Skip to content
This repository has been archived by the owner on Aug 12, 2021. It is now read-only.

Terraform module to setup and manage various components of the AWS Landing Zone.

License

Notifications You must be signed in to change notification settings

plentific/terraform-aws-mcaf-landing-zone

 
 

Repository files navigation

terraform-aws-mcaf-landing-zone

Terraform module to setup and manage various components of the SBP AWS Landing Zone.

Overview of Landing Zone tools & services:

The SBP AWS Landing Zone consists of 3 repositories:

Basic configuration

module "landing_zone" {
  source             = "github.com/schubergphilis/terraform-aws-mcaf-landing-zone?ref=VERSION"
  tags               = var.tags

  control_tower_account_ids = {
    audit   = "012345678902"
    logging = "012345678903"
  }
}

Detailed configuration

AWS CloudTrail

By default, all CloudTrail logs will be stored in a S3 bucket in the logging account of your AWS Organization. However, this module also supports creating an additional CloudTrail configuration to publish logs to any S3 bucket chosen by you. This trail will be set at the Organization level, meaning that logs from all accounts will be published to the provided bucket.

NOTE: Before enabling this feature, make sure that the bucket policy authorizing CloudTrail to deliver logs is in place and that you have enabled trusted access between AWS Organizations and CloudTrail. If these two steps are not in place, Terraform will fail to create the trail.

Example:

additional_auditing_trail = {
  name   = "additional_auditing_trail"
  bucket = "bucket_name"
}

AWS Config Rules

This module provisions by default a set of basic AWS Config Rules. In order to add extra rules, a list of rule identifiers can be passed via the variable aws_config using the attribute rule_identifiers.

If you would like to authorize other accounts to aggregate AWS Config data, the account IDs and regions can also be passed via the variable aws_config using the attributes aggregator_account_ids and aggregator_regions respectively.

NOTE: This module already authorizes the audit account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit account ID in the aggregator_account_ids list.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  aggregator_regions     = ["eu-west-1"]
  rule_identifiers       = ["ACCESS_KEYS_ROTATED", "ALB_WAF_ENABLED"]
}

AWS GuardDuty

This module supports enabling GuardDuty at the organization level which means that all new accounts that are created in, or added to, the organization are added as a member accounts of the audit account GuardDuty detector.

This feature can be controlled via the aws_guardduty variable and is enabled by default. With aws_guardduty_s3_protection you control if you want to have GuardDuty protecting S3, it is turned on by default.

Note: In case you are migrating an existing AWS organization to this module, all existing accounts except for the master and logging accounts have to be enabled like explained here.

AWS SSO

This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.

This feature can be controlled via the aws_sso_permission_sets variable by passing a map (key-value pair) where every key corresponds to an AWS SSO Permission Set name and the value follows the structure below:

  • assignments: list of maps (key-value pair) of AWS Account IDs as keys and a list of AWS SSO Group names that should have access to the account using the permission set defined
  • inline_policy: valid IAM policy in JSON format (maximum length of 10240 characters)
  • session_duration: length of time in the ISO-8601 standard

Example:

  aws_sso_permission_sets = {
    PlatformAdmin = {
      inline_policy = file("${path.module}/template_files/sso/platform_admin.json")
      session_duration = "PT2H"

      assignments = [
        {
          for account in [ 123456789012, 012456789012 ] : account => [
            okta_group.aws["AWSPlatformAdmins"].name
          ]
        },
        {
          for account in [ 925556789012 ] : account => [
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]
    }
    PlatformUser = {
      session_duration = "PT12H"

      assignments = [
        {
          for account in [ 123456789012, 012456789012 ] : account => [
            okta_group.aws["AWSPlatformAdmins"].name,
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]

      inline_policy = jsonencode(
        {
          Version = "2012-10-17",
          Statement = concat(
            [
              {
                Effect   = "Allow",
                Action   = "support:*",
                Resource = "*"
              }
            ],
            jsondecode(data.aws_iam_policy.lambda_readonly.policy).Statement
          )
        }
      )
    }
  }

Datadog Integration

This module supports an optional Datadog-AWS integration. This integration makes it easier for you to forward metrics and logs from your AWS account to Datadog.

In order to enable the integration, you can pass an object to the variable datadog containing the following attributes:

In case you don't want to use the integration, you can configure the Datadog provider like in the example below:

provider "datadog" {
  validate = false
}

This should prevent the provider from asking you for a Datadog API Key and allow the module to be provisioned without the integration resources.

Monitoring IAM Activity

By default, this module monitors and notifies activities performed by the root user of all core accounts and AWS SSO Roles. All notifications will be sent to the SNS Topic LandingZone-IAMActivity in the audit account.

These are the type of events that will be monitored:

  • Any activity made by the root user of the account.
  • Any manual changes made by AWS SSO roles (read-only operations and console logins are not taken into account).

In case you would like to disable this functionality, you can set the variable monitor_iam_activity to false.

Organizations Policies

Service Control Policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. See this page for an introduction to SCPs and the value they add.

This module allows using various SCPs as described below. We try to adhere to best practices of not attaching SCPs to the root of the organisation when possible; in the event you need to pass a list of OU names, be sure to have the exact name as the matching is case sensitive.

Deny ability to leave Organization

Enabling this SCP removes a member account's ability to leave the AWS organisation.

This is SCP is enabled by default, but can be disabled by setting aws_deny_leaving_org variable to false.

Require the use of Instance Metadata Service Version 2

By default, all EC2s still allow access to the original metadata service, which means that if an attacker finds an EC2 running a proxy or WAF, or finds and SSRF vulnerability, they likely can steal the IAM role of the EC2. By enforcing IMDSv2, you can mitigate that risk. Be aware that this potentially could break some applications that have not yet been updated to work with the new IMDSv2.

This is SCP is enabled by default, but can be disabled by setting aws_require_imdsv2 variable to false.

Restricting AWS Regions

If you would like to define which AWS Regions can be used in your AWS Organization, you can pass a list of region names to the variable aws_region_restrictions using the allowed attribute. This will trigger this module to deploy a Service Control Policy (SCP) designed by AWS and attach it to the root of your AWS Organization.

In case you would like to exempt specific IAM entities from the region restriction, you can pass a list of ARN patterns using the exceptions attribute. This can be useful for roles used by AWS ControlTower, for example, to avoid preventing it from managing all regions properly.

Example:

aws_region_restrictions = {
  allowed    = ["eu-west-1"]
  exceptions = ["arn:aws:iam::*:role/RoleAllowedToBypassRegionRestrictions"]
}

Restricting Root User Access

If you would like to restrict the root user's ability to log into accounts in an OU, you can pass a list of OU names to the aws_deny_root_user_ous variable.

Example showing SCP applied to all OUs except the Root OU:

data "aws_organizations_organization" "default" {}

data "aws_organizations_organizational_units" "default" {
  parent_id = data.aws_organizations_organization.default.roots[0].id
}

module "landing_zone" {
  ...

  aws_deny_root_user_ous = [
    for ou in data.aws_organizations_organizational_units.default.children : ou.name if ou.name != "Root"
  ]

Tag Policies

Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. See this page for an introduction to tag policies and the value they add.

If you would like to enforce certain tags in an OU, you can pass a map of OU names containing the tags to the aws_required_tags variable. Be sure to pass the exact OU name as the matching is case sensitive. If the OU provided does not match any existing OU the tag policy is not created.

Example:

module "landing_zone" {
  ...

  aws_required_tags = {
    "Production" = [
      {
        name   = "Tag1"
        values = ["A", "B"]
      }
    ]
    "Non-Production" = [
      {
        name   = "Tag2"
        values = ["A", "B"]
      }
    ]
  }

SNS topic subscription

Topic Name Variable Content
aws-controltower-AggregateSecurityNotifications aws_config_sns_subscription Aggregated AWS Config notifications
LandingZone-SecurityHubFindings aws_security_hub_sns_subscription Aggregated Security Hub findings
LandingZone-IAMActivity monitor_iam_activity_sns_subscription IAM activity findings

Example for https protocol and specified webhook endpoint:

module "landing_zone" {
  ...
  
  aws_config_sns_subscription = {
    endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
    protocol = "https"
  }
}

Requirements

Name Version
terraform >= 0.13
aws >= 3.24.0

Providers

Name Version
aws >= 3.24.0
aws.audit >= 3.24.0
aws.logging >= 3.24.0

Inputs

Name Description Type Default Required
control_tower_account_ids Control Tower core account IDs
object({
audit = string
logging = string
})
n/a yes
tags Map of tags map(string) n/a yes
additional_auditing_trail CloudTrail configuration for additional auditing trail
object({
name = string
bucket = string
})
null no
aws_account_password_policy AWS account password policy parameters for the audit, logging and master account
object({
allow_users_to_change = bool
max_age = number
minimum_length = number
require_lowercase_characters = bool
require_numbers = bool
require_symbols = bool
require_uppercase_characters = bool
reuse_prevention_history = number
})
{
"allow_users_to_change": true,
"max_age": 90,
"minimum_length": 14,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true,
"reuse_prevention_history": 24
}
no
aws_config AWS Config settings
object({
aggregator_account_ids = list(string)
aggregator_regions = list(string)
})
null no
aws_config_sns_subscription Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
aws_deny_leaving_org Enable SCP that denies accounts the ability to leave the AWS organisation bool true no
aws_deny_root_user_ous List of AWS Organisation OUs to apply the "DenyRootUser" SCP to list(string) [] no
aws_ebs_encryption_by_default Set to true to enable AWS Elastic Block Store encryption by default bool true no
aws_guardduty Whether AWS GuardDuty should be enabled bool true no
aws_guardduty_s3_protection Whether AWS GuardDuty S3 protection should be enabled bool true no
aws_region_restrictions List of allowed AWS regions and principals that are exempt from the restriction
object({
allowed = list(string)
exceptions = list(string)
})
null no
aws_require_imdsv2 Enable SCP which requires EC2 instances to use V2 of the Instance Metadata Service bool true no
aws_required_tags AWS Required tags settings
map(list(object({
name = string
values = list(string)
})))
null no
aws_security_hub_product_arns A list of the ARNs of the products you want to import into Security Hub list(string) [] no
aws_security_hub_sns_subscription Subscription options for the LandingZone-SecurityHubFindings SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
aws_sso_permission_sets Map of AWS SSO Permission Sets with the AWS Accounts and the names of the AWS SSO Groups that should be granted access to each account
map(object({
assignments = list(map(list(string)))
inline_policy = string
session_duration = string
}))
{} no
datadog Datadog integration options for the core accounts
object({
api_key = string
enable_integration = bool
install_log_forwarder = bool
site_url = string
})
null no
kms_key_policy A valid KMS key policy JSON document string "" no
monitor_iam_activity Whether IAM activity should be monitored bool true no
monitor_iam_activity_sns_subscription Subscription options for the LandingZone-IAMActivity SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
security_hub_standards_arns A list of the ARNs of the standards you want to enable in Security Hub list(string) null no

Outputs

Name Description
kms_key_arn ARN of KMS key for SSM encryption
kms_key_id ID of KMS key for SSM encryption
monitor_iam_activity_sns_topic_arn ARN of the SNS Topic in the Audit account for IAM activity monitoring notifications

About

Terraform module to setup and manage various components of the AWS Landing Zone.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 87.4%
  • Smarty 12.6%