Merge pull request #4 from clouddrove/improvement

Improvement

_example/example.tf

@@ -125,4 +125,12 @@ module "secure_baseline" {
   analyzer_enable = false
   type            = "ACCOUNT"
 
+  # Shield 
+  shield_enable = false
+
+  # EBS
+  default_ebs_enable = true
+
+  # Security Hub
+  security_hub_enable = false
 }

main.tf

@@ -182,4 +182,39 @@ module "iam_access_analyzer" {
     SLACK_WEBHOOK = var.slack_webhook
     SLACK_CHANNEL = var.slack_channel
   }
+}
+
+## Shield
+module "aws_shield" {
+  source = "./modules/shield"
+
+  name        = "shield"
+  environment = var.environment
+  managedby   = var.managedby
+  label_order = var.label_order
+  enabled     = var.enabled && var.shield_enable
+
+  ## AWS SHIELD
+  resource_arn = var.resource_arn
+
+}
+
+
+## EBS
+module "aws_ebs" {
+  source = "./modules/ebs"
+
+  enabled = var.enabled && var.default_ebs_enable
+}
+
+## AWS Security Hub
+module "security_hub" {
+  source = "./module/security_hub"
+
+  enabled                          = var.enabled && var.security_hub_enable
+  enable_ccis_standard             = var.enable_ccis_standard
+  enable_aws_foundational_standard = var.enable_aws_foundational_standard
+  enable_pci_dss_standard          = var.enable_pci_dss_standard
+
+
 }

modules/alarm/main.tf

@@ -563,3 +563,40 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
   insufficient_data_actions = []
   tags                      = module.labels.tags
 }
+
+#Module      : AWS_CLOUDWATCH_LOG_METRIC_FILTER
+#Description : Provides a CloudWatch Log Metric Filter resource.
+resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
+  count = var.enabled && var.aws_config_changes_enabled ? 1 : 0
+
+  name           = "AWSConfigChanges"
+  pattern        = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
+  log_group_name = var.cloudtrail_log_group_name
+
+  metric_transformation {
+    name      = "AWSConfigChanges"
+    namespace = var.alarm_namespace
+    value     = "1"
+  }
+}
+
+#Module      : AWS_CLOUDWATCH_LOG_METRIC_ALARM
+#Description : Provides a CloudWatch Metric Alarm resource.
+resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
+  count = var.enabled && var.aws_config_changes_enabled ? 1 : 0
+
+  alarm_name                = "AWSConfigChanges"
+  comparison_operator       = "GreaterThanOrEqualToThreshold"
+  evaluation_periods        = "1"
+  metric_name               = join("", aws_cloudwatch_log_metric_filter.vpc_changes.*.id)
+  namespace                 = var.alarm_namespace
+  period                    = "300"
+  statistic                 = "Sum"
+  threshold                 = "1"
+  alarm_description         = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account."
+  alarm_actions             = [aws_sns_topic.alarms[0].arn]
+  treat_missing_data        = "notBreaching"
+  insufficient_data_actions = []
+  tags                      = module.labels.tags
+
+}

modules/ebs/main.tf

@@ -0,0 +1,9 @@
+## Managed By : CloudDrove
+## Copyright @ CloudDrove. All Right Reserved.
+
+
+resource "aws_ebs_encryption_by_default" "default" {
+  count = var.enabled ? 1 : 0
+
+  enabled = true
+}

modules/ebs/variable.tf

@@ -0,0 +1,4 @@
+variable "enabled" {
+  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+  default     = true
+}

modules/security_hub/main.tf

@@ -0,0 +1,44 @@
+data "aws_region" "current" {}
+
+# Enable SecurityHub
+resource "aws_securityhub_account" "main" {
+  count = var.enabled ? 1 : 0
+}
+
+# Add member accounts
+resource "aws_securityhub_member" "members" {
+  count = var.enabled ? length(var.member_accounts) : 0
+
+  depends_on = [aws_securityhub_account.main]
+  account_id = var.member_accounts[count.index].account_id
+  email      = var.member_accounts[count.index].email
+  invite     = true
+}
+
+# Subscribe CIS benchmark
+resource "aws_securityhub_standards_subscription" "cis" {
+  count = var.enabled && var.enable_ccis_standard ? 1 : 0
+
+  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+
+  depends_on = [aws_securityhub_account.main]
+}
+
+# Subscribe AWS foundational security best practices standard
+resource "aws_securityhub_standards_subscription" "aws_foundational" {
+  count = var.enabled && var.enable_aws_foundational_standard ? 1 : 0
+
+  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
+
+  depends_on = [aws_securityhub_account.main]
+}
+
+# Subscribe PCI DSS standard
+resource "aws_securityhub_standards_subscription" "pci_dss" {
+  count = var.enabled && var.enable_pci_dss_standard ? 1 : 0
+
+  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
+
+  depends_on = [aws_securityhub_account.main]
+}
+

modules/security_hub/variable.tf

@@ -0,0 +1,28 @@
+variable "enabled" {
+  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "enable_cis_standard" {
+  description = "Boolean whether CIS standard is enabled."
+  default     = true
+}
+
+variable "enable_pci_dss_standard" {
+  description = "Boolean whether PCI DSS standard is enabled."
+  default     = true
+}
+
+variable "enable_aws_foundational_standard" {
+  description = "Boolean whether AWS Foundations standard is enabled."
+  default     = true
+}
+
+variable "member_accounts" {
+  description = "A list of IDs and emails of AWS accounts which associated as member accounts."
+  type = list(object({
+    account_id = string
+    email      = string
+  }))
+  default = []
+}

modules/shield/main.tf

@@ -0,0 +1,26 @@
+## Managed By : CloudDrove
+## Copyright @ CloudDrove. All Right Reserved.
+
+
+#Module      : Label
+#Description : This terraform module is designed to generate consistent label names and
+#              tags for resources. You can use terraform-labels to implement a strict
+#              naming convention
+module "labels" {
+  source  = "clouddrove/labels/aws"
+  version = "0.15.0"
+
+  name        = var.name
+  environment = var.environment
+  label_order = var.label_order
+  managedby   = var.managedby
+}
+
+
+resource "aws_shield_protection" "default" {
+  count        = var.enabled ? 1 : 0
+  name         = format("%s-shield", module.labels.id)
+  resource_arn = var.resource_arn
+  tags         = module.labels.tags
+
+}

modules/shield/output.tf

@@ -0,0 +1,9 @@
+output "id" {
+  value       = join("", aws_shield_protection.default.*.id)
+  description = "The unique identifier (ID) for the Protection object that is created."
+}
+
+output "arn" {
+  value       = join("", aws_shield_protection.default.*.arn)
+  description = "The unique identifier (ID) for the Protection object that is created."
+}

modules/shield/variable.tf

@@ -0,0 +1,55 @@
+#Module      : LABEL
+#Description : Terraform label module variables.
+variable "name" {
+  type        = string
+  default     = ""
+  description = "Name  (e.g. `app` or `cluster`)."
+}
+
+variable "environment" {
+  type        = string
+  default     = ""
+  description = "Environment (e.g. `prod`, `dev`, `staging`)."
+}
+
+variable "label_order" {
+  type        = list(any)
+  default     = []
+  description = "Label order, e.g. `name`,`application`."
+}
+
+variable "attributes" {
+  type        = list(any)
+  default     = []
+  description = "Additional attributes (e.g. `1`)."
+}
+
+variable "delimiter" {
+  type        = string
+  default     = "-"
+  description = "Delimiter to be used between `organization`, `environment`, `name` and `attributes`."
+}
+
+variable "tags" {
+  type        = map(any)
+  default     = {}
+  description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)."
+}
+
+variable "enabled" {
+  type        = bool
+  default     = true
+  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+}
+
+variable "shield_name" {
+  type        = string
+  default     = ""
+  description = "A friendly name for the Protection you are creating."
+}
+
+variable "resource_arn" {
+  type        = string
+  default     = ""
+  description = "The ARN (Amazon Resource Name) of the resource to be protected."
+}

variables.tf

@@ -500,4 +500,50 @@ variable "schedule_expression" {
   type        = string
   default     = "cron(0 14 ? * THU *)" # Run every Thursday at 2PM UTC/9AM EST/10AM EDT
   description = "AWS Schedule Expression: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html"
+}
+
+#shield
+variable "shield_enable" {
+  description = "The boolean flag whether shield module is enabled or not. No resources are created when set to false."
+  default     = false
+}
+
+variable "resource_arn" {
+  type        = string
+  description = "The ARN (Amazon Resource Name) of the resource to be protected."
+}
+
+#ebs
+variable "default_ebs_enable" {
+  description = "The boolean flag whether Default EBS  module is enabled or not. No resources are created when set to false."
+  default     = false
+}
+
+#Security Hub
+variable "member_accounts" {
+  description = "A list of IDs and emails of AWS accounts which associated as member accounts."
+  type = list(object({
+    account_id = string
+    email      = string
+  }))
+  default = []
+}
+variable "security_hub_enable" {
+  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "enable_cis_standard" {
+  description = "Boolean whether CIS standard is enabled."
+  default     = true
+}
+
+variable "enable_pci_dss_standard" {
+  description = "Boolean whether PCI DSS standard is enabled."
+  default     = true
+}
+
+variable "enable_aws_foundational_standard" {
+  description = "Boolean whether AWS Foundations standard is enabled."
+  default     = true
 }