
terraform-aws-arc-security


Overview

The SourceFuse AWS Reference Architecture (ARC) Terraform module streamlines the management of Security Hub components, enhancing security posture and compliance for AWS environments. This module offers simplified configuration and deployment for Security Hub, optimizing resource allocation and threat detection capabilities.

For more information about this repository and its usage, please see Terraform AWS ARC GitHub SECURITY Module Usage Guide.

Usage

To see a full example, check out the main.tf file in the example folder.

module "cloud_security" {
  source      = "sourcefuse/arc-security/aws"
  version     = "1.0.2"
  region      = var.region
  environment = var.environment
  namespace   = var.namespace

  enable_inspector    = true
  enable_aws_config   = true
  enable_guard_duty   = true
  enable_security_hub = false

  create_config_iam_role = true

  aws_config_sns_subscribers   = local.aws_config_sns_subscribers
  guard_duty_sns_subscribers   = local.guard_duty_sns_subscribers
  security_hub_sns_subscribers = local.security_hub_sns_subscribers

  aws_config_managed_rules       = var.aws_config_managed_rules
  enabled_security_hub_standards = local.security_hub_standards

  create_inspector_iam_role               = var.create_inspector_iam_role
  inspector_enabled_rules                 = var.inspector_enabled_rules
  inspector_schedule_expression           = var.inspector_schedule_expression
  inspector_assessment_event_subscription = var.inspector_assessment_event_subscription

  tags = module.tags.tags
}

Requirements

Name       Version
terraform  ~> 1.5
aws        >= 5.0

Providers

Name  Version
aws   5.46.0

Modules

Name                     Source                          Version
aws_config_storage       cloudposse/config-storage/aws   1.0.0
config                   cloudposse/config/aws           1.1.0
guard_duty               cloudposse/guardduty/aws        0.5.0
guard_duty_sns_topic     cloudposse/sns-topic/aws        0.20.1
inspector                ./modules/inspector             n/a
security_hub             cloudposse/security-hub/aws     0.12.0
securityhub_sns_kms_key  cloudposse/kms-key/aws          0.12.2
securityhub_sns_topic    cloudposse/sns-topic/aws        0.21.0
sns_guard_duty           cloudposse/sns-topic/aws        0.21.0

Resources

Name                                                        Type
aws_cloudwatch_event_rule.guard_duty_findings               resource
aws_cloudwatch_event_rule.imported_findings                 resource
aws_cloudwatch_event_target.guard_duty_imported_findings    resource
aws_cloudwatch_event_target.security_hub_imported_findings  resource
aws_kms_alias.this                                          resource
aws_kms_key.this                                            resource
aws_sns_topic_policy.sns_topic_guard_duty                   resource
aws_caller_identity.current                                 data source
aws_iam_policy_document.guard_duty_sns_topic_policy         data source
aws_iam_policy_document.securityhub_sns_kms_key_policy      data source
aws_iam_session_context.current                             data source
aws_partition.current                                       data source
aws_region.current                                          data source

Inputs

Each input is listed with its type, default and whether it is required.

aws_config_managed_rules
    Type: map(object({ description = string, identifier = string, input_parameters = any, tags = map(string), enabled = bool }))
    Default: {}   Required: no
    A list of AWS Managed Rules that should be enabled on the account. See the following for a list of possible rules to enable:
    https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html

aws_config_sns_subscribers
    Type: map(object({ protocol = string, endpoint = string, endpoint_auto_confirms = bool, raw_message_delivery = bool }))
    Default: n/a   Required: yes
    A map of subscription configurations for SNS topics. For more information, see:
    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference
    protocol: The protocol to use. The possible values are sqs, sms, lambda and application (http or https are partially supported, see link; email is an option but is unsupported in Terraform, see link).
    endpoint: The endpoint to send data to; the contents vary with the protocol (see link for more information).
    endpoint_auto_confirms: Boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false.
    raw_message_delivery: Boolean indicating whether to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false.

create_config_iam_role
    Type: bool   Default: false   Required: no
    Flag to indicate whether an IAM role should be created for AWS Config.

enable_aws_config
    Type: bool   Default: true   Required: no
    Whether to enable AWS Config.

enable_guard_duty
    Type: bool   Default: true   Required: no
    Whether to enable GuardDuty.

enable_inspector
    Type: bool   Default: true   Required: no
    Whether to enable Inspector.

enable_inspector_at_orgnanization
    Type: bool   Default: false   Required: no
    Whether to enable Inspector at the organization level; if false, inspector_account_list should be provided.

enable_security_hub
    Type: bool   Default: true   Required: no
    Whether to enable Security Hub.

enabled_security_hub_standards
    Type: list(any)   Default: n/a   Required: yes
    A list of standards/rulesets to enable. See
    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription#argument-reference
    The possible values are:
    - standards/aws-foundational-security-best-practices/v/1.0.0
    - ruleset/cis-aws-foundations-benchmark/v/1.2.0
    - standards/pci-dss/v/3.2.1

environment
    Type: string   Default: n/a   Required: yes
    ID element. Usually used for region, e.g. 'uw2', 'us-west-2', OR role, e.g. 'prod', 'staging', 'dev', 'UAT'.

force_destroy
    Type: bool   Default: false   Required: no
    (Optional, Default: false) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.

guard_duty_s3_protection_enabled
    Type: bool   Default: false   Required: no
    Flag to indicate whether S3 protection will be turned on in GuardDuty.

guard_duty_sns_subscribers
    Type: map(object({ protocol = string, endpoint = string, endpoint_auto_confirms = bool, raw_message_delivery = bool }))
    Default: null   Required: no
    A map of subscription configurations for SNS topics, with the same object shape and field semantics as aws_config_sns_subscribers (see that entry and the linked sns_topic_subscription argument reference).

inspector_account_list
    Type: list(string)   Default: n/a   Required: yes
    List of accounts for which Inspector has to be enabled.

inspector_resource_types
    Type: list(string)   Default: ["EC2", "ECR"]   Required: no
    Type of resources to scan. Valid values are EC2, ECR, LAMBDA and LAMBDA_CODE. At least one item is required.

inspector_schedule_expression
    Type: string   Default: "rate(7 days)"   Required: no
    AWS Schedule Expression to indicate how often the Inspector scheduled event should run.

inspector_sns_subscribers
    Type: map(object({ protocol = string, endpoint = string, endpoint_auto_confirms = bool, raw_message_delivery = bool }))
    Default: null   Required: no
    A map of subscription configurations for SNS topics, with the same object shape and field semantics as aws_config_sns_subscribers (see that entry and the linked sns_topic_subscription argument reference).

namespace
    Type: string   Default: n/a   Required: yes
    Namespace for the resources.

region
    Type: string   Default: "us-east-1"   Required: no
    AWS region.

security_hub_sns_subscribers
    Type: map(object({ protocol = string, endpoint = string, endpoint_auto_confirms = bool, raw_message_delivery = bool }))
    Default: null   Required: no
    A map of subscription configurations for SNS topics, with the same object shape and field semantics as aws_config_sns_subscribers (see that entry and the linked sns_topic_subscription argument reference).

tags
    Type: map(string)   Default: n/a   Required: yes
    Tags for AWS resources.
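The Usage block references local.aws_config_sns_subscribers, local.guard_duty_sns_subscribers, local.security_hub_sns_subscribers and local.security_hub_standards without showing them. The following is an added example, not part of this README or of the SourceFuse module code, that fills those locals in (plus an aws_config_managed_rules map) with values shaped to the input types documented above. Every account id, ARN, URL, tag and rule selection is a constructed placeholder; the Config rule identifiers (IAM_PASSWORD_POLICY, ACCESS_KEYS_ROTATED, ROOT_ACCOUNT_MFA_ENABLED) are names from the AWS managed-rules list linked under aws_config_managed_rules.

```hcl
# Added example, not from the module's README or the SourceFuse code base.
# Fills in the local.* values the Usage block references, matching the input
# types documented in the Inputs section. All ids, ARNs and URLs are
# constructed placeholders.

locals {
  # One subscription map per topic; the map key is only a label. The Inputs
  # section notes that the email protocol is unsupported in Terraform, so
  # these examples use sqs, lambda and https instead.
  aws_config_sns_subscribers = {
    config_findings_queue = {
      protocol               = "sqs"
      endpoint               = "arn:aws:sqs:us-east-1:111122223333:config-findings" # placeholder ARN
      endpoint_auto_confirms = false
      raw_message_delivery   = true # queue consumers receive the finding JSON unwrapped
    }
  }

  guard_duty_sns_subscribers = {
    guardduty_notifier = {
      protocol               = "lambda"
      endpoint               = "arn:aws:lambda:us-east-1:111122223333:function:guardduty-notify" # placeholder ARN
      endpoint_auto_confirms = false
      raw_message_delivery   = false
    }
  }

  security_hub_sns_subscribers = {
    securityhub_webhook = {
      protocol               = "https"
      endpoint               = "https://events.example.com/securityhub" # placeholder URL
      endpoint_auto_confirms = true # receiver confirms the subscription itself, as a PagerDuty-style endpoint does
      raw_message_delivery   = false
    }
  }

  # Two of the three standards enumerated under enabled_security_hub_standards.
  security_hub_standards = [
    "standards/aws-foundational-security-best-practices/v/1.0.0",
    "ruleset/cis-aws-foundations-benchmark/v/1.2.0",
  ]

  # Managed rules keyed by a local name. input_parameters is typed any;
  # tomap() keeps every entry a map(string) so all map elements share one
  # type, and rules without parameters get an empty map.
  aws_config_managed_rules = {
    iam_password_policy = {
      description = "Account password policy meets the baseline (constructed values)"
      identifier  = "IAM_PASSWORD_POLICY"
      input_parameters = tomap({
        MinimumPasswordLength   = "14"
        PasswordReusePrevention = "24"
        MaxPasswordAge          = "90"
      })
      tags    = { owner = "security" } # placeholder tag
      enabled = true
    }
    access_keys_rotated = {
      description      = "IAM access keys older than 90 days are non-compliant"
      identifier       = "ACCESS_KEYS_ROTATED"
      input_parameters = tomap({ maxAccessKeyAge = "90" })
      tags             = { owner = "security" } # placeholder tag
      enabled          = true
    }
    root_mfa = {
      description      = "Root user has MFA enabled"
      identifier       = "ROOT_ACCOUNT_MFA_ENABLED"
      input_parameters = tomap({})
      tags             = { owner = "security" } # placeholder tag
      enabled          = true
    }
  }
}
```

With these locals in place, the module call from the Usage block can pass local.aws_config_managed_rules directly instead of var.aws_config_managed_rules, or the same map can be fed through a variable declared with the documented map(object({...})) type. Note that the Usage block sets enable_security_hub = false, so the Security Hub subscribers and standards are only relevant once that flag is set to true.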

Outputs

Name                                   Description
aws_config_configuration_recorder_id   The ID of the AWS Config Recorder
aws_config_iam_role                    IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account.
aws_config_sns_topic                   SNS topic
aws_config_sns_topic_subscriptions     SNS topic subscriptions
guard_duty_detector                    GuardDuty detector
guard_duty_sns_topic                   SNS topic
guard_duty_sns_topic_subscriptions     SNS topic subscriptions
inspector_aws_cloudwatch_event_rule    The AWS Inspector event rule
inspector_aws_cloudwatch_event_target  The AWS Inspector event target
security_hub_enabled_subscriptions     A list of subscriptions that have been enabled
security_hub_sns_topic                 The SNS topic that was created
security_hub_sns_topic_subscriptions   The SNS topic that was created

Git commits

When contributing or making a git commit, specify in your commit message which kind of version bump the change is: #major, #minor or #patch.

For example:

git commit -m "your commit message #major"

The tag bumps the version accordingly; if you do not specify one in your commit message, the change is treated as a patch by default and the patch version is bumped.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Tests

  • Tests are available in the test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
    go get github.com/gruntwork-io/terratest/modules/terraform
    
  • Now execute the test
    go test -timeout 30m
    

Authors

This project is authored by SourceFuse.