Enables AWS Config, deploys Config rules and creates necessary resources for notifications per region.
- Config Recorder (Recorder + Recorder Status)
- Config Delivery Channel
- Config Rules (multiple)
- Cloudwatch Event Rule
- Cloudwatch Event Target
- SNS Topic
- SNS Topic Policy
- IAM Policy Document
```
.
├── config.tf   # Terraform Base template for AWS config for Celink that can be used to create AWS built-in config rules to monitor the accounts
├── module.tf   # The file has the module Standard variables
├── README.md
```
- EIP_ATTACHED: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
- INSTANCES_IN_VPC: Ensure all EC2 instances run in a VPC.
- VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.
- CLOUD_TRAIL_ENABLED: Ensure CloudTrail is enabled.
- CLOUDWATCH_LOG_GROUP_ENCRYPTED: Checks whether a log group in Amazon CloudWatch Logs is encrypted. The rule is NON_COMPLIANT if CloudWatch Logs has a log group without encryption enabled
- ENCRYPTED_VOLUMES: Evaluates whether EBS volumes that are in an attached state are encrypted.
- EC2_VOLUME_INUSE_CHECK: Checks whether EBS volumes are attached to EC2 instances.
- EC2_REQUIRED_TAGS: Checks whether your resources have the tags that you specify.
- IAM_USER_NO_POLICIES_CHECK: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
- ROOT_ACCOUNT_MFA_ENABLED: Ensure root AWS account has MFA enabled.
- IAM_ROOT_ACCESS_KEY_CHECK: Ensure root AWS account does not have Access Keys.
- required-tags: Checks if resources are deployed with configured tags.
- RDS_INSTANCE_PUBLIC_ACCESS_CHECK: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
- RDS_STORAGE_ENCRYPTED: Checks whether storage encryption is enabled for your RDS DB instances.
- S3_BUCKET_VERSIONING_ENABLED: Ensures that all of your S3 buckets have versioning enabled.
- S3_BUCKET_PUBLIC_READ_PROHIBITED: Checks that your S3 buckets do not allow public read access.
- S3_BUCKET_PUBLIC_WRITE_PROHIBITED: Checks that your S3 buckets do not allow public write access.
Terraform 0.13 and newer. Pin module version to ~> 4.x. Submit pull-requests to master branch.
Terraform 0.12. Pin module version to ~> 3.0. Submit pull-requests to terraform012 branch.
Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for config_name.
Note: If you use this module in multiple regions, be sure to disable duplicative checks and global resource types.
```hcl
module "aws_config" {
  source = "gravicore/terraform-gravicore-modules/aws/aws-config"
}
```

| Name | Version |
|---|---|
| terraform | >= 0.12.7 |
| aws | >= 2.70 |
| template | >= 2.0 |

| Name | Version |
|---|---|
| aws | >= 2.70 |
| template | >= 2.0 |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| check_cloud_trail_encryption | Enable cloud-trail-encryption-enabled rule | bool | false | no |
| check_cloud_trail_log_file_validation | Enable cloud-trail-log-file-validation-enabled rule | bool | false | no |
| check_cloudtrail_enabled | Enable cloudtrail-enabled rule | bool | true | no |
| check_cloudwatch_log_group_encrypted | Enable cloudwatch-log-group-encryption rule | bool | true | no |
| check_ec2_encrypted_volumes | Enable ec2-encrypted-volumes rule | bool | true | no |
| check_ec2_volume_inuse_check | Enable ec2-volume-inuse-check rule | bool | true | no |
| check_eip_attached | Enable eip-attached rule | bool | false | no |
| check_iam_root_access_key | Enable iam-root-access-key rule | bool | true | no |
| check_iam_user_no_policies_check | Enable iam-user-no-policies-check rule | bool | true | no |
| check_instances_in_vpc | Enable instances-in-vpc rule | bool | true | no |
| check_mfa_enabled_for_iam_console_access | Enable mfa-enabled-for-iam-console-access rule | bool | false | no |
| check_rds_public_access | Enable rds-instance-public-access-check rule | bool | false | no |
| check_rds_snapshots_public_prohibited | Enable rds-snapshots-public-prohibited rule | bool | true | no |
| check_rds_storage_encrypted | Enable rds-storage-encrypted rule | bool | true | no |
| check_required_tags | Enable required-tags rule | bool | false | no |
| check_root_account_mfa_enabled | Enable root-account-mfa-enabled rule | bool | false | no |
| check_s3_bucket_public_write_prohibited | Enable s3-bucket-public-write-prohibited rule | bool | true | no |
| check_s3_bucket_public_read_prohibited | Enable s3-bucket-public-read-prohibited rule | bool | true | no |
| check_vpc_default_security_group_closed | Enable vpc-default-security-group-closed rule | bool | true | no |
| config_delivery_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | "Six_Hours" | no |
| config_logs_bucket | The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string. | string | n/a | yes |
| config_logs_prefix | The S3 prefix for AWS Config logs. | string | "config" | no |
| config_name | The name of the AWS Config instance. | string | "aws-config" | no |
| config_sns_topic_arn | An SNS topic to stream configuration changes and notifications to. | string | null | no |
| enable_config_recorder | Enables configuring the AWS Config recorder resources in this module. | bool | true | no |
| required_tags | A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. | map(string) | {} | no |
| required_tags_resource_types | Resource types to check for tags. | list(string) | [] | no |
| tags | Tags to apply to AWS Config resources | map(string) | {} | no |
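An added example (not from the module's own README) that wires the inputs above for a two-region deployment: the primary region enables the required-tags check using the tagNKey/tagNValue format, while the second region gets a unique config_name and disables the global IAM and root-account checks so they are evaluated once rather than in every region, as the multi-region note advises. The bucket name, SNS topic ARN, account id and the `aws.west` provider alias are assumptions.

```hcl
# Added example, not from the module's README. Bucket name, SNS topic ARN,
# account id and the provider alias "aws.west" are assumed values.
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# Primary region: recorder enabled, notifications on, required-tags check on.
module "aws_config_east" {
  source = "gravicore/terraform-gravicore-modules/aws/aws-config"

  config_name               = "aws-config-us-east-1" # unique: IAM roles/policies are global
  config_logs_bucket        = "example-config-logs-bucket"                      # assumed
  config_logs_prefix        = "config"
  config_sns_topic_arn      = "arn:aws:sns:us-east-1:123456789012:config-alerts" # assumed
  config_delivery_frequency = "Six_Hours"

  check_required_tags          = true
  required_tags_resource_types = ["AWS::EC2::Instance", "AWS::S3::Bucket"]
  required_tags = {
    tag1Key   = "Environment"
    tag1Value = "prod,staging" # comma-separated allowed values; tagNValue is optional
    tag2Key   = "Owner"        # any value is accepted when tagNValue is omitted
  }

  tags = { ManagedBy = "terraform" }
}

# Second region: same bucket, unique config_name, account-global checks
# (IAM users, root access keys, root/console MFA) disabled to avoid duplicates.
module "aws_config_west" {
  source    = "gravicore/terraform-gravicore-modules/aws/aws-config"
  providers = { aws = aws.west } # assumes the module declares no provider block of its own

  config_name        = "aws-config-us-west-2"
  config_logs_bucket = "example-config-logs-bucket"

  check_iam_root_access_key                = false
  check_iam_user_no_policies_check         = false
  check_root_account_mfa_enabled           = false
  check_mfa_enabled_for_iam_console_access = false
}
```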