Merge pull request #15 from trussworks/newrules

Added new rules
trussworks · Aug 8, 2019 · 6c7cea5 · 6c7cea5
2 parents 2b0b743 + 743c200
commit 6c7cea5
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -27,7 +27,10 @@ The following AWS Config Rules are supported:
 |------|-------------|:----:|:-----:|:-----:|
 | acm\_days\_to\_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | string | `"14"` | no |
 | aggregate\_organization | Aggregate compliance data by organization | string | `"false"` | no |
+| check\_cloud\_trail\_encryption | Enable cloud-trail-encryption-enabled rule | string | `"false"` | no |
+| check\_cloud\_trail\_log\_file\_validation | Enable cloud-trail-log-file-validation-enabled rule | string | `"false"` | no |
 | check\_guard\_duty | Enable guardduty-enabled-centralized rule | string | `"false"` | no |
+| check\_multi\_region\_cloud\_trail | Enable multi-region-cloud-trail-enabled rule | string | `"false"` | no |
 | check\_rds\_public\_access | Enable rds-instance-public-access-check rule | string | `"false"` | no |
 | config\_aggregator\_name | The name of the aggregator. | string | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | `"Six_Hours"` | no |

diff --git a/config-rules.tf b/config-rules.tf
@@ -60,6 +60,60 @@ resource "aws_config_config_rule" "cloudtrail-enabled" {
   ]
 }
 
+resource "aws_config_config_rule" "multi-region-cloud-trail-enabled" {
+  count       = "${var.check_multi_region_cloud_trail ? 1 : 0}"
+  name        = "multi-region-cloud-trail-enabled"
+  description = "Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match inputs parameters."
+
+  source {
+    owner             = "AWS"
+    source_identifier = "MULTI_REGION_CLOUD_TRAIL_ENABLED"
+  }
+
+  maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+  depends_on = [
+    "aws_config_configuration_recorder.main",
+    "aws_config_delivery_channel.main",
+  ]
+}
+
+resource "aws_config_config_rule" "cloud-trail-encryption-enabled" {
+  count       = "${var.check_cloud_trail_encryption ? 1 : 0}"
+  name        = "cloud-trail-encryption-enabled"
+  description = "Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is COMPLIANT if the KmsKeyId is defined."
+
+  source {
+    owner             = "AWS"
+    source_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
+  }
+
+  maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+  depends_on = [
+    "aws_config_configuration_recorder.main",
+    "aws_config_delivery_channel.main",
+  ]
+}
+
+resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {
+  count       = "${var.check_cloud_trail_log_file_validation ? 1 : 0}"
+  name        = "cloud-trail-log-file-validation-enabled"
+  description = "Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled."
+
+  source {
+    owner             = "AWS"
+    source_identifier = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
+  }
+
+  maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+  depends_on = [
+    "aws_config_configuration_recorder.main",
+    "aws_config_delivery_channel.main",
+  ]
+}
+
 resource "aws_config_config_rule" "instances-in-vpc" {
   name        = "instances-in-vpc"
   description = "Ensure all EC2 instances run in a VPC"
@@ -131,6 +185,18 @@ resource "aws_config_config_rule" "iam-user-no-policies-check" {
   depends_on = ["aws_config_configuration_recorder.main"]
 }
 
+resource "aws_config_config_rule" "iam-group-has-users-check" {
+  name        = "iam-group-has-users-check"
+  description = "Checks whether IAM groups have at least one IAM user."
+
+  source {
+    owner             = "AWS"
+    source_identifier = "IAM_GROUP_HAS_USERS_CHECK"
+  }
+
+  depends_on = ["aws_config_configuration_recorder.main"]
+}
+
 resource "aws_config_config_rule" "rds-storage-encrypted" {
   name        = "rds-storage-encrypted"
   description = "Checks whether storage encryption is enabled for your RDS DB instances."

diff --git a/variables.tf b/variables.tf
@@ -82,3 +82,18 @@ variable "check_rds_public_access" {
   description = "Enable rds-instance-public-access-check rule"
   default     = false
 }
+
+variable "check_multi_region_cloud_trail" {
+  description = "Enable multi-region-cloud-trail-enabled rule"
+  default     = false
+}
+
+variable "check_cloud_trail_encryption" {
+  description = "Enable cloud-trail-encryption-enabled rule"
+  default     = false
+}
+
+variable "check_cloud_trail_log_file_validation" {
+  description = "Enable cloud-trail-log-file-validation-enabled rule"
+  default     = false
+}