This module can be used to allow users authenticated via external Security Assertion Markup Language (SAML) identity providers such as Google, Amazon SSO, Microsoft Active Directory Federation Services (ADFS), Okta, and OneLogin to access your AWS accounts. This allows you to define each environment (mgmt, stage, prod, etc.) in a separate AWS account and to use SAML to assume different roles in each account.
If you're not familiar with IAM concepts, start with the Background Information section as a way to familiarize yourself with the terminology.
If you want to allow users of a SAML Identity Provider (IdP) to access your AWS accounts, you will first need to create a SAML Identity Provider within IAM. You will also have to configure your IdP to send the appropriate assertions as described in the AWS Documentation.
Create IAM roles in each account
If you want to allow users from SAML IdPs to access your AWS accounts, use this module in each AWS account to create IAM roles that specify which services those users may access.
Create permissions to assume the IAM roles in other accounts
Finally, this module will also grant access to users of each SAML provider listed in the various allow_*_access_from_saml_provider_arns variables to assume the corresponding role.
Resources Created
This module creates the following IAM roles (all optional):
allow-read-only-access-from-saml: Users authenticated by the SAML providers in var.allow_read_only_access_from_saml_provider_arns will get read-only access to all services in this account.
allow-billing-access-from-saml: Users authenticated by the SAML providers in var.allow_billing_access_from_saml_provider_arns will get full (read and write) access to the billing details for this account.
allow-ssh-grunt-access-from-saml: Users authenticated by the SAML providers in var.allow_ssh_grunt_access_from_saml_provider_arns will get read access to IAM Groups and public SSH keys. This is useful to allow ssh-grunt running on EC2 Instances in other AWS accounts to validate SSH connections against IAM users defined in this AWS account.
allow-dev-access-from-saml: Users authenticated by the SAML providers in var.allow_dev_access_from_saml_provider_arns will get full (read and write) access to the services in this account specified in var.dev_permitted_services.
allow-full-access-from-saml: Users authenticated by the SAML providers in var.allow_full_access_from_saml_provider_arns will get full (read and write) access to all services in this account.
allow-iam-admin-access-from-saml: Users authenticated by the SAML providers in var.allow_iam_admin_access_from_saml_provider_arns will get full IAM (iam:*) access in this account.
allow-auto-deploy-access-from-saml: Users authenticated by the SAML providers in var.allow_read_only_access_from_saml_provider_arns will get automated deployment access to all services in this account with the permissions specified in var.auto_deploy_permissions. The main use case is to allow a CI server (e.g. Jenkins) in another AWS account to do automated deployments in this AWS account.
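Each of the roles above is only useful if its trust policy restricts who may assume it. As an added example (not the module's own Terraform), the Python below builds the standard AWS trust policy pattern for such a role, a Federated principal per SAML provider ARN with sts:AssumeRoleWithSAML and a SAML:aud condition, and audits an arbitrary trust policy for the checks a reviewer would run against roles of this kind. The provider ARNs and account id are constructed sample values.

```python
import json
import re

# Audience value AWS sign-in federation expects in the SAML assertion.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Shape of an IAM SAML provider ARN: 12-digit account id, saml-provider/<name>.
SAML_PROVIDER_ARN_RE = re.compile(
    r"^arn:aws:iam::\d{12}:saml-provider/[A-Za-z0-9._-]+$"
)


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_saml_trust_policy(saml_provider_arns):
    """Return the trust (assume-role) policy document for a role that may only be
    assumed via AssumeRoleWithSAML by the given SAML providers."""
    arns = sorted(set(saml_provider_arns))
    if not arns:
        raise ValueError("at least one SAML provider ARN is required")
    bad = [a for a in arns if not SAML_PROVIDER_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not SAML provider ARNs: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeRoleWithSAML",
            "Effect": "Allow",
            "Principal": {"Federated": arns},
            "Action": "sts:AssumeRoleWithSAML",
            # Without this condition an assertion minted for another
            # service provider could be replayed against AWS.
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def audit_trust_policy(policy):
    """Return a list of findings for a trust policy; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(f"statement {i}: over-broad action {actions}")
        if principal == "*" or not isinstance(principal, dict):
            findings.append(
                f"statement {i}: principal must be a Federated SAML provider, "
                f"got {principal!r}"
            )
            continue
        if "*" in _as_list(principal.get("AWS")):
            findings.append(f"statement {i}: wildcard AWS principal")
        for arn in _as_list(principal.get("Federated")):
            if not SAML_PROVIDER_ARN_RE.match(arn):
                findings.append(f"statement {i}: non-SAML federated principal {arn}")
        if "sts:AssumeRoleWithSAML" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("SAML:aud") != AWS_SAML_AUDIENCE:
                findings.append(
                    f"statement {i}: missing SAML:aud == {AWS_SAML_AUDIENCE} condition"
                )
    return findings


if __name__ == "__main__":
    # Constructed sample providers, e.g. what you would pass in
    # var.allow_read_only_access_from_saml_provider_arns.
    sample_arns = [
        "arn:aws:iam::111111111111:saml-provider/okta",
        "arn:aws:iam::111111111111:saml-provider/adfs",
    ]
    doc = build_saml_trust_policy(sample_arns)
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc))
```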
How to switch between accounts
TODO: Provide additional documentation around gruntsaml and AWS Console SAML integration
o","sha":"f095f9d6d3618ac50c2ef8e65d6be4a2bff26283"},{"name":"string.go","path":"modules/ssh-grunt/src/string.go","sha":"fc61ca9625f9d654c2b3576ff932db1b90ae9dfe"},{"name":"string_test.go","path":"modules/ssh-grunt/src/string_test.go","sha":"a51e495942cd4364b1b2a511fa68fc4b1dde1237"},{"name":"sync.go","path":"modules/ssh-grunt/src/sync.go","sha":"b5d5bdbc0c1b52fa0008190eb3f97bc99109c3dd"},{"name":"sync_test.go","path":"modules/ssh-grunt/src/sync_test.go","sha":"f0a46bd471c56bde16cb822f8281e975c8aec848"},{"name":"url.go","path":"modules/ssh-grunt/src/url.go","sha":"12ff56939763979f94a8cb6dc35c9775ce0d3474"},{"name":"url_test.go","path":"modules/ssh-grunt/src/url_test.go","sha":"fe77a4563549dc6e0148452c1b03f19b6c0d9dcc"},{"name":"users.go","path":"modules/ssh-grunt/src/users.go","sha":"a40c2d3f26f69a93dac83da731a2407d1b89a083"},{"name":"users_test.go","path":"modules/ssh-grunt/src/users_test.go","sha":"3473766223be802090c695568e696149442ce112"}]}]},{"name":"ssh-iam","children":[{"name":"README.md","path":"modules/ssh-iam/README.md","sha":"4aa06d6a729e53384b6d2a43c06ee38807092f32"}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"modules/ssm-healthchecks-iam-permissions/README.md","sha":"005260025ae51ed9e13f1b6c6f9d737a02d5db68"},{"name":"main.tf","path":"modules/ssm-healthchecks-iam-permissions/main.tf","sha":"6b6b91fa59bc86de7521264ff34217cc88ae3842"},{"name":"vars.tf","path":"modules/ssm-healthchecks-iam-permissions/vars.tf","sha":"731aa1c2f275f723272114ef0357a8c3a246b47e"}]},{"name":"tls-cert-private","children":[{"name":"Dockerfile","path":"modules/tls-cert-private/Dockerfile","sha":"028aa72d434cf4bf28dff92d293e35a85b19fcf0"},{"name":"README.md","path":"modules/tls-cert-private/README.md","sha":"c6996ec25d7d9b1ab4f79d8164a14e86e1ac844f"},{"name":"docker-compose.yml","path":"modules/tls-cert-private/docker-compose.yml","sha":"f872026e8d51ceaab2e1c11cc9cf9c35ba81f29c"},{"name":"files","children":[{"name":"openssl.cnf","path":"modu
les/tls-cert-private/files/openssl.cnf","sha":"2542542c80ab180c47d3e0a27dbded65bed572de"}]},{"name":"scripts","children":[{"name":"generate-ca-keypair.sh","path":"modules/tls-cert-private/scripts/generate-ca-keypair.sh","sha":"395ee97c0e499c660efac5c5cf1f79dfcdbb69f8"},{"name":"generate-tls-keypair.sh","path":"modules/tls-cert-private/scripts/generate-tls-keypair.sh","sha":"f1c3577437fd589087704a9c003de416cb87d232"},{"name":"main.sh","path":"modules/tls-cert-private/scripts/main.sh","sha":"dc7af965ffb783bbef449010818e69294fa2ef75"}]}]}],"toggled":true},{"name":"test","children":[{"name":"Gopkg.lock","path":"test/Gopkg.lock","sha":"551944ad10e882e62590a33f90f60e480be80d4a"},{"name":"Gopkg.toml","path":"test/Gopkg.toml","sha":"b1dfa116f26fb4b7d7fe6a524e1b5bb074f67365"},{"name":"README.md","path":"test/README.md","sha":"62b43a1b4268805a0a1fdcecd51f4068b07d37b1"},{"name":"auto_update_test.go","path":"test/auto_update_test.go","sha":"1d2a5906849c2ae62c65c0c5ce42a9ba20201f82"},{"name":"aws_config_test.go","path":"test/aws_config_test.go","sha":"df32a8831f033d011743adbc70a679a287f8d899"},{"name":"aws_organizations_config_rules_test.go","path":"test/aws_organizations_config_rules_test.go","sha":"873b1ea607fe800910a02aa5b5d72e1709e3d724"},{"name":"aws_organizations_test.go","path":"test/aws_organizations_test.go","sha":"2eead85751ec47bd1008b795621fa5cff4a2a262"},{"name":"cloudtrail_test.go","path":"test/cloudtrail_test.go","sha":"bfd0e35b8f08e14a55026de1e72a97e6e7f15342"},{"name":"cross_account_iam_roles_test.go","path":"test/cross_account_iam_roles_test.go","sha":"b7dd54b59acb03cb0c5a7581e15de61f4b901c36"},{"name":"custom_iam_entity_test.go","path":"test/custom_iam_entity_test.go","sha":"390cace437fd609e2ad5d81c77d7ffacb0d7555e"},{"name":"fail2ban_test.go","path":"test/fail2ban_test.go","sha":"ac5c2f060a8aefc96d6ddd60630b6c8826182dfc"},{"name":"guardduty_test.go","path":"test/guardduty_test.go","sha":"73372ee85a4f78efd307d9a6d08fd09f41d781ed"},{"name":"iam_groups_test.go","
path":"test/iam_groups_test.go","sha":"21d66e7dcdf43cb7725be7ed4c7c8c7eb34dab79"},{"name":"iam_ssm_test.go","path":"test/iam_ssm_test.go","sha":"48e1870a8882f4ad88bd5fb7fb018b33baee82a6"},{"name":"iam_user_password_policy_test.go","path":"test/iam_user_password_policy_test.go","sha":"1fb35eea4e93bd26aad51804094dda325a4893b0"},{"name":"iam_users_test.go","path":"test/iam_users_test.go","sha":"e4934196d3df5d2a506b92fcae3f65b6309eebb8"},{"name":"ip-lockdown-test-scripts","children":[{"name":"allow-several-users.sh","path":"test/ip-lockdown-test-scripts/allow-several-users.sh","sha":"2f75dbe0880ed0907b43db58b6ac030a0d0e9bd4"},{"name":"common.sh","path":"test/ip-lockdown-test-scripts/common.sh","sha":"cdfe11aca76607a4feaf254a394f32273b738c5c"},{"name":"index.html","path":"test/ip-lockdown-test-scripts/index.html","sha":"557db03de997c86a4a028e1ebd3a1ceb225be238"},{"name":"restrict-all-users.sh","path":"test/ip-lockdown-test-scripts/restrict-all-users.sh","sha":"a37c1ffc90f2532e7cc3f9f5a859b75c98661dc6"},{"name":"restrict-one-user.sh","path":"test/ip-lockdown-test-scripts/restrict-one-user.sh","sha":"4214e1c15102f4568d1e995aa82add46ee430237"},{"name":"sanity-check.sh","path":"test/ip-lockdown-test-scripts/sanity-check.sh","sha":"542ed72f4f0952ace67c9cbf2e5ac07e81e6870c"}]},{"name":"ip_lockdown_test.go","path":"test/ip_lockdown_test.go","sha":"8a523ee4446d8f114647bbe76102cf3b755e30d4"},{"name":"kms_master_key_test.go","path":"test/kms_master_key_test.go","sha":"f372cb4e061299de80e2d9b1594d3cd7aa5cf88b"},{"name":"ntp_test.go","path":"test/ntp_test.go","sha":"e4ec90a5d39ed012b87a32d5b0b27b299cd746e8"},{"name":"os_hardening_test.go","path":"test/os_hardening_test.go","sha":"d7b1de96445a8474e323bcde272c909379d11a10"},{"name":"saml_iam_roles_test.go","path":"test/saml_iam_roles_test.go","sha":"78ec14c02892e1cb3d7b5e36756bca532ae27dd2"},{"name":"ssh_grunt_houston_test.go","path":"test/ssh_grunt_houston_test.go","sha":"b8b4d0786e13432f86745acc8e4ae468561c17a7"},{"name":"ssh_grunt_
iam_test.go","path":"test/ssh_grunt_iam_test.go","sha":"30c2bf25c90aef2a0f22cf5ed789af9e45e6c86e"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"018ca09c9888db5325fefb9774bad0b5f14670a0"},{"name":"test_helpers_aws_auth.go","path":"test/test_helpers_aws_auth.go","sha":"5be2449c8274695a1f27c235f4c70cbb2416b591"},{"name":"tls_cert_private_test.go","path":"test/tls_cert_private_test.go","sha":"5696a2f5113288b1d4da4327c2a44137ad662ecd"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"a-best-practices-set-of-iam-roles-for-saml-access\">A best-practices set of IAM roles for SAML access</h1><div class=\"preview__body--border\"></div><p>This module can be used to allow users authenticated via external Security Assertion Markup Language (SAML) identity\nproviders such as Google, Amazon SSO, Microsoft Active Directory Federation Services (ADFS), Okta, and OneLogin to access\nyour AWS accounts (<a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html\" class=\"preview__body--description--blue\" target=\"_blank\">saml-access</a>).\nThis allows you to define each environment (mgmt, stage, prod, etc) in a separate AWS account and to use SAML to assume\ndifferent roles in each account.</p>\n<p>If you're not familiar with IAM concepts, start with the <a href=\"#background-information\" class=\"preview__body--description--blue\">Background Information</a> section as a\nway to familiarize yourself with the terminology.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<p>To set up SAML access to AWS, you need to:</p>\n<ol>\n<li><a href=\"#create-identity-provider\" class=\"preview__body--description--blue\">Create an Identity Provider in each account</a></li>\n<li><a href=\"#create-iam-roles\" class=\"preview__body--description--blue\">Create IAM roles in each of your accounts</a></li>\n<li><a 
href=\"#create-permissions-to-assume-the-iam-roles-in-other-accounts\" class=\"preview__body--description--blue\">Create permissions to assume the IAM roles in other accounts</a></li>\n</ol>\n<p>This module takes care of <a href=\"#create-iam-roles\" class=\"preview__body--description--blue\">creating IAM roles</a> and <a href=\"#create-permissions-to-assume-the-iam-roles-in-other-accounts\" class=\"preview__body--description--blue\">creating the appropriate permissions</a>. Check out the <a href=\"/repos/v0.25.1/module-security/examples/saml-iam-roles\" class=\"preview__body--description--blue\">saml-iam-roles\nexample</a> for a working sample code of how to use this module.</p>\n<h3 class=\"preview__body--subtitle\" id=\"create-identity-provider-in-iam\">Create Identity Provider in IAM</h3>\n<p>If you want to allow users of a SAML Identity Provider (IdP) to access your AWS accounts, you will first need to create a SAML Identity Provider within IAM. You will also have to configure your IdP to send the appropriate assertions as described in the\n<a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Documentation</a>.</p>\n<h3 class=\"preview__body--subtitle\" id=\"create-iam-roles-in-each-account\">Create IAM roles in each account</h3>\n<p>If you want to allow users from SAML IdPs to access your AWS accounts, use this module in each AWS account to create IAM roles that specify which services those users may access.</p>\n<h3 class=\"preview__body--subtitle\" id=\"create-permissions-to-assume-the-iam-roles-in-other-accounts\">Create permissions to assume the IAM roles in other accounts</h3>\n<p>Finally, this module will also grant access to users of each SAML provider listed in the various\n<code>allow_*_access_from_saml_provider_arns</code> variables to assume the corresponding role.</p>\n<h2 class=\"preview__body--subtitle\" 
id=\"resources-created\">Resources Created</h2>\n<p>This module creates the following IAM roles (all optional):</p>\n<ul>\n<li>\n<p><strong>allow-read-only-access-from-saml</strong>: Users authenticated by the SAML providers in\n<code>var.allow_read_only_access_from_saml_provider_arns</code> will get read-only access to all services in this account.</p>\n</li>\n<li>\n<p><strong>allow-billing-access-from-saml</strong>: Users authenticated by the SAML providers in\n<code>var.allow_billing_access_from_saml_provider_arns</code> will get full (read and write) access to the billing details for\nthis account.</p>\n</li>\n<li>\n<p><strong>allow-ssh-grunt-access-from-saml</strong>: Users authenticated by the SAML providers in\n<code>var.allow_ssh_grunt_access_from_saml_provider_arns</code> will get read access to IAM Groups and public SSH keys. This is\nuseful to allow <a href=\"/repos/v0.25.1/module-security/modules/ssh-grunt\" class=\"preview__body--description--blue\">ssh-grunt</a> running on EC2 Instances in other AWS accounts to validate SSH\nconnections against IAM users defined in this AWS account.</p>\n</li>\n<li>\n<p><strong>allow-dev-access-from-saml</strong>:Users authenticated by the SAML providers in\n<code>var.allow_dev_access_from_saml_provider_arns</code> will get full (read and write) access to the services in this account\nspecified in <code>var.dev_permitted_services</code>.</p>\n</li>\n<li>\n<p><strong>allow-full-access-from-saml</strong>: Users authenticated by the SAML providers in\n<code>var.allow_full_access_from_saml_provider_arns</code> will get full (read and write) access to all services in this account.</p>\n</li>\n<li>\n<p><strong>allow-iam-admin-access-from-saml</strong>: Users authenticated by the SAML providers in\n<code>var.allow_iam_admin_access_from_saml_provider_arns</code> will get full IAM (<code>iam:*</code>) access in this account.</p>\n</li>\n<li>\n<p><strong>allow-auto-deploy-access-from-saml</strong>: Users authenticated by the 
SAML providers in\n<code>var.allow_read_only_access_from_saml_provider_arns</code> will get automated deployment access to all services in this\naccount with the permissions specified in <code>var.auto_deploy_permissions</code>. The main use case is to allow a CI server\n(e.g. Jenkins) in another AWS account to do automated deployments in this AWS account.</p>\n</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"how-to-switch-between-accounts\">How to switch between accounts</h2>\n<p>TODO: Provide additional documentation around <code>gruntsaml</code> and AWS Console SAML integration</p>\n","repoName":"module-security","repoRef":"v0.22.1","serviceDescriptor":{"serviceName":"ssh-grunt","serviceRepoName":"module-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/ssh-grunt","cloudProviders":["aws"],"description":"Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","Go"],"compliance":[],"tags":[""]},"serviceCategoryName":"SSH access","fileName":"README.md","filePath":"/modules/saml-iam-roles","title":"Repo Browser: ssh-grunt","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
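The trust relationship every allow-*-access-from-saml role above relies on, and the role/provider pairs an IdP has to put in the assertion so a user can pick a role in each account, as an added example in Python (not code from this module or from gruntsaml). The audience value and the Role attribute format are those in the AWS SAML documentation the page links to; the account IDs, the "okta" provider name and the sample attribute values are constructed for the example.

```python
"""Added example, not code from the saml-iam-roles module or from gruntsaml.

Builds the trust policy an allow-*-access-from-saml role needs, and parses
the role/provider pairs an IdP puts in the SAML assertion so a user can pick
a role in each account. Account IDs, the "okta" provider name and the sample
attribute values below are constructed sample data, not values from the page.
"""
import json
import re

# Audience AWS expects in the assertion for the commercial partition (from the
# AWS SAML docs). GovCloud and China use their own sign-in endpoints.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Role and saml-provider ARNs. Commas are excluded from the name so that a
# "role-arn,provider-arn" pair can be split on the comma.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):"
    r"(?P<kind>role|saml-provider)/(?P<name>[\w+=.@/-]+)$"
)


def saml_trust_policy(provider_arns):
    """Trust policy for a role that SAML-federated users may assume.

    This is the shape AWS requires for sts:AssumeRoleWithSAML: a Federated
    principal per SAML provider, plus an audience condition so an assertion
    issued for some other service provider cannot be replayed against AWS.
    """
    if not provider_arns:
        raise ValueError("a SAML role must trust at least one provider")
    for arn in provider_arns:
        m = ARN_RE.match(arn)
        if not m or m.group("kind") != "saml-provider":
            raise ValueError(f"not a SAML provider ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": list(provider_arns)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def parse_role_attribute(values):
    """Parse the SAML Role attribute (one "role-arn,provider-arn" per value).

    Returns {account id: {role name: provider arn}}. Rejects malformed values
    and pairs whose role and provider sit in different accounts: the role's
    trust policy names a provider in its own account, so such a pair cannot
    satisfy it.
    """
    by_account = {}
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"expected 'role-arn,provider-arn': {value!r}")
        matches = [ARN_RE.match(p) for p in parts]
        if None in matches:
            raise ValueError(f"malformed ARN in {value!r}")
        # AWS accepts the two ARNs in either order; normalise by kind.
        by_kind = {m.group("kind"): m for m in matches}
        if set(by_kind) != {"role", "saml-provider"}:
            raise ValueError(f"need one role and one provider: {value!r}")
        role, provider = by_kind["role"], by_kind["saml-provider"]
        if role.group("account") != provider.group("account"):
            raise ValueError(f"role and provider in different accounts: {value!r}")
        account_roles = by_account.setdefault(role.group("account"), {})
        account_roles[role.group("name")] = provider.string
    return by_account


def roles_for_account(by_account, account_id):
    """Role names a user may choose when switching to the given account."""
    return sorted(by_account.get(account_id, {}))


if __name__ == "__main__":
    # Constructed sample: a prod account (1111...) exposing two of this
    # module's roles and a dev account (2222...) exposing one, each trusting
    # its own "okta" SAML provider.
    prod_provider = "arn:aws:iam::111111111111:saml-provider/okta"
    print(json.dumps(saml_trust_policy([prod_provider]), indent=2))

    attribute_values = [
        "arn:aws:iam::111111111111:role/allow-read-only-access-from-saml," + prod_provider,
        "arn:aws:iam::111111111111:role/allow-full-access-from-saml," + prod_provider,
        # Provider first: AWS allows either order within a pair.
        "arn:aws:iam::222222222222:saml-provider/okta,"
        "arn:aws:iam::222222222222:role/allow-dev-access-from-saml",
    ]
    by_account = parse_role_attribute(attribute_values)
    for account in sorted(by_account):
        print(account, roles_for_account(by_account, account))
```

The SAML:aud condition is the part most often dropped when people hand-write these trust policies; without it any assertion the IdP issues for another service provider, signed with the same key, is accepted by sts:AssumeRoleWithSAML as long as it names the role. The per-account grouping is what a console role chooser or a CLI does with the Role attribute before calling AssumeRoleWithSAML for the selected pair.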