delete_CMK_CW_Alarm" {
182 |   alarm_name                = "CIS-3.7-DisableOrDeleteCMK"
183 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
184 |   evaluation_periods        = "1"
185 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Disable_Or_Delete_CMK_Metric_Filter.id}"
186 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
187 |   period                    = "300"
188 |   statistic                 = "Sum"
189 |   threshold                 = "1"
190 |   alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
191 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
192 |   insufficient_data_actions = []
193 | }
194 | resource "aws_cloudwatch_log_metric_filter" "CIS_S3_Bucket_Policy_Change_Metric_Filter" {
195 |   name           = "CIS-S3BucketPolicyChanges"
196 |   pattern        = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
197 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
198 | 
199 |   metric_transformation {
200 |     name      = "CIS-S3BucketPolicyChanges"
201 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
202 |     value     = "1"
203 |   }
204 | }
205 | resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" {
206 |   alarm_name                = "CIS-3.8-S3BucketPolicyChanges"
207 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
208 |   evaluation_periods        = "1"
209 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_S3_Bucket_Policy_Change_Metric_Filter.id}"
210 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
211 |   period                    = "300"
212 |   statistic                 = "Sum"
213 |   threshold                 = "1"
214 |   alarm_description         = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets."
215 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
216 |   insufficient_data_actions = []
217 | }
218 | resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" {
219 |   name           = "CIS-AWSConfigChanges"
220 |   pattern        = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
221 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
222 | 
223 |   metric_transformation {
224 |     name      = "CIS-AWSConfigChanges"
225 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
226 |     value     = "1"
227 |   }
228 | }
229 | resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" {
230 |   alarm_name                = "CIS-3.9-AWSConfigChanges"
231 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
232 |   evaluation_periods        = "1"
233 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_AWS_Config_Change_Metric_Filter.id}"
234 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
235 |   period                    = "300"
236 |   statistic                 = "Sum"
237 |   threshold                 = "1"
238 |   alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
239 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
240 |   insufficient_data_actions = []
241 | }
242 | resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" {
243 |   name           = "CIS-SecurityGroupChanges"
244 |   pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
245 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
246 | 
247 |   metric_transformation {
248 |     name      = "CIS-SecurityGroupChanges"
249 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
250 |     value     = "1"
251 |   }
252 | }
253 | resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" {
254 |   alarm_name                = "CIS-3.10-SecurityGroupChanges"
255 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
256 |   evaluation_periods        = "1"
257 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id}"
258 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
259 |   period                    = "300"
260 |   statistic                 = "Sum"
261 |   threshold                 = "1"
262 |   alarm_description         = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed."
263 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
264 |   insufficient_data_actions = []
265 | }
266 | resource "aws_cloudwatch_log_metric_filter" "CIS_Network_ACL_Changes_Metric_Filter" {
267 |   name           = "CIS-NetworkACLChanges"
268 |   pattern        = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
269 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
270 | 
271 |   metric_transformation {
272 |     name      = "CIS-NetworkACLChanges"
273 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
274 |     value     = "1"
275 |   }
276 | }
277 | resource "aws_cloudwatch_metric_alarm" "CIS_Network_ACL_Changes_CW_Alarm" {
278 |   alarm_name                = "CIS-3.11-NetworkACLChanges"
279 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
280 |   evaluation_periods        = "1"
281 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Network_ACL_Changes_Metric_Filter.id}"
282 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
283 |   period                    = "300"
284 |   statistic                 = "Sum"
285 |   threshold                 = "1"
286 |   alarm_description         = "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed."
287 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
288 |   insufficient_data_actions = []
289 | }
290 | resource "aws_cloudwatch_log_metric_filter" "CIS_Network_Gateway_Changes_Metric_Filter" {
291 |   name           = "CIS-NetworkGatewayChanges"
292 |   pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
293 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
294 | 
295 |   metric_transformation {
296 |     name      = "CIS-NetworkGatewayChanges"
297 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
298 |     value     = "1"
299 |   }
300 | }
301 | resource "aws_cloudwatch_metric_alarm" "CIS_Network_Gateway_Changes_CW_Alarm" {
302 |   alarm_name                = "CIS-3.12-NetworkGatewayChanges"
303 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
304 |   evaluation_periods        = "1"
305 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Network_Gateway_Changes_Metric_Filter.id}"
306 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
307 |   period                    = "300"
308 |   statistic                 = "Sum"
309 |   threshold                 = "1"
310 |   alarm_description         = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path."
311 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
312 |   insufficient_data_actions = []
313 | }
314 | resource "aws_cloudwatch_log_metric_filter" "CIS_Route_Table_Changes_Metric_Filter" {
315 |   name           = "CIS-RouteTableChanges"
316 |   pattern        = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
317 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
318 | 
319 |   metric_transformation {
320 |     name      = "CIS-RouteTableChanges"
321 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
322 |     value     = "1"
323 |   }
324 | }
325 | resource "aws_cloudwatch_metric_alarm" "CIS_Route_Table_Changes_CW_Alarm" {
326 |   alarm_name                = "CIS-3.13-RouteTableChanges"
327 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
328 |   evaluation_periods        = "1"
329 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_Route_Table_Changes_Metric_Filter.id}"
330 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
331 |   period                    = "300"
332 |   statistic                 = "Sum"
333 |   threshold                 = "1"
334 |   alarm_description         = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."
335 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
336 |   insufficient_data_actions = []
337 | }
338 | resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" {
339 |   name           = "CIS-VPCChanges"
340 |   pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
341 |   log_group_name = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
342 | 
343 |   metric_transformation {
344 |     name      = "CIS-VPCChanges"
345 |     namespace = "${var.CIS_Metric_Alarm_Namespace}"
346 |     value     = "1"
347 |   }
348 | }
349 | resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" {
350 |   alarm_name                = "CIS-3.14-VPCChanges"
351 |   comparison_operator       = "GreaterThanOrEqualToThreshold"
352 |   evaluation_periods        = "1"
353 |   metric_name               = "${aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id}"
354 |   namespace                 = "${var.CIS_Metric_Alarm_Namespace}"
355 |   period                    = "300"
356 |   statistic                 = "Sum"
357 |   threshold                 = "1"
358 |   alarm_description         = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
359 |   alarm_actions             = ["${aws_sns_topic.CIS_Alerts_SNS_Topic.arn}"]
360 |   insufficient_data_actions = []
361 | }
362 | 


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/cis_baseline_infrastructure.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | # create KMS key with default cloudtrail policy
 18 | resource "aws_kms_key" "Cloudtrail_KMS_CMK" {
 19 |   description             = "For CloudTrail - Managed by Terraform"
 20 |   deletion_window_in_days = 7
 21 |   is_enabled              = true
 22 |   enable_key_rotation     = true
 23 |   policy                  = <<POLICY
 24 | {
 25 |     "Version": "2012-10-17",
 26 |     "Id": "Key policy created by CloudTrail",
 27 |     "Statement": [
 28 |         {
 29 |             "Sid": "Enable IAM User Permissions",
 30 |             "Effect": "Allow",
 31 |             "Principal": {"AWS": [
 32 |                 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 33 |             ]},
 34 |             "Action": "kms:*",
 35 |             "Resource": "*"
 36 |         },
 37 |         {
 38 |             "Sid": "Allow CloudTrail to encrypt logs",
 39 |             "Effect": "Allow",
 40 |             "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
 41 |             "Action": "kms:GenerateDataKey*",
 42 |             "Resource": "*",
 43 |             "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"}}
 44 |         },
 45 |         {
 46 |             "Sid": "Allow CloudTrail to describe key",
 47 |             "Effect": "Allow",
 48 |             "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
 49 |             "Action": "kms:DescribeKey",
 50 |             "Resource": "*"
 51 |         },
 52 |         {
 53 |             "Sid": "Allow principals in the account to decrypt log files",
 54 |             "Effect": "Allow",
 55 |             "Principal": {"AWS": "*"},
 56 |             "Action": [
 57 |                 "kms:Decrypt",
 58 |                 "kms:ReEncryptFrom"
 59 |             ],
 60 |             "Resource": "*",
 61 |             "Condition": {
 62 |                 "StringEquals": {"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"},
 63 |                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"}
 64 |             }
 65 |         },
 66 |         {
 67 |             "Sid": "Allow alias creation during setup",
 68 |             "Effect": "Allow",
 69 |             "Principal": {"AWS": "*"},
 70 |             "Action": "kms:CreateAlias",
 71 |             "Resource": "*",
 72 |             "Condition": {"StringEquals": {
 73 |                 "kms:ViaService": "ec2.${var.AWS_REGION}.amazonaws.com",
 74 |                 "kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
 75 |             }}
 76 |         },
 77 |         {
 78 |             "Sid": "Enable cross account log decryption",
 79 |             "Effect": "Allow",
 80 |             "Principal": {"AWS": "*"},
 81 |             "Action": [
 82 |                 "kms:Decrypt",
 83 |                 "kms:ReEncryptFrom"
 84 |             ],
 85 |             "Resource": "*",
 86 |             "Condition": {
 87 |                 "StringEquals": {"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"},
 88 |                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"}
 89 |             }
 90 |         }
 91 |     ]
 92 | }
 93 | POLICY
 94 | }
 95 | # Create IAM Password Policy in accordance with CIS 1.5 - 1.11 controls
 96 | resource "aws_iam_account_password_policy" "CIS_Password_Policy" {
 97 |   minimum_password_length        = 15
 98 |   require_lowercase_characters   = true
 99 |   require_numbers                = true
100 |   require_uppercase_characters   = true
101 |   require_symbols                = true
102 |   allow_users_to_change_password = true
103 |   max_password_age               = 90
104 |   password_reuse_prevention      = 24
105 | }
106 | # Create S3 Bucket for Access logging
107 | resource "aws_s3_bucket" "Server_Access_Log_S3_Bucket" {
108 |   bucket_prefix = "${var.AccessLog_Bucket_Prefix}"
109 |   acl    = "log-delivery-write"
110 |   versioning {
111 |       enabled = true
112 |   }
113 |   server_side_encryption_configuration {
114 |     rule {
115 |       apply_server_side_encryption_by_default {
116 |         sse_algorithm     = "AES256"
117 |       }
118 |     }
119 |   }
120 | }
121 | # create cloudwatch log group for cloudtrail to write to, will be used by 3.x cloudwatch metrics & filters
122 | resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
123 |   name = "${var.CIS_CloudTrail_Trail_Name}-log-group"
124 | }
125 | # create IAM role and policy to allow cloudtrail to write logs to cloudwatch
126 | resource "aws_iam_role" "CloudWatch_LogsGroup_IAM_Role" {
127 |   name = "${var.CIS_CloudTrail_Trail_Name}-role"
128 |   assume_role_policy = <<EOF
129 | {
130 |   "Version": "2012-10-17",
131 |   "Statement": [
132 |     {
133 |       "Sid": "",
134 |       "Effect": "Allow",
135 |       "Principal": {
136 |         "Service": "cloudtrail.amazonaws.com"
137 |       },
138 |       "Action": "sts:AssumeRole"
139 |     }
140 |   ]
141 | }
142 | EOF
143 | }
144 | resource "aws_iam_role_policy" "CIS_CloudWatch_LogsGroup_Policy" {
145 |   name   = "${var.CIS_CloudTrail_Trail_Name}-policy"
146 |   role   = "${aws_iam_role.CloudWatch_LogsGroup_IAM_Role.id}"
147 |   policy = <<EOF
148 | {
149 |   "Version": "2012-10-17",
150 |   "Statement": [
151 |     {
152 |       "Action": [
153 |         "logs:CreateLogGroup",
154 |         "logs:CreateLogStream",
155 |         "logs:PutLogEvents",
156 |         "logs:DescribeLogGroups",
157 |         "logs:DescribeLogStreams"
158 |       ],
159 |       "Effect": "Allow",
160 |       "Resource": "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.arn}*"
161 |     }
162 |   ]
163 | }
164 | EOF
165 | }
166 | # create a CloudTrail trail that is compliant with CIS controls (2.1, 2.2, 2.4)
167 | resource "aws_cloudtrail" "CIS_CloudTrail_Trail" { 
168 |   name                          = "${var.CIS_CloudTrail_Trail_Name}" 
169 |   s3_bucket_name                = "${aws_s3_bucket.CIS_CloudTrail_Logs_S3_Bucket.id}"
170 |   include_global_service_events = true
171 |   is_multi_region_trail         = true
172 |   enable_log_file_validation    = true
173 |   kms_key_id                    = "${aws_kms_key.Cloudtrail_KMS_CMK.arn}"
174 |   cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.arn}"
175 |   cloud_watch_logs_role_arn     = "${aws_iam_role.CloudWatch_LogsGroup_IAM_Role.arn}"
176 |   depends_on                    = ["aws_s3_bucket_policy.CloudTrail_Bucket_Policy"]
177 |   event_selector {
178 |     read_write_type           = "All"
179 |     include_management_events = true
180 |   }
181 | }
182 | # create bucket and bucket policy for CloudTrail logs, compliant with CIS controls (2.3, 2.6)
183 | resource "aws_s3_bucket" "CIS_CloudTrail_Logs_S3_Bucket" {  
184 |   bucket_prefix = "${var.CloudTrail_Bucket_Prefix}" 
185 |   acl           = "private"
186 |   versioning {
187 |       enabled = true
188 |   }
189 |   logging {
190 |     target_bucket = "${aws_s3_bucket.Server_Access_Log_S3_Bucket.id}"
191 |     target_prefix = "cloudtrailaccess/"
192 |   }
193 |   server_side_encryption_configuration {
194 |     rule {
195 |       apply_server_side_encryption_by_default {
196 |         sse_algorithm     = "AES256"
197 |       }
198 |     }
199 |   }
200 | }
201 | resource "aws_s3_bucket_policy" "CloudTrail_Bucket_Policy" {
202 |   bucket = "${aws_s3_bucket.CIS_CloudTrail_Logs_S3_Bucket.id}"
203 |   policy = <<POLICY
204 | {
205 |     "Version": "2012-10-17",
206 |     "Statement": [
207 |         {
208 |             "Sid": "AWSCloudTrailAclCheck20150319",
209 |             "Effect": "Allow",
210 |             "Principal": {"Service": "cloudtrail.amazonaws.com"},
211 |             "Action": "s3:GetBucketAcl",
212 |             "Resource": "${aws_s3_bucket.CIS_CloudTrail_Logs_S3_Bucket.arn}"
213 |         },
214 |         {
215 |             "Sid": "AWSCloudTrailWrite20150319",
216 |             "Effect": "Allow",
217 |             "Principal": {"Service": "cloudtrail.amazonaws.com"},
218 |             "Action": "s3:PutObject",
219 |             "Resource": "${aws_s3_bucket.CIS_CloudTrail_Logs_S3_Bucket.arn}/*",
220 |             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
221 |         }
222 |     ]
223 | }
224 | POLICY
225 | }
226 | # Creates a reference VPC with private and public subnets
227 | resource "aws_vpc" "CIS_VPC" {
228 |   cidr_block           = "${var.CIS_VPC_CIDR}"
229 |   enable_dns_support   = true
230 |   enable_dns_hostnames = true
231 |   tags {
232 |       Name = "${var.CIS_VPC_Name_Tag}"
233 |   }
234 | }
235 | # create subnets
236 | resource "aws_subnet" "CIS_Public_Subnets" {
237 |   count                   = "${var.Network_Resource_Count}"
238 |   vpc_id                  = "${aws_vpc.CIS_VPC.id}"
239 |   cidr_block              = "${cidrsubnet(aws_vpc.CIS_VPC.cidr_block, 8, var.Network_Resource_Count + count.index)}"
240 |   availability_zone       = "${data.aws_availability_zones.Available_AZ.names[count.index]}"
241 |   map_public_ip_on_launch = true
242 |   tags {
243 |     Name = "${var.CIS_VPC_Name_Tag}-PUB-Subnet-${element(data.aws_availability_zones.Available_AZ.names, count.index)}"
244 |   }
245 | }
246 | resource "aws_subnet" "CIS_Private_Subnets" {
247 |   count             = "${var.Network_Resource_Count}"
248 |   vpc_id            = "${aws_vpc.CIS_VPC.id}"
249 |   cidr_block        = "${cidrsubnet(aws_vpc.CIS_VPC.cidr_block, 8, count.index)}"
250 |   availability_zone = "${data.aws_availability_zones.Available_AZ.names[count.index]}"
251 |   tags {
252 |     Name = "${var.CIS_VPC_Name_Tag}-PRIV-Subnet-${element(data.aws_availability_zones.Available_AZ.names, count.index)}"
253 |   }
254 | }
255 | # attach IGW
256 | resource "aws_internet_gateway" "CIS_IGW" {
257 |   vpc_id = "${aws_vpc.CIS_VPC.id}"
258 |   tags {
259 |       Name = "${var.CIS_VPC_Name_Tag}-IGW"
260 |   }
261 | }
262 | # create route tables, route table associations and nat gateway
263 | resource "aws_route_table" "CIS_Public_RTB" {
264 |   count  = "${var.Network_Resource_Count}"
265 |   vpc_id = "${aws_vpc.CIS_VPC.id}"
266 |   route {
267 |       cidr_block = "0.0.0.0/0"
268 |       gateway_id = "${aws_internet_gateway.CIS_IGW.id}"
269 |   }
270 |   tags {
271 |     Name = "PUB-RTB-${element(aws_subnet.CIS_Public_Subnets.*.id, count.index)}"
272 |   }
273 | }
274 | resource "aws_eip" "NATGW_Elastic_IPs" {
275 |   count      = "${var.Network_Resource_Count}"
276 |   vpc        = true
277 |   depends_on = ["aws_internet_gateway.CIS_IGW"]
278 |   tags {
279 |     Name = "NAT-Gateway-EIP-${element(aws_subnet.CIS_Public_Subnets.*.id, count.index)}"
280 |   }
281 | }
282 | resource "aws_nat_gateway" "CIS_NAT_Gateway" {
283 |   count         = "${var.Network_Resource_Count}"
284 |   subnet_id     = "${element(aws_subnet.CIS_Public_Subnets.*.id, count.index)}"
285 |   allocation_id = "${element(aws_eip.NATGW_Elastic_IPs.*.id, count.index)}"
286 |   tags {
287 |     Name = "NAT-Gateway-${element(aws_subnet.CIS_Public_Subnets.*.id, count.index)}"
288 |   }
289 | }
290 | resource "aws_route_table" "CIS_Private_RTB" {
291 |   count  = "${var.Network_Resource_Count}"
292 |   vpc_id = "${aws_vpc.CIS_VPC.id}"
293 |   route {
294 |     cidr_block = "0.0.0.0/0"
295 |     nat_gateway_id = "${element(aws_nat_gateway.CIS_NAT_Gateway.*.id, count.index)}"
296 |   }
297 |   tags {
298 |     Name = "PRIV-RTB-${element(aws_subnet.CIS_Private_Subnets.*.id, count.index)}"
299 |   }
300 | }
301 | resource "aws_route_table_association" "Public_Subnet_Association" {
302 |   count          = "${var.Network_Resource_Count}"
303 |   subnet_id      = "${element(aws_subnet.CIS_Public_Subnets.*.id, count.index)}"
304 |   route_table_id = "${element(aws_route_table.CIS_Public_RTB.*.id, count.index)}"
305 | }
306 | resource "aws_route_table_association" "Private_Subnet_Association" {
307 |   count          = "${var.Network_Resource_Count}"
308 |   subnet_id      = "${element(aws_subnet.CIS_Private_Subnets.*.id, count.index)}"
309 |   route_table_id = "${element(aws_route_table.CIS_Private_RTB.*.id, count.index)}"
310 | }
311 | # enable flow logging for the vpc
312 | resource "aws_flow_log" "CIS_VPC_Flow_Log" {
313 |   iam_role_arn    = "${aws_iam_role.CIS_FlowLogs_to_CWL_Role.arn}"
314 |   log_destination = "${aws_cloudwatch_log_group.CIS_FlowLogs_CWL_Group.arn}"
315 |   traffic_type    = "ALL"
316 |   vpc_id          = "${aws_vpc.CIS_VPC.id}"
317 | }
318 | resource "aws_cloudwatch_log_group" "CIS_FlowLogs_CWL_Group" {
319 |   name = "${var.CIS_VPC_Name_Tag}-flowlog-group"
320 | }
321 | # create role & policy to allow VPC to send flow logs to cloudwatch
322 | resource "aws_iam_role" "CIS_FlowLogs_to_CWL_Role" {
323 |   name = "${var.CIS_VPC_Name_Tag}-flowlog-role"
324 |   assume_role_policy = <<EOF
325 | {
326 |   "Version": "2012-10-17",
327 |   "Statement": [
328 |     {
329 |       "Sid": "",
330 |       "Effect": "Allow",
331 |       "Principal": {
332 |         "Service": "vpc-flow-logs.amazonaws.com"
333 |       },
334 |       "Action": "sts:AssumeRole"
335 |     }
336 |   ]
337 | }
338 | EOF
339 | }
340 | resource "aws_iam_role_policy" "CIS_FlowLogs_to_CWL_Role_Policy" {
341 |   name = "${var.CIS_VPC_Name_Tag}-flowlog-policy"
342 |   role = "${aws_iam_role.CIS_FlowLogs_to_CWL_Role.id}"
343 |   policy = <<EOF
344 | {
345 |   "Version": "2012-10-17",
346 |   "Statement": [
347 |     {
348 |       "Action": [
349 |         "logs:CreateLogGroup",
350 |         "logs:CreateLogStream",
351 |         "logs:PutLogEvents",
352 |         "logs:DescribeLogGroups",
353 |         "logs:DescribeLogStreams"
354 |       ],
355 |       "Effect": "Allow",
356 |       "Resource": "${aws_cloudwatch_log_group.CIS_FlowLogs_CWL_Group.arn}*"
357 |     }
358 |   ]
359 | }
360 | EOF
361 | }
362 | # remove rules from default SG
363 | resource "aws_default_security_group" "Default_Security_Group" {
364 |   vpc_id = "${aws_vpc.CIS_VPC.id}"
365 |   tags {
366 |     Name = "DEFAULT_DO_NOT_USE"
367 |   }
368 | }
369 | resource "aws_security_group" "CIS_Linux_SG" {
370 |   name        = "cis-linux-sg"
371 |   description = "Allows 443 in and 22 from trusted IP ranges - Managed by Terraform"
372 |   vpc_id      = "${aws_vpc.CIS_VPC.id}"
373 |   ingress {
374 |     from_port   = 22
375 |     to_port     = 22
376 |     protocol    = "tcp"
377 |     cidr_blocks = ["${var.TRUSTED_IP}"]
378 |   }
379 |   ingress {
380 |     from_port   = 443
381 |     to_port     = 443
382 |     protocol    = "tcp"
383 |     cidr_blocks = ["0.0.0.0/0"]
384 |   }
385 |   egress {
386 |     from_port       = 0
387 |     to_port         = 0
388 |     protocol        = "-1"
389 |     cidr_blocks     = ["0.0.0.0/0"]
390 |   }
391 |   tags {
392 |       Name = "${var.CIS_VPC_Name_Tag}-Linux-SG"
393 |   }
394 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/cloudwatch-to-firehose.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-security-services-with-terraform/d4c043f6e93f256fedbbaa5becfd247ad992061b/aws-security-hub-boostrap-and-operationalization/cloudwatch-to-firehose.zip


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/config.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | # Create Config Role
 18 | resource "aws_iam_role" "Config_IAM_Role" {
 19 |   name = "Terraform-ConfigRole"
 20 | 
 21 |   assume_role_policy = <<POLICY
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Action": "sts:AssumeRole",
 27 |       "Principal": {
 28 |         "Service": "config.amazonaws.com"
 29 |       },
 30 |       "Effect": "Allow",
 31 |       "Sid": ""
 32 |     }
 33 |   ]
 34 | }
 35 | POLICY
 36 | }
 37 | resource "aws_iam_role_policy_attachment" "Config_Role_Attach_Policy" {
 38 |   role       = "${aws_iam_role.Config_IAM_Role.name}"
 39 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
 40 | }
 41 | # Create Config Recorder Bucket
 42 | resource "aws_s3_bucket" "Config_Recorder_Bucket" {
 43 |   bucket_prefix = "${var.Config_Bucket_Prefix}"
 44 |   acl           = "private"
 45 |   versioning {
 46 |     enabled = true
 47 |   }
 48 |   server_side_encryption_configuration {
 49 |     rule {
 50 |       apply_server_side_encryption_by_default {
 51 |         sse_algorithm     = "AES256"
 52 |       }
 53 |     }
 54 |   }
 55 |   lifecycle_rule {
 56 |     enabled = true
 57 |     expiration {
 58 |       days = 365
 59 |     }
 60 |     noncurrent_version_expiration {
 61 |       days = 365
 62 |     }
 63 |   }
 64 | }
 65 | # Default Config bucket access policy
 66 | resource "aws_s3_bucket_policy" "Config_Recorder_Bucket_Policy" {
 67 |   bucket = "${aws_s3_bucket.Config_Recorder_Bucket.id}"
 68 |   policy = <<POLICY
 69 | {
 70 |   "Version": "2012-10-17",
 71 |   "Statement": [
 72 |     {
 73 |       "Sid": "Allow bucket ACL check",
 74 |       "Effect": "Allow",
 75 |       "Principal": {
 76 |         "Service": [
 77 |          "config.amazonaws.com"
 78 |         ]
 79 |       },
 80 |       "Action": "s3:GetBucketAcl",
 81 |       "Resource": "${aws_s3_bucket.Config_Recorder_Bucket.arn}",
 82 |       "Condition": {
 83 |         "Bool": {
 84 |           "aws:SecureTransport": "true"
 85 |         }
 86 |       }
 87 |     },
 88 |     {
 89 |       "Sid": "Allow bucket write",
 90 |       "Effect": "Allow",
 91 |       "Principal": {
 92 |         "Service": [
 93 |          "config.amazonaws.com"
 94 |         ]
 95 |       },
 96 |       "Action": "s3:PutObject",
 97 |       "Resource": "${aws_s3_bucket.Config_Recorder_Bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
 98 |       "Condition": {
 99 |         "StringEquals": {
100 |           "s3:x-amz-acl": "bucket-owner-full-control"
101 |         },
102 |         "Bool": {
103 |           "aws:SecureTransport": "true"
104 |         }
105 |       }
106 |     },
107 |     {
108 |       "Sid": "Require SSL",
109 |       "Effect": "Deny",
110 |       "Principal": {
111 |         "AWS": "*"
112 |       },
113 |       "Action": "s3:*",
114 |       "Resource": "${aws_s3_bucket.Config_Recorder_Bucket.arn}/*",
115 |       "Condition": {
116 |         "Bool": {
117 |           "aws:SecureTransport": "false"
118 |         }
119 |       }
120 |     }
121 |   ]
122 | }
123 | POLICY
124 | }
125 | # Create & Enable Config Recorder
126 | resource "aws_config_configuration_recorder" "Config_Recorder" {
127 |   role_arn = "${aws_iam_role.Config_IAM_Role.arn}"
128 |   recording_group {
129 |     all_supported                 = true
130 |     include_global_resource_types = true
131 |   }
132 | }
133 | resource "aws_config_delivery_channel" "Config_Delivery_Channel" {
134 |   name           = "config-example"
135 |   s3_bucket_name = "${aws_s3_bucket.Config_Recorder_Bucket.bucket}"
136 |   snapshot_delivery_properties {
137 |     delivery_frequency = "${var.Config_Delivery_Frequency}"
138 |   }
139 |   depends_on = ["aws_config_configuration_recorder.Config_Recorder"]
140 | }
141 | resource "aws_config_configuration_recorder_status" "Config_Recorder_Enabled" {
142 |   name       = "${aws_config_configuration_recorder.Config_Recorder.name}"
143 |   is_enabled = true
144 |   depends_on = ["aws_config_delivery_channel.Config_Delivery_Channel"]
145 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/data.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | # Account ID var
18 | data "aws_caller_identity" "current" {}
19 | # Availability Zones var
20 | data "aws_availability_zones" "Available_AZ" {
21 |   state = "available"
22 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/elasticsearch_siem_extension.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | ###################
 18 | # CLOUDTRAIL LOGS #
 19 | ###################
 20 | # create an IAM role and policy that allows kinesis data firehose to interact with
 21 | # elasticsearch and kinesis data streams
 22 | resource "aws_iam_role" "Cloudtrail_Firehose_Delivery_Role" {
 23 |   name = "cloudtrail-firehose-siem-role"
 24 |   assume_role_policy = <<EOF
 25 | {
 26 |   "Version": "2012-10-17",
 27 |   "Statement": [
 28 |     {
 29 |       "Effect": "Allow",
 30 |       "Principal": {
 31 |         "Service": "firehose.amazonaws.com"
 32 |       },
 33 |       "Action": "sts:AssumeRole",
 34 |       "Condition": {
 35 |         "StringEquals": {
 36 |           "sts:ExternalId":"${data.aws_caller_identity.current.account_id}"
 37 |         }
 38 |       }
 39 |     }
 40 |   ]
 41 | }
 42 | EOF
 43 | }
 44 | resource "aws_iam_role_policy" "Cloudtrail_Firehose_Delivery_Policy" {
 45 |   name   = "cloudtrail-firehose-siem-policy"
 46 |   role   = "${aws_iam_role.Cloudtrail_Firehose_Delivery_Role.id}"
 47 |   policy = <<EOF
 48 | {
 49 |     "Version": "2012-10-17",  
 50 |     "Statement": [    
 51 |         {      
 52 |             "Effect": "Allow",      
 53 |             "Action": [        
 54 |                 "s3:AbortMultipartUpload",        
 55 |                 "s3:GetBucketLocation",        
 56 |                 "s3:GetObject",        
 57 |                 "s3:ListBucket",        
 58 |                 "s3:ListBucketMultipartUploads",
 59 |                 "s3:HeadBucket",       
 60 |                 "s3:PutObject"
 61 |             ],      
 62 |             "Resource": [        
 63 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}",
 64 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}/*"		    
 65 |             ]    
 66 |         },
 67 |         {
 68 |            "Effect": "Allow",
 69 |            "Action": [
 70 |                "kms:Decrypt",
 71 |                "kms:GenerateDataKey"
 72 |            ],
 73 |            "Resource": [
 74 |                "*"           
 75 |            ]
 76 |         },
 77 |         {
 78 |            "Effect": "Allow",
 79 |            "Action": [
 80 |                "es:DescribeElasticsearchDomain",
 81 |                "es:DescribeElasticsearchDomains",
 82 |                "es:DescribeElasticsearchDomainConfig",
 83 |                "es:ESHttpPost",
 84 |                "es:ESHttpPut"
 85 |            ],
 86 |           "Resource": [
 87 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}",
 88 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/*"
 89 |           ]
 90 |        },
 91 |        {
 92 |           "Effect": "Allow",
 93 |           "Action": [
 94 |               "es:ESHttpGet"
 95 |           ],
 96 |           "Resource": [
 97 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_all/_settings",
 98 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_cluster/stats",
 99 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_mapping/type-name",
100 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes",
101 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/stats",
102 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/*/stats",
103 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_stats",
104 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_stats"
105 |           ]
106 |        },        
107 |        {
108 |           "Effect": "Allow",
109 |           "Action": [
110 |               "logs:PutLogEvents",
111 |               "logs:CreateLogStream"
112 |           ],
113 |           "Resource": [
114 |               "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.arn}"
115 |           ]
116 |        }
117 |     ]
118 | }
119 | EOF
120 | }
121 | # create kiensis data firehose delivery stream that will read from data stream and send findings to elasticsearch
122 | resource "aws_kinesis_firehose_delivery_stream" "Cloudtrail_Logs_Firehose" {
123 |   name        = "${var.CloudTrail_To_Elastic_Name_Schema}-deliverystream"
124 |   destination = "elasticsearch"
125 |   s3_configuration {
126 |     role_arn           = "${aws_iam_role.Cloudtrail_Firehose_Delivery_Role.arn}"
127 |     bucket_arn         = "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}"
128 |     prefix             = "cloudtrail-fails"
129 |     buffer_size        = 5
130 |     buffer_interval    = 60
131 |     compression_format = "GZIP"
132 |   }
133 |   elasticsearch_configuration {
134 |     domain_arn = "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}"
135 |     role_arn   = "${aws_iam_role.Cloudtrail_Firehose_Delivery_Role.arn}"
136 |     index_rotation_period = "${var.ElasticSearch_Rotation_Period}"
137 |     index_name = "cloudtrail"
138 |     type_name  = "cloudtrail" ## if you use 7.x elasticsearch version, do not specify this variable
139 |     cloudwatch_logging_options {
140 |         enabled         = true
141 |         log_group_name  = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
142 |         log_stream_name = "cloudtrail-fails"
143 |     }
144 |   }
145 | }
146 | # create a cloudwatch log stream for KDF to log errors to
147 | resource "aws_cloudwatch_log_stream" "Cloudtrail_Firehose_Errors_LogStream" {
148 |   name           = "cloudtrail-fails"
149 |   log_group_name = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
150 |   depends_on     = ["aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup"]
151 | }
152 | # create a cloudwatch subscription to send cloudtrail logs to lambda
153 | resource "aws_cloudwatch_log_subscription_filter" "Cloudtrail_Logs_Lambda_Subscription" {
154 |   name            = "${var.CloudTrail_To_Elastic_Name_Schema}-subscription"
155 |   log_group_name  = "${aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name}"
156 |   filter_pattern  = "" # leave blank for CT
157 |   destination_arn = "${aws_lambda_function.Cloudtrail_Lambda_To_Firehose_Function.arn}"
158 | }
159 | # create lambda function & execution role to send cloudtrail logs to kinesis data firehose
160 | resource "aws_iam_role" "Cloudtrail_Lambda_To_Firehose_Role" {
161 |   name = "${var.CloudTrail_To_Elastic_Name_Schema}-role"
162 |   assume_role_policy = <<EOF
163 | {
164 |   "Version": "2012-10-17",
165 |   "Statement": [
166 |     {
167 |       "Action": "sts:AssumeRole",
168 |       "Principal": {
169 |         "Service": "lambda.amazonaws.com"
170 |       },
171 |       "Effect": "Allow",
172 |       "Sid": ""
173 |     }
174 |   ]
175 | }
176 | EOF
177 | }
178 | resource "aws_iam_policy" "Cloudtrail_Lambda_To_Firehose_Policy" {
179 |   name = "${var.CloudTrail_To_Elastic_Name_Schema}-policy"
180 |   path = "/"
181 |   description = "For ${var.CloudTrail_To_Elastic_Name_Schema} gives permission to cloudwatch and kinesis firehose - Managed by Terraform"
182 |   policy = <<EOF
183 | {
184 |   "Version": "2012-10-17",
185 |   "Statement": [
186 |     {
187 |       "Action": [
188 |         "logs:CreateLogGroup",
189 |         "logs:CreateLogStream",
190 |         "logs:PutLogEvents"
191 |       ],
192 |       "Resource": "arn:aws:logs:*:*:*",
193 |       "Effect": "Allow"
194 |     },
195 |     {
196 |       "Action": [
197 |         "firehose:PutRecord"
198 |       ],
199 |       "Resource": "${aws_kinesis_firehose_delivery_stream.Cloudtrail_Logs_Firehose.arn}",
200 |       "Effect": "Allow"
201 |     }
202 |   ]
203 | }
204 | EOF
205 | }
206 | 
207 | resource "aws_iam_role_policy_attachment" "Cloudtrail_Lambda_To_Firehose_Policy_Attachment" {
208 |   role = "${aws_iam_role.Cloudtrail_Lambda_To_Firehose_Role.name}"
209 |   policy_arn = "${aws_iam_policy.Cloudtrail_Lambda_To_Firehose_Policy.arn}"
210 | }
211 | resource "aws_lambda_function" "Cloudtrail_Lambda_To_Firehose_Function" {
212 |   filename      = "./cloudwatch-to-firehose.zip"
213 |   description   = "Parses CloudTrail logs from CloudWatch Log Streams and send them to Kinesis Firehose en route to Elasticsearch Service - Managed by Terraform"
214 |   function_name = "${var.CloudTrail_To_Elastic_Name_Schema}-lambda-function"
215 |   role          = "${aws_iam_role.Cloudtrail_Lambda_To_Firehose_Role.arn}"
216 |   handler       = "lambda_function.lambda_handler"
217 |   runtime       = "python3.8"
218 |   timeout       = 30
219 |   memory_size   = 384
220 |   environment {
221 |     variables = {
222 |       FIREHOSE_TARGET = "${aws_kinesis_firehose_delivery_stream.Cloudtrail_Logs_Firehose.name}"
223 |     }
224 |   }
225 |   depends_on   = ["aws_iam_role_policy_attachment.Cloudtrail_Lambda_To_Firehose_Policy_Attachment","aws_kinesis_firehose_delivery_stream.Cloudtrail_Logs_Firehose"]
226 | }
227 | # give permissions for cloudwatch logs to invoke lambda
228 | resource "aws_lambda_permission" "Cloudtrail_Logs_Lambda_Permission" {
229 |   statement_id  = "AllowExecutionFromCloudWatchLogs"
230 |   action        = "lambda:InvokeFunction"
231 |   function_name = "${aws_lambda_function.Cloudtrail_Lambda_To_Firehose_Function.function_name}"
232 |   principal     = "logs.amazonaws.com"
233 | }
234 | #################
235 | # VPC FLOW LOGS #
236 | #################
237 | resource "aws_iam_role" "VPCFlowLogs_Firehose_Delivery_Role" {
238 |   name = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-firehose-siem-role"
239 |   assume_role_policy = <<EOF
240 | {
241 |   "Version": "2012-10-17",
242 |   "Statement": [
243 |     {
244 |       "Effect": "Allow",
245 |       "Principal": {
246 |         "Service": "firehose.amazonaws.com"
247 |       },
248 |       "Action": "sts:AssumeRole",
249 |       "Condition": {
250 |         "StringEquals": {
251 |           "sts:ExternalId":"${data.aws_caller_identity.current.account_id}"
252 |         }
253 |       }
254 |     }
255 |   ]
256 | }
257 | EOF
258 | }
259 | resource "aws_iam_role_policy" "VPCFlowLogs_Firehose_Delivery_Policy" {
260 |   name   = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-firehose-siem-policy"
261 |   role   = "${aws_iam_role.VPCFlowLogs_Firehose_Delivery_Role.id}"
262 |   policy = <<EOF
263 | {
264 |     "Version": "2012-10-17",  
265 |     "Statement": [    
266 |         {      
267 |             "Effect": "Allow",      
268 |             "Action": [        
269 |                 "s3:AbortMultipartUpload",        
270 |                 "s3:GetBucketLocation",        
271 |                 "s3:GetObject",        
272 |                 "s3:ListBucket",        
273 |                 "s3:ListBucketMultipartUploads",
274 |                 "s3:HeadBucket",       
275 |                 "s3:PutObject"
276 |             ],      
277 |             "Resource": [        
278 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}",
279 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}/*"		    
280 |             ]    
281 |         },
282 |         {
283 |            "Effect": "Allow",
284 |            "Action": [
285 |                "kms:Decrypt",
286 |                "kms:GenerateDataKey"
287 |            ],
288 |            "Resource": [
289 |                "*"           
290 |            ]
291 |         },
292 |         {
293 |            "Effect": "Allow",
294 |            "Action": [
295 |                "es:DescribeElasticsearchDomain",
296 |                "es:DescribeElasticsearchDomains",
297 |                "es:DescribeElasticsearchDomainConfig",
298 |                "es:ESHttpPost",
299 |                "es:ESHttpPut"
300 |            ],
301 |           "Resource": [
302 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}",
303 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/*"
304 |           ]
305 |        },
306 |        {
307 |           "Effect": "Allow",
308 |           "Action": [
309 |               "es:ESHttpGet"
310 |           ],
311 |           "Resource": [
312 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_all/_settings",
313 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_cluster/stats",
314 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_mapping/type-name",
315 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes",
316 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/stats",
317 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/*/stats",
318 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_stats",
319 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_stats"
320 |           ]
321 |        },        
322 |        {
323 |           "Effect": "Allow",
324 |           "Action": [
325 |               "logs:PutLogEvents",
326 |               "logs:CreateLogStream"
327 |           ],
328 |           "Resource": [
329 |               "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.arn}"
330 |           ]
331 |        }
332 |     ]
333 | }
334 | EOF
335 | }
336 | # create kiensis data firehose delivery stream that will read from data stream and send findings to elasticsearch
337 | resource "aws_kinesis_firehose_delivery_stream" "VPCFlowLogs_Logs_Firehose" {
338 |   name        = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-deliverystream"
339 |   destination = "elasticsearch"
340 |   s3_configuration {
341 |     role_arn           = "${aws_iam_role.VPCFlowLogs_Firehose_Delivery_Role.arn}"
342 |     bucket_arn         = "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}"
343 |     prefix             = "vpcflowlogs-fails"
344 |     buffer_size        = 5
345 |     buffer_interval    = 60
346 |     compression_format = "GZIP"
347 |   }
348 |   elasticsearch_configuration {
349 |     domain_arn = "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}"
350 |     role_arn   = "${aws_iam_role.VPCFlowLogs_Firehose_Delivery_Role.arn}"
351 |     index_rotation_period = "${var.ElasticSearch_Rotation_Period}"
352 |     index_name = "vpcflowlogs"
353 |     type_name  = "vpcflowlogs" ## if you use 7.x elasticsearch version, do not specify this variable
354 |     cloudwatch_logging_options {
355 |         enabled         = true
356 |         log_group_name  = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
357 |         log_stream_name = "vpcflowlogs-fails"
358 |     }
359 |   }
360 | }
361 | # create a cloudwatch log stream for KDF to log errors to
362 | resource "aws_cloudwatch_log_stream" "VPCFlowLogs_Firehose_Errors_LogStream" {
363 |   name           = "vpcflowlogs-fails"
364 |   log_group_name = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
365 |   depends_on     = ["aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup"]
366 | }
367 | # create a cloudwatch subscription to send cloudtrail logs to lambda
368 | resource "aws_cloudwatch_log_subscription_filter" "VPCFlowLogs_Logs_Lambda_Subscription" {
369 |   name            = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-subscription"
370 |   log_group_name  = "${aws_cloudwatch_log_group.CIS_FlowLogs_CWL_Group.name}"
371 |   filter_pattern  = "[version, account_id, interface_id, srcaddr != \"-\", dstaddr != \"-\", srcport != \"-\", dstport != \"-\", protocol, packets, bytes, start, end, action, log_status]" # leave blank for CT
372 |   destination_arn = "${aws_lambda_function.VPCFlowLogs_Lambda_To_Firehose_Function.arn}"
373 | }
374 | # create lambda function & execution role to send cloudtrail logs to kinesis data firehose
375 | resource "aws_iam_role" "VPCFlowLogs_Lambda_To_Firehose_Role" {
376 |   name = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-role"
377 |   assume_role_policy = <<EOF
378 | {
379 |   "Version": "2012-10-17",
380 |   "Statement": [
381 |     {
382 |       "Action": "sts:AssumeRole",
383 |       "Principal": {
384 |         "Service": "lambda.amazonaws.com"
385 |       },
386 |       "Effect": "Allow",
387 |       "Sid": ""
388 |     }
389 |   ]
390 | }
391 | EOF
392 | }
393 | resource "aws_iam_policy" "VPCFlowLogs_Lambda_To_Firehose_Policy" {
394 |   name = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-policy"
395 |   path = "/"
396 |   description = "For ${var.VPCFlowLogs_To_Elastic_Name_Schema} gives permission to cloudwatch and kinesis firehose - Managed by Terraform"
397 |   policy = <<EOF
398 | {
399 |   "Version": "2012-10-17",
400 |   "Statement": [
401 |     {
402 |       "Action": [
403 |         "logs:CreateLogGroup",
404 |         "logs:CreateLogStream",
405 |         "logs:PutLogEvents"
406 |       ],
407 |       "Resource": "arn:aws:logs:*:*:*",
408 |       "Effect": "Allow"
409 |     },
410 |     {
411 |       "Action": [
412 |         "firehose:PutRecord"
413 |       ],
414 |       "Resource": "${aws_kinesis_firehose_delivery_stream.VPCFlowLogs_Logs_Firehose.arn}",
415 |       "Effect": "Allow"
416 |     }
417 |   ]
418 | }
419 | EOF
420 | }
421 | 
422 | resource "aws_iam_role_policy_attachment" "VPCFlowLogs_Lambda_To_Firehose_Policy_Attachment" {
423 |   role = "${aws_iam_role.VPCFlowLogs_Lambda_To_Firehose_Role.name}"
424 |   policy_arn = "${aws_iam_policy.VPCFlowLogs_Lambda_To_Firehose_Policy.arn}"
425 | }
426 | resource "aws_lambda_function" "VPCFlowLogs_Lambda_To_Firehose_Function" {
427 |   filename      = "./cloudwatch-to-firehose.zip"
428 |   description   = "Parses VPC Flow logs from CloudWatch Log Streams and send them to Kinesis Firehose en route to Elasticsearch Service - Managed by Terraform"
429 |   function_name = "${var.VPCFlowLogs_To_Elastic_Name_Schema}-lambda-function"
430 |   role          = "${aws_iam_role.VPCFlowLogs_Lambda_To_Firehose_Role.arn}"
431 |   handler       = "lambda_function.lambda_handler"
432 |   runtime       = "python3.8"
433 |   timeout       = 30
434 |   memory_size   = 384
435 |   environment {
436 |     variables = {
437 |       FIREHOSE_TARGET = "${aws_kinesis_firehose_delivery_stream.VPCFlowLogs_Logs_Firehose.name}"
438 |     }
439 |   }
440 |   depends_on   = ["aws_iam_role_policy_attachment.VPCFlowLogs_Lambda_To_Firehose_Policy_Attachment","aws_kinesis_firehose_delivery_stream.VPCFlowLogs_Logs_Firehose"]
441 | }
442 | # give permissions for cloudwatch logs to invoke lambda
443 | resource "aws_lambda_permission" "VPCFlowLogs_Logs_Lambda_Permission" {
444 |   statement_id  = "AllowExecutionFromCloudWatchLogs"
445 |   action        = "lambda:InvokeFunction"
446 |   function_name = "${aws_lambda_function.VPCFlowLogs_Lambda_To_Firehose_Function.function_name}"
447 |   principal     = "logs.amazonaws.com"
448 | }
449 | 


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/provider.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | provider "aws" {
18 |   region     = "${var.AWS_REGION}"
19 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/prowler-integration/README.md:
--------------------------------------------------------------------------------
 1 | ## AWS Security Hub - Bootstrap and Operationalization: Prowler Integration
 2 | This module is a Terraform re-write of the AWS Security Blog post on [integrating Prowler with Security Hub](https://aws.amazon.com/blogs/security/use-aws-fargate-prowler-send-security-configuration-findings-about-aws-services-security-hub/). The current solution is hosted on this aws-samples [Github](https://github.com/aws-samples/aws-security-hub-prowler-integrations) repo.
 3 | 
 4 | ![Architecture](https://github.com/aws-samples/aws-security-hub-prowler-integrations/blob/master/Architecture.jpg)
 5 | The integration works as follows:
 6 | 1.	A time-based CloudWatch Event will start the Fargate task on a schedule
 7 | 2.	Fargate will pull a Docker image from Amazon Elastic Container Registry (ECR) that contains Prowler and Python scripts used to load an Amazon DynamoDB table.
 8 | 3.	Prowler scans your AWS infrastructure and writes the scan results to a CSV file
 9 | 4.	Python scripts convert the CSV to JSON and load DynamoDB with formatted Prowler findings
10 | 5.	A DynamoDB stream invokes an AWS Lambda function
11 | 6.	Lambda maps Prowler findings into the Amazon Security Finding Format (ASFF) before importing them to Security Hub
12 | 
13 | ## Required IAM Permissions
14 | You will need to modify the CodeBuild role created for the WAF Blog to allow it to create all of these resources, which include the below. You need to give Terraform full create/update/read/delete permissions to be able to apply, update, describe and delete your State.
15 | - CloudWatch Logs
16 | - DynamoDB (and Streams)
17 | - ECS
18 | - ECR
19 | - IAM
20 | - Lambda


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/security_hub_siem.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | # Create ES Domain with Cognito user pool
 18 | # Not all instances support encryption at rest & node-to-node encryption
 19 | resource "aws_elasticsearch_domain" "Security_Hub_Elasticsearch_Service" {
 20 |   domain_name           = "${var.ElasticSearch_Domain_Name}"
 21 |   elasticsearch_version = "${var.ElasticSearch_Domain_ES_Version}"
 22 |   cluster_config {
 23 |     instance_type       = "${var.ElasticSearch_Domain_Instance_Type}"
 24 |     instance_count      = "${var.ElasticSearch_Domain_Instance_Count}"    
 25 |   }
 26 |   ebs_options {
 27 |       ebs_enabled  = true
 28 |       volume_type  = "gp2"
 29 |       volume_size  = "15"
 30 |   }
 31 |   encrypt_at_rest {
 32 |       enabled = true
 33 |   }
 34 |   node_to_node_encryption {
 35 |       enabled = true
 36 |   }
 37 |   snapshot_options {
 38 |     automated_snapshot_start_hour = 23
 39 |   }
 40 |   cognito_options {
 41 |       enabled          = true
 42 |       user_pool_id     = "${aws_cognito_user_pool.ES_Cognito_User_Pool.id}"
 43 |       identity_pool_id = "${aws_cognito_identity_pool.ES_Cognito_Identity_Pool.id}"
 44 |       role_arn         = "${aws_iam_role.ES_Cognito_Role.arn}"
 45 |   }
 46 |   depends_on           = ["aws_securityhub_account.Security_Hub_Enabled"]
 47 | }
 48 | # this elasticsearch access policy will only allow your account and the IP your specify to access it
 49 | resource "aws_elasticsearch_domain_policy" "Security_Hub_Elasticsearch_Service_Policy" {
 50 |   domain_name = "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.domain_name}"
 51 |   access_policies = <<POLICIES
 52 | {
 53 |   "Version": "2012-10-17",
 54 |   "Statement": [
 55 |     {
 56 |       "Effect": "Allow",
 57 |       "Principal": {
 58 |         "AWS": "*"
 59 |       },
 60 |       "Action": "es:*",
 61 |       "Resource": "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/*",
 62 |       "Condition": {
 63 |         "IpAddress": {
 64 |           "aws:SourceIp": "${var.TRUSTED_IP}"
 65 |         }
 66 |       }
 67 |     }
 68 |   ]
 69 | }
 70 | POLICIES
 71 | }
 72 | # Create cognito user pool with schema and password policy
 73 | resource "aws_cognito_user_pool" "ES_Cognito_User_Pool" {
 74 |   name                       = "${var.ES_Cognito_User_Pool_Name}"
 75 |   email_verification_subject = "${var.ElasticSearch_Domain_Name} Kibana Device Verification Code"
 76 |   email_verification_message = "Please use the following code {####}"
 77 |   alias_attributes           = ["email", "preferred_username"]
 78 |   auto_verified_attributes   = ["email"]
 79 |   admin_create_user_config {
 80 |     allow_admin_create_user_only = false
 81 |   }
 82 |   password_policy {
 83 |       minimum_length    = 14
 84 |       require_lowercase = true
 85 |       require_numbers   = true
 86 |       require_symbols   = true
 87 |       require_uppercase = true
 88 |   }
 89 |   schema {
 90 |     attribute_data_type      = "String"
 91 |     developer_only_attribute = false
 92 |     mutable                  = false
 93 |     name                     = "email"
 94 |     required                 = true
 95 |     string_attribute_constraints {
 96 |       min_length = 7
 97 |       max_length = 64
 98 |     }
 99 |   }
100 | }
101 | # create user pool domain
102 | resource "aws_cognito_user_pool_domain" "ES_Cognito_User_Pool_Domain" {
103 |   domain       = "${var.ES_Cognito_User_Pool_Domain_Name}"
104 |   user_pool_id = "${aws_cognito_user_pool.ES_Cognito_User_Pool.id}"
105 | }
106 | # create identity pool for Cognito
107 | resource "aws_cognito_identity_pool" "ES_Cognito_Identity_Pool" {
108 |   identity_pool_name               = "${var.ES_Cognito_Identity_Pool_Name}"
109 |   allow_unauthenticated_identities = true # MUST BE TRUE FOR KIBANA TO USE THIS
110 |   lifecycle {
111 |     ignore_changes                 = ["*"]
112 |   }
113 | }
114 | # create unauth & auth IAM roles for Cognito
115 | resource "aws_iam_role" "ES_Identity_Pool_Authenticated_Role" {
116 |   name = "${var.ES_Cognito_Identity_Pool_Name}-authenticated-role"
117 |   assume_role_policy = <<EOF
118 | {
119 |   "Version": "2012-10-17",
120 |   "Statement": [
121 |     {
122 |       "Effect": "Allow",
123 |       "Principal": {
124 |         "Federated": "cognito-identity.amazonaws.com"
125 |       },
126 |       "Action": "sts:AssumeRoleWithWebIdentity",
127 |       "Condition": {
128 |         "StringEquals": {
129 |           "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.ES_Cognito_Identity_Pool.id}"
130 |         },
131 |         "ForAnyValue:StringLike": {
132 |           "cognito-identity.amazonaws.com:amr": "authenticated"
133 |         }
134 |       }
135 |     }
136 |   ]
137 | }
138 | EOF
139 | }
140 | resource "aws_iam_role_policy" "ES_Identity_Pool_Authenticated_Policy" {
141 |   name = "${var.ES_Cognito_Identity_Pool_Name}-authenticated-policy"
142 |   role = "${aws_iam_role.ES_Identity_Pool_Authenticated_Role.id}"
143 |   policy = <<EOF
144 | {
145 |   "Version": "2012-10-17",
146 |   "Statement": [
147 |     {
148 |       "Effect": "Allow",
149 |       "Action": [
150 |         "es:ESHttp*",
151 |         "mobileanalytics:PutEvents",
152 |         "cognito-sync:*",
153 |         "cognito-identity:*"
154 |       ],
155 |       "Resource": [
156 |         "*"
157 |       ]
158 |     }
159 |   ]
160 | }
161 | EOF
162 | }
163 | resource "aws_iam_role" "ES_Identity_Pool_Unauthenticated_Role" {
164 |   name               = "${var.ES_Cognito_Identity_Pool_Name}-unauthenticated-role"
165 |   assume_role_policy = <<EOF
166 | {
167 |   "Version": "2012-10-17",
168 |   "Statement": [
169 |     {
170 |       "Effect": "Allow",
171 |       "Principal": {
172 |         "Federated": "cognito-identity.amazonaws.com"
173 |       },
174 |       "Action": "sts:AssumeRoleWithWebIdentity",
175 |       "Condition": {
176 |         "StringEquals": {
177 |           "cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.ES_Cognito_Identity_Pool.id}"
178 |         },
179 |         "ForAnyValue:StringLike": {
180 |           "cognito-identity.amazonaws.com:amr": "unauthenticated"
181 |         }
182 |       }
183 |     }
184 |   ]
185 | }
186 | EOF
187 | }
188 | resource "aws_iam_role_policy" "ES_Identity_Pool_Unauthenticated_Policy" {
189 |   name   = "${var.ES_Cognito_Identity_Pool_Name}-unauthenticated-policy"
190 |   role   = "${aws_iam_role.ES_Identity_Pool_Unauthenticated_Role.id}"
191 |   policy = <<EOF
192 | {
193 |     "Version": "2012-10-17",
194 |     "Statement": [
195 |         {
196 |             "Effect": "Allow",
197 |             "Action": [
198 |                 "mobileanalytics:PutEvents",
199 |                 "cognito-sync:*"
200 |             ],
201 |             "Resource": [
202 |                 "*"
203 |             ]
204 |         }
205 |     ]
206 | }
207 | EOF
208 | }
209 | resource "aws_cognito_identity_pool_roles_attachment" "ES_ID_Pool_Role_Attachment" {
210 |   identity_pool_id    = "${aws_cognito_identity_pool.ES_Cognito_Identity_Pool.id}"
211 |   roles = {
212 |     "authenticated"   = "${aws_iam_role.ES_Identity_Pool_Authenticated_Role.arn}"
213 |     "unauthenticated" = "${aws_iam_role.ES_Identity_Pool_Unauthenticated_Role.arn}"
214 |   }
215 | }
216 | resource "aws_iam_role" "ES_Cognito_Role" {
217 |   name               = "${var.ElasticSearch_Domain_Name}-cognito-role"
218 |   assume_role_policy = <<EOF
219 | {
220 |   "Version": "2012-10-17",
221 |   "Statement": [
222 |     {
223 |       "Effect": "Allow",
224 |       "Principal": {
225 |         "Service": "es.amazonaws.com"
226 |       },
227 |       "Action": "sts:AssumeRole"
228 |     }
229 |   ]
230 | }
231 | EOF
232 | }
233 | resource "aws_iam_role_policy" "ES_Cognito_Policy" {
234 |   name   = "${var.ElasticSearch_Domain_Name}-cognito-policy"
235 |   role   = "${aws_iam_role.ES_Cognito_Role.id}"
236 |   policy = <<EOF
237 | {
238 |     "Version": "2012-10-17",
239 |     "Statement": [
240 |         {
241 |             "Effect": "Allow",
242 |             "Action": [
243 |                 "cognito-idp:DescribeUserPool",
244 |                 "cognito-idp:CreateUserPoolClient",
245 |                 "cognito-idp:DeleteUserPoolClient",
246 |                 "cognito-idp:DescribeUserPoolClient",
247 |                 "cognito-idp:AdminInitiateAuth",
248 |                 "cognito-idp:AdminUserGlobalSignOut",
249 |                 "cognito-idp:ListUserPoolClients",
250 |                 "cognito-identity:DescribeIdentityPool",
251 |                 "cognito-identity:UpdateIdentityPool",
252 |                 "cognito-identity:SetIdentityPoolRoles",
253 |                 "cognito-identity:GetIdentityPoolRoles"
254 |             ],
255 |             "Resource": "*"
256 |         },
257 |         {
258 |             "Effect": "Allow",
259 |             "Action": "iam:PassRole",
260 |             "Resource": "*",
261 |             "Condition": {
262 |                 "StringEqualsIfExists": {
263 |                     "iam:PassedToService": "cognito-identity.amazonaws.com"
264 |                 }
265 |             }
266 |         }
267 |     ]
268 | }
269 | EOF
270 | }
271 | # create cloudwatch event iam role to invoke kinesis data streams
272 | resource "aws_iam_role" "CWE_Kinesis_Role" {
273 |   name               = "security-hub-to-elasticsearch-event-role"
274 |   assume_role_policy = <<EOF
275 | {
276 |   "Version": "2012-10-17",
277 |   "Statement": [
278 |     {
279 |       "Effect": "Allow",
280 |       "Principal": {
281 |         "Service": "events.amazonaws.com"
282 |       },
283 |       "Action": "sts:AssumeRole"
284 |     }
285 |   ]
286 | }
287 | EOF
288 | }
289 | resource "aws_iam_role_policy" "CWE_Kinesis_Policy" {
290 |   name   = "security-hub-to-elasticsearch-event-policy"
291 |   role   = "${aws_iam_role.CWE_Kinesis_Role.id}"
292 |   policy = <<EOF
293 | {
294 |     "Version": "2012-10-17",
295 |     "Statement": [
296 |         {
297 |             "Effect": "Allow",
298 |             "Action": [
299 |                 "kinesis:PutRecord",
300 |                 "kinesis:PutRecords"
301 |             ],
302 |             "Resource": [
303 |                 "${aws_kinesis_stream.Security_Hub_Kinesis_Stream.arn}"
304 |             ]
305 |         }
306 |     ]
307 | }
308 | EOF
309 | }
310 | # create cloudwatch event that will export all findings from security hub
311 | resource "aws_cloudwatch_event_rule" "Security_Hub_To_Elastic" {
312 |   name          = "security-hub-to-elasticsearch"
313 |   description   = "Sends all Security Hub findings to Elasticsearch Service"
314 |   role_arn      = "${aws_iam_role.CWE_Kinesis_Role.arn}"
315 |   event_pattern = <<PATTERN
316 | {
317 |   "source": [
318 |     "aws.securityhub"
319 |   ],
320 |   "detail-type": [
321 |     "Security Hub Findings - Imported"
322 |   ]
323 | }
324 | PATTERN
325 | }
326 | # create a cloudwatch event target that will send all security hub findings to a kinesis data stream
327 | resource "aws_cloudwatch_event_target" "CWE_KinesisDataStream_Target" {
328 |   rule      = "${aws_cloudwatch_event_rule.Security_Hub_To_Elastic.name}"
329 |   target_id = "SendToKDS"
330 |   arn       = "${aws_kinesis_stream.Security_Hub_Kinesis_Stream.arn}"
331 | }
332 | # create kinesis data stream to write security hub findings to firehose delivery stream
333 | resource "aws_kinesis_stream" "Security_Hub_Kinesis_Stream" {
334 |   name                      = "securityhub-kinesis-stream"
335 |   shard_count               = 5
336 |   retention_period          = 24
337 |   enforce_consumer_deletion = true
338 |   encryption_type           = "KMS"
339 |   kms_key_id                = "alias/aws/kinesis"
340 | }
341 | # create an s3 bucket to receive failed records from kinesis data firehose
342 | resource "aws_s3_bucket" "Kinesis_Failed_Logs_Bucket" {
343 |   bucket_prefix = "${var.KDF_Bucket_Prefix}"
344 |   acl           = "private"
345 |   versioning {
346 |     enabled = true
347 |   }
348 |   server_side_encryption_configuration {
349 |     rule {
350 |       apply_server_side_encryption_by_default {
351 |         sse_algorithm     = "AES256"
352 |       }
353 |     }
354 |   }
355 |   lifecycle_rule {
356 |     enabled = true
357 |     expiration {
358 |       days = 365
359 |     }
360 |     noncurrent_version_expiration {
361 |       days = 365
362 |     }
363 |   }
364 | }
365 | # create an IAM role and policy that allows kinesis data firehose to interact with
366 | # elasticsearch and kinesis data streams
367 | resource "aws_iam_role" "Firehose_Delivery_Role" {
368 |   name = "securityhub-firehose-siem-role"
369 |   assume_role_policy = <<EOF
370 | {
371 |   "Version": "2012-10-17",
372 |   "Statement": [
373 |     {
374 |       "Effect": "Allow",
375 |       "Principal": {
376 |         "Service": "firehose.amazonaws.com"
377 |       },
378 |       "Action": "sts:AssumeRole",
379 |       "Condition": {
380 |         "StringEquals": {
381 |           "sts:ExternalId":"${data.aws_caller_identity.current.account_id}"
382 |         }
383 |       }
384 |     }
385 |   ]
386 | }
387 | EOF
388 | }
389 | resource "aws_iam_role_policy" "Firehose_Delivery_Policy" {
390 |   name   = "securityhub-firehose-siem-policy"
391 |   role   = "${aws_iam_role.Firehose_Delivery_Role.id}"
392 |   policy = <<EOF
393 | {
394 |     "Version": "2012-10-17",  
395 |     "Statement": [    
396 |         {      
397 |             "Effect": "Allow",      
398 |             "Action": [        
399 |                 "s3:AbortMultipartUpload",        
400 |                 "s3:GetBucketLocation",        
401 |                 "s3:GetObject",
402 |                 "s3:HeadBucket",        
403 |                 "s3:ListBucket",        
404 |                 "s3:ListBucketMultipartUploads",        
405 |                 "s3:PutObject"
406 |             ],      
407 |             "Resource": [        
408 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}",
409 |                 "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}/*"		    
410 |             ]    
411 |         },
412 |         {
413 |            "Effect": "Allow",
414 |            "Action": [
415 |                "kms:Decrypt",
416 |                "kms:GenerateDataKey"
417 |            ],
418 |            "Resource": [
419 |                "*"           
420 |            ]
421 |         },
422 |         {
423 |            "Effect": "Allow",
424 |            "Action": [
425 |                "es:DescribeElasticsearchDomain",
426 |                "es:DescribeElasticsearchDomains",
427 |                "es:DescribeElasticsearchDomainConfig",
428 |                "es:ESHttpPost",
429 |                "es:ESHttpPut"
430 |            ],
431 |           "Resource": [
432 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}",
433 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/*"
434 |           ]
435 |        },
436 |        {
437 |           "Effect": "Allow",
438 |           "Action": [
439 |               "es:ESHttpGet"
440 |           ],
441 |           "Resource": [
442 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_all/_settings",
443 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_cluster/stats",
444 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_mapping/type-name",
445 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes",
446 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/stats",
447 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_nodes/*/stats",
448 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/_stats",
449 |               "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}/index-name*/_stats"
450 |           ]
451 |        },        
452 |        {
453 |           "Effect": "Allow",
454 |           "Action": [
455 |               "kinesis:DescribeStream",
456 |               "kinesis:GetShardIterator",
457 |               "kinesis:GetRecords"
458 |           ],
459 |           "Resource": "${aws_kinesis_stream.Security_Hub_Kinesis_Stream.arn}"
460 |        },
461 |        {
462 |           "Effect": "Allow",
463 |           "Action": [
464 |               "logs:PutLogEvents",
465 |               "logs:CreateLogGroup",
466 |               "logs:CreateLogStream"
467 |           ],
468 |           "Resource": [
469 |               "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.arn}*"
470 |           ]
471 |        }
472 |     ]
473 | }
474 | EOF
475 | }
476 | # create kiensis data firehose delivery stream that will read from data stream and send findings to elasticsearch
477 | # will also create an additional cloudwatch log group and log stream for firehose to write error logs to
478 | resource "aws_kinesis_firehose_delivery_stream" "Security_Hub_SIEM_KDF" {
479 |   name        = "securityhub-siem-deliverystream"
480 |   destination = "elasticsearch"
481 |   kinesis_source_configuration {
482 |       kinesis_stream_arn = "${aws_kinesis_stream.Security_Hub_Kinesis_Stream.arn}"
483 |       role_arn           = "${aws_iam_role.Firehose_Delivery_Role.arn}"
484 |     }
485 |   s3_configuration {
486 |     role_arn           = "${aws_iam_role.Firehose_Delivery_Role.arn}"
487 |     bucket_arn         = "${aws_s3_bucket.Kinesis_Failed_Logs_Bucket.arn}"
488 |     buffer_size        = 5
489 |     buffer_interval    = 60
490 |     compression_format = "GZIP"
491 |   }
492 |   elasticsearch_configuration {
493 |     domain_arn            = "${aws_elasticsearch_domain.Security_Hub_Elasticsearch_Service.arn}"
494 |     role_arn              = "${aws_iam_role.Firehose_Delivery_Role.arn}"
495 |     index_rotation_period = "${var.ElasticSearch_Rotation_Period}"
496 |     index_name            = "securityhub-findings"
497 |     type_name             = "ASFF" ## if you use 7.x elasticsearch version, do not specify this variable
498 |     cloudwatch_logging_options {
499 |         enabled         = true
500 |         log_group_name  = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
501 |         log_stream_name = "sechub-log-fails"
502 |     }
503 |   }
504 |   depends_on = ["aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup"]
505 | }
506 | resource "aws_cloudwatch_log_group" "Kinesis_Firehose_Errors_LogsGroup" {
507 |   name = "Firehose/errors"
508 | }
509 | resource "aws_cloudwatch_log_stream" "Kinesis_Firehose_Errors_LogStream" {
510 |   name           = "sechub-log-fails"
511 |   log_group_name = "${aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup.name}"
512 |   depends_on     = ["aws_cloudwatch_log_group.Kinesis_Firehose_Errors_LogsGroup"]
513 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/security_services.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | # Enable GuardDuty
18 | resource "aws_guardduty_detector" "GuardDuty_Detector" {
19 |   enable                       = true
20 |   finding_publishing_frequency = "${var.GuardDuty_Finding_Publishing_Frequency}"
21 |   depends_on                   = ["aws_securityhub_account.Security_Hub_Enabled"]
22 | }
23 | # Enable Security Hub
24 | resource "aws_securityhub_account" "Security_Hub_Enabled" {
25 |   depends_on = ["aws_config_configuration_recorder_status.Config_Recorder_Enabled"]
26 | }
27 | # Enable CIS standard
28 | resource "aws_securityhub_standards_subscription" "Security_Hub_CIS_Standard_Subscription" {
29 |   depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
30 |   standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
31 | }
32 | # Enable PCI-DSS standard
33 | resource "aws_securityhub_standards_subscription" "Security_Hub_PCIDSS_Standard_Subscription" {
34 |   depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
35 |   standards_arn = "arn:aws:securityhub:${var.AWS_REGION}::standards/pci-dss/v/3.2.1"
36 | }
37 | # create IAM access analyzer
38 | resource "aws_accessanalyzer_analyzer" "IAA" {
39 |   analyzer_name = "terraformanalyzer"
40 |   depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
41 | }
42 | # Create Inspector assessment that targets all Instances 
43 | resource "aws_inspector_assessment_target" "Inspector_Assessment_Target_All" {
44 |   name = "target-all-instances"
45 | }
46 | # Change rule package Variables dependent on location
47 | resource "aws_inspector_assessment_template" "Inspector_Assessment_Template" {
48 |   name               = "all-assessments-template"
49 |   duration           = 3600
50 |   target_arn         = "${aws_inspector_assessment_target.Inspector_Assessment_Target_All.arn}"
51 |   rules_package_arns = "${var.Inspector_Assessment_Rules_Packages_APSoutheast2}"
52 | }


--------------------------------------------------------------------------------
/aws-security-hub-boostrap-and-operationalization/variables.tf:
--------------------------------------------------------------------------------
  1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 |  # SPDX-License-Identifier: MIT-0
  3 |  #
  4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
  5 |  # software and associated documentation files (the "Software"), to deal in the Software
  6 |  # without restriction, including without limitation the rights to use, copy, modify,
  7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
  8 |  # permit persons to whom the Software is furnished to do so.
  9 |  #
 10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 16 | 
 17 | ######################
 18 | # GLOBAL variables
 19 | ######################
 20 | variable "AWS_REGION" {
 21 |   default = "us-east-1"
 22 | }
 23 | variable "TRUSTED_IP" {
 24 |   description = "Used to populate Elasticsearch SourceIP condition and VPC SSH security group"
 25 |   default     = "/32"
 26 | }
 27 | ######################
 28 | # config.tf variables
 29 | ######################
 30 | variable "Config_Bucket_Prefix" {
 31 |   default = "config-bucket"
 32 | }
 33 | variable "Config_Delivery_Frequency" {
 34 |   default = "One_Hour"
 35 | }
 36 | #################################
 37 | # security_services.tf variables
 38 | #################################
 39 | variable "GuardDuty_Finding_Publishing_Frequency" {
 40 |   default = "FIFTEEN_MINUTES"
 41 | }
 42 | # US East (N. Virginia)
 43 | variable "Inspector_Assessment_Rules_Packages_USEast1" {
 44 |   type        = "list"
 45 |   description = "All Inspector Assessment Rules for Target All Group"
 46 |   default = [
 47 |    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7", // NIST Common Vulnerability & Exposures (CVEs)
 48 |    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8", // CIS OS Security Configuration Benchmark
 49 |    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q", // AWS Security Best Practices
 50 |    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd", // Network Reachability
 51 |    ]
 52 | }
 53 | # US East (Ohio)
 54 | variable "Inspector_Assessment_Rules_Packages_USEast2" {
 55 |   type        = "list"
 56 |   description = "All Inspector Assessment Rules for Target All Group"
 57 |   default = [
 58 |    "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85", // NIST Common Vulnerability & Exposures (CVEs)
 59 |    "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh", // CIS OS Security Configuration Benchmark
 60 |    "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX", // AWS Security Best Practices
 61 |    "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-cE4kTR30", // Network Reachability
 62 |    ]
 63 | }
 64 | # US West (N. California)
 65 | variable "Inspector_Assessment_Rules_Packages_USWest1" {
 66 |   type        = "list"
 67 |   description = "All Inspector Assessment Rules for Target All Group"
 68 |   default = [
 69 |    "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa", // NIST Common Vulnerability & Exposures (CVEs)
 70 |    "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX", // CIS OS Security Configuration Benchmark
 71 |    "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TxmXimXF", // AWS Security Best Practices
 72 |    "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm", // Network Reachability
 73 |   ]
 74 | }
 75 | # US West (Oregon)
 76 | variable "Inspector_Assessment_Rules_Packages_USWest2" {
 77 |   type        = "list"
 78 |   description = "All Inspector Assessment Rules for Target All Group"
 79 |   default = [
 80 |    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p", // NIST Common Vulnerability & Exposures (CVEs)
 81 |    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc", // CIS OS Security Configuration Benchmark
 82 |    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ", // AWS Security Best Practices
 83 |    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-rD1z6dpl", // Network Reachability
 84 |    ]
 85 | }
 86 | # Asia Pacific (Mumbai)
 87 | variable "Inspector_Assessment_Rules_Packages_APSouth1" {
 88 |   type        = "list"
 89 |   description = "All Inspector Assessment Rules for Target All Group"
 90 |   default = [
 91 |    "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-LqnJE9dO", // NIST Common Vulnerability & Exposures (CVEs)
 92 |    "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-PSUlX14m", // CIS OS Security Configuration Benchmark
 93 |    "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-fs0IZZBj", // AWS Security Best Practices
 94 |    "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-YxKfjFu1", // Network Reachability
 95 |   ]
 96 | }
 97 | # Asia Pacific (Seoul)
 98 | variable "Inspector_Assessment_Rules_Packages_APNortheast2" {
 99 |   type        = "list"
100 |   description = "All Inspector Assessment Rules for Target All Group"
101 |   default = [
102 |    "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoGHMznc", // NIST Common Vulnerability & Exposures (CVEs)
103 |    "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-T9srhg1z", // CIS OS Security Configuration Benchmark
104 |    "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-2WRpmi4n", // AWS Security Best Practices
105 |    "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-s3OmLzhL", // Network Reachability
106 |   ]
107 | }
108 | # Asia Pacific (Sydney)
109 | 
110 | variable "Inspector_Assessment_Rules_Packages_APSoutheast2" {
111 |   type        = "list"
112 |   description = "All Inspector Assessment Rules for Target All Group"
113 |   default = [
114 |    "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-D5TGAxiR", // NIST Common Vulnerability & Exposures (CVEs)
115 |    "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-Vkd2Vxjq", // CIS OS Security Configuration Benchmark
116 |    "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-asL6HRgN", // AWS Security Best Practices
117 |    "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-FLcuV4Gz", // Network Reachability
118 |   ]
119 | }
120 | # Asia Pacific (Tokyo)
121 | variable "Inspector_Assessment_Rules_Packages_APNortheast1" {
122 |   type        = "list"
123 |   description = "All Inspector Assessment Rules for Target All Group"
124 |   default = [
125 |    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT", // NIST Common Vulnerability & Exposures (CVEs)
126 |    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu", // CIS OS Security Configuration Benchmark
127 |    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq", // AWS Security Best Practices
128 |    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-YI95DVd7", // Network Reachability
129 |   ]
130 | }
131 | # Europe (Frankfurt)
132 | variable "Inspector_Assessment_Rules_Packages_EUCentral1" {
133 |   type        = "list"
134 |   description = "All Inspector Assessment Rules for Target All Group"
135 |   default = [
136 |    "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-wNqHa8M9", // NIST Common Vulnerability & Exposures (CVEs)
137 |    "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-nZrAVuv8", // CIS OS Security Configuration Benchmark
138 |    "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-ZujVHEPB", // AWS Security Best Practices
139 |    "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-6yunpJ91", // Network Reachability
140 |   ]
141 | }
142 | # Europe (Ireland)
143 | variable "Inspector_Assessment_Rules_Packages_EUWest1" {
144 |   type        = "list"
145 |   description = "All Inspector Assessment Rules for Target All Group"
146 |   default = [
147 |    "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh", // NIST Common Vulnerability & Exposures (CVEs)
148 |    "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-sJBhCr0F", // CIS OS Security Configuration Benchmark
149 |    "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SnojL3Z6", // AWS Security Best Practices
150 |    "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SPzU33xe", // Network Reachability
151 |   ]
152 | }
153 | # Europe (London)
154 | variable "Inspector_Assessment_Rules_Packages_EUWest2" {
155 |   type        = "list"
156 |   description = "All Inspector Assessment Rules for Target All Group"
157 |   default = [
158 |    "arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-kZGCqcE1", // NIST Common Vulnerability & Exposures (CVEs)
159 |    "arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-IeCjwf1W", // CIS OS Security Configuration Benchmark
160 |    "arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-XApUiSaP", // AWS Security Best Practices
161 |    "arn:aws:inspector:eu-west-2:146838936955:rulespackage/0-AizSYyNq", // Network Reachability
162 |   ]
163 | }
164 | # Europe (Stockholm)
165 | variable "Inspector_Assessment_Rules_Packages_EUNorth1" {
166 |   type        = "list"
167 |   description = "All Inspector Assessment Rules for Target All Group"
168 |   default = [
169 |    "arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-IgdgIewd", // NIST Common Vulnerability & Exposures (CVEs)
170 |    "arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-Yn8jlX7f", // CIS OS Security Configuration Benchmark
171 |    "arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-HfBQSbSf", // AWS Security Best Practices
172 |    "arn:aws:inspector:eu-north-1:453420244670:rulespackage/0-52Sn74uu", // Network Reachability
173 |   ]
174 | }
175 | #################################
176 | # security_hub_siem.tf variables
177 | #################################
178 | variable "ES_Cognito_User_Pool_Name" {
179 |   default = "elastic-kibanausers"
180 | }
181 | variable "ES_Cognito_User_Pool_Domain_Name" {
182 |   default = ""
183 | }
184 | variable "ES_Cognito_Identity_Pool_Name" {
185 |   default = "elastickibanaidp"
186 | }
187 | variable "ElasticSearch_Domain_Name" {
188 |   default = "securityhub-siem"
189 | }
190 | variable "ElasticSearch_Domain_ES_Version" {
191 |   default = "6.8"
192 | }
193 | variable "ElasticSearch_Domain_Instance_Type" {
194 |   default = "c4.large.elasticsearch"
195 | }
196 | variable "ElasticSearch_Domain_Instance_Count" {
197 |   default = "1"
198 | }
199 | variable "KDF_Bucket_Prefix" {
200 |   default = "elastic-kdf-logs-bucket"
201 | }
202 | variable "ElasticSearch_Rotation_Period" {
203 |   default = "OneMonth"
204 | }
205 | ###########################################
206 | # cis_baseline_infrastructure.tf variables
207 | ###########################################
208 | variable "AccessLog_Bucket_Prefix" {
209 |   default = "cis-accesslogs-bucket"
210 | }
211 | variable "CIS_CloudTrail_Trail_Name" {
212 |   default = "cis-cloudtrail"
213 | }
214 | variable "CloudTrail_Bucket_Prefix" {
215 |   default = "cis-cloudtrail-logs-bucket"
216 | }
217 | variable "Network_Resource_Count" {
218 |   default     = 1
219 |   description = "Amount of Network Resources Provisioned e.g. Subnets and Route Tables - Adjust for Regional AZ Count"
220 | }
221 | variable "CIS_VPC_CIDR" {
222 |   default = "10.100.0.0/16"
223 | }
224 | variable "CIS_VPC_Name_Tag" {
225 |   default = "CIS_VPC"
226 | }
227 | #######################
228 | # cis_3-x.tf variables
229 | #######################
230 | variable "CIS_SNS_Prefix" {
231 |   default = "cis-3x-alarms"
232 | }
233 | variable "CIS_Metric_Alarm_Namespace" {
234 |   default = "LogMetrics"
235 | }
236 | ############################################
237 | # elasticsearch_siem_extension.tf variables 
238 | ############################################
239 | variable "CloudTrail_To_Elastic_Name_Schema" {
240 |   default = "cloudtrail-to-elastic"
241 | }
242 | variable "VPCFlowLogs_To_Elastic_Name_Schema" {
243 |   default = "vpc-flowlogs-to-elastic"
244 | }


--------------------------------------------------------------------------------
/buildspec.yaml:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | version: 0.2
18 | 
19 | phases:
20 | 
21 |   install:
22 |     commands:
23 |       - "apt install unzip -y"
24 |       - "wget https://releases.hashicorp.com/terraform/0.11.14/terraform_0.11.14_linux_amd64.zip"
25 |       - "unzip terraform_0.11.14_linux_amd64.zip"
26 |       - "mv terraform /usr/local/bin/"
27 |   pre_build:
28 |     commands:
29 |       - terraform init
30 | 
31 |   build:
32 |     commands:
33 |       - terraform $TF_COMMAND -auto-approve
34 | 
35 |   post_build:
36 |     commands:
37 |       - echo terraform $TF_COMMAND completed on `date`


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | 
18 | ## Specifies the Region your Terraform Provider will server
19 | provider "aws" {
20 |   region = "us-east-1"
21 | }
22 | ## Specifies the S3 Bucket and DynamoDB table used for the durable backend and state locking
23 | 
24 | terraform {
25 |     backend "s3" {
26 |       encrypt = true
27 |       bucket = "my_s3_bucket_name"
28 |       dynamodb_table = "my_dynamo_table_name"
29 |       key = "path/path/terraform.tfstate"
30 |       region = "us-east-1"
31 |   }
32 | }


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | 
18 | #################################
19 | ## waf-conditions.tf Variables ##
20 | #################################
21 | variable "AWS_Security_Blog_Blacklist_IPSet_Name" {
22 |   default = "devsecopsblacklistipset"
23 | }
24 | variable "AWS_Security_Blog_SQLI_Match_Set_Name" {
25 |   default = "devsecopssqlimatchset"
26 | }
27 | 
28 | ############################
29 | ## waf-rules.tf Variables ##
30 | ############################
31 | variable "AWS_Security_Blog_IP_Blacklist_Rule_Name" {
32 |   default = "devsecopsblacklistrule"
33 | }
34 | variable "AWS_Security_Blog_SQL_Injection_Rule_Name" {
35 |   default = "devsecopssqlirule"
36 | }
37 | variable "AWS_Security_Blog_Blacklist_WACL_Name" {
38 |   default = "devsecopswebacl"
39 | }


--------------------------------------------------------------------------------
/waf-conditions.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | 
18 | ## Creates a WAF IP Set to be used as a Blacklist for a WAF Rule to add to the Web ACL
19 | ## Value can be replaced with a Variable or a Static Value of an EIP within the customer VPC
20 | ## to test functionality of the WAF blocking access via IP
21 | resource "aws_waf_ipset" "AWS_Security_Blog_Blacklist_IPSet" {
22 |   name = "${var.AWS_Security_Blog_Blacklist_IPSet_Name}"
23 |   ip_set_descriptors {
24 |     type  = "IPV4"
25 |     value = "10.0.0.99/32"
26 |   }
27 | }
28 | ## Creates SQL Injection match condition with multiple filters based on AWS best practices
29 | ## reccomendations from the Mitigated OWASP Top 10 with AWS WAF White Paper
30 | resource "aws_waf_sql_injection_match_set" "AWS_Security_Blog_SQLI_Match_Set" {
31 |   name = "${var.AWS_Security_Blog_SQLI_Match_Set_Name}"
32 |   sql_injection_match_tuples {
33 |     text_transformation = "HTML_ENTITY_DECODE"
34 |     field_to_match {
35 |       type = "QUERY_STRING"
36 |     }
37 |   }
38 |   sql_injection_match_tuples {
39 |     text_transformation = "URL_DECODE"
40 |     field_to_match {
41 |       type = "QUERY_STRING"
42 |     }
43 |   }
44 |   sql_injection_match_tuples {
45 |     text_transformation = "HTML_ENTITY_DECODE"
46 |     field_to_match {
47 |       type = "URI"
48 |     }
49 |   }
50 |   sql_injection_match_tuples {
51 |     text_transformation = "URL_DECODE"
52 |     field_to_match {
53 |       type = "URI"
54 |     }
55 |   }
56 |   sql_injection_match_tuples {
57 |     text_transformation = "HTML_ENTITY_DECODE"
58 |     field_to_match {
59 |       type = "BODY"
60 |     }
61 |   }
62 |   sql_injection_match_tuples {
63 |     text_transformation = "URL_DECODE"
64 |     field_to_match {
65 |       type = "BODY"
66 |     }
67 |   }  
68 |   sql_injection_match_tuples {
69 |     text_transformation = "HTML_ENTITY_DECODE"
70 |     field_to_match {
71 |       type = "HEADER"
72 |       data = "Cookie"
73 |     }
74 |   }
75 |   sql_injection_match_tuples {
76 |     text_transformation = "URL_DECODE"
77 |     field_to_match {
78 |       type = "HEADER"
79 |       data = "Cookie"
80 |     }
81 |   }
82 |   sql_injection_match_tuples {
83 |     text_transformation = "HTML_ENTITY_DECODE"
84 |     field_to_match {
85 |       type = "HEADER"
86 |       data = "Authorization"
87 |     }
88 |   }
89 |   sql_injection_match_tuples {
90 |     text_transformation = "URL_DECODE"
91 |     field_to_match {
92 |       type = "HEADER"
93 |       data = "Authorization"
94 |     }
95 |   }
96 | }


--------------------------------------------------------------------------------
/waf-rules.tf:
--------------------------------------------------------------------------------
 1 |  # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 |  # SPDX-License-Identifier: MIT-0
 3 |  #
 4 |  # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 5 |  # software and associated documentation files (the "Software"), to deal in the Software
 6 |  # without restriction, including without limitation the rights to use, copy, modify,
 7 |  # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 8 |  # permit persons to whom the Software is furnished to do so.
 9 |  #
10 |  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
11 |  # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
12 |  # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
13 |  # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
14 |  # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
15 |  # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
16 | 
17 | 
18 | ## Creates an AWS WAF Rule to Blacklist the IP Address specified in the IPSet Condition
19 | resource "aws_waf_rule" "AWS_Security_Blog_IP_Blacklist_Rule" {
20 |   name        = "${var.AWS_Security_Blog_IP_Blacklist_Rule_Name}"
21 |   metric_name = "${var.AWS_Security_Blog_IP_Blacklist_Rule_Name}"
22 |   predicates {
23 |     data_id = "${aws_waf_ipset.AWS_Security_Blog_Blacklist_IPSet.id}"
24 |     negated = false
25 |     type    = "IPMatch"
26 |   }
27 | }
28 | ## Creates an AWS WAF Rule matched against Conditions listed in the SQL Injection Condition Match Set
29 | resource "aws_waf_rule" "AWS_Security_Blog_SQL_Injection_Rule" {
30 |   name        = "${var.AWS_Security_Blog_SQL_Injection_Rule_Name}"
31 |   metric_name = "${var.AWS_Security_Blog_SQL_Injection_Rule_Name}"
32 |   predicates{
33 |     data_id = "${aws_waf_sql_injection_match_set.AWS_Security_Blog_SQLI_Match_Set.id}"
34 |     negated = false
35 |     type = "SqlInjectionMatch"
36 |   }
37 | }
38 | ## Creates an AWS WAF Web ACL that will Block traffic originiating from the Blacklist, as well as block traffic
39 | ## that matches any SQL Injection methods. Logs are sent to a Kinesis Data Firehose for further processing and investigation
40 | resource "aws_waf_web_acl" "AWS_Security_Blog_Blacklist_WACL" {
41 |   name        = "${var.AWS_Security_Blog_Blacklist_WACL_Name}"
42 |   metric_name = "${var.AWS_Security_Blog_Blacklist_WACL_Name}"
43 |   default_action {
44 |     type = "ALLOW"
45 |   }
46 |   rules {
47 |     action {
48 |       type = "BLOCK"
49 |     }
50 |     priority = 1
51 |     rule_id  = "${aws_waf_rule.AWS_Security_Blog_SQL_Injection_Rule.id}"
52 |     type     = "REGULAR"
53 |   }
54 |   rules {
55 |     action {
56 |       type = "BLOCK"
57 |     }
58 |     priority = 2
59 |     rule_id  = "${aws_waf_rule.AWS_Security_Blog_IP_Blacklist_Rule.id}"
60 |     type     = "REGULAR"
61 |   }
62 | }


--------------------------------------------------------------------------------