A Terraform Module for deploying compliance remediation capabilities for Lacework.

lacework-dev/compliance-remediation

Lacework Compliance Remediation

Terraform module for remediating common non-compliant resources in AWS as detected by Lacework.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.31 |
| aws | ~> 3.0 |
| lacework | ~> 0.2 |

Providers

| Name | Version |
|------|---------|
| archive | 2.2.0 |
| aws | 3.74.3 |
| lacework | 0.16.0 |
| local | 2.1.0 |
| random | 3.1.0 |
| template | 2.2.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_bus.lacework_events | resource |
| aws_cloudwatch_event_permission.lacework_events | resource |
| aws_cloudwatch_event_rule.lacework_events | resource |
| aws_cloudwatch_event_target.lacework_events | resource |
| aws_cloudwatch_log_group.event_router | resource |
| aws_iam_role.lambda_execution | resource |
| aws_iam_role_policy.lambda_ec2_policy | resource |
| aws_iam_role_policy.lambda_iam_policy | resource |
| aws_iam_role_policy.lambda_log_policy | resource |
| aws_iam_role_policy.lambda_s3_policy | resource |
| aws_lambda_function.event_router | resource |
| aws_lambda_permission.allow_cloudwatch_invocation | resource |
| lacework_alert_channel_aws_cloudwatch.remediation_channel | resource |
| lacework_alert_rule.remediation_rule | resource |
| local_file.remediation_map | resource |
| random_id.uniq | resource |
| archive_file.lambda_app | data source |
| template_file.remediation_map | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| event_bridge_bus_name | The desired name of the EventBridge event bus. | `string` | `""` | no |
| event_bridge_rule_name | The desired name of the EventBridge event rule. | `string` | `""` | no |
| lacework_alert_rule_categories | The categories of Lacework alerts that should be sent to the alert channel. | `list(string)` | `["Compliance"]` | no |
| lacework_alert_rule_severities | The severities of Lacework alerts that should be sent to the alert channel. | `list(string)` | `["Critical", "High"]` | no |
| lacework_aws_account | The AWS account used by Lacework. | `string` | `"434813966438"` | no |
| lacework_integration_name | The name to use for the Alert Channel integration in Lacework. | `string` | `"Compliance Events to CloudWatch"` | no |
| lacework_resource_prefix | The name prefix to use for resources provisioned by the module. | `string` | `"lacework-remediation"` | no |
| lambda_function_name | The desired name of the Lacework event router lambda function. | `string` | `""` | no |
| lambda_log_retention | The number of days for which to retain logs for the remediation lambda. | `number` | `30` | no |
| lambda_role_name | The desired IAM role name for the Lacework remediation lambda function. | `string` | `""` | no |
| remediation_map | A map of Lacework violation reasons to remediation functions. | `map` | see default below | no |
| sqs_queue_name | The desired name of the SQS event queue. | `string` | `""` | no |

Default value of `remediation_map`:

```json
{
  "AWS_CIS_1_3_AccessKey1NotUsed": {
    "action": "iam_disable_unused_access_key"
  },
  "AWS_CIS_1_3_PasswordNotUsed": {
    "action": "iam_disable_login_profile"
  },
  "AWS_CIS_1_4_AccessKey1NotRotated": {
    "action": "iam_disable_unused_access_key"
  },
  "AWS_CIS_4_1_UnrestrictedAccess": {
    "action": "sg_delete_inbound_rules_by_scope",
    "params": {
      "port": "22",
      "protocol": "tcp",
      "scope": "0.0.0.0/0"
    }
  },
  "LW_AWS_GENERAL_SECURITY_1_Ec2InstanceWithoutTags": {
    "action": "ec2_stop_instance"
  },
  "LW_S3_13_LoggingNotEnabled": {
    "action": "s3_enable_access_logs"
  },
  "LW_S3_16_VersioningNotEnabled": {
    "action": "s3_enable_versioning"
  },
  "LW_S3_1_ReadAccessGranted": {
    "action": "s3_delete_acls"
  },
  "LW_S3_2_WriteAccessGranted": {
    "action": "s3_delete_acls"
  }
}
```

Outputs

| Name | Description |
|------|-------------|
| event_bridge_bus_arn | EventBridge Event Bus ARN |
| event_bridge_bus_name | EventBridge Event Bus Name |
| event_bridge_rule_arn | EventBridge Event Rule ARN |
| event_bridge_rule_name | EventBridge Event Rule Name |
| lambda_function_arn | Lambda Function ARN |
| lambda_function_name | Lambda Function Name |
| lambda_role_arn | Lambda IAM Role ARN |
| lambda_role_name | Lambda IAM Role Name |
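Usage

The following root-module configuration is an added example and is not part of this repository; it shows how the inputs above can be used to narrow what the module is allowed to change automatically. The module `source` path, the AWS region and the way Lacework credentials are supplied are assumptions; the variable names, actions and `params` keys come from the Inputs table.

```hcl
# Added example, not the module's own code. The module source, the AWS region
# and the Lacework credential setup below are assumptions.
terraform {
  required_providers {
    aws      = { source = "hashicorp/aws", version = "~> 3.0" }
    lacework = { source = "lacework/lacework", version = "~> 0.2" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption: deploy the remediation lambda here
}

# Assumption: Lacework API credentials are supplied through the provider's
# usual environment variables or profile rather than hard-coded here.
provider "lacework" {}

module "compliance_remediation" {
  source = "github.com/lacework-dev/compliance-remediation" # assumed path

  lacework_resource_prefix = "lacework-remediation"
  lambda_log_retention     = 90 # keep remediation logs longer than the 30-day default

  # Only Critical compliance findings trigger automated action; High findings
  # still appear in Lacework but are left for human review.
  lacework_alert_rule_severities = ["Critical"]

  # Narrowed remediation map: the default's ec2_stop_instance entry for
  # untagged instances is deliberately omitted, since stopping workloads is
  # disruptive. Every remaining action is reversible or additive.
  remediation_map = {
    "AWS_CIS_1_3_AccessKey1NotUsed"    = { action = "iam_disable_unused_access_key" }
    "AWS_CIS_1_3_PasswordNotUsed"      = { action = "iam_disable_login_profile" }
    "AWS_CIS_1_4_AccessKey1NotRotated" = { action = "iam_disable_unused_access_key" }
    "AWS_CIS_4_1_UnrestrictedAccess" = {
      action = "sg_delete_inbound_rules_by_scope"
      params = { port = "22", protocol = "tcp", scope = "0.0.0.0/0" }
    }
    "LW_S3_13_LoggingNotEnabled"   = { action = "s3_enable_access_logs" }
    "LW_S3_16_VersioningNotEnabled" = { action = "s3_enable_versioning" }
  }
}

# Surface the remediation role so its activity can be audited in CloudTrail.
output "remediation_lambda_role_arn" {
  value = module.compliance_remediation.lambda_role_arn
}
```

Any violation reason missing from `remediation_map` is simply not remediated, so removing an entry is the way to take an action out of automation without changing the alert rule.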
