Terraform module to setup and manage various components of the SBP AWS Landing Zone.
Overview of Landing Zone tools & services:
The SBP AWS Landing Zone consists of 3 repositories:
- MCAF Landing Zone module (current repository): the foundation of the Landing Zone and manages the 3 core accounts: audit, logging, master
- MCAF Account Vending Machine (AVM) module: providing an AWS AVM. This module sets up an AWS account with one or more Terraform Cloud/Enterprise (TFE) workspace(s) backed by a VCS project
- MCAF Account Baseline module: optional module providing baseline configuration for AWS accounts
module "landing_zone" {
source = "github.com/schubergphilis/terraform-aws-mcaf-landing-zone?ref=VERSION"
tags = var.tags
control_tower_account_ids = {
audit = "012345678902"
logging = "012345678903"
}
}
Setting the ses_root_accounts_mail_forward
variable creates the necessary AWS Simple Email Service (SES) resources to accept mail sent to an AWS hosted domain and forward it to an external recipient or recipients. This can be used to enable secure mailboxes/IT service catalog aliases for all root accounts. Emails are received via AWS SES and forwarded to an email forwarder lambda which sends the email to the destination email server as specified in the recipient_mapping
variable of ses_root_accounts_mail_forward
.
Before setting the ses_root_accounts_mail_forward
variable, make sure that an AWS Route53 hosted zone is created. For example aws.yourcompany.com. Pass this domain using the domain
variable of ses_root_accounts_mail_forward
.
Example:
ses_root_accounts_mail_forward = {
domain = "aws.yourcompany.com"
from_email = "root@aws.yourcompany.com"
recipient_mapping = {
"root@aws.yourcompany.com" = [
"inbox@yourcompany.com"
]
}
}
By default, you have to create the email addresses for the accounts created using the MCAF Account Vending Machine (AVM) module yourself. Using this functionality you can pass aliases of the mailbox created. E.g. root+<account-name>@aws.yourcompany.com.
By default, all CloudTrail logs will be stored in a S3 bucket in the logging
account of your AWS Organization. However, this module also supports creating an additional CloudTrail configuration to publish logs to any S3 bucket chosen by you. This trail will be set at the Organization level, meaning that logs from all accounts will be published to the provided bucket.
NOTE: Before enabling this feature, make sure that the bucket policy authorizing CloudTrail to deliver logs is in place and that you have enabled trusted access between AWS Organizations and CloudTrail. If these two steps are not in place, Terraform will fail to create the trail.
Example:
additional_auditing_trail = {
name = "additional_auditing_trail"
bucket = "bucket_name"
}
This module provisions by default a set of basic AWS Config Rules. In order to add extra rules, a list of rule identifiers can be passed via the variable aws_config
using the attribute rule_identifiers
.
If you would like to authorize other accounts to aggregate AWS Config data, the account IDs and regions can also be passed via the variable aws_config
using the attributes aggregator_account_ids
and aggregator_regions
respectively.
NOTE: This module already authorizes the audit
account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit
account ID in the aggregator_account_ids
list.
Example:
aws_config = {
aggregator_account_ids = ["123456789012"]
aggregator_regions = ["eu-west-1"]
rule_identifiers = ["ACCESS_KEYS_ROTATED", "ALB_WAF_ENABLED"]
}
This module supports enabling GuardDuty at the organization level which means that all new accounts that are created in, or added to, the organization are added as a member accounts of the audit
account GuardDuty detector.
This feature can be controlled via the aws_guardduty
variable and is enabled by default. With aws_guardduty_s3_protection
you control if you want to have GuardDuty protecting S3, it is turned on by default.
Note: In case you are migrating an existing AWS organization to this module, all existing accounts except for the master
and logging
accounts have to be enabled like explained here.
This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.
This feature can be controlled via the aws_sso_permission_sets
variable by passing a map (key-value pair) where every key corresponds to an AWS SSO Permission Set name and the value follows the structure below:
assignments
: list of maps (key-value pair) of AWS Account IDs as keys and a list of AWS SSO Group names that should have access to the account using the permission set definedinline_policy
: valid IAM policy in JSON format (maximum length of 10240 characters)managed_policy_arns
: list of strings that contain the ARN's of the managed policies that should be attached to the permission setsession_duration
: length of time in the ISO-8601 standard
Example:
aws_sso_permission_sets = {
PlatformAdmin = {
inline_policy = file("${path.module}/template_files/sso/platform_admin.json")
session_duration = "PT2H"
managed_policy_arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
assignments = [
{
for account in [ 123456789012, 012456789012 ] : account => [
okta_group.aws["AWSPlatformAdmins"].name
]
},
{
for account in [ 925556789012 ] : account => [
okta_group.aws["AWSPlatformUsers"].name
]
}
]
}
PlatformUser = {
session_duration = "PT12H"
managed_policy_arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSSupportAccess"
]
assignments = [
{
for account in [ 123456789012, 012456789012 ] : account => [
okta_group.aws["AWSPlatformAdmins"].name,
okta_group.aws["AWSPlatformUsers"].name
]
}
]
inline_policy = jsonencode(
{
Version = "2012-10-17",
Statement = concat(
[
{
Effect = "Allow",
Action = "support:*",
Resource = "*"
}
],
jsondecode(data.aws_iam_policy.lambda_readonly.policy).Statement
)
}
)
}
}
This module supports an optional Datadog-AWS integration. This integration makes it easier for you to forward metrics and logs from your AWS account to Datadog.
In order to enable the integration, you can pass an object to the variable datadog
containing the following attributes:
api_key
: sets the Datadog API keyenable_integration
: set totrue
to configure the Datadog AWS integrationinstall_log_forwarder
: set totrue
to install the Datadog Forwarder
In case you don't want to use the integration, you can configure the Datadog provider like in the example below:
provider "datadog" {
validate = false
}
This should prevent the provider from asking you for a Datadog API Key and allow the module to be provisioned without the integration resources.
By default, this module monitors and notifies activities performed by the root
user of all core accounts and AWS SSO Roles. All notifications will be sent to the SNS Topic LandingZone-IAMActivity
in the audit
account.
These are the type of events that will be monitored:
- Any activity made by the root user of the account.
- Any manual changes made by AWS SSO roles (read-only operations and console logins are not taken into account).
In case you would like to disable this functionality, you can set the variable monitor_iam_activity
to false
.
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. See this page for an introduction to SCPs and the value they add.
This module allows using various SCPs as described below. We try to adhere to best practices of not attaching SCPs to the root of the organisation when possible; in the event you need to pass a list of OU names, be sure to have the exact name as the matching is case sensitive.
Enabling this SCP removes a member account's ability to disable Security Hub.
This is SCP is enabled by default, but can be disabled by setting aws_deny_disabling_security_hub
variable to false
.
Enabling this SCP removes a member account's ability to leave the AWS organisation.
This is SCP is enabled by default, but can be disabled by setting aws_deny_leaving_org
variable to false
.
By default, all EC2s still allow access to the original metadata service, which means that if an attacker finds an EC2 running a proxy or WAF, or finds and SSRF vulnerability, they likely can steal the IAM role of the EC2. By enforcing IMDSv2, you can mitigate that risk. Be aware that this potentially could break some applications that have not yet been updated to work with the new IMDSv2.
This is SCP is enabled by default, but can be disabled by setting aws_require_imdsv2
variable to false
.
If you would like to define which AWS Regions can be used in your AWS Organization, you can pass a list of region names to the variable aws_region_restrictions
using the allowed
attribute. This will trigger this module to deploy a Service Control Policy (SCP) designed by AWS and attach it to the root of your AWS Organization.
In case you would like to exempt specific IAM entities from the region restriction, you can pass a list of ARN patterns using the exceptions
attribute. This can be useful for roles used by AWS ControlTower, for example, to avoid preventing it from managing all regions properly.
Example:
aws_region_restrictions = {
allowed = ["eu-west-1"]
exceptions = ["arn:aws:iam::*:role/RoleAllowedToBypassRegionRestrictions"]
}
If you would like to restrict the root user's ability to log into accounts in an OU, you can pass a list of OU names to the aws_deny_root_user_ous
variable.
Example showing SCP applied to all OUs except the Root OU:
data "aws_organizations_organization" "default" {}
data "aws_organizations_organizational_units" "default" {
parent_id = data.aws_organizations_organization.default.roots[0].id
}
module "landing_zone" {
...
aws_deny_root_user_ous = [
for ou in data.aws_organizations_organizational_units.default.children : ou.name if ou.name != "Root"
]
Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. See this page for an introduction to tag policies and the value they add.
If you would like to enforce certain tags in an OU, you can pass a map of OU names containing the tags to the aws_required_tags
variable. Be sure to pass the exact OU name as the matching is case sensitive. If the OU provided does not match any existing OU the tag policy is not created.
Example:
module "landing_zone" {
...
aws_required_tags = {
"Production" = [
{
name = "Tag1"
values = ["A", "B"]
}
]
"Non-Production" = [
{
name = "Tag2"
values = ["A", "B"]
}
]
}
Topic Name | Variable | Content |
---|---|---|
aws-controltower-AggregateSecurityNotifications |
aws_config_sns_subscription |
Aggregated AWS Config notifications |
LandingZone-SecurityHubFindings |
aws_security_hub_sns_subscription |
Aggregated Security Hub findings |
LandingZone-IAMActivity |
monitor_iam_activity_sns_subscription |
IAM activity findings |
Example for https protocol and specified webhook endpoint:
module "landing_zone" {
...
aws_config_sns_subscription = {
endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
protocol = "https"
}
}
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 3.50.0, < 4.0.0 |
Name | Version |
---|---|
aws | >= 3.50.0, < 4.0.0 |
aws.audit | >= 3.50.0, < 4.0.0 |
aws.logging | >= 3.50.0, < 4.0.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
control_tower_account_ids | Control Tower core account IDs | object({ |
n/a | yes |
tags | Map of tags | map(string) |
n/a | yes |
additional_auditing_trail | CloudTrail configuration for additional auditing trail | object({ |
null |
no |
aws_account_password_policy | AWS account password policy parameters for the audit, logging and master account | object({ |
{ |
no |
aws_config | AWS Config settings | object({ |
null |
no |
aws_config_sns_subscription | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic | map(object({ |
{} |
no |
aws_deny_disabling_security_hub | Enable SCP that denies accounts the ability to disable Security Hub | bool |
true |
no |
aws_deny_leaving_org | Enable SCP that denies accounts the ability to leave the AWS organisation | bool |
true |
no |
aws_deny_root_user_ous | List of AWS Organisation OUs to apply the "DenyRootUser" SCP to | list(string) |
[] |
no |
aws_ebs_encryption_by_default | Set to true to enable AWS Elastic Block Store encryption by default | bool |
true |
no |
aws_guardduty | Whether AWS GuardDuty should be enabled | bool |
true |
no |
aws_guardduty_s3_protection | Whether AWS GuardDuty S3 protection should be enabled | bool |
true |
no |
aws_region_restrictions | List of allowed AWS regions and principals that are exempt from the restriction | object({ |
null |
no |
aws_require_imdsv2 | Enable SCP which requires EC2 instances to use V2 of the Instance Metadata Service | bool |
true |
no |
aws_required_tags | AWS Required tags settings | map(list(object({ |
null |
no |
aws_security_hub_product_arns | A list of the ARNs of the products you want to import into Security Hub | list(string) |
[] |
no |
aws_security_hub_sns_subscription | Subscription options for the LandingZone-SecurityHubFindings SNS topic | map(object({ |
{} |
no |
aws_sso_permission_sets | Map of AWS SSO Permission Sets with the AWS Accounts and the names of the AWS SSO Groups that should be granted access to each account | map(object({ |
{} |
no |
datadog | Datadog integration options for the core accounts | object({ |
null |
no |
datadog_excluded_regions | List of regions where metrics collection will be disabled. | list(string) |
[] |
no |
kms_key_policy | A valid KMS key policy JSON document | string |
"" |
no |
kms_key_policy_logging | A valid KMS key policy JSON document for use with logging KMS key | string |
"" |
no |
monitor_iam_activity | Whether IAM activity should be monitored | bool |
true |
no |
monitor_iam_activity_sns_subscription | Subscription options for the LandingZone-IAMActivity SNS topic | map(object({ |
{} |
no |
security_hub_create_cis_metric_filters | Enable the creation of metric filters related to the CIS AWS Foundation Security Hub Standard | bool |
true |
no |
security_hub_standards_arns | A list of the ARNs of the standards you want to enable in Security Hub | list(string) |
null |
no |
ses_root_accounts_mail_forward | SES config to receive and forward root account emails | object({ |
null |
no |
Name | Description |
---|---|
kms_key_arn | ARN of KMS key for SSM encryption |
kms_key_id | ID of KMS key for SSM encryption |
kms_key_logging_arn | ARN of KMS key for logging account |
kms_key_logging_id | ID of KMS key for logging account |
monitor_iam_activity_sns_topic_arn | ARN of the SNS Topic in the Audit account for IAM activity monitoring notifications |
Copyright: Schuberg Philis
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.