- Enable VPC Flow Logs for the default VPC in all regions.
- Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
- Disable automatic public IP assignments in default subnets.
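As an added example (not the module's own code), this is what the three steps above look like as plain Terraform resources for a single region; the module is applied once per region with a region-specific `aws` provider. The resource labels, the region, and the Name tags are assumptions for illustration.

```hcl
# Added example, not the module's code: locks down the default VPC of one region.

terraform {
  required_version = ">= 1.1.4"
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 4.3" }
  }
}

provider "aws" {
  region = "us-east-1"   # assumed region; repeat per region with provider aliases
}

# Adopt the region's default VPC into state so its defaults can be managed.
resource "aws_default_vpc" "this" {
  tags = { Name = "default" }
}

# Managing the default security group with no ingress/egress blocks removes
# every rule it has: anything left in it can no longer send or receive traffic.
resource "aws_default_security_group" "this" {
  vpc_id = aws_default_vpc.this.id
  tags   = { Name = "default-locked-down" }
}

# Same pattern for the default network ACL: no rule blocks leaves only the
# implicit deny in both directions. Subnet associations are left untouched;
# the goal is removing rules, not re-homing subnets.
resource "aws_default_network_acl" "this" {
  default_network_acl_id = aws_default_vpc.this.default_network_acl_id
  tags                   = { Name = "default-locked-down" }

  lifecycle {
    ignore_changes = [subnet_ids]
  }
}

# Default route table with no route blocks: the route to the internet gateway
# is removed; the VPC-local route is implicit and stays.
resource "aws_default_route_table" "this" {
  default_route_table_id = aws_default_vpc.this.default_route_table_id
  tags                   = { Name = "default-locked-down" }
}

# Find the existing default subnets (one per Availability Zone) via data
# sources, so the for_each keys are known at plan time.
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
  filter {
    name   = "default-for-az"
    values = ["true"]
  }
}

data "aws_subnet" "default" {
  for_each = toset(data.aws_subnets.default.ids)
  id       = each.value
}

# Adopt each default subnet and turn off automatic public IPv4 assignment so
# instances launched without an explicit choice are not exposed by accident.
resource "aws_default_subnet" "this" {
  for_each          = data.aws_subnet.default
  availability_zone = each.value.availability_zone

  map_public_ip_on_launch = false
  tags                    = { Name = "default-${each.value.availability_zone}" }
}
```

Design note: the `aws_default_*` resources adopt existing objects rather than creating new ones, and on first apply they remove any rules or routes not declared in the configuration; a `terraform plan` before applying shows exactly which rules will disappear, which is the review step worth keeping in a change process.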
| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| aws | >= 4.3 |
| Name | Version |
|---|---|
| aws | >= 4.3 |
| Name | Description | Type | Required |
|---|---|---|---|
| enable_flow_logs | Whether to enable VPC Flow Logs in the default VPC. | bool | no |
| flow_logs_destination_type | The type of the logging destination. Valid values: cloud-watch-logs, s3. | string | no |
| flow_logs_iam_role_arn | The ARN of the IAM role used by VPC Flow Logs if flow_logs_destination_type is cloud-watch-logs. | string | no |
| flow_logs_log_group_name | The name of the CloudWatch Logs log group to which VPC Flow Logs are delivered if flow_logs_destination_type is cloud-watch-logs. | string | no |
| flow_logs_retention_in_days | Number of days to retain logs if flow_logs_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number | no |
| flow_logs_s3_arn | The ARN of the S3 bucket to which VPC Flow Logs are delivered if flow_logs_destination_type is s3. | string | no |
| flow_logs_s3_key_prefix | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | string | no |
| tags | A map of tag keys and values applied to all resources created by this module. | map(string) | no |
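The CloudWatch Logs destination needs an IAM role that the VPC Flow Logs service can assume, and the module takes that role's ARN as input rather than creating it. As an added example (not the module's own code), this shows the least-privilege role, the log group name and the 365-day retention passed through the inputs listed above, applied to two regions. The module source address, the role and log group names, the provider aliases and the regions are assumptions; only the input names come from the table.

```hcl
# Added example, not the module's code. Input names match the table above;
# everything else (names, regions, module source) is an assumption.

provider "aws" {
  region = "us-east-1"   # default provider, used for the global IAM resources
}

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

locals {
  flow_logs_group = "/aws/vpc/default-vpc-flow-logs"   # assumed log group name
}

# Trust policy: only the VPC Flow Logs service may assume this role.
data "aws_iam_policy_document" "flow_logs_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "default-vpc-flow-logs"   # assumed role name
  assume_role_policy = data.aws_iam_policy_document.flow_logs_trust.json
}

# Least privilege: write actions are scoped to the log group the module will
# create under flow_logs_log_group_name (any region, hence the wildcards);
# the read-only Describe calls are metadata lookups and use "*".
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:log-group:${local.flow_logs_group}:*"]
  }
  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

# One module call per region: the module acts on the default VPC of the region
# its aws provider points at. The same role ARN is reused in every region.
module "default_vpc_us_east_1" {
  source    = "PATH-OR-REGISTRY-ADDRESS-OF-THIS-MODULE"   # placeholder
  providers = { aws = aws.us_east_1 }

  enable_flow_logs            = true
  flow_logs_destination_type  = "cloud-watch-logs"
  flow_logs_iam_role_arn      = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name    = local.flow_logs_group
  flow_logs_retention_in_days = 365   # CIS recommendation from the table above

  tags = { ManagedBy = "terraform", Purpose = "cis-default-vpc" }
}

module "default_vpc_eu_west_1" {
  source    = "PATH-OR-REGISTRY-ADDRESS-OF-THIS-MODULE"   # placeholder
  providers = { aws = aws.eu_west_1 }

  enable_flow_logs            = true
  flow_logs_destination_type  = "cloud-watch-logs"
  flow_logs_iam_role_arn      = aws_iam_role.flow_logs.arn
  flow_logs_log_group_name    = local.flow_logs_group
  flow_logs_retention_in_days = 365

  tags = { ManagedBy = "terraform", Purpose = "cis-default-vpc" }
}
```

With `flow_logs_destination_type = "s3"` the role is not needed; `flow_logs_s3_arn` and `flow_logs_s3_key_prefix` take its place, and retention is then governed by the bucket's lifecycle rules rather than `flow_logs_retention_in_days`.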
| Name | Description |
|---|---|
| default_network_acl | The default network ACL. |
| default_route_table | The default route table. |
| default_security_group | The default security group. |
| default_vpc | The default VPC. |
| vpc_flow_logs_group | The CloudWatch Logs log group which stores VPC Flow Logs. |