Browse the Repo
Browse the Repo
Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark
This repo contains a collection of Terraform wrapper modules and standalone utilities that simplify the process of achieving compliance with the Center for Internet Security (CIS) AWS Foundations Benchmark. The Benchmark is an objective, consensus-driven security guideline for AWS. Gruntwork is a CIS SecureSuite member. These modules have been certified for compliance by CIS.
The Terraform modules in this repo are "wrapper" modules intended to be used in conjunction with the core modules in the Gruntwork.io Infrastructure as Code Library. The core modules are compliance-ready; that is, they can be configured in a manner that achieves compliance with the Benchmark. The modules here "wrap" the compliance-ready modules by using the core modules as a source and passing configuration options that are appropriate for compliance.
Enables AWS Config in all regions
Creates an AWS CloudTrail with CloudWatch Logs integration
Creates a series of CloudWatch Logs metrics filters to notify an SNS topic when suspicious events are logged
Create a set of IAM roles that can be used between accounts
Create IAM roles and groups with custom permissions and require MFA
Create a best-practices set of IAM groups
Enable a strong IAM password policy
Create a set of IAM roles for SAML identity providers
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
For a comprehensive treatment of how to use this repository for compliance with the Benchmark, please refer to the How to achieve compliance with the CIS AWS Foundations Benchmark guide. You should also review and download the Benchmark itself from CIS.
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
cloudtrail wrapper module: A wrapper module for a compliant configuration of AWS CloudTrail
cloudwatch-logs-metric-filters wrapper module: A wrapper module to create a series of CloudWatch Logs metrics filters
cross-account-iam-roles wrapper module: A wrapper module to create IAM roles that can be used for assume roles between accounts
custom-iam-entity wrapper module: A wrapper module to create IAM groups and/or roles with a customized set of managed policies attached
aws-config utility: A wrapper module that enables AWS config on all enabled regions of an account.
iam-groups wrapper module: A wrapper module to create a best-practices set of IAM groups
iam-password-policy wrapper module: A wrapper module to create an compliant IAM password policy
saml-iam-roles wrapper module: A wrapper module to create a set of IAM roles to use with SAML identity providers
aws-securityhub module: A Terraform module for enabling AWS SecurityHub in all enabled
codegen: Code generation utilities that help generate modules in this repo.
examples: This folder contains working examples of how to use the submodules.
test: Automated tests for the modules and examples.
If you just want to try this repo out for experimenting and learning, check out the following resources:
examples folder: The
examples folder contains sample code optimized for learning, experimenting,
and testing (but not production usage).
For a comprehensive guide to achieving compliance using this repo, please refer to How to achieve compliance with the CIS AWS Foundations Benchmark.
If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at email@example.com.
Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.
Please see Contributing to the Gruntwork Infrastructure as Code Library for instructions.
Please see LICENSE.txt for details on how the code in this repo is licensed.
We're here to talk about our services, answer any questions, give advice, or just to chat.