Skip to content

Commit

Permalink
Merge branch 'central_securithub_configuration' of https://github.com…
Browse files Browse the repository at this point in the history
…/schubergphilis/terraform-aws-mcaf-landing-zone into central_securithub_configuration
  • Loading branch information
Johan Steenhoven authored and Johan Steenhoven committed Dec 17, 2024
2 parents 5afe357 + d623e10 commit af592b3
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 5 deletions.
8 changes: 3 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -504,15 +504,13 @@ module "landing_zone" {
| [aws_s3_account_public_access_block.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block) | resource |
| [aws_securityhub_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
| [aws_securityhub_account.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
| [aws_securityhub_configuration_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_configuration_policy) | resource |
| [aws_securityhub_configuration_policy_association.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_configuration_policy_association) | resource |
| [aws_securityhub_finding_aggregator.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_finding_aggregator) | resource |
| [aws_securityhub_member.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_member) | resource |
| [aws_securityhub_member.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_member) | resource |
| [aws_securityhub_organization_admin_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource |
| [aws_securityhub_organization_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_configuration) | resource |
| [aws_securityhub_product_subscription.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource |
| [aws_securityhub_standards_subscription.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_securityhub_standards_subscription.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_securityhub_standards_subscription.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_sns_topic.iam_activity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.security_hub_findings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_policy.iam_activity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
Expand Down Expand Up @@ -550,7 +548,7 @@ module "landing_zone" {
| <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br> enabled = optional(bool, true)<br> finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")<br> ebs_malware_protection_status = optional(bool, true)<br> eks_audit_logs_status = optional(bool, true)<br> lambda_network_logs_status = optional(bool, true)<br> rds_login_events_status = optional(bool, true)<br> s3_data_events_status = optional(bool, true)<br> runtime_monitoring_status = optional(object({<br> enabled = optional(bool, true)<br> eks_addon_management_status = optional(bool, true)<br> ecs_fargate_agent_management_status = optional(bool, true)<br> ec2_agent_management_status = optional(bool, true)<br> }), {})<br> })</pre> | `{}` | no |
| <a name="input_aws_inspector"></a> [aws\_inspector](#input\_aws\_inspector) | AWS Inspector settings, at least one of the scan options must be enabled | <pre>object({<br> enabled = optional(bool, false)<br> enable_scan_ec2 = optional(bool, true)<br> enable_scan_ecr = optional(bool, true)<br> enable_scan_lambda = optional(bool, true)<br> enable_scan_lambda_code = optional(bool, true)<br> resource_create_timeout = optional(string, "15m")<br> })</pre> | <pre>{<br> "enable_scan_ec2": true,<br> "enable_scan_ecr": true,<br> "enable_scan_lambda": true,<br> "enable_scan_lambda_code": true,<br> "enabled": false,<br> "resource_create_timeout": "15m"<br>}</pre> | no |
| <a name="input_aws_required_tags"></a> [aws\_required\_tags](#input\_aws\_required\_tags) | AWS Required tags settings | <pre>map(list(object({<br> name = string<br> values = optional(list(string))<br> enforced_for = optional(list(string))<br> })))</pre> | `null` | no |
| <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br> aggregator_linking_mode = optional(string, "ALL_REGIONS")<br> aggregator_specified_regions = optional(list(string), null)<br> auto_enable_controls = optional(bool, true)<br> auto_enable_default_standards = optional(bool, false)<br> auto_enable_new_accounts = optional(bool, true)<br> control_finding_generator = optional(string, "SECURITY_CONTROL")<br> create_cis_metric_filters = optional(bool, true)<br> organization_configuration_type = optional(string, "LOCAL")<br> product_arns = optional(list(string), [])<br> standards_arns = optional(list(string), null)<br> })</pre> | `{}` | no |
| <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br> aggregator_linking_mode = optional(string, "ALL_REGIONS")<br> aggregator_specified_regions = optional(list(string), null)<br> auto_enable_controls = optional(bool, true)<br> control_finding_generator = optional(string, "SECURITY_CONTROL")<br> create_cis_metric_filters = optional(bool, true)<br> product_arns = optional(list(string), [])<br> standards_arns = optional(list(string), null)<br> })</pre> | `{}` | no |
| <a name="input_aws_security_hub_sns_subscription"></a> [aws\_security\_hub\_sns\_subscription](#input\_aws\_security\_hub\_sns\_subscription) | Subscription options for the LandingZone-SecurityHubFindings SNS topic | <pre>map(object({<br> endpoint = string<br> protocol = string<br> }))</pre> | `{}` | no |
| <a name="input_aws_service_control_policies"></a> [aws\_service\_control\_policies](#input\_aws\_service\_control\_policies) | AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction | <pre>object({<br> allowed_regions = optional(list(string), [])<br> aws_deny_disabling_security_hub = optional(bool, true)<br> aws_deny_leaving_org = optional(bool, true)<br> aws_deny_root_user_ous = optional(list(string), [])<br> aws_require_imdsv2 = optional(bool, true)<br> principal_exceptions = optional(list(string), [])<br> })</pre> | `{}` | no |
| <a name="input_aws_sso_permission_sets"></a> [aws\_sso\_permission\_sets](#input\_aws\_sso\_permission\_sets) | Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account | <pre>map(object({<br> assignments = list(map(list(string)))<br> inline_policy = optional(string, null)<br> managed_policy_arns = optional(list(string), [])<br> session_duration = optional(string, "PT4H")<br> }))</pre> | `{}` | no |
Expand Down
4 changes: 4 additions & 0 deletions security_hub.tf
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,8 @@ resource "aws_securityhub_finding_aggregator" "default" {
}

resource "aws_securityhub_configuration_policy" "default" {
provider = aws.audit

name = "mcaf-lz"
description = "MCAF Landing Zone default configuration policy"

Expand All @@ -132,6 +134,8 @@ resource "aws_securityhub_configuration_policy" "default" {
}

resource "aws_securityhub_configuration_policy_association" "root" {
provider = aws.audit

target_id = data.aws_organizations_organization.default.roots[0].id
policy_id = aws_securityhub_configuration_policy.default.id
}

0 comments on commit af592b3

Please sign in to comment.