Enables AWS Config and adds managed config rules with good defaults.
This is a RocketReach fork of the https://github.com/trussworks/terraform-aws-config repository that provides AWS Config infrastructure for our main production account, which we've configured to capture the config changes in all our other accounts.
We branched this in 2023/09 because the original module didn't support excluding Config resource_types and when we tried to include a specific set of resource_types, that didn't work either.
- acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
- approved-amis-by-tag: Checks whether running instances are using specified AMIs.
- cloudtrail-enabled: Ensure CloudTrail is enabled.
- cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
- cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
- multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.
- cloud-trail-cloud-watch-logs-enabled: Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs.
- cloudwatch-log-group-encrypted: Ensure that CloudWatch Logs are encrypted.
- cw-loggroup-retention-period-check: Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.
- dynamodb-table-encryption-enabled: Checks if the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling. Not supported in all regions
- dynamodb-table-encrypted-kms: Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS)
- ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
- ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
- ebs-snapshot-public-restorable-check: Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
- ebs-optimized-instance: Checks if EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
- ecr-private-image-scanning-enabled: Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled. Not supported in all regions
- ecr-private-lifecycle-policy-configured: Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. Not supported in all regions
- ecs-awsvpc-networking-enabled: Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’. Not supported in all regions
- ecs-containers-nonprivileged: Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’. Not supported in all regions
- ecs-containers-readonly-access: Checks if Amazon Elastic Container Service (Amazon ECS) containers only have read-only access to their root filesystems. Not supported in all regions
- ecs-no-environment-secrets: Checks if secrets are passed as container environment variables. Not supported in all regions
- efs-encrypted-check: Checks if Amazon Elastic File System is configured to encrypt file data using AWS Key Management Service.
- elb-logging-enabled: Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled.
- elb-deletion-protection-enabled: Checks if Elastic Load Balancing has deletion protection enabled.
- eip-attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
- instances-in-vpc: Ensure all EC2 instances run in a VPC.
- vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
- vpc-sg-open-only-to-authorized-ports: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible.
- restricted-common-ports: Checks if the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.
- guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
- iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
- iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
- iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
- root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
- iam-root-access-key: Ensure root AWS account does not have Access Keys.
- mfa_enabled_for_iam_console_access: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.
- iam-policy-no-statements-with-admin-access: Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
- iam-policy-no-statements-with-full-access: Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources. Not supported in all regions
- restricted-ssh: Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
- access_keys_rotated: Checks if the active access keys are rotated within the number of days specified in maxAccessKeyAge.
- cmk_backing_key_rotation_enabled: Checks if automatic key rotation is enabled for every AWS Key Management Service customer managed symmetric encryption key.
- nacl-no-unrestricted-ssh-rdp: Checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted. Not supported in all regions
- internet-gateway-authorized-vpc-only: Checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs).
- required-tags: Checks if resources are deployed with configured tags.
- rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
- rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
- rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
- rds-snapshot-encrypted: Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
- rds-cluster-deletion-protection-enabled: Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. Not supported in all regions
- db-instance-backup-enabled: Checks if RDS DB instances have backups enabled.
- s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
- s3-bucket-public-read-prohibited: Checks if your Amazon S3 buckets do not allow public read access.
- s3-bucket-ssl-requests-only: Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
- s3-bucket-level-public-access-prohibited: Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. Not supported in all regions
- s3-bucket-acl-prohibited: Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). Not supported in all regions
- s3-bucket-server-side-encryption-enabled: Checks if an S3 bucket either has S3 default encryption enabled or has a bucket policy that explicitly denies put-object requests without SSE using AES-256 or AWS KMS.
Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for config_name.
Note: If you use this module in multiple regions, be sure to disable duplicate checks and global resource types.
```hcl
module "aws_config" {
  source             = "trussworks/config/aws"
  config_name        = "my-aws-config"
  config_logs_bucket = "my-aws-logs"
}
```
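The following is an added example, not part of the module's own README, showing one way to apply the two notes above in a multi-region account: a primary region that records global resource types and runs the account-level IAM checks, and a second region that turns both off so compliance results are not duplicated. The region names, provider alias, bucket name, prefixes and tag values are assumed placeholders, and the module source is the same registry path as the usage block above (a fork would point at its own repository instead). Every input used is one listed in the inputs table.

```hcl
# Assumed primary region.
provider "aws" {
  region = "us-east-1"
}

# Assumed secondary region, addressed through a provider alias.
provider "aws" {
  alias  = "us_west_2"
  region = "us-west-2"
}

module "aws_config_primary" {
  source = "trussworks/config/aws"

  # IAM role/policy names are global, so each instance needs its own config_name.
  config_name        = "aws-config-us-east-1"
  config_logs_bucket = "example-aws-config-logs" # placeholder bucket name
  config_logs_prefix = "config/us-east-1"

  # Record only these types; an empty list (the default) records all supported types.
  resource_types = [
    "AWS::EC2::Instance",
    "AWS::EC2::SecurityGroup",
    "AWS::S3::Bucket",
    "AWS::IAM::Role",
  ]

  # Only one region should record global resources such as IAM.
  include_global_resource_types = true

  # Optional checks that are off by default, shown with their parameter formats.
  check_required_tags = true
  required_tags = {
    tag1Key   = "Owner"          # value optional: any value satisfies the rule
    tag2Key   = "Environment"
    tag2Value = "prod,staging"   # comma-separated allowed values
  }
  required_tags_resource_types = ["AWS::EC2::Instance", "AWS::S3::Bucket"]

  check_vpc_sg_open_only_to_authorized_ports = true
  vpc_sg_authorized_ports = {
    authorizedTcpPorts = "443,1020-1025" # ranges use a dash
  }

  tags = { Terraform = "true" }
}

module "aws_config_secondary" {
  source    = "trussworks/config/aws"
  providers = { aws = aws.us_west_2 }

  config_name        = "aws-config-us-west-2"
  config_logs_bucket = "example-aws-config-logs"
  config_logs_prefix = "config/us-west-2"

  # Global resources are already recorded by the primary region.
  include_global_resource_types = false

  # Account-level checks already evaluated in the primary region; disable the
  # duplicates here. Regional checks (EBS, RDS, S3, ECS, KMS, ...) keep their defaults.
  check_access_keys_rotated                        = false
  check_cloudtrail_enabled                         = false
  check_iam_group_has_users_check                  = false
  check_iam_password_policy                        = false
  check_iam_policy_no_statements_with_admin_access = false
  check_iam_policy_no_statements_with_full_access  = false
  check_iam_root_access_key                        = false
  check_iam_user_no_policies_check                 = false
  check_mfa_enabled_for_iam_console_access         = false
  check_root_account_mfa_enabled                   = false

  tags = { Terraform = "true" }
}
```

Both instances deliver to the same bucket under distinct prefixes; if the bucket lives in a different account, enable_multi_account_logs on the module that owns the bucket policy is the input to look at.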
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 2.70 |

| Name | Version |
|---|---|
| aws | >= 2.70 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_key_max_age | Maximum number of days without rotation. | number | 90 | no |
| acm_days_to_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | number | 14 | no |
| aggregate_organization | Aggregate compliance data by organization | bool | false | no |
| ami_required_tag_key_value | Tag key/value pairs that an AMI must have in order to be compliant. Example: key1:value1,key2:value2 | string | "" | no |
| authorized_vpc_ids | Comma-separated list of the authorized VPC IDs with attached IGWs. If the parameter is not provided, all attached IGWs will be NON_COMPLIANT. | string | "example,CSV" | no |
| check_access_keys_rotated | Enable access-keys-rotated rule | bool | true | no |
| check_acm_certificate_expiration_check | Enable acm-certificate-expiration-check rule | bool | true | no |
| check_approved_amis_by_tag | Enable approved-amis-by-tag rule | bool | false | no |
| check_cloud_trail_encryption | Enable cloud-trail-encryption-enabled rule | bool | false | no |
| check_cloud_trail_log_file_validation | Enable cloud-trail-log-file-validation-enabled rule | bool | false | no |
| check_cloudtrail_enabled | Enable cloudtrail-enabled rule | bool | true | no |
| check_cloudwatch_log_group_encrypted | Enable cloudwatch-log-group-encrypted rule | bool | true | no |
| check_cmk_backing_key_rotated | Enable cmk_backing_key_rotation_enabled rule | bool | true | no |
| check_cw_loggroup_retention_period | Enable cw-loggroup-retention-period-check rule | bool | false | no |
| check_db_instance_backup_enabled | Enable db-instance-backup-enabled rule | bool | false | no |
| check_dynamodb_table_encrypted_kms | Enable dynamodb-table-encrypted-kms rule | bool | false | no |
| check_dynamodb_table_encryption_enabled | Enable dynamodb-table-encryption-enabled rule | bool | true | no |
| check_ebs_optimized_instance | Enable ebs-optimized-instance rule | bool | false | no |
| check_ebs_snapshot_public_restorable | Enable ebs-snapshot-public-restorable-check rule | bool | true | no |
| check_ec2_encrypted_volumes | Enable ec2-encrypted-volumes rule | bool | true | no |
| check_ec2_imdsv2 | Enable IMDSv2 rule | bool | false | no |
| check_ec2_volume_inuse_check | Enable ec2-volume-inuse-check rule | bool | true | no |
| check_ecr_private_image_scanning_enabled | Enable ecr-private-image-scanning-enabled rule | bool | true | no |
| check_ecr_private_lifecycle_policy_configured | Enable ecr-private-lifecycle-policy-configured rule | bool | true | no |
| check_ecs_awsvpc_networking_enabled | Enable ecs-awsvpc-networking-enabled rule | bool | true | no |
| check_ecs_containers_nonprivileged | Enable ecs-containers-nonprivileged rule | bool | true | no |
| check_ecs_containers_readonly_access | Enable ecs-containers-readonly-access rule | bool | true | no |
| check_ecs_no_environment_secrets | Enable ecs-no-environment-secrets rule | bool | false | no |
| check_eip_attached | Enable eip-attached rule | bool | false | no |
| check_elb_deletion_protection_enabled | Enable elb-deletion-protection-enabled rule | bool | true | no |
| check_elb_logging_enabled | Enable elb-logging-enabled rule | bool | false | no |
| check_guard_duty | Enable guardduty-enabled-centralized rule | bool | false | no |
| check_iam_group_has_users_check | Enable iam-group-has-users-check rule | bool | true | no |
| check_iam_password_policy | Enable iam-password-policy rule | bool | true | no |
| check_iam_policy_no_statements_with_admin_access | Enable iam-policy-no-statements-with-admin-access rule | bool | true | no |
| check_iam_policy_no_statements_with_full_access | Enable iam-policy-no-statements-with-full-access rule | bool | true | no |
| check_iam_root_access_key | Enable iam-root-access-key rule | bool | true | no |
| check_iam_user_no_policies_check | Enable iam-user-no-policies-check rule | bool | true | no |
| check_instances_in_vpc | Enable instances-in-vpc rule | bool | true | no |
| check_internet_gateway_authorized_vpc_only | Enable internet-gateway-authorized-vpc-only rule | bool | false | no |
| check_mfa_enabled_for_iam_console_access | Enable mfa-enabled-for-iam-console-access rule | bool | true | no |
| check_multi_region_cloud_trail | Enable multi-region-cloud-trail-enabled rule | bool | false | no |
| check_nacl_no_unrestricted_ssh_rdp | Enable nacl-no-unrestricted-ssh-rdp rule | bool | true | no |
| check_rds_cluster_deletion_protection_enabled | Enable rds-cluster-deletion-protection-enabled rule | bool | true | no |
| check_rds_public_access | Enable rds-instance-public-access-check rule | bool | false | no |
| check_rds_snapshot_encrypted | Enable rds-snapshot-encrypted rule | bool | true | no |
| check_rds_snapshots_public_prohibited | Enable rds-snapshots-public-prohibited rule | bool | true | no |
| check_rds_storage_encrypted | Enable rds-storage-encrypted rule | bool | true | no |
| check_required_tags | Enable required-tags rule | bool | false | no |
| check_restricted_common_ports | Enable restricted-common-ports rule | bool | false | no |
| check_restricted_ssh | Enable restricted-ssh rule | bool | true | no |
| check_root_account_mfa_enabled | Enable root-account-mfa-enabled rule | bool | false | no |
| check_s3_bucket_acl_prohibited | Enable s3-bucket-acl-prohibited rule | bool | true | no |
| check_s3_bucket_level_public_access_prohibited | Enable s3-bucket-level-public-access-prohibited rule | bool | false | no |
| check_s3_bucket_public_read_prohibited | Enable s3-bucket-public-read-prohibited rule | bool | false | no |
| check_s3_bucket_public_write_prohibited | Enable s3-bucket-public-write-prohibited rule | bool | true | no |
| check_s3_bucket_server_side_encryption_enabled | Enable s3-bucket-server-side-encryption-enabled rule | bool | true | no |
| check_s3_bucket_ssl_requests_only | Enable s3-bucket-ssl-requests-only rule | bool | true | no |
| check_vpc_default_security_group_closed | Enable vpc-default-security-group-closed rule | bool | true | no |
| check_vpc_sg_open_only_to_authorized_ports | Enable vpc-sg-open-only-to-authorized-ports rule | bool | false | no |
| cloud_trail_cloud_watch_logs_enabled | Enable cloud-trail-cloud-watch-logs-enabled rule | bool | true | no |
| config_aggregator_name | The name of the aggregator. | string | "organization" | no |
| config_delivery_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | "Six_Hours" | no |
| config_logs_bucket | The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false, this can be an empty string. | string | n/a | yes |
| config_logs_bucket_kms_key_arn | The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket. | string | null | no |
| config_logs_prefix | The S3 prefix for AWS Config logs. | string | "config" | no |
| config_max_execution_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | string | "TwentyFour_Hours" | no |
| config_name | The name of the AWS Config instance. | string | "aws-config" | no |
| config_role_permissions_boundary | The ARN of the permissions boundary to apply to IAM roles created for AWS Config. | string | null | no |
| config_sns_topic_arn | An SNS topic to stream configuration changes and notifications to. | string | null | no |
| cw_loggroup_retention_period | Retention period for CloudWatch logs in number of days. | number | 3653 | no |
| dynamodb_arn_encryption_list | Comma-separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB tables. | string | "example,CSV" | no |
| ecs_no_environment_secrets | Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed. | string | "example,CSV" | no |
| elb_logging_s3_buckets | Comma-separated list of Amazon S3 bucket names for Amazon ELB to deliver the log files to. | string | "example,CSV" | no |
| enable_config_recorder | Enables configuring the AWS Config recorder resources in this module. | bool | true | no |
| enable_efs_encrypted_check | Enable efs-encrypted-check rule | bool | false | no |
| enable_multi_account_logs | Enable sending of logs and snapshots from different Config accounts / regions into a single bucket. | bool | false | no |
| exclude_permission_boundary | Boolean to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. If set to 'false', all IAM policies in scope are evaluated. | bool | false | no |
| expected_delivery_window_age | Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance. | number | 12 | no |
| include_global_resource_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | bool | true | no |
| kms_key_id | Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system. | string | "example,CSV" | no |
| password_max_age | Number of days before password expiration. | number | 90 | no |
| password_min_length | Password minimum length. | number | 14 | no |
| password_require_lowercase | Require at least one lowercase character in password. | bool | true | no |
| password_require_numbers | Require at least one number in password. | bool | true | no |
| password_require_symbols | Require at least one symbol in password. | bool | true | no |
| password_require_uppercase | Require at least one uppercase character in password. | bool | true | no |
| password_reuse_prevention | Number of passwords before allowing reuse. | number | 24 | no |
| required_tags | A map of required resource tags. Keys are of the form tagNKey and tagNValue, where N is an integer. Values are optional. | map(string) | {} | no |
| required_tags_resource_types | Resource types to check for tags. | list(string) | [] | no |
| resource_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See the relevant part of the AWS docs for available types. | list(string) | [] | no |
| s3_bucket_public_access_prohibited_exclusion | Comma-separated list of known allowed public Amazon S3 bucket names. | string | "example,CSV" | no |
| tags | Tags to apply to AWS Config resources. | map(string) | {} | no |
| vpc_sg_authorized_ports | Object whose values are comma-separated lists of ports authorized to be open to 0.0.0.0/0. Ranges are written with a dash, for example '443,1020-1025'. | object({ authorizedTcpPorts = optional(string, null) authorizedUdpPorts = optional(string, null) }) | {} | no |
| Name | Description |
|---|---|
| aws_config_role_arn | The ARN of the AWS Config role. |
| aws_config_role_name | The name of the IAM role used by AWS Config. |
| required_tags_rule_arn | The ARN of the required-tags config rule. |
Version 2.4.0 changed how AWS Config IAM policies are attached to IAM roles. When applying the upgrade, you will likely see a race condition resulting in the following error:

```text
Error: Provider produced inconsistent result after apply
```

A second terraform apply should resolve the issue.
Install dependencies (macOS):

```shell
brew install pre-commit go terraform terraform-docs
```