Skip to content

aws-ia/terraform-aws-security-hub

Repository files navigation

Terraform Module for AWS Security Hub

Terraform module that creates AWS Security Hub resources.

Usage

Standalone

module "security_hub" {
  source = "../../../"

  enable_default_standards  = false
  control_finding_generator = "STANDARD_CONTROL"
  auto_enable_controls      = true

  product_config = [{
    enable = true
    arn    = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
  }]

  standards_config = {
    aws_foundational_security_best_practices = {
      enable = true
      status = "ENABLED"
    }
    cis_aws_foundations_benchmark_v120 = {
      enable = false
    }
    cis_aws_foundations_benchmark_v140 = {
      enable = true
      status = "ENABLED"
    }
    nist_sp_800_53_rev5 = {
      enable = false
    }
    pci_dss = {
      enable = false
    }
  }

  action_target = [{
    name        = "Send to Amazon SNS"
    identifier  = "SendToSNS"
    description = "This is a custom action to send findings to SNS Topic"
  }]

}

resource "aws_securityhub_standards_control" "ensure_iam_password_policy_prevents_password_reuse" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/cis-aws-foundations-benchmark/v/1.4.0/1.10"
  control_status        = "DISABLED"
  disabled_reason       = "Password policies are managed by external resource"

  depends_on = [module.security_hub]
}

resource "aws_securityhub_insight" "this" {
  filters {
    created_at {
      date_range {
        unit  = "DAYS"
        value = 7
      }
    }
    network_source_ipv4 {
      cidr = "10.0.0.0/16"
    }
    criticality {
      gte = "80"
    }
    resource_tags {
      comparison = "EQUALS"
      key        = "Environment"
      value      = "Development"
    }
  }

  group_by_attribute = "AwsAccountId"

  name = "insight"

  depends_on = [module.standalone_security_hub]
}

Organizations

module "delegated_admin" {
  source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_admin/"

  admin_account_id      = data.aws_caller_identity.current.account_id
  auto_enable_standards = "DEFAULT"

  depends_on = [module.security_hub]
}

module "member_account" {
  source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_member/"

  providers = {
    aws        = aws
    aws.member = aws.member
  }

  member_config = [{
    account_id = "281190191734"
    email      = "[email protected]"
    invite     = false
  }]

  depends_on = [module.security_hub]
}

module "security_hub" {
  source = "aws-ia/terraform-aws-security-hub"

  enable_default_standards  = false
  control_finding_generator = "STANDARD_CONTROL"
  auto_enable_controls      = true

  product_config = [{
    enable = true
    arn    = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
  }]

  standards_config = {
    aws_foundational_security_best_practices = {
      enable = true
      status = "ENABLED"
    }
    cis_aws_foundations_benchmark_v120 = {
      enable = false
    }
    cis_aws_foundations_benchmark_v140 = {
      enable = true
      status = "ENABLED"
    }
    nist_sp_800_53_rev5 = {
      enable = false
    }
    pci_dss = {
      enable = false
    }
  }

  action_target = [{
    name        = "Send to Amazon SNS"
    identifier  = "SendToSNS"
    description = "This is a custom action to send findings to SNS Topic"
  }]
}

resource "aws_securityhub_insight" "this" {
  filters {
    aws_account_id {
      comparison = "EQUALS"
      value      = "123456789012"
    }
    aws_account_id {
      comparison = "EQUALS"
      value      = "098765432109"
    }
    created_at {
      date_range {
        unit  = "DAYS"
        value = 7
      }
    }
    network_source_ipv4 {
      cidr = "10.0.0.0/16"
    }
    criticality {
      gte = "80"
    }
    resource_tags {
      comparison = "EQUALS"
      key        = "Environment"
      value      = "Development"
    }
  }

  group_by_attribute = "AwsAccountId"

  name = "insight-per-account-id"

  depends_on = [module.security_hub]
}

Overview Diagrams

Standalone

standalone-diagram

Organizations

organizations-diagram

Terraform Module

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.47
time >= 0.9

Providers

Name Version
aws >= 4.47
time >= 0.9

Modules

No modules.

Resources

Name Type
aws_securityhub_account.this resource
aws_securityhub_action_target.this resource
aws_securityhub_finding_aggregator.this resource
aws_securityhub_product_subscription.this resource
aws_securityhub_standards_subscription.this resource
time_sleep.wait_securityhub_enable resource
aws_region.current data source

Inputs

Name Description Type Default Required
action_target Creates Security Hub custom action.
name - The description for the custom action target.
identifier - The ID for the custom action target.
description - The name of the custom action target.
list(object({
name = string
identifier = string
description = string
}))
[] no
auto_enable_controls Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to true, and new controls are enabled automatically. To not automatically enable new controls, set this to false. bool true no
control_finding_generator Updates whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. For accounts that are part of an organization, this value can only be updated in the administrator account. string "STANDARD_CONTROL" no
enable_default_standards Whether to enable the security standards that Security Hub has designated as automatically enabled including: AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0. Defaults to true. bool true no
linking_mode Indicates whether to aggregate findings from all of the available Regions or from a specified list. The options are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS. When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security Hub will automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. string "ALL_REGIONS" no
product_config The ARN of the product that generates findings that you want to import into Security Hub.
list(object({
enable = bool
arn = string
}))
null no
specified_regions List of regions to include or exclude (required if linking_mode is set to ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS) list(string) null no
standards_config aws_foundational_security_best_practices - AWS Foundational Security Best Practices
cis_aws_foundations_benchmark_v120 - CIS AWS Foundations Benchmark v1.2.0
cis_aws_foundations_benchmark_v140 - CIS AWS Foundations Benchmark v1.4.0
nist_sp_800_53_rev5 - NIST SP 800-53 Rev. 5
pci_dss - PCI DSS
object({
aws_foundational_security_best_practices = object({
enable = bool
status = optional(string)
disabled_reason = optional(string)
})
cis_aws_foundations_benchmark_v120 = object({
enable = bool
status = optional(string)
disabled_reason = optional(string)
})
cis_aws_foundations_benchmark_v140 = object({
enable = bool
status = optional(string)
disabled_reason = optional(string)
})
nist_sp_800_53_rev5 = object({
enable = bool
status = optional(string)
disabled_reason = optional(string)
})
pci_dss = object({
enable = bool
status = optional(string)
disabled_reason = optional(string)
})
})
{
"aws_foundational_security_best_practices": {
"enable": true,
"status": "ENABLED"
},
"cis_aws_foundations_benchmark_v120": {
"enable": true,
"status": "ENABLED"
},
"cis_aws_foundations_benchmark_v140": {
"enable": false
},
"nist_sp_800_53_rev5": {
"enable": false
},
"pci_dss": {
"enable": false
}
}
no

Outputs

Name Description
action_target Security Hub custome action targets.
finding_aggregator Security Hub finding aggregator configuration.
product_subscription Security Hub products subscriptions.
securityhub_account Security Hub AWS account configuration.
standards_subscription Security Hub compliance standards subscriptions.