├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── main.tf
└── modules
    ├── hardening-global
        ├── cloudtrail.tf
        ├── config.tf
        ├── flowlogs.tf
        ├── main.tf
        ├── outputs.tf
        ├── password.tf
        └── variables.tf
    └── hardening-region
        ├── config.tf
        ├── flowlogs.tf
        ├── main.tf
        ├── outputs.tf
        ├── variables.tf
        └── vpc.tf


/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform
2 | *.tfstate
3 | *.tfstate.backup
4 | *.tfvars
5 | 
6 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contributing
2 | 
3 | All contributions and suggestions are welcome!
4 | 
5 | * If you want to report a bug, or suggest a feature, please go to the GitHub "Issues" page.
6 | * If you want to contribute to the codebase, feel free to open a Pull Request.


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2019 Kiratech SpA
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy
 4 | of this software and associated documentation files (the "Software"), to deal
 5 | in the Software without restriction, including without limitation the rights
 6 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 7 | copies of the Software, and to permit persons to whom the Software is
 8 | furnished to do so, subject to the following conditions:
 9 | 
10 | The above copyright notice and this permission notice shall be included in
11 | all copies or substantial portions of the Software.
12 | 
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
19 | THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-aws-hardening
 2 | 
 3 | This repository contains a Terraform module providing a secure baseline for a newly created [Amazon Web Services](https://aws.amazon.com) account. AWS accounts default settings are more oriented towards easiness of use rather than applying the recommended secure best practices. `terraform-aws-hardening` is implemented as a set of Terraform configurations applying the best practices to all AWS regions.
 4 | 
 5 | **Make sure to use it only on accounts not containing any user-created resource (servers, databases, VPCs, etc.) as it has been tested only on newly created accounts**
 6 | 
 7 | The tool is heavily inspired by the [AWS Benchmarks - CIS Amazon Web Services Foundations v1.2.0](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) and by the automated tool [CloudSploit](https://cloudsploit.com/). However, this tool does not guarantee a full compliance for an existing account: it operates only on newly created accounts by providing saner defaults. Again: do not use it on accounts that are not brand new (i.e., not containing user-created objects or data).
 8 | 
 9 | As today, applying this tool gets you a 100% green score on CloudSploit for a newly created AWS account.
10 | 
11 | ## Features
12 | This is the list of features provided by this module. When applicable, the relevant CIS Benchmark section is provided. Some of the features are not included in the [AWS free tier](https://aws.amazon.com/free/).
13 | 
14 | * Identity and Access Management
15 |     * Ensure credentials unused for 90 days or greater are disabled (`CIS 1.3`)
16 |     * Ensure IAM password policy requires at least one uppercase letter (`CIS 1.5`)
17 |     * Ensure IAM password policy require at least one lowercase letter (`CIS 1.6`)
18 |     * Ensure IAM password policy require at least one symbol (`CIS 1.7`)
19 |     * Ensure IAM password policy require at least one number (`CIS 1.8`)
20 |     * Ensure IAM password policy requires minimum length of 14 or greater (`CIS 1.9`)
21 |     * Ensure IAM password policy prevents password reuse (`CIS 1.10`)
22 |     * Ensure IAM password policy expires passwords within 90 days or less (`CIS 1.11`)
23 | * Logging
24 |     * Ensure CloudTrail is enabled in all regions (`CIS 2.1`)
25 |     * Ensure CloudTrail log file validation is enabled (`CIS 2.2`)
26 |     * Ensure the S3 bucket CloudTrail logs to is not publicly accessible (`CIS 2.3`)
27 |     * Ensure CloudTrail trails are integrated with CloudWatch Logs (`CIS 2.4`)
28 |     * Ensure AWS Config is enabled in all regions (`CIS 2.5`)
29 |     * Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (`CIS 2.6`)
30 |     * Ensure CloudTrail logs are encrypted at rest using KMS CMKs (`CIS 2.7`)
31 |     * Ensure rotation for customer created CMKs is enabled (`CIS 2.8`)
32 |     * Ensure VPC flow logging is enabled in all VPCs (`CIS 2.9`) *Only for the default VPC on each supported region*
33 | * Networking
34 |     * Ensure the default security group of every VPC restricts all traffic (`CIS 4.3`) *Only for the default VPC on each supported region*
35 | 
36 | ## How it works
37 | 
38 | ### Requirements
39 | * [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.11
40 | 
41 | ### Usage
42 | Copy and paste into your Terraform configuration, and run `terraform init`:
43 | ```
44 | module "aws-hardening" {
45 |   source = "github.com/kiratech/terraform-aws-hardening"
46 | }
47 | ```
48 | 
49 | ## Contributing
50 | Contributions are very welcome! Check out the [Guidelines](CONTRIBUTING.md) for instructions.
51 | 
52 | ## License
53 | This project is licensed under the terms of the **MIT** license. Check out the full license [here](LICENSE).
54 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | ## Global account hardening
  2 | module "aws-global" {
  3 |   aws_region = "us-east-1"
  4 |   source     = "modules/hardening-global"
  5 | }
  6 | 
  7 | ## Region-specific hardening
  8 | ## List taken from: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
  9 | 
 10 | module "aws-us-east-2" {
 11 |   aws_region            = "us-east-2"
 12 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 13 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 14 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 15 |   source                = "modules/hardening-region"
 16 | }
 17 | 
 18 | module "aws-us-east-1" {
 19 |   aws_region            = "us-east-1"
 20 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 21 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 22 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 23 |   source                = "modules/hardening-region"
 24 | }
 25 | 
 26 | module "aws-us-west-1" {
 27 |   aws_region            = "us-west-1"
 28 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 29 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 30 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 31 |   source                = "modules/hardening-region"
 32 | }
 33 | 
 34 | module "aws-us-west-2" {
 35 |   aws_region            = "us-west-2"
 36 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 37 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 38 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 39 |   source                = "modules/hardening-region"
 40 | }
 41 | 
 42 | module "aws-ap-south-1" {
 43 |   aws_region            = "ap-south-1"
 44 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 45 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 46 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 47 |   source                = "modules/hardening-region"
 48 | }
 49 | 
 50 | module "aws-ap-northeast-2" {
 51 |   aws_region            = "ap-northeast-2"
 52 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 53 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 54 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 55 |   source                = "modules/hardening-region"
 56 | }
 57 | 
 58 | module "aws-ap-southeast-1" {
 59 |   aws_region            = "ap-southeast-1"
 60 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 61 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 62 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 63 |   source                = "modules/hardening-region"
 64 | }
 65 | 
 66 | module "aws-ap-southeast-2" {
 67 |   aws_region            = "ap-southeast-2"
 68 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 69 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 70 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 71 |   source                = "modules/hardening-region"
 72 | }
 73 | 
 74 | module "aws-ap-northeast-1" {
 75 |   aws_region            = "ap-northeast-1"
 76 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 77 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 78 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 79 |   source                = "modules/hardening-region"
 80 | }
 81 | 
 82 | module "aws-ca-central-1" {
 83 |   aws_region            = "ca-central-1"
 84 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 85 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 86 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 87 |   source                = "modules/hardening-region"
 88 | }
 89 | 
 90 | module "aws-eu-central-1" {
 91 |   aws_region            = "eu-central-1"
 92 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
 93 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
 94 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
 95 |   source                = "modules/hardening-region"
 96 | }
 97 | 
 98 | module "aws-eu-west-1" {
 99 |   aws_region            = "eu-west-1"
100 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
101 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
102 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
103 |   source                = "modules/hardening-region"
104 | }
105 | 
106 | module "aws-eu-west-2" {
107 |   aws_region            = "eu-west-2"
108 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
109 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
110 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
111 |   source                = "modules/hardening-region"
112 | }
113 | 
114 | module "aws-eu-west-3" {
115 |   aws_region            = "eu-west-3"
116 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
117 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
118 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
119 |   source                = "modules/hardening-region"
120 | }
121 | 
122 | module "aws-eu-north-1" {
123 |   aws_region            = "eu-north-1"
124 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
125 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
126 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
127 |   source                = "modules/hardening-region"
128 | }
129 | 
130 | module "aws-sa-east-1" {
131 |   aws_region            = "sa-east-1"
132 |   aws_config_bucket     = "${module.aws-global.aws_config_bucket}"
133 |   aws_config_role_arn   = "${module.aws-global.aws_config_role_arn}"
134 |   aws_flowlogs_role_arn = "${module.aws-global.aws_flowlogs_role_arn}"
135 |   source                = "modules/hardening-region"
136 | }
137 | 
138 | #module "aws-ap-northeast-3" {
139 | #    aws_region = "ap-northeast-3"
140 | #    source = "hardening-region"
141 | #}
142 | 
143 | 


--------------------------------------------------------------------------------
/modules/hardening-global/cloudtrail.tf:
--------------------------------------------------------------------------------
  1 | # Bucket for CloudTrail storage
  2 | resource "aws_s3_bucket" "cloudtrail" {
  3 |   bucket = "cloudtrail-${data.aws_caller_identity.current.account_id}"
  4 | 
  5 |   logging {
  6 |     target_bucket = "${aws_s3_bucket.cloudtrail_logging.id}"
  7 |     target_prefix = "cloudtrail/"
  8 |   }
  9 | 
 10 |   versioning {
 11 |     enabled = true
 12 |   }
 13 | }
 14 | 
 15 | # Bucket for Cloudtrail storage logging
 16 | resource "aws_s3_bucket" "cloudtrail_logging" {
 17 |   bucket = "cloudtrail-logging-${data.aws_caller_identity.current.account_id}"
 18 |   acl    = "log-delivery-write"
 19 | 
 20 |   versioning {
 21 |     enabled = true
 22 |   }
 23 | }
 24 | 
 25 | # Cloudtrail bucket policy
 26 | resource "aws_s3_bucket_policy" "cloudtrail" {
 27 |   bucket = "${aws_s3_bucket.cloudtrail.id}"
 28 | 
 29 |   policy = <<POLICY
 30 | {
 31 |     "Version": "2012-10-17",
 32 |     "Statement": [
 33 |         {
 34 |             "Sid": "AWSCloudTrailWrite",
 35 |             "Effect": "Allow",
 36 |             "Principal": {
 37 |               "Service": "cloudtrail.amazonaws.com"
 38 |             },
 39 |             "Action": "s3:PutObject",
 40 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail.id}/*",
 41 |             "Condition": {
 42 |               "StringEquals": {
 43 |                 "s3:x-amz-acl": "bucket-owner-full-control"
 44 |               }
 45 |             }
 46 |         },
 47 |         {
 48 |             "Sid": "AWSCloudTrailAclCheck",
 49 |             "Effect": "Allow",
 50 |             "Principal": {
 51 |               "Service": "cloudtrail.amazonaws.com"
 52 |             },
 53 |             "Action": "s3:GetBucketAcl",
 54 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail.id}"
 55 |         }
 56 |     ]
 57 | }
 58 | POLICY
 59 | }
 60 | 
 61 | # CloudWatch Log group for CloudTrail
 62 | resource "aws_cloudwatch_log_group" "cloudtrail" {
 63 |   name              = "cloudtrail/default"
 64 |   retention_in_days = 365
 65 | }
 66 | 
 67 | # IAM role for CloudTrail -> CloudWatch
 68 | resource "aws_iam_role" "cloudtrail_cloudwatch" {
 69 |   name = "cloudtrail_cloudwatch"
 70 | 
 71 |   assume_role_policy = <<EOF
 72 | {
 73 |     "Version": "2012-10-17",
 74 |     "Statement":[
 75 |         {
 76 |             "Sid": "",
 77 |             "Effect": "Allow",
 78 |             "Principal": {
 79 |                 "Service": "cloudtrail.amazonaws.com"
 80 |             },
 81 |             "Action": "sts:AssumeRole"
 82 |         }
 83 |     ]
 84 | }
 85 | EOF
 86 | }
 87 | 
 88 | resource "aws_iam_policy" "cloudtrail_cloudwatch" {
 89 |   name = "cloudtrail_cloudwatch"
 90 |   path = "/"
 91 | 
 92 |   policy = <<EOF
 93 | {
 94 |     "Version": "2012-10-17",
 95 |     "Statement": [
 96 |         {
 97 |             "Sid": "AWSCloudTrailCreateLogStream20141101",
 98 |             "Effect": "Allow",
 99 |             "Action": [
100 |                 "logs:CreateLogStream"
101 |             ],
102 |             "Resource": [
103 |                 "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:${data.aws_caller_identity.current.account_id}_CloudTrail_us-east-1*"
104 |             ]
105 |         },
106 |         {
107 |             "Sid": "AWSCloudTrailPutLogEvents20141101",
108 |             "Effect": "Allow",
109 |             "Action": [
110 |                 "logs:PutLogEvents"
111 |             ],
112 |             "Resource": [
113 |                 "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:${data.aws_caller_identity.current.account_id}_CloudTrail_us-east-1*"
114 |             ]
115 |         }
116 |     ]
117 | }
118 | EOF
119 | }
120 | 
121 | resource "aws_iam_role_policy_attachment" "cloudtrail_cloudwatch" {
122 |   role       = "${aws_iam_role.cloudtrail_cloudwatch.name}"
123 |   policy_arn = "${aws_iam_policy.cloudtrail_cloudwatch.arn}"
124 | }
125 | 
126 | resource "aws_cloudtrail" "default" {
127 |   name                          = "default-trail"
128 |   s3_bucket_name                = "${aws_s3_bucket.cloudtrail.id}"
129 |   s3_key_prefix                 = "default"
130 |   enable_logging                = true
131 |   include_global_service_events = true
132 |   is_multi_region_trail         = true
133 |   enable_log_file_validation    = true
134 |   cloud_watch_logs_role_arn     = "${aws_iam_role.cloudtrail_cloudwatch.arn}"
135 |   cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail.arn}"
136 |   kms_key_id                    = "${aws_kms_key.cloudtrail.arn}"
137 | }
138 | 
139 | # KMS key for CloudTrail log encryption
140 | resource "aws_kms_key" "cloudtrail" {
141 |   description             = "CloudTrail KMS key"
142 |   deletion_window_in_days = 30
143 |   enable_key_rotation     = true
144 | 
145 |   policy = <<EOF
146 | {
147 |     "Version": "2012-10-17",
148 |     "Id": "CloudTrail KMS Key Policy",
149 |     "Statement": [
150 |         {
151 |             "Sid": "Enable IAM User Permissions",
152 |             "Effect": "Allow",
153 |             "Principal": {"AWS": [
154 |                 "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
155 |             ]},
156 |             "Action": "kms:*",
157 |             "Resource": "*"
158 |         },
159 |         {
160 |             "Sid": "Allow CloudTrail to encrypt logs",
161 |             "Effect": "Allow",
162 |             "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
163 |             "Action": "kms:GenerateDataKey*",
164 |             "Resource": "*",
165 |             "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"}}
166 |         },
167 |         {
168 |             "Sid": "Allow CloudTrail to describe key",
169 |             "Effect": "Allow",
170 |             "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
171 |             "Action": "kms:DescribeKey",
172 |             "Resource": "*"
173 |         },
174 |         {
175 |             "Sid": "Allow principals in the account to decrypt log files",
176 |             "Effect": "Allow",
177 |             "Principal": {"AWS": "*"},
178 |             "Action": [
179 |                 "kms:Decrypt",
180 |                 "kms:ReEncryptFrom"
181 |             ],
182 |             "Resource": "*",
183 |             "Condition": {
184 |                 "StringEquals": {"kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"},
185 |                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"}
186 |             }
187 |         },
188 |         {
189 |             "Sid": "Allow alias creation during setup",
190 |             "Effect": "Allow",
191 |             "Principal": {"AWS": "*"},
192 |             "Action": "kms:CreateAlias",
193 |             "Resource": "*",
194 |             "Condition": {"StringEquals": {
195 |                 "kms:ViaService": "ec2.region.amazonaws.com",
196 |                 "kms:CallerAccount": "${data.aws_caller_identity.current.account_id}"
197 |             }}
198 |         }
199 |     ]
200 | }
201 | EOF
202 | }
203 | 
204 | resource "aws_kms_alias" "cloudtrail" {
205 |   name          = "alias/cloudtrail"
206 |   target_key_id = "${aws_kms_key.cloudtrail.key_id}"
207 | }
208 | 


--------------------------------------------------------------------------------
/modules/hardening-global/config.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "aws_config" {
 2 |   bucket = "aws-config-${data.aws_caller_identity.current.account_id}"
 3 | 
 4 |   versioning {
 5 |     enabled = true
 6 |   }
 7 | }
 8 | 
 9 | resource "aws_iam_role" "aws_config" {
10 |   name = "aws-config"
11 | 
12 |   assume_role_policy = <<POLICY
13 | {
14 |   "Version": "2012-10-17",
15 |   "Statement": [
16 |     {
17 |       "Action": "sts:AssumeRole",
18 |       "Principal": {
19 |         "Service": "config.amazonaws.com"
20 |       },
21 |       "Effect": "Allow",
22 |       "Sid": ""
23 |     }
24 |   ]
25 | }
26 | POLICY
27 | }
28 | 
29 | resource "aws_iam_role_policy" "aws_config" {
30 |   name = "aws-config-delivery"
31 |   role = "${aws_iam_role.aws_config.id}"
32 | 
33 |   policy = <<POLICY
34 | {
35 |   "Version": "2012-10-17",
36 |   "Statement": [
37 |     {
38 |       "Action": [
39 |         "s3:*"
40 |       ],
41 |       "Effect": "Allow",
42 |       "Resource": [
43 |         "${aws_s3_bucket.aws_config.arn}",
44 |         "${aws_s3_bucket.aws_config.arn}/*"
45 |       ]
46 |     }
47 |   ]
48 | }
49 | POLICY
50 | }
51 | 
52 | resource "aws_iam_role_policy_attachment" "aws_config" {
53 |   role       = "${aws_iam_role.aws_config.name}"
54 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
55 | }
56 | 


--------------------------------------------------------------------------------
/modules/hardening-global/flowlogs.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "flowlogs" {
 2 |   name = "flowlog"
 3 | 
 4 |   assume_role_policy = <<EOF
 5 | {
 6 |   "Version": "2012-10-17",
 7 |   "Statement": [
 8 |     {
 9 |       "Sid": "",
10 |       "Effect": "Allow",
11 |       "Principal": {
12 |         "Service": "vpc-flow-logs.amazonaws.com"
13 |       },
14 |       "Action": "sts:AssumeRole"
15 |     }
16 |   ]
17 | }
18 | EOF
19 | }
20 | 
21 | resource "aws_iam_role_policy" "flowlogs" {
22 |   name = "flowlogs-policy"
23 |   role = "${aws_iam_role.flowlogs.id}"
24 | 
25 |   policy = <<EOF
26 | {
27 |   "Version": "2012-10-17",
28 |   "Statement": [
29 |     {
30 |       "Action": [
31 |         "logs:CreateLogGroup",
32 |         "logs:CreateLogStream",
33 |         "logs:PutLogEvents",
34 |         "logs:DescribeLogGroups",
35 |         "logs:DescribeLogStreams"
36 |       ],
37 |       "Effect": "Allow",
38 |       "Resource": "*"
39 |     }
40 |   ]
41 | }
42 | EOF
43 | }
44 | 


--------------------------------------------------------------------------------
/modules/hardening-global/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = ">= 0.11"
 3 | }
 4 | 
 5 | data "aws_caller_identity" "current" {}
 6 | 
 7 | provider "aws" {
 8 |   region  = "${var.aws_region}"
 9 |   version = "~> 1.58.0"
10 | }
11 | 


--------------------------------------------------------------------------------
/modules/hardening-global/outputs.tf:
--------------------------------------------------------------------------------
 1 | output aws_config_bucket {
 2 |   value       = "${aws_s3_bucket.aws_config.bucket}"
 3 |   description = "The name of the S3 bucket used as AWS Config storage"
 4 | }
 5 | 
 6 | output aws_config_role_arn {
 7 |   value       = "${aws_iam_role.aws_config.arn}"
 8 |   description = "The ARN of the AWS Config role"
 9 | }
10 | 
11 | output aws_flowlogs_role_arn {
12 |   value       = "${aws_iam_role.flowlogs.arn}"
13 |   description = "The ARN of the VPC FlowLogs role"
14 | }
15 | 


--------------------------------------------------------------------------------
/modules/hardening-global/password.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_account_password_policy" "strict" {
 2 |   allow_users_to_change_password = true
 3 |   require_uppercase_characters   = true
 4 |   require_lowercase_characters   = true
 5 |   require_symbols                = true
 6 |   require_numbers                = true
 7 |   minimum_password_length        = 14
 8 |   password_reuse_prevention      = 24
 9 |   max_password_age               = 90
10 |   hard_expiry                    = true
11 | }
12 | 


--------------------------------------------------------------------------------
/modules/hardening-global/variables.tf:
--------------------------------------------------------------------------------
1 | variable "aws_region" {
2 |     type = "string"
3 |     default = "us-east-1"
4 |     description = "The name of the AWS region"
5 | }
6 | 


--------------------------------------------------------------------------------
/modules/hardening-region/config.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_config_delivery_channel" "default" {
 2 |   name           = "default"
 3 |   depends_on     = ["aws_config_configuration_recorder.default"]
 4 |   s3_bucket_name = "${var.aws_config_bucket}"
 5 |   s3_key_prefix  = "config"
 6 | }
 7 | 
 8 | resource "aws_config_configuration_recorder" "default" {
 9 |   name     = "default"
10 |   role_arn = "${var.aws_config_role_arn}"
11 | 
12 |   # Includes global resources (on a single region Config object)
13 |   recording_group {
14 |     include_global_resource_types = "${var.aws_region == "us-east-1" ? true : false }"
15 |     all_supported                 = true
16 |   }
17 | }
18 | 
19 | resource "aws_config_configuration_recorder_status" "default" {
20 |   name       = "${aws_config_configuration_recorder.default.name}"
21 |   is_enabled = true
22 |   depends_on = ["aws_config_delivery_channel.default"]
23 | }
24 | 


--------------------------------------------------------------------------------
/modules/hardening-region/flowlogs.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_flow_log" "default" {
 2 |   log_destination = "${aws_cloudwatch_log_group.flowlogs_default.arn}"
 3 |   iam_role_arn    = "${var.aws_flowlogs_role_arn}"
 4 |   vpc_id          = "${aws_default_vpc.default.id}"
 5 |   traffic_type    = "REJECT"
 6 | }
 7 | 
 8 | resource "aws_cloudwatch_log_group" "flowlogs_default" {
 9 |   name              = "default-vpc-flowlogs"
10 |   retention_in_days = 365
11 | }
12 | 


--------------------------------------------------------------------------------
/modules/hardening-region/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = ">= 0.11"
 3 | }
 4 | 
 5 | data "aws_caller_identity" "current" {}
 6 | 
 7 | provider "aws" {
 8 |   region  = "${var.aws_region}"
 9 |   version = "~> 1.58.0"
10 | }
11 | 


--------------------------------------------------------------------------------
/modules/hardening-region/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kiratech/terraform-aws-hardening/a9c0ae57e79febb1095ad1d9dadcf5c4bc290418/modules/hardening-region/outputs.tf


--------------------------------------------------------------------------------
/modules/hardening-region/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "aws_region" {
 2 |   type        = "string"
 3 |   description = "The name of the AWS region"
 4 | }
 5 | 
 6 | variable "aws_config_bucket" {
 7 |   type        = "string"
 8 |   description = "The name of the S3 bucket used as AWS Config storage"
 9 | }
10 | 
11 | variable "aws_config_role_arn" {
12 |   type        = "string"
13 |   description = "The ARN of the AWS Config role"
14 | }
15 | 
16 | variable "aws_flowlogs_role_arn" {
17 |   type        = "string"
18 |   description = "The ARN of the VPC FlowLogs role"
19 | }
20 | 


--------------------------------------------------------------------------------
/modules/hardening-region/vpc.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_default_vpc" "default" {
 2 |   tags {
 3 |     Name = "Default VPC"
 4 |   }
 5 | }
 6 | 
 7 | # When Terraform adopts a security group, it removes all ingress and egress rules
 8 | # This is consistent with the security best-practics of removing AWS default ingress and egress rules
 9 | resource "aws_default_security_group" "default" {
10 |   vpc_id = "${aws_default_vpc.default.id}"
11 | }
12 | 


--------------------------------------------------------------------------------