This repo contains a collection of Terraform wrapper modules and standalone utilities that simplify the process of achieving compliance with the Center for Internet
Security (CIS)AWS Foundations
Benchmark. The Benchmark is an objective, consensus-driven security guideline for AWS. Gruntwork is a CIS SecureSuite member. These modules have been certified for compliance by CIS.
The Terraform modules in this repo are "wrapper" modules intended to be used in conjunction with the core modules
in the Gruntwork.io Infrastructure as Code Library.
The core modules are compliance-ready; that is, they can be configured in a manner that achieves compliance
with the Benchmark. The modules here "wrap" the compliance-ready modules by using the core modules as a source
and passing configuration options that are appropriate for compliance.
If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at support@gruntwork.io.
Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"300d42e7f2c1623ca6b9da1f731c133f277b5e41"}]},{"name":".gitignore","path":".gitignore","sha":"03aff38511349fa3b4441e2b0157b707218aa7ef"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"b9fd389c37a0872a9d838269b406c0f8186acfcc"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"47ca720c554dc4a85a502b796941512d019f6046"},{"name":"CONTRIBUTING.md","path":"CONTRIBUTING.md","sha":"87892060317568e38fb3673e6c974c548b5a3b49"},{"name":"README.adoc","path":"README.adoc","sha":"0de0bdcdefcddce617974b9d32b52dcc957a0532","toggled":true},{"name":"_docs","children":[{"name":"aws-cloudtrail.png","path":"_docs/aws-cloudtrail.png","sha":"c5482ed9b343509b76ce9678c5d6fcc07902a664"},{"name":"aws-cloudwatch.png","path":"_docs/aws-cloudwatch.png","sha":"5211cf11b76d724d86ffe022a314c443afef74cf"},{"name":"aws-config.png","path":"_docs/aws-config.png","sha":"bfa3bd7f86edfb2d914b2fad0c608b8120cb13cd"},{"name":"aws-iam.png","path":"_docs/aws-iam.png","sha":"9c0ebb4b5543199462b52282d86617db471ec48a"},{"name":"cis-account-architecture.png","path":"_docs/cis-account-architecture.png","sha":"86113f679c13fb529ceed5596fecec41d5204f54"},{"name":"cis-logo.png","path":"_docs/cis-logo.png","sha":"e75a052f28ac1e4d1d2292fa6cdc1ccd6a904885"}]},{"name":"codegen","children":[{"name":"generate-aws-config","children":[{"name":".gitignore","path":"codegen/generate-aws-config/.gitignore","sha":"b488f31b176e8da6501add7ce148074af2337d91"},{"name":"README.adoc","path":"codegen/generate-aws-config/README.adoc","sha":"997b340c7ffe1acac40861358c07674614c72c81"},{"name":"core-concepts.md","path":"codegen/generate-aws-config/core-concepts.md","sha":"8d2f9154541e1476df457348260fd29eda7e6150"},{"name":"images","children":[{"name":"aws-config-architecture.png","path":"codegen/generate-aws-config/images/aws-config-architecture.png","sha":"721458048d5e539468c438498863a91fa96e0a85"}]},{"name":"main.go","path":"codegen/generate-aws-config/main.go","sha":"3b0134a62ce1c94bc9f633eec8364813f231771f"},{"name":"templates","children":[{"name":"aws-config","children":[{"name":"README.adoc.tpl","path":"codegen/generate-aws-config/templates/aws-config/README.adoc.tpl","sha":"82e6b7d445e1354f6772205ff9cbb112a3fecefb"},{"name":"main.tf.tpl","path":"codegen/generate-aws-config/templates/aws-config/main.tf.tpl","sha":"9a3e6c44b6c71c69543b471ee8d4ca0f8a4e6029"},{"name":"outputs.tf.tpl","path":"codegen/generate-aws-config/templates/aws-config/outputs.tf.tpl","sha":"78fa3b2ce4cb2d02f4e3c0e193012c341cab2042"},{"name":"variables.tf.tpl","path":"codegen/generate-aws-config/templates/aws-config/variables.tf.tpl","sha":"a26a0a86040e5824185c15a2e27a269886b23bbe"}]}]}]},{"name":"generate-securityhub","children":[{"name":".gitignore","path":"codegen/generate-securityhub/.gitignore","sha":"61f44f130bdff8fcac8058495bd28ffd9062de25"},{"name":"README.md","path":"codegen/generate-securityhub/README.md","sha":"2ca7ca586fbe7a8ff77bdc9a435c2843caf25204"},{"name":"data","children":[{"name":"static","children":[{"name":"core-concepts.md","path":"codegen/generate-securityhub/data/static/core-concepts.md","sha":"6307ca9d06fb54f2d0061a81290ffead6bf5e7fa"},{"name":"invite-external-accounts","children":[{"name":"build_scripts","children":[{"name":"build.sh","path":"codegen/generate-securityhub/data/static/invite-external-accounts/build_scripts/build.sh","sha":"d88b72cd2e82f5156a50a35fb8cfa238159c6f82"}]},{"name":"dev_requirements.txt","path":"codegen/generate-securityhub/data/static/invite-external-accounts/dev_requirements.txt","sha":"ff7dfc3a64633aa716313a6adc39a95412bb9da8"},{"name":"invite_external_accounts","children":[{"name":"__init__.py","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts/__init__.py","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"errors.py","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts/errors.py","sha":"7dc0edfd882b693d431c6fc8c345bdc1be70e520"},{"name":"main.py","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts/main.py","sha":"3cbba395f54591fd4d13750a5c07fccc061236bb"},{"name":"project_logging.py","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts/project_logging.py","sha":"82c5fecd96fc2531417d0ac09f4adedd39fc169b"},{"name":"securityhub.py","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts/securityhub.py","sha":"d40b61026878f522afebc9172d1d4b8bba7074e2"}]},{"name":"invite_external_accounts_pex.tar","path":"codegen/generate-securityhub/data/static/invite-external-accounts/invite_external_accounts_pex.tar","sha":"35d9ea3ff4b964125095d80d49276b86ed38558c"},{"name":"requirements.txt","path":"codegen/generate-securityhub/data/static/invite-external-accounts/requirements.txt","sha":"a40be0ee80ae138ac17fe8e4015ecfc5115b29c0"}]}]},{"name":"templates","children":[{"name":"aws-securityhub","children":[{"name":"README.adoc.tpl","path":"codegen/generate-securityhub/data/templates/aws-securityhub/README.adoc.tpl","sha":"dbf4a695948e2db28d99c9f0fff3221d4572031b"},{"name":"main.tf.tpl","path":"codegen/generate-securityhub/data/templates/aws-securityhub/main.tf.tpl","sha":"f9116a89bb53f226677608beb0605a06cf983a20"},{"name":"outputs.tf.tpl","path":"codegen/generate-securityhub/data/templates/aws-securityhub/outputs.tf.tpl","sha":"baf227f4683cc8dbcb3d5b3feec978b6c6b063fa"},{"name":"variables.tf.tpl","path":"codegen/generate-securityhub/data/templates/aws-securityhub/variables.tf.tpl","sha":"e9a017e5f5ed0d238b6faf2af9915013e5aa35e3"}]}]}]},{"name":"main.go","path":"codegen/generate-securityhub/main.go","sha":"271d00b9b29290c1a598b7abafabd25cd1d1c6df"}]},{"name":"generator","children":[{"name":"generator.go","path":"codegen/generator/generator.go","sha":"1eba5f52c04c33f25c6140abffe9a192b560a30b"}]},{"name":"go.mod","path":"codegen/go.mod","sha":"782b3eaf70bfa03f695e6d9b3bfead5caebf22b3"},{"name":"go.sum","path":"codegen/go.sum","sha":"f34e0b7d560cd4e5a06c7f2a476da5dcdc7e7633"},{"name":"logging","children":[{"name":"logging.go","path":"codegen/logging/logging.go","sha":"d4fb9da710acb21567b4e0581cb7bd7692baca04"}]}]},{"name":"examples","children":[{"name":"cloudtrail","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/cloudtrail/terraform/README.md","sha":"9b9ff0b6c9e117d046c6ceecda94479e33b79d72"},{"name":"main.tf","path":"examples/cloudtrail/terraform/main.tf","sha":"b4fbcdc0812484e50d6a5a85f7e0a01a5554f220"},{"name":"outputs.tf","path":"examples/cloudtrail/terraform/outputs.tf","sha":"d761e149fa2b1a22c74727b0f7ef1329f3063037"},{"name":"variables.tf","path":"examples/cloudtrail/terraform/variables.tf","sha":"81d4f4bb2ea1131763003f85de7b2e88f800f241"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/cloudtrail/terragrunt/README.md","sha":"5b2d50aab0541ccc335021e95fe22b56bd034dbf"},{"name":"terragrunt.hcl","path":"examples/cloudtrail/terragrunt/terragrunt.hcl","sha":"64a8047867d9b341b3d11ea07a492e8fcd4367cb"}]}]},{"name":"cloudwatch-logs-metric-filters","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/cloudwatch-logs-metric-filters/terraform/README.md","sha":"a60c455a1d42b0fb3801af970753c5c43977207e"},{"name":"main.tf","path":"examples/cloudwatch-logs-metric-filters/terraform/main.tf","sha":"8ccb2e619843d8af516755b85da00480717dddfb"},{"name":"outputs.tf","path":"examples/cloudwatch-logs-metric-filters/terraform/outputs.tf","sha":"074e6118f58a6fd89d339ee3561c241b5de3583e"},{"name":"variables.tf","path":"examples/cloudwatch-logs-metric-filters/terraform/variables.tf","sha":"8e9c4651d9a5d79026c591b18616600499b1bdd9"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/cloudwatch-logs-metric-filters/terragrunt/README.md","sha":"5428ae138344bcb31a29bf653de47adbacf65976"},{"name":"terragrunt.hcl","path":"examples/cloudwatch-logs-metric-filters/terragrunt/terragrunt.hcl","sha":"4782ce6b03c26c43f2d0849d1baa0298edc5e13b"}]}]},{"name":"cross-account-iam-roles","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/cross-account-iam-roles/terraform/README.md","sha":"f3eadc1484eba090fd6e80006c14441e0fb2485c"},{"name":"main.tf","path":"examples/cross-account-iam-roles/terraform/main.tf","sha":"26aca4cd77367b7424078fd4cfe042ce6f37b447"},{"name":"outputs.tf","path":"examples/cross-account-iam-roles/terraform/outputs.tf","sha":"4635d74afd5ba0289decfaabe9e57266621866e2"},{"name":"variables.tf","path":"examples/cross-account-iam-roles/terraform/variables.tf","sha":"1c80da1943250d2c40180963c0a2f89fb2df9175"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/cross-account-iam-roles/terragrunt/README.md","sha":"d052127555ef25f2dfc7b878e664835414430615"},{"name":"terragrunt.hcl","path":"examples/cross-account-iam-roles/terragrunt/terragrunt.hcl","sha":"eb5224cea7b8e53a085045e490a79005e7814cf4"}]}]},{"name":"custom-iam-entity","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/custom-iam-entity/terraform/README.md","sha":"a44b701a7cdc4d03b1fba8857a71df5b4cdf6672"},{"name":"main.tf","path":"examples/custom-iam-entity/terraform/main.tf","sha":"33a2fc66826b737702aef28787ab83d9545b58c2"},{"name":"outputs.tf","path":"examples/custom-iam-entity/terraform/outputs.tf","sha":"835eb64f431386925438cb2f63e48e413faee90c"},{"name":"variables.tf","path":"examples/custom-iam-entity/terraform/variables.tf","sha":"7539c565d899f88078983f2232c550361a0ee502"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/custom-iam-entity/terragrunt/README.md","sha":"d9ea947f74c5518550d9cb34263b0236a955c5d2"},{"name":"terragrunt.hcl","path":"examples/custom-iam-entity/terragrunt/terragrunt.hcl","sha":"99bdccc50f04f2efb82ba424e86926066fddacff"}]}]},{"name":"iam-groups","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/iam-groups/terraform/README.md","sha":"2027c01edcc6d5125b71657e32520cc48f1c4f02"},{"name":"main.tf","path":"examples/iam-groups/terraform/main.tf","sha":"852d3e363fa4aab098cfcb7b382f145a246f7e5e"},{"name":"outputs.tf","path":"examples/iam-groups/terraform/outputs.tf","sha":"f386fa2f8b93fddfc8a04cb067220e4297c03ada"},{"name":"variables.tf","path":"examples/iam-groups/terraform/variables.tf","sha":"154f5a51e416bec433824942c65199bc74f28321"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/iam-groups/terragrunt/README.md","sha":"f12a36abf1602bf3fa19b42a1eecd3a95499631f"},{"name":"terragrunt.hcl","path":"examples/iam-groups/terragrunt/terragrunt.hcl","sha":"de01124a0a417059d5b62bf1cbb1352f4063ba24"}]}]},{"name":"iam-password-policy","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/iam-password-policy/terraform/README.md","sha":"29edc975ebec6423e42b789b02ee9ed2db0f521e"},{"name":"main.tf","path":"examples/iam-password-policy/terraform/main.tf","sha":"6cfd3decf581247ab410c1a6966b52c8d6f3d2da"},{"name":"variables.tf","path":"examples/iam-password-policy/terraform/variables.tf","sha":"ee9fe6604ee7b34c3a59b42cb9bcc503e5707abc"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/iam-password-policy/terragrunt/README.md","sha":"207bb1ad3e44c64e0e70c73de185e1f42b68756b"},{"name":"terragrunt.hcl","path":"examples/iam-password-policy/terragrunt/terragrunt.hcl","sha":"9a5abfb7982ee98aace97a1ea691a948aab5929e"}]}]},{"name":"saml-iam-roles","children":[{"name":"terraform","children":[{"name":"README.md","path":"examples/saml-iam-roles/terraform/README.md","sha":"431cef7141fde3a292df1626ed707d4b55c7a25d"},{"name":"main.tf","path":"examples/saml-iam-roles/terraform/main.tf","sha":"f669a1c4418c2249b5f850ac1614d64439db542b"},{"name":"outputs.tf","path":"examples/saml-iam-roles/terraform/outputs.tf","sha":"6e69339e781035cc29323a9dda927bea8a3d115b"},{"name":"saml-metadata.xml","path":"examples/saml-iam-roles/terraform/saml-metadata.xml","sha":"88596cfde52242a43559c79216a1c60b2ea12903"},{"name":"variables.tf","path":"examples/saml-iam-roles/terraform/variables.tf","sha":"7e552ab7a080ca8b9f4d0fd2b2058cda4b75c0c3"}]},{"name":"terragrunt","children":[{"name":"README.md","path":"examples/saml-iam-roles/terragrunt/README.md","sha":"2cd3c7bdde337bee726b29d4a3e49c761b0ba3e0"},{"name":"terragrunt.hcl","path":"examples/saml-iam-roles/terragrunt/terragrunt.hcl","sha":"68c50d324603caa08181d1744b315c75e3697df8"}]}]},{"name":"securityhub","children":[{"name":"terragrunt","children":[{"name":"README.md","path":"examples/securityhub/terragrunt/README.md","sha":"e37eac4f45aab63a46d5b04d08ed53a6ac2471fe"},{"name":"master","children":[{"name":"terragrunt.hcl","path":"examples/securityhub/terragrunt/master/terragrunt.hcl","sha":"43f9e1834d0ccde7de6ebd01657078e73cba7574"}]},{"name":"member","children":[{"name":"terragrunt.hcl","path":"examples/securityhub/terragrunt/member/terragrunt.hcl","sha":"e27e078840046a1fff817ff84ba47a9a26c2fac9"}]}]}]}]},{"name":"modules","children":[{"name":"aws-config","children":[{"name":"README.adoc","path":"modules/aws-config/README.adoc","sha":"82e6b7d445e1354f6772205ff9cbb112a3fecefb"},{"name":"main.tf","path":"modules/aws-config/main.tf","sha":"6d5cb2a7ebe119efc435eb598a185d50be1223de"},{"name":"outputs.tf","path":"modules/aws-config/outputs.tf","sha":"480ad0ffa8dbe3410f19dbe89c0fbb277b715b87"},{"name":"variables.tf","path":"modules/aws-config/variables.tf","sha":"a58168bf7ea381ca7b83d1fd278f1cf5682aec0d"}]},{"name":"aws-securityhub","children":[{"name":"README.adoc","path":"modules/aws-securityhub/README.adoc","sha":"dbf4a695948e2db28d99c9f0fff3221d4572031b"},{"name":"core-concepts.md","path":"modules/aws-securityhub/core-concepts.md","sha":"6307ca9d06fb54f2d0061a81290ffead6bf5e7fa"},{"name":"invite-external-accounts","children":[{"name":"bin","children":[{"name":"invite_external_accounts_py27_env.pex","path":"modules/aws-securityhub/invite-external-accounts/bin/invite_external_accounts_py27_env.pex","sha":"a61d838d1fd681fd56760c4ab3c9b8ef7750e051"},{"name":"invite_external_accounts_py3_env.pex","path":"modules/aws-securityhub/invite-external-accounts/bin/invite_external_accounts_py3_env.pex","sha":"d1afb0ae6efe358dd053458799367c0bb29e0614"}]},{"name":"invite_external_accounts","children":[{"name":"__init__.py","path":"modules/aws-securityhub/invite-external-accounts/invite_external_accounts/__init__.py","sha":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"},{"name":"errors.py","path":"modules/aws-securityhub/invite-external-accounts/invite_external_accounts/errors.py","sha":"7dc0edfd882b693d431c6fc8c345bdc1be70e520"},{"name":"main.py","path":"modules/aws-securityhub/invite-external-accounts/invite_external_accounts/main.py","sha":"3cbba395f54591fd4d13750a5c07fccc061236bb"},{"name":"project_logging.py","path":"modules/aws-securityhub/invite-external-accounts/invite_external_accounts/project_logging.py","sha":"82c5fecd96fc2531417d0ac09f4adedd39fc169b"},{"name":"securityhub.py","path":"modules/aws-securityhub/invite-external-accounts/invite_external_accounts/securityhub.py","sha":"d40b61026878f522afebc9172d1d4b8bba7074e2"}]}]},{"name":"main.tf","path":"modules/aws-securityhub/main.tf","sha":"2841415e84457fdcc0f44754fbb61614a1f2d18c"},{"name":"outputs.tf","path":"modules/aws-securityhub/outputs.tf","sha":"6725581233df013f765f7031ac2fba93b79a37fc"},{"name":"variables.tf","path":"modules/aws-securityhub/variables.tf","sha":"ad2d8eb8928d9e5fd43d0051a84359c2fe1f4f26"}]},{"name":"cloudtrail","children":[{"name":"README.adoc","path":"modules/cloudtrail/README.adoc","sha":"5e7f7a35ae88be0c3a1f8e89fb61305677e5db21"},{"name":"images","children":[{"name":"cloudtrail-cis-architecture.png","path":"modules/cloudtrail/images/cloudtrail-cis-architecture.png","sha":"70b296eb99f2c2da1bcc73fbb8d4528eb4743204"}]},{"name":"main.tf","path":"modules/cloudtrail/main.tf","sha":"68864581db72d48cb9c09a98ce7a765d09d5a72b"},{"name":"outputs.tf","path":"modules/cloudtrail/outputs.tf","sha":"33c67afdc73569394d1b43c182355156938d9b11"},{"name":"variables.tf","path":"modules/cloudtrail/variables.tf","sha":"8862afa2218c75cb0c2af079428bbd2358042b89"}]},{"name":"cloudwatch-logs-metric-filters","children":[{"name":"README.adoc","path":"modules/cloudwatch-logs-metric-filters/README.adoc","sha":"1bfa7134c7e3dc2f020205c20d98642414c92c10"},{"name":"core-concepts.md","path":"modules/cloudwatch-logs-metric-filters/core-concepts.md","sha":"75301bd203c74458fc05857510fdf89188ef3921"},{"name":"images","children":[{"name":"cloudwatch-alarm.png","path":"modules/cloudwatch-logs-metric-filters/images/cloudwatch-alarm.png","sha":"b9fa4a893e9a4c402f117d4fa3922b4e5fdc0b4f"},{"name":"cloudwatch-logs-architecture.png","path":"modules/cloudwatch-logs-metric-filters/images/cloudwatch-logs-architecture.png","sha":"65a8d960553521dbcb5d2342609b648fc1397f91"}]},{"name":"main.tf","path":"modules/cloudwatch-logs-metric-filters/main.tf","sha":"ed801c84926b89fe7753a6bf02e8bca0327a790e"},{"name":"outputs.tf","path":"modules/cloudwatch-logs-metric-filters/outputs.tf","sha":"1d0237d1e1bf5ba6d9e2136ecf1f2bf047ec7063"},{"name":"variables.tf","path":"modules/cloudwatch-logs-metric-filters/variables.tf","sha":"09c5655a6cd58fab958bea3afe91cc2287bfc248"}]},{"name":"cross-account-iam-roles","children":[{"name":"README.adoc","path":"modules/cross-account-iam-roles/README.adoc","sha":"9b36582f166539f09617a16f386d1f6678880874"},{"name":"images","children":[{"name":"iam-roles-architecture.png","path":"modules/cross-account-iam-roles/images/iam-roles-architecture.png","sha":"5b7c1e935fac59214299e224eb8425c8c9b246b8"}]},{"name":"main.tf","path":"modules/cross-account-iam-roles/main.tf","sha":"ced23a20d145023b87a22a9cf90ce9841500b757"},{"name":"outputs.tf","path":"modules/cross-account-iam-roles/outputs.tf","sha":"4635d74afd5ba0289decfaabe9e57266621866e2"},{"name":"variables.tf","path":"modules/cross-account-iam-roles/variables.tf","sha":"d7835df3cc93a9a0d858ac824f213144e419168b"}]},{"name":"custom-iam-entity","children":[{"name":"README.adoc","path":"modules/custom-iam-entity/README.adoc","sha":"7b49cabfe0da64d4398fb64581da7b810b79f9bc"},{"name":"main.tf","path":"modules/custom-iam-entity/main.tf","sha":"4b0a1e7443048694d727d5a64015e12dce4026e3"},{"name":"outputs.tf","path":"modules/custom-iam-entity/outputs.tf","sha":"157e624e8e8610fbeaf54f603dce2516806c332f"},{"name":"variables.tf","path":"modules/custom-iam-entity/variables.tf","sha":"9a4e12646a30d1bfee9ce18b28e134dad19983da"}]},{"name":"iam-groups","children":[{"name":"README.adoc","path":"modules/iam-groups/README.adoc","sha":"bd97d27b0878c3db0f1fdc03fae7278390260456"},{"name":"core-concepts.md","path":"modules/iam-groups/core-concepts.md","sha":"02dc8472d42c7ae6497417b378f31e8bd9882bd9"},{"name":"images","children":[{"name":"iam-groups-architecture.png","path":"modules/iam-groups/images/iam-groups-architecture.png","sha":"c95384f4ee5e543cda1b39bbfe6239f9581609f0"}]},{"name":"main.tf","path":"modules/iam-groups/main.tf","sha":"0540e498e623a11d60316cfbc6949b3767f65ba3"},{"name":"outputs.tf","path":"modules/iam-groups/outputs.tf","sha":"0919bcae3e51cadad70355a2c52fd15b45434287"},{"name":"variables.tf","path":"modules/iam-groups/variables.tf","sha":"a24e2fb4548de52da24e1c7eb8b3a2078b44c552"}]},{"name":"iam-password-policy","children":[{"name":"README.adoc","path":"modules/iam-password-policy/README.adoc","sha":"56d1516af9c03d91cff5484387096e782e44ba7e"},{"name":"main.tf","path":"modules/iam-password-policy/main.tf","sha":"7438c6148e697e1ec28537b86f1e3f4a3111393d"},{"name":"variables.tf","path":"modules/iam-password-policy/variables.tf","sha":"e8c3867f0ef9eb1a1d253ef6d5dffe6c902a4221"}]},{"name":"saml-iam-roles","children":[{"name":"README.adoc","path":"modules/saml-iam-roles/README.adoc","sha":"70bcb8fb3f59b169e84ad36af525cb72a5d1482d"},{"name":"images","children":[{"name":"saml-iam-roles.png","path":"modules/saml-iam-roles/images/saml-iam-roles.png","sha":"d8bb2b15ad1fbcb4cb0f823663735edc469d0c14"}]},{"name":"main.tf","path":"modules/saml-iam-roles/main.tf","sha":"1bcacf255b990ba9ea71d8a90cf363af7cac4020"},{"name":"outputs.tf","path":"modules/saml-iam-roles/outputs.tf","sha":"6e69339e781035cc29323a9dda927bea8a3d115b"},{"name":"variables.tf","path":"modules/saml-iam-roles/variables.tf","sha":"4319d117656b5a6945009dd15d62083af779852e"}]}]},{"name":"rfcs","children":[{"name":"flexible-backends.md","path":"rfcs/flexible-backends.md","sha":"8c308f20484932b9773c07f127d498de14c76bae"}]},{"name":"setup.cfg","path":"setup.cfg","sha":"981bc2bfd0b35029438d56c6d862a7f1519b8fe6"},{"name":"test","children":[{"name":"cloudtrail_test.go","path":"test/cloudtrail_test.go","sha":"46669ddd1b32aeb3f959a8dac9000d599bcbb03a"},{"name":"cloudwatch_logs_metric_filters_test.go","path":"test/cloudwatch_logs_metric_filters_test.go","sha":"1110d7f0ddeeda36fff67ffaf49fd326a71dc83c"},{"name":"cross_account_iam_roles_test.go","path":"test/cross_account_iam_roles_test.go","sha":"aa6d75cf953722a65edd0f623fe76a142c9aa02a"},{"name":"custom_iam_entity_test.go","path":"test/custom_iam_entity_test.go","sha":"4c95a46959349aeba26e80131a35af96ab16955a"},{"name":"generate_aws_config_test.go","path":"test/generate_aws_config_test.go","sha":"a1421114d28634b7c32131f67bf324a9742387cb"},{"name":"generate_securityhub_test.go","path":"test/generate_securityhub_test.go","sha":"492a4a86011210beb598ad1fdeb73736fec1a27e"},{"name":"go.mod","path":"test/go.mod","sha":"ae654fc7163a2df0241010e098b6456fe1dc965e"},{"name":"go.sum","path":"test/go.sum","sha":"3e43d17a39b86941caf74aa75e470cb35ced4ddd"},{"name":"iam_groups_test.go","path":"test/iam_groups_test.go","sha":"a361792deea45a980ed7ceae6f7a759c20c5ae3a"},{"name":"iam_password_policy_test.go","path":"test/iam_password_policy_test.go","sha":"0402874302c76da6e7fdf035a6b688e39ef33d8c"},{"name":"saml_iam_roles_test.go","path":"test/saml_iam_roles_test.go","sha":"7fc7ae5a4a268b6b78e90830ac150a98c92bfd82"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"f0614e492133b9e9b9bbaec4b34251493d31f4cd"}]}]},"detailsContent":"<div id=\"preamble\">\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p><span class=\"image\"><img src=\"https://img.shields.io/badge/CIS%20benchmark%20version-1.2.0-red)\" alt=\"CIS Benchmark Version\" class=\"preview__body--diagram\"></span>\n<span class=\"image\"><a class=\"image\" href=\"https://gruntwork.io/?ref=repo_cis_compliance_aws\" target=\"_blank\"><img src=\"https://img.shields.io/badge/maintained%20by-gruntwork.io-%235849a6.svg\" alt=\"maintained%20by gruntwork.io %235849a6\" class=\"preview__body--diagram\"></a></span></p>\n</div>\n<div class=\"paragraph\">\n<p>This repo contains a collection of Terraform wrapper modules and standalone utilities that simplify the process of achieving compliance with the <a href=\"https://www.cisecurity.org/\" target=\"_blank\">Center for Internet\nSecurity (CIS)</a> <a href=\"https://www.cisecurity.org/benchmark/amazon_web_services\" target=\"_blank\">AWS Foundations\nBenchmark</a>. The Benchmark is an objective, consensus-driven security guideline for AWS. Gruntwork is a CIS SecureSuite member. These modules have been certified for compliance by CIS.</p>\n</div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img src=\"/repos/images/v0.3.3/cis-compliance-aws/_docs/cis-account-architecture.png\" alt=\"cis account architecture\" class=\"preview__body--diagram\"></span></p>\n</div>\n<div class=\"paragraph\">\n<p>The Terraform modules in this repo are \"wrapper\" modules intended to be used in conjunction with the core modules\nin the <a href=\"https://gruntwork.io/infrastructure-as-code-library\" target=\"_blank\">Gruntwork.io Infrastructure as Code Library</a>.\nThe core modules are compliance-ready; that is, they can be configured in a manner that achieves compliance\nwith the Benchmark. The modules here \"wrap\" the compliance-ready modules by using the core modules as a source\nand passing configuration options that are appropriate for compliance.</p>\n</div>\n<div id=\"toc\" class=\"toc\">\n<div id=\"toctitle\" class=\"title\"></div>\n<ul class=\"sectlevel1\">\n<li><a href=\"#_features\">Features</a></li>\n<li><a href=\"#_learn\">Learn</a>\n<ul class=\"sectlevel2\">\n<li><a href=\"#_core_concepts\">Core concepts</a></li>\n<li><a href=\"#_repo_organization\">Repo organization</a></li>\n</ul>\n</li>\n<li><a href=\"#_deploy\">Deploy</a>\n<ul class=\"sectlevel2\">\n<li><a href=\"#_non_production_deployment_quick_start_for_learning\">Non-production deployment (quick start for learning)</a></li>\n<li><a href=\"#_production_deployment\">Production deployment</a></li>\n</ul>\n</li>\n<li><a href=\"#_support\">Support</a></li>\n<li><a href=\"#_contributions\">Contributions</a></li>\n<li><a href=\"#_license\">License</a></li>\n</ul>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_features\"><a class=\"anchor\" href=\"#_features\"></a><a class=\"link\" href=\"#_features\">Features</a></h2>\n<div class=\"sectionbody\">\n<div class=\"ulist\">\n<ul>\n<li>\n<p>Enables AWS Config in all regions</p>\n</li>\n<li>\n<p>Creates an AWS CloudTrail with CloudWatch Logs integration</p>\n</li>\n<li>\n<p>Creates a series of CloudWatch Logs metrics filters to notify an SNS topic when suspicious events are logged</p>\n</li>\n<li>\n<p>Create a set of IAM roles that can be used between accounts</p>\n</li>\n<li>\n<p>Create IAM roles and groups with custom permissions and require MFA</p>\n</li>\n<li>\n<p>Create a best-practices set of IAM groups</p>\n</li>\n<li>\n<p>Enable a strong IAM password policy</p>\n</li>\n<li>\n<p>Create a set of IAM roles for SAML identity providers</p>\n</li>\n</ul>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_learn\"><a class=\"anchor\" href=\"#_learn\"></a><a class=\"link\" href=\"#_learn\">Learn</a></h2>\n<div class=\"sectionbody\">\n<div class=\"admonitionblock note\">\n<table>\n<tr>\n<td class=\"icon\">\n<div class=\"title\">Note</div>\n</td>\n<td class=\"content\">\nThis repo is a part of <a href=\"https://gruntwork.io/infrastructure-as-code-library/\" target=\"_blank\">the Gruntwork Infrastructure as Code Library</a>, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read <a href=\"https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/\" target=\"_blank\">How to use the Gruntwork Infrastructure as Code Library</a>!\n</td>\n</tr>\n</table>\n</div>\n<div class=\"sect2\">\n<h3 id=\"_core_concepts\"><a class=\"anchor\" href=\"#_core_concepts\"></a><a class=\"link\" href=\"#_core_concepts\">Core concepts</a></h3>\n<div class=\"paragraph\">\n<p>For a comprehensive treatment of how to use this repository for compliance with the Benchmark, please refer to the\n<a href=\"https://gruntwork.io/guides/compliance/how-to-achieve-cis-compliance/\" target=\"_blank\">How to achieve compliance with the CIS AWS\nFoundations Benchmark</a> guide. You should also review and <a href=\"https://www.cisecurity.org/benchmark/amazon_web_services/\" target=\"_blank\">download the Benchmark itself from CIS</a>.</p>\n</div>\n</div>\n<div class=\"sect2\">\n<h3 id=\"_repo_organization\"><a class=\"anchor\" href=\"#_repo_organization\"></a><a class=\"link\" href=\"#_repo_organization\">Repo organization</a></h3>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules\">modules</a>: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.</p>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/cloudtrail\">cloudtrail wrapper module</a>: A wrapper module for a compliant configuration of AWS CloudTrail</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/cloudwatch-logs-metric-filters\">cloudwatch-logs-metric-filters wrapper module</a>: A wrapper module to create a series of CloudWatch Logs metrics filters</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/cross-account-iam-roles\">cross-account-iam-roles wrapper module</a>: A wrapper module to create IAM roles that can be used for assume roles between accounts</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/custom-iam-entity\">custom-iam-entity wrapper module</a>: A wrapper module to create IAM groups and/or roles with a customized set of managed policies attached</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/aws-config\">aws-config utility</a>: A wrapper module that enables AWS config on all enabled regions of an account.</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/iam-groups\">iam-groups wrapper module</a>: A wrapper module to create a best-practices set of IAM groups</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/iam-password-policy\">iam-password-policy wrapper module</a>: A wrapper module to create an compliant IAM password policy</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/saml-iam-roles\">saml-iam-roles wrapper module</a>: A wrapper module to create a set of IAM roles to use with SAML identity providers</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/modules/aws-securityhub\">aws-securityhub module</a>: A Terraform module for enabling AWS SecurityHub in all enabled</p>\n</li>\n</ul>\n</div>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/codegen\">codegen</a>: Code generation utilities that help generate modules in this repo.</p>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/codegen/generate-aws-config\">generate-aws-config utility</a>: A code generation program to enable AWS Config in all regions of an AWS account</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/codegen/generate-securityhub\">generate-securityhub utility</a>: A code generation program to enable AWS SecurityHub in all regions of an AWS account</p>\n</li>\n</ul>\n</div>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/examples\">examples</a>: This folder contains working examples of how to use the submodules.</p>\n</li>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/test\">test</a>: Automated tests for the modules and examples.</p>\n</li>\n</ul>\n</div>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_deploy\"><a class=\"anchor\" href=\"#_deploy\"></a><a class=\"link\" href=\"#_deploy\">Deploy</a></h2>\n<div class=\"sectionbody\">\n<div class=\"sect2\">\n<h3 id=\"_non_production_deployment_quick_start_for_learning\"><a class=\"anchor\" href=\"#_non_production_deployment_quick_start_for_learning\"></a><a class=\"link\" href=\"#_non_production_deployment_quick_start_for_learning\">Non-production deployment (quick start for learning)</a></h3>\n<div class=\"paragraph\">\n<p>If you just want to try this repo out for experimenting and learning, check out the following resources:</p>\n</div>\n<div class=\"ulist\">\n<ul>\n<li>\n<p><a href=\"/repos/v0.3.3/cis-compliance-aws/examples\">examples folder</a>: The <code>examples</code> folder contains sample code optimized for learning, experimenting,\nand testing (but not production usage).</p>\n</li>\n</ul>\n</div>\n</div>\n<div class=\"sect2\">\n<h3 id=\"_production_deployment\"><a class=\"anchor\" href=\"#_production_deployment\"></a><a class=\"link\" href=\"#_production_deployment\">Production deployment</a></h3>\n<div class=\"ulist\">\n<ul>\n<li>\n<p>For a comprehensive guide to achieving compliance using this repo, please refer to\n<a href=\"https://gruntwork.io/guides/compliance/how-to-achieve-cis-compliance/\" target=\"_blank\">How to achieve compliance with the CIS AWS\nFoundations Benchmark</a>.</p>\n</li>\n</ul>\n</div>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_support\"><a class=\"anchor\" href=\"#_support\"></a><a class=\"link\" href=\"#_support\">Support</a></h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers <a href=\"https://gruntwork.io/support/\" target=\"_blank\">Commercial Support</a> via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, <a href=\"https://www.gruntwork.io/pricing/\" target=\"_blank\">subscribe now</a>. If you’re not sure, feel free to email us at <a href=\"mailto:support@gruntwork.io\" target=\"_blank\">support@gruntwork.io</a>.</p>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_contributions\"><a class=\"anchor\" href=\"#_contributions\"></a><a class=\"link\" href=\"#_contributions\">Contributions</a></h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.</p>\n</div>\n<div class=\"paragraph\">\n<p>Please see <a href=\"https://gruntwork.io/guides/foundations/how-to-use-gruntwork-infrastructure-as-code-library/#contributing-to-the-gruntwork-infrastructure-as-code-library\" target=\"_blank\">Contributing to the Gruntwork Infrastructure as Code Library</a> for instructions.</p>\n</div>\n</div>\n</div>\n<div class=\"sect1\">\n<h2 id=\"_license\"><a class=\"anchor\" href=\"#_license\"></a><a class=\"link\" href=\"#_license\">License</a></h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Please see <a href=\"/repos/v0.3.3/cis-compliance-aws/LICENSE.txt\">LICENSE.txt</a> for details on how the code in this repo is licensed.</p>\n</div>\n</div>\n</div>","repoName":"cis-compliance-aws","repoRef":"v0.3.2","serviceDescriptor":{"serviceName":"CIS Foundations Benchmark","serviceRepoName":"cis-compliance-aws","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark","imageUrl":"cis-logo.png","licenseType":"subscriber","technologies":["Terraform","Go","Python"],"compliance":["CIS"],"tags":[""]},"serviceCategoryName":"Compliance","fileName":"README.adoc","filePath":"","title":"Repo Browser: CIS Foundations Benchmark","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}