Skip to content

in4it/terraform-aws-cis-controls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
alerting.tf
alerting.tf
 
 
cloudtrail.tf
cloudtrail.tf
 
 
config.tf
config.tf
 
 
output.tf
output.tf
 
 
password_policy.tf
password_policy.tf
 
 
s3.tf
s3.tf
 
 
variables.tf
variables.tf
 
 
version.tf
version.tf
 
 

Repository files navigation

terraform-aws-cis-controls

AWS CIS Controls module for terraform

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html

Controls covered:

  • 1.1 Avoid the use of the "root" account
  • 1.5 Ensure IAM password policy requires at least one uppercase letter
  • 1.6 Ensure IAM password policy requires at least one lowercase letter
  • 1.7 Ensure IAM password policy requires at least one symbol
  • 1.8 Ensure IAM password policy requires at least one number
  • 1.9 Ensure IAM password policy requires a minimum length of 14 or greater 1.9
  • 1.10 Ensure IAM password policy prevents password reuse
  • 1.11 Ensure IAM password policy expires passwords within 90 days or less
  • 2.1 Ensure CloudTrail is enabled in all Regions
  • 2.2 Ensure CloudTrail log file validation is enabled
  • 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible
  • 2.4 Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
  • 2.5 Ensure AWS Config is enabled
  • 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • 2.7 Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs
  • 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
  • 3.2 Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
  • 3.3 Ensure a log metric filter and alarm exist for usage of "root" account
  • 3.4 Ensure a log metric filter and alarm exist for IAM policy changes
  • 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
  • 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
  • 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
  • 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
  • 3.10 Ensure a log metric filter and alarm exist for security group changes
  • 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
  • 3.12 Ensure a log metric filter and alarm exist for changes to network gateways
  • 3.13 Ensure a log metric filter and alarm exist for route table changes
  • 3.14 Ensure a log metric filter and alarm exist for VPC changes

Inputs

Name Description Type Default Required
sns_arn CIS notifications SNS arn string "individual" yes
s3_enabled Enable S3 Bucket setup for audit logs and CloudTrail "true" no
audit_log_bucket_custom_policy_json Override policy for the audit log bucket. string "" no
config_enabled Enable AWS config setup string "true" no
include_global_resource_types AWS Config include global resource types string "true" no
cloudtrail_log_group_name CloudTrail LogGroup name string "" yes
cloudtrail_event_selector_type CloudTrail event selector string "ALL" no
aws_account_id AWS account ID string "" yes
region AWS Region string "" yes
cloudtrail_kms_policy Override policy for the CloudTrail KMS string "" no
alerting_enabled Enable CloudWatch alarms string "true" no
alarm_namespace CloudWatch alarm namespace string "CISBenchmark" no

About

AWS CIS Controls module for terraform

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

10 stars

Watchers

5 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages