Browse the Repo
Browse the Repo
Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark
This Terraform module wraps the
cloudwatch-logs-metrics-filters core module
to create a series of metrics filters in compliance with the CIS AWS Foundations Benchmark.
The wrapper creates filters for the following CloudTrail events:
Unauthorized API calls
Sign-in without MFA
Usage of the root account
Changes to IAM policies
Console authentication failures
Deleted or disabled KMS customer master keys
Changes to S3 bucket policy changes
Changes to AWS Config
Changes to security groups
Network gateway changes
Route table changes
|This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!|
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
cloudtrail wrapper module: A wrapper module for a compliant configuration of AWS CloudTrail
cloudwatch-logs-metric-filters wrapper module: A wrapper module to create a series of CloudWatch Logs metrics filters
cross-account-iam-roles wrapper module: A wrapper module to create IAM roles that can be used for assume roles between accounts
custom-iam-entity wrapper module: A wrapper module to create IAM groups and/or roles with a customized set of managed policies attached
iam-groups wrapper module: A wrapper module to create a best-practices set of IAM groups
iam-password-policy wrapper module: A wrapper module to create an compliant IAM password policy
saml-iam-roles wrapper module: A wrapper module to create a set of IAM roles to use with SAML identity providers
aws-securityhub module: A Terraform module for enabling AWS SecurityHub in all enabled
codegen: Code generation utilities that help generate modules in this repo.
generate-securityhub utility: A code generation program to enable AWS SecurityHub in all regions of an AWS account
examples: This folder contains working examples of how to use the submodules.
test: Automated tests for the modules and examples.
For a comprehensive guide to achieving compliance using this repo, please refer to How to achieve compliance with the CIS AWS Foundations Benchmark.
If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at email@example.com.
Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.
Please see Contributing to the Gruntwork Infrastructure as Code Library for instructions.
We're here to talk about our services, answer any questions, give advice, or just to chat.