Welcome to the AWS Security Checks Module! This module is designed to perform security compliance checks on AWS accounts according to the CIS Level 1, CIS Level 2, and SOC 2 frameworks. It helps ensure that your AWS infrastructure aligns with these security standards.
The AWS Security Checks Module is a powerful tool for automating the process of auditing and validating AWS accounts against common security benchmarks. It provides a structured framework for performing CIS Level 1, CIS Level 2, and SOC 2 compliance checks.
For acheiving 100% compliant for AWS Infrastructure we need to perform some manual checks which are listed in the respective directory of cis-levels.
For encrypting cloudwatch log group of cloudtrail please use this KMS key policy. Please change the account id and region.
{
"Version": "2012-10-17",
"Id": "allow-cloudwatch-logs-encryption",
"Statement": [
{
"Sid": "AllowRootFullPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "AllowCloudWatchLogsEncryption",
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-2.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*"
}
]
}
- Pre-configured checks for CIS Level 1, CIS Level 2, and SOC 2 security benchmarks.
- Organized folder structure for easy navigation and maintenance.
- Customizable configurations to adapt to different environments.
- Automated and repeatable security assessment process.
The module is organized into the following directory:
cis-level-1: Contains code for CIS Level 1 compliance checks.cis-level-2: Contains code for CIS Level 2 compliance checks.soc2: Contains code for SOC 2 compliance checks.examples: Contains example scripts to call compliance checks based on the desired level.
Each folder contains configuration files specific to the corresponding security framework.
To get started with the AWS Security Checks Module, follow these steps:
- Clone the repository to your local machine:
https://github.com/sq-ia/terraform-aws-infrasec - Navigate to the desired framework folder (
cis-level-1,cis-level-2, orsoc2). - Review the documentation for each check to understand its purpose and requirements.
The examples folder contains terraform code to call compliance checks based on the desired level:
- To perform CIS Level 1, Level 2 and soc2 check input the value of variable
check_level. Please refer the below example.
module "cis" {
source = "squareops/security-automations/aws"
version = "1.0.1"
name = local.name
region = local.region
email = "skaf-demo@squareops.com"
cron_expression = "cron(0 22 1,10,20,28 * ? 2023)"
check_level = local.check_level
s3_enabled = true
config_enabled = true
include_global_resource_types = true
cw_log_enabled = true
alerting_enabled = true
multiple_access_key_notification = true
multiple_access_key_deactivate = false
disable_unused_credentials = false
disable_unused_credentials_after_days = 90
remove_ssl_tls_iam = false
enable_guard_duty = true
enable_security_hub = true
enable_aws_macie = true
mfa_iam_group_name = "mfa-group" ## enter your IAM user group for mfa
cloudwatch_logs_kms_key_arn = "arn:aws:kms:us-east-1:123456:key/3116fc04-dbbd-" ## enter kms key arn for encrypting cloudwatch log group of cloud trail
cloudwatch_log_group_retention_days = 60
s3_object_expiration_days = 90
}
| Name | Version |
|---|---|
| terraform | > 1.0.0 |
| Name | Version |
|---|---|
| aws | n/a |
| Name | Source | Version |
|---|---|---|
| cis-level-1 | ./modules/cis-level-1 | n/a |
| cis-level-2 | ./modules/cis-level-2 | n/a |
| soc2 | ./modules/soc2 | n/a |
| Name | Type |
|---|---|
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alarm_namespace | Namespace for the CloudWatch Alarm Metric | string |
"CISBenchmark" |
no |
| alerting_enabled | Enable alerting | bool |
true |
no |
| audit_log_bucket_custom_policy_json | Override the custom policy for the S3 logging bucket (JSON format). | string |
"" |
no |
| check_level | List of CIS checks to deploy. | list(any) |
[] |
no |
| cloudtrail_event_selector_type | Types of events that will be aggregated in CloudTrail | string |
"All" |
no |
| cloudtrail_kms_policy | KMS policy for Cloudtrail Logs | string |
"" |
no |
| cloudwatch_log_group_retention_days | Number of days to retain logs in CloudWatch log groups for CloudTrail. | number |
30 |
no |
| cloudwatch_logs_kms_key_arn | KMS key for CloudWatch Logs Encryption | string |
"" |
no |
| config_enabled | Set to true to enable AWS Config. | bool |
true |
no |
| cron_expression | Cron expression to trigger a Lambda function on a regular schedule. | string |
"cron(0 22 1,10,20,28 * ? 2023)" |
no |
| cw_log_enabled | Set it to true to aggregate logs on CloudWatch | bool |
true |
no |
| disable_unused_credentials | Disable unused IAM user credentials. | bool |
false |
no |
| disable_unused_credentials_after_days | Number of days after which unused IAM credentials will be disabled. | number |
"90" |
no |
| Email address for receiving notifications from Amazon SNS. | string |
"" |
no | |
| enable_aws_macie | Enable AWS Macie for data discovery and protection. | bool |
true |
no |
| enable_guard_duty | Enable AWS GuardDuty for threat detection. | bool |
true |
no |
| enable_security_hub | Enable AWS Security Hub for centralized security monitoring. | bool |
true |
no |
| iam_allow_users_to_change_password | Set it to true to allow users to change their own password | bool |
true |
no |
| iam_hard_expiry | Set it true to enforce hard password expiration for all users. | bool |
true |
no |
| iam_max_password_age | Maximum password age in days before expiration. | number |
90 |
no |
| iam_minimum_password_length | Minimum length requirement for user passwords. | number |
14 |
no |
| iam_password_reuse_prevention | Prevent password reuse multiple times | number |
24 |
no |
| iam_require_lowercase_characters | Require at least one lowercase letter in passwords | bool |
true |
no |
| iam_require_numbers | Require at least one number in passwords | bool |
true |
no |
| iam_require_symbols | Require at least one symbol in passwords | bool |
true |
no |
| iam_require_uppercase_characters | Require at least one uppercase letter in passwords | bool |
true |
no |
| include_global_resource_types | Set it to true to enable recording of global resources in AWS Config | bool |
true |
no |
| mfa_iam_group_name | Name of the IAM user group to which MFA user policies will be added. | string |
"test-user-group" |
no |
| multiple_access_key_deactivate | Deactivate newly created active access keys for IAM users. | bool |
false |
no |
| multiple_access_key_notification | Send email notifications for IAM users with multiple active access keys. | bool |
true |
no |
| name | Prefix for all resources (e.g., 'my-app') to identify them in the cloud environment. | string |
"" |
no |
| region | AWS region where resources will be provisioned. | string |
"us-east-2" |
no |
| remove_ssl_tls_iam | Remove expired SSL/TLS certificates from IAM. | bool |
false |
no |
| s3_enabled | Set to true to enable exporting CloudTrail logs to an S3 bucket. | bool |
true |
no |
| s3_object_expiration_days | Number of days after which object of s3 expires. | number |
"90" |
no |
| tags | Tags to be used in all the resources | map(string) |
{ |
no |
| Name | Description |
|---|---|
| access_log_bucket_arn | S3 bucket for storing audit logs of config. |
| access_log_bucket_id | S3 bucket for storing audit logs of config. |
| audit_bucket_arn | S3 bucket for storing audit logs of config. |
| audit_bucket_id | S3 bucket for storing audit logs of config. |
| sns_topic_arn | SNS topic arn |
To report an issue with a project:
- Check the repository's issue tracker on GitHub
- Search to see if the issue has already been reported
- If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Be sure to provide enough context and details so others can understand your problem.
Apache License, Version 2.0, January 2004 (http://www.apache.org/licenses/).
To support a GitHub project by liking it, you can follow these steps:
-
Visit the repository: Navigate to the GitHub repository.
-
Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.
-
Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.
Starring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.
We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.
- We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 5 years.
- Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
- Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
- DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
- Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
- 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.
We provide support on all of our projects, no matter how small or large they may be.
To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.