/terraform-aws-config

Enables AWS Config and adds managed config rules with good defaults.

Primary LanguageHCLBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

AWS Config Terraform module

Enables AWS Config and adds managed config rules with good defaults.

Supported AWS Config Rules

ACM

  • acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.

AMI

  • approved-amis-by-tag: Checks whether running instances are using specified AMIs.

CloudTrail

  • cloudtrail-enabled: Ensure CloudTrail is enabled.
  • cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
  • cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
  • multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.

CloudWatch Logs

  • cloudwatch-log-group-encryption: Ensure that CloudWatch Logs are encrypted.

EC2

  • ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
  • ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
  • ebs-snapshot-public-restorable-check: Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.

VPC

  • eip-attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
  • instances-in-vpc: Ensure all EC2 instances run in a VPC.
  • vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.

GuardDuty

  • guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.

IAM

  • iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
  • iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
  • iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
  • root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
  • iam-root-access-key: Ensure root AWS account does not have Access Keys.

Tagging

  • required-tags: Checks if resources are deployed with configured tags.

RDS

  • rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
  • rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
  • rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.

S3

  • s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
  • s3-bucket-ssl-requests-only: Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

Terraform Versions

Terraform 0.13 and newer. Pin module version to ~> 4.x. Submit pull-requests to master branch.

Terraform 0.12. Pin module version to ~> 3.0. Submit pull-requests to terraform012 branch.

Usage

Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for config_name.

Note: If you use this module in multiple regions, be sure to disable duplicative checks and global resource types.

module "aws_config" {
  source = "trussworks/config/aws"

  config_name        = "my-aws-config"
  config_logs_bucket = "my-aws-logs"
}

Requirements

Name Version
terraform >= 0.12.7
aws >= 2.70
template >= 2.0

Providers

Name Version
aws >= 2.70
template >= 2.0

Inputs

Name Description Type Default Required
acm_days_to_expiration Specify the number of days before the rule flags the ACM Certificate as noncompliant. number 14 no
aggregate_organization Aggregate compliance data by organization bool false no
ami_required_tag_key_value Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2 string "" no
check_acm_certificate_expiration_check Enable acm-certificate-expiration-check rule bool true no
check_approved_amis_by_tag Enable approved-amis-by-tag rule bool false no
check_cloud_trail_encryption Enable cloud-trail-encryption-enabled rule bool false no
check_cloud_trail_log_file_validation Enable cloud-trail-log-file-validation-enabled rule bool false no
check_cloudtrail_enabled Enable cloudtrail-enabled rule bool true no
check_cloudwatch_log_group_encrypted Enable cloudwatch-log-group-encryption rule bool true no
check_ebs_snapshot_public_restorable Enable ebs-snapshot-public-restorable rule bool true no
check_ec2_encrypted_volumes Enable ec2-encrypted-volumes rule bool true no
check_ec2_volume_inuse_check Enable ec2-volume-inuse-check rule bool true no
check_eip_attached Enable eip-attached rule bool false no
check_guard_duty Enable guardduty-enabled-centralized rule bool false no
check_iam_group_has_users_check Enable iam-group-has-users-check rule bool true no
check_iam_password_policy Enable iam-password-policy rule bool true no
check_iam_root_access_key Enable iam-root-access-key rule bool true no
check_iam_user_no_policies_check Enable iam-user-no-policies-check rule bool true no
check_instances_in_vpc Enable instances-in-vpc rule bool true no
check_mfa_enabled_for_iam_console_access Enable mfa-enabled-for-iam-console-access rule bool false no
check_multi_region_cloud_trail Enable multi-region-cloud-trail-enabled rule bool false no
check_rds_public_access Enable rds-instance-public-access-check rule bool false no
check_rds_snapshots_public_prohibited Enable rds-snapshots-public-prohibited rule bool true no
check_rds_storage_encrypted Enable rds-storage-encrypted rule bool true no
check_required_tags Enable required-tags rule bool false no
check_restricted_ssh Enable restricted-ssh rule bool false no
check_root_account_mfa_enabled Enable root-account-mfa-enabled rule bool false no
check_s3_bucket_public_write_prohibited Enable s3-bucket-public-write-prohibited rule bool true no
check_s3_bucket_ssl_requests_only Enable s3-bucket-ssl-requests-only rule bool true no
check_vpc_default_security_group_closed Enable vpc-default-security-group-closed rule bool true no
config_aggregator_name The name of the aggregator. string "organization" no
config_delivery_frequency The frequency with which AWS Config delivers configuration snapshots. string "Six_Hours" no
config_logs_bucket The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string. string n/a yes
config_logs_prefix The S3 prefix for AWS Config logs. string "config" no
config_max_execution_frequency The maximum frequency with which AWS Config runs evaluations for a rule. string "TwentyFour_Hours" no
config_name The name of the AWS Config instance. string "aws-config" no
config_sns_topic_arn An SNS topic to stream configuration changes and notifications to. string null no
enable_config_recorder Enables configuring the AWS Config recorder resources in this module. bool true no
include_global_resource_types Specifies whether AWS Config includes all supported types of global resources with the resources that it records. bool true no
password_max_age Number of days before password expiration. number 90 no
password_min_length Password minimum length. number 14 no
password_require_lowercase Require at least one lowercase character in password. bool true no
password_require_numbers Require at least one number in password. bool true no
password_require_symbols Require at least one symbol in password. bool true no
password_require_uppercase Require at least one uppercase character in password. bool true no
password_reuse_prevention Number of passwords before allowing reuse. number 24 no
required_tags A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. map(string) {} no
required_tags_resource_types Resource types to check for tags. list(string) [] no
tags Tags to apply to AWS Config resources map(string) {} no

Outputs

Name Description
aws_config_role_arn The ARN of the AWS config role.
aws_config_role_name The name of the IAM role used by AWS config
required_tags_rule_arn The ARN of the required-tags config rule.

Upgrade Paths

Upgrading from 2.3.0 to 2.4.x

Version 2.4.0 changed how AWS Config IAM polcies would be attached to IAM roles. When applying the upgrade, you will likely see a race condition resulting in the following error

Error: Provider produced inconsistent result after apply

A second terraform apply should resolve the issue.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test