Merge pull request #15 from logicly-au/master

Add support for Resource Tagging, NIST and newer versions of CIS
DNXLabs · Jul 25, 2024 · 6cc6fad · 6cc6fad
2 parents e90365c + 7069ae7
commit 6cc6fad
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -37,8 +37,11 @@ The following resources will be created:
 | members | List of member AWS accounts as [{account\_id: '9999', email: '[email protected]'}, {...}] } | `list(any)` | `[]` | no |
 | severity\_list | n/a | `list(any)` | <pre>[<br>  "HIGH",<br>  "CRITICAL"<br>]</pre> | no |
 | subscription\_cis | Enables CIS Foundations Benchmark Standards subscription | `bool` | `false` | no |
+| subscription\_cis\_version | The version of the CIS AWS Foundations Benchmark to subscribe to | `string` | `"3.0.0"` | no |
 | subscription\_foundational | Enables AWS Foundational Security Best Practices subscription | `bool` | `false` | no |
+| subscription\_nist | Enables AWS NIST SP 800-53 subscription | `bool` | `false` | no |
 | subscription\_pci | Enables PCI-DSS Standards subscription | `bool` | `false` | no |
+| subscription\_resource\_tagging | Enables AWS Resource Tagging Standard subscription | `bool` | `false` | no |
 
 ## Outputs
 

diff --git a/_variables.tf b/_variables.tf
@@ -10,12 +10,31 @@ variable "subscription_cis" {
   description = "Enables CIS Foundations Benchmark Standards subscription"
 }
 
+variable "subscription_cis_version" {
+  type        = string
+  nullable    = false
+  default     = "3.0.0"
+  description = "The version of the CIS AWS Foundations Benchmark to subscribe to"
+}
+
 variable "subscription_foundational" {
   type        = bool
   default     = false
   description = "Enables AWS Foundational Security Best Practices subscription"
 }
 
+variable "subscription_resource_tagging" {
+  type        = bool
+  default     = false
+  description = "Enables AWS Resource Tagging Standard subscription"
+}
+
+variable "subscription_nist" {
+  type        = bool
+  default     = false
+  description = "Enables AWS NIST SP 800-53 subscription"
+}
+
 variable "severity_list" {
   type    = list(any)
   default = ["HIGH", "CRITICAL"]

diff --git a/securityhub.tf b/securityhub.tf
@@ -8,9 +8,13 @@ resource "aws_securityhub_standards_subscription" "pci" {
 }
 
 resource "aws_securityhub_standards_subscription" "cis" {
-  count         = var.subscription_cis ? 1 : 0
-  depends_on    = [aws_securityhub_account.default]
-  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+  count      = var.subscription_cis ? 1 : 0
+  depends_on = [aws_securityhub_account.default]
+  standards_arn = (
+    var.subscription_cis_version == "1.2.0"
+    ? "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+    : "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/${var.subscription_cis_version}"
+  )
 }
 
 resource "aws_securityhub_standards_subscription" "foundational" {
@@ -19,6 +23,18 @@ resource "aws_securityhub_standards_subscription" "foundational" {
   standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
 }
 
+resource "aws_securityhub_standards_subscription" "resource_tagging" {
+  count         = var.subscription_resource_tagging ? 1 : 0
+  depends_on    = [aws_securityhub_account.default]
+  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-resource-tagging-standard/v/1.0.0"
+}
+
+resource "aws_securityhub_standards_subscription" "nist" {
+  count         = var.subscription_nist ? 1 : 0
+  depends_on    = [aws_securityhub_account.default]
+  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"
+}
+
 resource "aws_securityhub_member" "members" {
   for_each   = { for member in var.members : member.account_id => member }
   depends_on = [aws_securityhub_account.default]