Feature: Add AWS Security Hub configuration layer

binbashar · May 30, 2024 · c121fda · c121fda
1 parent de79ba6
commit c121fda
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 0 deletions.
diff --git a/security/us-east-1/security-hub/README.md b/security/us-east-1/security-hub/README.md
@@ -0,0 +1,46 @@
+# AWS Security Hub Configuration
+
+This directory contains the Terraform configuration files for setting up AWS Security Hub in the `us-east-1` region.
+
+## Overview
+
+AWS Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across your AWS accounts. This configuration enables the default security standards: AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0.
+
+## Configuration
+
+- `config.tf`: This file contains the AWS provider settings and the backend configuration for Terraform.
+- `security_hub.tf`: This file contains the resource configuration for AWS Security Hub.
+
+    - `enable_default_standards`: Specifies whether to enable the default security standards.
+    - `auto_enable_controls`: This property determines whether new security controls are automatically enabled as they become available
+    - `control_finding_generator`: Specifies whether the calling account has consolidated control findings turned on. `SECURITY_CONTROL` or `STANDARD_CONTROL`
+
+## Usage
+
+To manage this layer, follow these steps:
+
+1. Move into the `le-tf-infra-aws/security/us-east-1/security-hub` directory:
+
+    ```bash
+    cd le-tf-infra-aws/security/us-east-1/security-hub
+    ```
+
+1. Initialize the Terraform configuration:
+
+    ```bash
+    leverage terraform init --skip-validation
+    ```
+
+1. Plan the infrastructure changes:
+
+    ```bash
+    leverage terraform plan
+    ```
+
+1. Apply the infrastructure changes:
+
+    ```bash
+    leverage terraform apply
+    ```
+
+1. Verify that the security hub layer has been provisioned successfully.
diff --git a/security/us-east-1/security-hub/common-variables.tf b/security/us-east-1/security-hub/common-variables.tf
@@ -0,0 +1 @@
+../../../config/common-variables.tf
diff --git a/security/us-east-1/security-hub/config.tf b/security/us-east-1/security-hub/config.tf
@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region  = var.region
+  profile = var.profile
+}
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = "~> 1.2"
+
+  required_providers {
+    aws = "~> 4.10"
+  }
+
+  backend "s3" {
+    key = "legacy/us-east-1/security-hub/terraform.tfstate"
+  }
+}
+
diff --git a/security/us-east-1/security-hub/security_hub.tf b/security/us-east-1/security-hub/security_hub.tf
@@ -0,0 +1,8 @@
+# Enable the security standards that Security Hub has designated as default: 
+# AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0
+
+resource "aws_securityhub_account" "default" {
+  enable_default_standards  = true
+  auto_enable_controls      = true
+  control_finding_generator = "SECURITY_CONTROL"
+}