Enables AWS Config and adds managed config rules with good defaults.
- acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
- approved-amis-by-tag: Checks whether running instances are using specified AMIs.
- cloudtrail-enabled: Ensure CloudTrail is enabled.
- cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
- cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
- multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.
- cloudwatch-log-group-encryption: Ensure that CloudWatch Logs are encrypted.
- cloudwatch-log-group-retention-period-check: Checks whether CloudWatch log groups have a retention period of at least the configured number of days (see `cw_loggroup_retention_period`).
- ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
- ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
- ebs-snapshot-public-restorable-check: Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
- eip-attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
- instances-in-vpc: Ensure all EC2 instances run in a VPC.
- ec2-imdsv2-check: Checks whether EC2 instances require IMDSv2 (instance metadata HttpTokens set to required).
- vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
- restricted-ssh: Checks that security groups do not allow unrestricted inbound SSH traffic (0.0.0.0/0 on port 22).
- guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
- iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
- iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
- iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
- root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
- mfa-enabled-for-iam-console-access: Checks whether MFA is enabled for every IAM user that has a console password.
- iam-root-access-key: Ensure root AWS account does not have Access Keys.
- required-tags: Checks if resources are deployed with configured tags.
- rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
- rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
- rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
- s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
- s3-bucket-ssl-requests-only: Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
Terraform 0.13 and newer: pin the module version to `~> 4.0` and submit pull requests to the master branch.

Terraform 0.12: pin the module version to `~> 3.0` and submit pull requests to the terraform012 branch.
Note: This module sets up AWS IAM roles and policies, which are globally namespaced. If you plan to have multiple instances of AWS Config (for example, one per region), make sure each has a unique value for `config_name`, otherwise the second instance will collide with the first when creating the role.

Note: If you use this module in multiple regions, record global resource types in only one of them (set `include_global_resource_types = false` elsewhere) and disable the account-level checks (IAM password policy, root MFA and access keys, multi-region CloudTrail) in all but one region; otherwise every region reports the same findings for the same global resources.
```hcl
module "aws_config" {
  source = "trussworks/config/aws"

  config_name        = "my-aws-config"
  config_logs_bucket = "my-aws-logs"
}
```
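The following is an added example, not configuration from the module's own README, showing the multi-region layout the notes above describe: one module call per region, global resource recording and the account-level checks enabled only in the primary region, and the `required-tags` rule configured with the `tagNKey`/`tagNValue` map format used by the `required_tags` input. The bucket name `my-aws-logs`, the region choice and the tag keys are assumptions; the module does not create the log bucket, so it must already exist with a bucket policy that allows `config.amazonaws.com` to write to it.

```hcl
# Added example (not from the trussworks/terraform-aws-config README).
# Assumes an existing S3 bucket "my-aws-logs" writable by AWS Config.

terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 2.70"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# Primary region: records global resource types (IAM etc.) and runs the
# account-wide rules exactly once.
module "aws_config_east" {
  source  = "trussworks/config/aws"
  version = "~> 4.0"

  config_name        = "aws-config-us-east-1" # unique per instance: IAM role names are global
  config_logs_bucket = "my-aws-logs"
  config_logs_prefix = "config/us-east-1"

  include_global_resource_types = true

  # Account-level checks, enabled here only.
  check_root_account_mfa_enabled = true
  check_iam_root_access_key      = true
  check_iam_password_policy      = true
  check_multi_region_cloud_trail = true

  # required-tags: keys are tagNKey / tagNValue, the value half is optional.
  # Here "Owner" may hold any value, "Environment" must be exactly "prod".
  check_required_tags = true
  required_tags = {
    tag1Key   = "Owner"
    tag2Key   = "Environment"
    tag2Value = "prod"
  }
  required_tags_resource_types = [
    "AWS::EC2::Instance",
    "AWS::S3::Bucket",
  ]
}

# Secondary region: same regional checks (EBS, RDS, S3, default SG, ...),
# but no global resource types and the account-level rules switched off so
# the findings are not duplicated.
module "aws_config_west" {
  source  = "trussworks/config/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.west
  }

  config_name        = "aws-config-us-west-2"
  config_logs_bucket = "my-aws-logs"
  config_logs_prefix = "config/us-west-2"

  include_global_resource_types = false

  check_root_account_mfa_enabled   = false
  check_iam_root_access_key        = false
  check_iam_password_policy        = false
  check_iam_user_no_policies_check = false
  check_iam_group_has_users_check  = false
  check_multi_region_cloud_trail   = false
}
```

A quick way to confirm the split worked after `terraform apply` is to compare the recorder settings in each region: `aws configservice describe-configuration-recorders --region us-west-2` should show `includeGlobalResourceTypes: false`, while the `us-east-1` recorder shows `true`.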
| Name | Version |
|---|---|
| terraform | >= 0.12.7 |
| aws | >= 2.70 |

| Name | Version |
|---|---|
| aws | >= 2.70 |

No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acm_days_to_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | `number` | `14` | no |
| aggregate_organization | Aggregate compliance data by organization. | `bool` | `false` | no |
| ami_required_tag_key_value | Tag key(s) and value(s) an AMI must carry to be compliant. Example: `key1:value1,key2:value2` | `string` | `""` | no |
| check_acm_certificate_expiration_check | Enable acm-certificate-expiration-check rule | `bool` | `true` | no |
| check_approved_amis_by_tag | Enable approved-amis-by-tag rule | `bool` | `false` | no |
| check_cloud_trail_encryption | Enable cloud-trail-encryption-enabled rule | `bool` | `false` | no |
| check_cloud_trail_log_file_validation | Enable cloud-trail-log-file-validation-enabled rule | `bool` | `false` | no |
| check_cloudtrail_enabled | Enable cloudtrail-enabled rule | `bool` | `true` | no |
| check_cloudwatch_log_group_encrypted | Enable cloudwatch-log-group-encryption rule | `bool` | `true` | no |
| check_cw_loggroup_retention_period | Enable cloudwatch-log-group-retention-period-check rule | `bool` | `false` | no |
| check_ebs_snapshot_public_restorable | Enable ebs-snapshot-public-restorable-check rule | `bool` | `true` | no |
| check_ec2_encrypted_volumes | Enable ec2-encrypted-volumes rule | `bool` | `true` | no |
| check_ec2_imdsv2 | Enable ec2-imdsv2-check rule | `bool` | `false` | no |
| check_ec2_volume_inuse_check | Enable ec2-volume-inuse-check rule | `bool` | `true` | no |
| check_eip_attached | Enable eip-attached rule | `bool` | `false` | no |
| check_guard_duty | Enable guardduty-enabled-centralized rule | `bool` | `false` | no |
| check_iam_group_has_users_check | Enable iam-group-has-users-check rule | `bool` | `true` | no |
| check_iam_password_policy | Enable iam-password-policy rule | `bool` | `true` | no |
| check_iam_root_access_key | Enable iam-root-access-key rule | `bool` | `true` | no |
| check_iam_user_no_policies_check | Enable iam-user-no-policies-check rule | `bool` | `true` | no |
| check_instances_in_vpc | Enable instances-in-vpc rule | `bool` | `true` | no |
| check_mfa_enabled_for_iam_console_access | Enable mfa-enabled-for-iam-console-access rule | `bool` | `false` | no |
| check_multi_region_cloud_trail | Enable multi-region-cloud-trail-enabled rule | `bool` | `false` | no |
| check_rds_public_access | Enable rds-instance-public-access-check rule | `bool` | `false` | no |
| check_rds_snapshots_public_prohibited | Enable rds-snapshots-public-prohibited rule | `bool` | `true` | no |
| check_rds_storage_encrypted | Enable rds-storage-encrypted rule | `bool` | `true` | no |
| check_required_tags | Enable required-tags rule | `bool` | `false` | no |
| check_restricted_ssh | Enable restricted-ssh rule | `bool` | `false` | no |
| check_root_account_mfa_enabled | Enable root-account-mfa-enabled rule | `bool` | `false` | no |
| check_s3_bucket_public_write_prohibited | Enable s3-bucket-public-write-prohibited rule | `bool` | `true` | no |
| check_s3_bucket_ssl_requests_only | Enable s3-bucket-ssl-requests-only rule | `bool` | `true` | no |
| check_vpc_default_security_group_closed | Enable vpc-default-security-group-closed rule | `bool` | `true` | no |
| config_aggregator_name | The name of the aggregator. | `string` | `"organization"` | no |
| config_delivery_frequency | The frequency with which AWS Config delivers configuration snapshots. | `string` | `"Six_Hours"` | no |
| config_logs_bucket | The S3 bucket for AWS Config logs. If you have set `enable_config_recorder` to `false`, this can be an empty string. | `string` | n/a | yes |
| config_logs_prefix | The S3 prefix for AWS Config logs. | `string` | `"config"` | no |
| config_max_execution_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | `string` | `"TwentyFour_Hours"` | no |
| config_name | The name of the AWS Config instance. | `string` | `"aws-config"` | no |
| config_sns_topic_arn | An SNS topic to stream configuration changes and notifications to. | `string` | `null` | no |
| cw_loggroup_retention_period | Retention period for CloudWatch logs, in days. | `number` | `3653` | no |
| enable_config_recorder | Enables configuring the AWS Config recorder resources in this module. | `bool` | `true` | no |
| include_global_resource_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no |
| password_max_age | Number of days before password expiration. | `number` | `90` | no |
| password_min_length | Password minimum length. | `number` | `14` | no |
| password_require_lowercase | Require at least one lowercase character in password. | `bool` | `true` | no |
| password_require_numbers | Require at least one number in password. | `bool` | `true` | no |
| password_require_symbols | Require at least one symbol in password. | `bool` | `true` | no |
| password_require_uppercase | Require at least one uppercase character in password. | `bool` | `true` | no |
| password_reuse_prevention | Number of passwords before allowing reuse. | `number` | `24` | no |
| required_tags | A map of required resource tags. Format is `tagNKey`, `tagNValue`, where N is an integer. Values are optional. | `map(string)` | `{}` | no |
| required_tags_resource_types | Resource types to check for tags. | `list(string)` | `[]` | no |
| resource_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail`). See the relevant part of the AWS docs for available types. | `list(string)` | `[]` | no |
| tags | Tags to apply to AWS Config resources. | `map(string)` | `{}` | no |
| Name | Description |
|---|---|
| aws_config_role_arn | The ARN of the AWS Config role. |
| aws_config_role_name | The name of the IAM role used by AWS Config. |
| required_tags_rule_arn | The ARN of the required-tags config rule. |
Version 2.4.0 changed how the AWS Config IAM policies are attached to the IAM role. When applying the upgrade you will likely hit a race condition that produces the following error:

```
Error: Provider produced inconsistent result after apply
```

A second `terraform apply` should resolve the issue.
Install dependencies (macOS):

```sh
brew install pre-commit go terraform terraform-docs
```

Terratest is used for automated testing of this module. The tests in the `test` folder can be run locally with:

```sh
make test
```

Or with aws-vault:

```sh
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
```