diff --git a/UPGRADING.md b/UPGRADING.md
index 79fa1f8..74325bd 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -2,6 +2,15 @@
 
 This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
 
+## Upgrading to v4.1.0
+
+### Behaviour
+
+This version changes the detault [Security Hub configuration to Central](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). You can change this behaviour by setting `var.aws_security_hub.organization_configuration_type` to `LOCAL`.
+
+This version enables Security Hub Findings Aggregation for all regions. You can change this behauviour by setting `var.aws_security_hub.aggregator_linking_mode` to `ALL_REGIONS_EXCEPT_SPECIFIED` or `SPECIFIED_REGIONS` and providing the list of regions via `var.aws_security_hub.aggregator_specified_regions`
+
+
 ## Upgrading to v4.0.0
 
 > [!WARNING]
diff --git a/security_hub.tf b/security_hub.tf
index 023927d..5b92370 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -23,14 +23,6 @@ resource "aws_securityhub_member" "management" {
   }
 }
 
-resource "aws_securityhub_standards_subscription" "management" {
-  for_each = toset(local.security_hub_standards_arns)
-
-  standards_arn = each.value
-
-  depends_on = [aws_securityhub_account.default]
-}
-
 // AWS Security Hub - Audit account configuration and enrollment
 resource "aws_securityhub_account" "default" {
   provider = aws.audit
@@ -41,33 +33,16 @@ resource "aws_securityhub_account" "default" {
 resource "aws_securityhub_organization_configuration" "default" {
   provider = aws.audit
 
-  auto_enable           = var.aws_security_hub.auto_enable_new_accounts
-  auto_enable_standards = var.aws_security_hub.auto_enable_default_standards ? "DEFAULT" : "NONE"
+  auto_enable           = false
+  auto_enable_standards = "NONE"
 
   organization_configuration {
-    configuration_type = var.aws_security_hub.organization_configuration_type
+    configuration_type = "CENTRAL"
   }
 
   depends_on = [aws_securityhub_organization_admin_account.default, aws_securityhub_finding_aggregator.default]
 }
 
-resource "aws_securityhub_product_subscription" "default" {
-  for_each = toset(var.aws_security_hub.product_arns)
-  provider = aws.audit
-
-  product_arn = each.value
-
-  depends_on = [aws_securityhub_account.default]
-}
-
-resource "aws_securityhub_standards_subscription" "default" {
-  for_each = toset(local.security_hub_standards_arns)
-  provider = aws.audit
-
-  standards_arn = each.value
-
-  depends_on = [aws_securityhub_account.default]
-}
 
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
   provider = aws.audit
@@ -130,13 +105,6 @@ resource "aws_securityhub_member" "logging" {
   depends_on = [aws_securityhub_organization_configuration.default]
 }
 
-resource "aws_securityhub_standards_subscription" "logging" {
-  for_each = toset(local.security_hub_standards_arns)
-  provider = aws.logging
-
-  standards_arn = each.value
-  depends_on = [aws_securityhub_account.default]
-}
 
 resource "aws_securityhub_finding_aggregator" "default" {
   provider = aws.audit
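Review bot: `var.aws_security_hub.product_arns` loses its only visible consumer when `aws_securityhub_product_subscription.default` is deleted in this hunk, yet the attribute survives in variables.tf with its `[]` default, so any third-party product integrations an operator enabled through it silently stop being subscribed on upgrade — product subscriptions are not something a configuration policy carries, so either keep the resource or drop the attribute and call the removal out in UPGRADING.md. In the same hunk `configuration_type = "CENTRAL"` is now hard-coded while the UPGRADING.md text added by this commit tells users they can set `organization_configuration_type` to `LOCAL`; one of the two has to change, and a short comment such as `# Central configuration requires auto_enable = false and auto_enable_standards = "NONE"; standards are pushed via aws_securityhub_configuration_policy instead` would explain why the two auto_enable inputs were removed. I cannot see whether `product_arns` is referenced elsewhere in the module, so verify before deleting it. The `aws_cloudwatch_event_rule.security_hub_findings` resource at the end of the hunk continues outside it.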
@@ -146,3 +114,24 @@ resource "aws_securityhub_finding_aggregator" "default" {
 
   depends_on = [aws_securityhub_account.default]
 }
+
+resource "aws_securityhub_configuration_policy" "default" {
+  name        = "mcaf-lz"
+  description = "MCAF Landing Zone default configuration policy"
+
+  configuration_policy {
+    service_enabled       = true
+    enabled_standard_arns = local.security_hub_standards_arns
+
+    security_controls_configuration {
+      disabled_control_identifiers = []
+    }
+  }
+
+  depends_on = [aws_securityhub_organization_configuration.default]
+}
+
+resource "aws_securityhub_configuration_policy_association" "root" {
+  target_id = data.aws_organizations_organization.default.id
+  policy_id = aws_securityhub_configuration_policy.default.id
+}
diff --git a/variables.tf b/variables.tf
index 3ce407c..eb41d90 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,16 +151,13 @@ variable "aws_required_tags" {
 
 variable "aws_security_hub" {
   type = object({
-    aggregator_linking_mode         = optional(string, "ALL_REGIONS")
-    aggregator_specified_regions    = optional(list(string), null)
-    auto_enable_controls            = optional(bool, true)
-    auto_enable_default_standards   = optional(bool, false)
-    auto_enable_new_accounts        = optional(bool, true)
-    control_finding_generator       = optional(string, "SECURITY_CONTROL")
-    create_cis_metric_filters       = optional(bool, true)
-    organization_configuration_type = optional(string, "LOCAL")
-    product_arns                    = optional(list(string), [])
-    standards_arns                  = optional(list(string), null)
+    aggregator_linking_mode      = optional(string, "ALL_REGIONS")
+    aggregator_specified_regions = optional(list(string), null)
+    auto_enable_controls         = optional(bool, true)
+    control_finding_generator    = optional(string, "SECURITY_CONTROL")
+    create_cis_metric_filters    = optional(bool, true)
+    product_arns                 = optional(list(string), [])
+    standards_arns               = optional(list(string), null)
   })
   default     = {}
   description = "AWS Security Hub settings"
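Review bot: Neither `aws_securityhub_configuration_policy.default` nor `aws_securityhub_configuration_policy_association.root` sets a `provider`, while every other delegated-administrator Security Hub resource in this file — including `aws_securityhub_finding_aggregator.default` at the top of the hunk and the `aws_securityhub_organization_configuration.default` this policy depends on — uses `provider = aws.audit`. Configuration policies and their associations can only be managed from the delegated administrator account, so with the default provider these calls run against whatever account the root provider targets and will fail there (or land in the wrong account if that one happens to be an admin). Add `provider = aws.audit` to both resources, directly under the `resource` line as the rest of the file does. Separately, `disabled_control_identifiers = []` enables every control in the listed standards, and `var.aws_security_hub.auto_enable_controls` still exists in variables.tf but is not wired into this policy and its consumer is not visible to me — under central configuration the policy, not the account setting, decides, so confirm that input is not now dead.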
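Review bot: Dropping `organization_configuration_type` from the object type contradicts the UPGRADING.md text added in this same commit, which tells operators they can opt back into `LOCAL` by setting `var.aws_security_hub.organization_configuration_type`; with the attribute gone, anyone following that note gets an unsupported-attribute error at plan time. Either reinstate the attribute together with the `contains(["LOCAL", "CENTRAL"], …)` validation that the next hunk removes, or rewrite the upgrade note to state that central configuration is now mandatory and list `auto_enable_new_accounts`, `auto_enable_default_standards` and `organization_configuration_type` as removed inputs. The description `"AWS Security Hub settings"` would also benefit from a sentence saying that standards are now applied organization-wide through a central configuration policy rather than per account, since that is the behavioural change a caller of this variable needs to know.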
@@ -169,16 +166,6 @@ variable "aws_security_hub" {
     condition     = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.aws_security_hub.control_finding_generator)
     error_message = "The \"control_finding_generator\" variable must be set to either \"SECURITY_CONTROL\" or \"STANDARD_CONTROL\"."
   }
-
-  validation {
-    condition     = contains(["LOCAL", "CENTRAL"], var.aws_security_hub.organization_configuration_type)
-    error_message = "Invalid var.aws_security_hub.organization_configuration_type: Must be one of \"LOCAL\" or \"CENTRAL\"."
-  }
-
-  validation {
-    condition     = var.aws_security_hub.organization_configuration_type == "LOCAL" || (var.aws_security_hub.auto_enable_new_accounts == false && var.aws_security_hub.auto_enable_default_standards == false)
-    error_message = "If var.aws_security_hub.organization_configuration_type is \"CENTRAL\", var.aws_security_hub.auto_enable_new_accounts` must be \"False\" and var.aws_security_hub.auto_enable_default_standards must be \"False\"."
-  }
 }
 
 variable "aws_security_hub_sns_subscription" {