
AWS SRA Inspector Solution with Terraform

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0


⚠️Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a short survey.

Introduction

This Terraform module deploys the Inspector AWS SRA solution.

The common prerequisite solution must be installed in the management account before this solution is installed.

The resources deployed by this module, together with its Terraform requirements, providers, modules, resources, and inputs, are documented below.

Please navigate to the Installing the AWS SRA Solutions section of the documentation for more information and installation instructions.

For the CloudFormation version of this AWS SRA solution as well as more information please navigate to the AWS SRA Inspector solution documentation page.


Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 IAM Roles

1.2 Regional Event Rules

1.3 Global Event Rules

1.4 SNS Topic

1.5 Dead Letter Queue (DLQ)

1.6 AWS Lambda Function

1.7 Lambda CloudWatch Log Group

1.8 Alarm SNS Topic

1.9 Inspector

1.10 Lambda Layer


2.0 Audit Account

2.1 Configuration IAM Role

2.2 Inspector (Delegated admin)


3.0 All Existing and Future Organization Member Accounts

3.1 Configuration IAM Role

3.2 Inspector (Members)


Implementation Instructions

Please navigate to the Installing the AWS SRA Solutions section of the documentation for installation instructions.


Requirements

| Name | Version |
|------|---------|
| aws | >= 5.1.0 |

Providers

| Name | Version |
|------|---------|
| aws.main | >= 5.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| inspector_configuration | ./configuration | n/a |
| inspector_configuration_role | ./configuration_role | n/a |

Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| audit_account_id | AWS Account ID of the Control Tower Audit account. | string | n/a | yes |
| ecr_rescan_duration | How long Amazon Inspector keeps rescanning ECR images after they are pushed (an Inspector ECR rescan duration value such as LIFETIME, DAYS_30 or DAYS_180). | string | n/a | yes |
| enabled_regions | (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. | string | "" | no |
| home_region | Name of the Control Tower home region. | string | n/a | yes |
| inspector_configuration_role_name | Inspector configuration role to assume in the delegated administrator account. | string | "sra-inspector-configuration" | no |
| inspector_control_tower_regions_only | Only enable in the Control Tower governed regions. | bool | true | no |
| inspector_org_lambda_function_name | Lambda function name. | string | "sra-inspector-org" | no |
| inspector_org_lambda_role_name | Inspector configuration Lambda role name. | string | "sra-inspector-org-lambda" | no |
| log_archive_account_id | AWS Account ID of the Control Tower Log Archive account. | string | n/a | yes |
| management_account_id | Organization Management Account ID. | string | n/a | yes |
| organization_id | AWS Organizations ID. | string | n/a | yes |
| scan_components | Inspector resource types to scan, as a comma-separated list (e.g., 'ec2,ecr'). | string | n/a | yes |
| sra_solution_name | The SRA solution name. The default value is the folder name of the solution. | string | "sra-inspector-org" | no |

Outputs

No outputs.
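The following root module is an added example of how to wire up the inputs and the `aws.main` provider alias listed above; it is not code from the AWS SRA repository. It adds `validation` blocks so that malformed account IDs, an unknown `scan_components` entry or an unsupported `ecr_rescan_duration` fail at `terraform plan` instead of at runtime inside the `sra-inspector-org` Lambda function. The module path `./inspector-org`, the placeholder account and organization IDs, and the allowed value sets for `scan_components` (Amazon Inspector resource scan types) and `ecr_rescan_duration` are assumptions; check them against the version of the solution and the Inspector API you deploy.

```hcl
# Added example root module (not part of the AWS SRA code library).
# Assumptions: the solution lives at ./inspector-org, and the allowed
# value sets below match the Inspector API version in use.

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.1.0"
    }
  }
}

# The solution module expects a provider named aws.main. Run this from
# the Organization Management account, in the Control Tower home region.
provider "aws" {
  alias  = "main"
  region = var.home_region
}

variable "home_region" {
  description = "Control Tower home region, e.g. us-east-1."
  type        = string

  validation {
    condition     = can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$", var.home_region))
    error_message = "home_region must look like an AWS region name (e.g. us-east-1)."
  }
}

# One object for the three account IDs so a single check covers all of them.
variable "accounts" {
  description = "Management, Audit and Log Archive account IDs (placeholders here)."
  type = object({
    management  = string
    audit       = string
    log_archive = string
  })
  default = {
    management  = "111111111111"
    audit       = "222222222222"
    log_archive = "333333333333"
  }

  validation {
    condition     = alltrue([for id in values(var.accounts) : can(regex("^[0-9]{12}$", id))])
    error_message = "Every account ID must be exactly 12 digits."
  }
}

variable "organization_id" {
  type    = string
  default = "o-exampleorgid" # placeholder, not a real organization

  validation {
    condition     = can(regex("^o-[a-z0-9]{10,32}$", var.organization_id))
    error_message = "organization_id must match the AWS Organizations ID format o-xxxxxxxxxx."
  }
}

variable "enabled_regions" {
  description = "Comma-separated regions, or empty for all regions."
  type        = string
  default     = ""

  validation {
    condition = var.enabled_regions == "" || alltrue([
      for r in split(",", var.enabled_regions) : can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$", trimspace(r)))
    ])
    error_message = "enabled_regions must be empty or a comma-separated list of AWS region names."
  }
}

variable "scan_components" {
  description = "Comma-separated Inspector resource types to enable."
  type        = string
  default     = "ec2,ecr"

  validation {
    # Assumed allowed set: Inspector resource scan types, lower-cased as the solution expects.
    condition = alltrue([
      for c in split(",", var.scan_components) : contains(["ec2", "ecr", "lambda", "lambda_code"], trimspace(c))
    ])
    error_message = "scan_components entries must be drawn from ec2, ecr, lambda, lambda_code."
  }
}

variable "ecr_rescan_duration" {
  type    = string
  default = "LIFETIME"

  validation {
    # Assumed allowed set: Inspector ECR rescan duration values.
    condition     = contains(["LIFETIME", "DAYS_30", "DAYS_180"], var.ecr_rescan_duration)
    error_message = "ecr_rescan_duration must be one of LIFETIME, DAYS_30, DAYS_180."
  }
}

module "inspector_org" {
  source = "./inspector-org" # assumed local path to this solution

  providers = {
    aws.main = aws.main
  }

  management_account_id                = var.accounts.management
  audit_account_id                     = var.accounts.audit
  log_archive_account_id               = var.accounts.log_archive
  organization_id                      = var.organization_id
  home_region                          = var.home_region
  enabled_regions                      = var.enabled_regions
  inspector_control_tower_regions_only = true
  scan_components                      = var.scan_components
  ecr_rescan_duration                  = var.ecr_rescan_duration
}
```

Keeping `inspector_control_tower_regions_only = true` while leaving `enabled_regions` empty limits enablement to the regions Control Tower governs; set `enabled_regions` explicitly only when you need Inspector in additional regions and have confirmed the delegated administrator account is allowed to operate there.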