

Move Security Hub Configuration to Central
Johan Steenhoven authored and Johan Steenhoven committed Dec 17, 2024
1 parent f35143f commit 3f1d890
Showing 3 changed files with 40 additions and 55 deletions.
9 changes: 9 additions & 0 deletions UPGRADING.md
Expand Up @@ -2,6 +2,15 @@

This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.

## Upgrading to v4.1.0

### Behaviour

This version changes the detault [Security Hub configuration to Central](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). You can change this behaviour by setting `var.aws_security_hub.organization_configuration_type` to `LOCAL`.

This version enables Security Hub Findings Aggregation for all regions. You can change this behauviour by setting `var.aws_security_hub.aggregator_linking_mode` to `ALL_REGIONS_EXCEPT_SPECIFIED` or `SPECIFIED_REGIONS` and providing the list of regions via `var.aws_security_hub.aggregator_specified_regions`


## Upgrading to v4.0.0

> [!WARNING]
59 changes: 24 additions & 35 deletions security_hub.tf
Expand Up @@ -23,14 +23,6 @@ resource "aws_securityhub_member" "management" {
}
}

resource "aws_securityhub_standards_subscription" "management" {
for_each = toset(local.security_hub_standards_arns)

standards_arn = each.value

depends_on = [aws_securityhub_account.default]
}

// AWS Security Hub - Audit account configuration and enrollment
resource "aws_securityhub_account" "default" {
provider = aws.audit
Expand All @@ -41,33 +33,16 @@ resource "aws_securityhub_account" "default" {
resource "aws_securityhub_organization_configuration" "default" {
provider = aws.audit

auto_enable = var.aws_security_hub.auto_enable_new_accounts
auto_enable_standards = var.aws_security_hub.auto_enable_default_standards ? "DEFAULT" : "NONE"
auto_enable = false
auto_enable_standards = "NONE"

organization_configuration {
configuration_type = var.aws_security_hub.organization_configuration_type
configuration_type = "CENTRAL"
}

depends_on = [aws_securityhub_organization_admin_account.default, aws_securityhub_finding_aggregator.default]
}

resource "aws_securityhub_product_subscription" "default" {
for_each = toset(var.aws_security_hub.product_arns)
provider = aws.audit

product_arn = each.value

depends_on = [aws_securityhub_account.default]
}

resource "aws_securityhub_standards_subscription" "default" {
for_each = toset(local.security_hub_standards_arns)
provider = aws.audit

standards_arn = each.value

depends_on = [aws_securityhub_account.default]
}

resource "aws_cloudwatch_event_rule" "security_hub_findings" {
provider = aws.audit
Expand Down Expand Up @@ -130,13 +105,6 @@ resource "aws_securityhub_member" "logging" {
depends_on = [aws_securityhub_organization_configuration.default]
}

resource "aws_securityhub_standards_subscription" "logging" {
for_each = toset(local.security_hub_standards_arns)
provider = aws.logging

standards_arn = each.value
depends_on = [aws_securityhub_account.default]
}

resource "aws_securityhub_finding_aggregator" "default" {
provider = aws.audit
Expand All @@ -146,3 +114,24 @@ resource "aws_securityhub_finding_aggregator" "default" {

depends_on = [aws_securityhub_account.default]
}

resource "aws_securityhub_configuration_policy" "default" {
name = "mcaf-lz"
description = "MCAF Landing Zone default configuration policy"

configuration_policy {
service_enabled = true
enabled_standard_arns = local.security_hub_standards_arns

security_controls_configuration {
disabled_control_identifiers = []
}
}

depends_on = [aws_securityhub_organization_configuration.default]
}

resource "aws_securityhub_configuration_policy_association" "root" {
target_id = data.aws_organizations_organization.default.id
policy_id = aws_securityhub_configuration_policy.default.id
}
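Review bot: The new `aws_securityhub_configuration_policy` "default" and `aws_securityhub_configuration_policy_association` "root" resources in the last hunk carry no `provider` argument, while every other audit-account Security Hub resource in this file (`aws_securityhub_organization_configuration.default`, `aws_securityhub_finding_aggregator.default`) is created with `provider = aws.audit`. Only the delegated administrator can create and associate central configuration policies, so unless the module's default provider already targets the audit account these two resources will be created in the wrong account; adding `provider = aws.audit` to both keeps them consistent with the organization configuration they depend on. The line counts of the second hunk (33 old lines, 16 new) also suggest the `aws_securityhub_product_subscription` "default" resource is removed, yet `var.aws_security_hub.product_arns` is retained in variables.tf; if the product subscriptions are intentionally gone, the variable should be dropped too, otherwise the subscriptions need to be recreated in the audit account. A comment above the policy such as `# Central configuration: standards and controls for all member accounts are managed through this policy, not per account` would explain why the per-account standards subscriptions were deleted.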
27 changes: 7 additions & 20 deletions variables.tf
Expand Up @@ -151,16 +151,13 @@ variable "aws_required_tags" {

variable "aws_security_hub" {
type = object({
aggregator_linking_mode = optional(string, "ALL_REGIONS")
aggregator_specified_regions = optional(list(string), null)
auto_enable_controls = optional(bool, true)
auto_enable_default_standards = optional(bool, false)
auto_enable_new_accounts = optional(bool, true)
control_finding_generator = optional(string, "SECURITY_CONTROL")
create_cis_metric_filters = optional(bool, true)
organization_configuration_type = optional(string, "LOCAL")
product_arns = optional(list(string), [])
standards_arns = optional(list(string), null)
aggregator_linking_mode = optional(string, "ALL_REGIONS")
aggregator_specified_regions = optional(list(string), null)
auto_enable_controls = optional(bool, true)
control_finding_generator = optional(string, "SECURITY_CONTROL")
create_cis_metric_filters = optional(bool, true)
product_arns = optional(list(string), [])
standards_arns = optional(list(string), null)
})
default = {}
description = "AWS Security Hub settings"
Expand All @@ -169,16 +166,6 @@ variable "aws_security_hub" {
condition = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.aws_security_hub.control_finding_generator)
error_message = "The \"control_finding_generator\" variable must be set to either \"SECURITY_CONTROL\" or \"STANDARD_CONTROL\"."
}

validation {
condition = contains(["LOCAL", "CENTRAL"], var.aws_security_hub.organization_configuration_type)
error_message = "Invalid var.aws_security_hub.organization_configuration_type: Must be one of \"LOCAL\" or \"CENTRAL\"."
}

validation {
condition = var.aws_security_hub.organization_configuration_type == "LOCAL" || (var.aws_security_hub.auto_enable_new_accounts == false && var.aws_security_hub.auto_enable_default_standards == false)
error_message = "If var.aws_security_hub.organization_configuration_type is \"CENTRAL\", var.aws_security_hub.auto_enable_new_accounts` must be \"False\" and var.aws_security_hub.auto_enable_default_standards must be \"False\"."
}
}

variable "aws_security_hub_sns_subscription" {
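Review bot: The `organization_configuration_type`, `auto_enable_new_accounts` and `auto_enable_default_standards` attributes and their two validation blocks are removed from `variable "aws_security_hub"`, but the UPGRADING.md entry added in this same commit tells users to set `var.aws_security_hub.organization_configuration_type` to `LOCAL` to keep the previous behaviour; a caller following that note passes an attribute the object type no longer declares and the plan is rejected. Either the upgrade note should say that central configuration is now mandatory, or the attribute and its `contains(["LOCAL", "CENTRAL"], …)` validation should be kept. The `description = "AWS Security Hub settings"` would also benefit from stating that Security Hub is now configured centrally from the delegated administrator account and which of the remaining attributes still apply per account.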

