Browse the Repo
Browse the Repo
Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).
This repo contains modules for configuring a variety of security best practices, including IAM users, IAM groups, IAM roles, IAM policies, audit logging for your AWS account, secrets management, SSH access, and server hardening.
Create and manage IAM users, IAM groups, IAM roles, and IAM policies as code.
Configure audit logging in your AWS account using AWS Config and AWS CloudTrail.
Enforce server hardening best practices, including
auto-update (automatically install critical security updates),
fail2ban (automatically block malicious SSH attempts),
ntp (sync the clock on a server), and
down the EC2 metadata endpoint to specific OS users).
Create and manage master keys in KMS that you can use to securely encrypt and decrypt data.
Manage SSH access using an identity provider (e.g., IAM Groups or ADFS Groups) using
Manage EBS encryption defaults so all new EBS volumes are encrypted with your master keys.
|This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!|
If you just want to try this repo out for experimenting and learning, check out the following resources:
examples folder: The
examples folder contains sample code optimized for learning, experimenting,
and testing (but not production usage).
If you want to deploy this repo in production, check out the following resources:
security modules in the Acme example Reference Architecture: Production-ready sample code from the Acme Reference Architecture examples.
Packer template with server-hardening in the Acme example Reference Architecture: Production-ready sample code from the Acme Reference Architecture examples.
If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at firstname.lastname@example.org.
Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.
Please see Contributing to the Gruntwork Infrastructure as Code Library for instructions.
For specific guidance on how to create a new module as part of this repository, please read through and consider the guide questions below.
Adding a new module to this repo is a task that requires deep understanding of the module you’re about to create.
A few important questions that will need deeper understaning and planning prior to adding a new module are:
What’s the purpose of the new module? Does it belong to another existing one already?
For example, if it’s a very simple AWS resource being created without extra complexity, it might make sense to bundle it with another existing module.
Is the new module required to be enabled and deployed in all AWS regions?
This is usually the case with regional services such as IAM Access Analyzer and KMS grants;
But might not be the same if the service was global such as S3 and IAM users.
What is the migration steps for the new module?
Are Gruntwork’s customers required to do anything, and if so, what and how urgently?
We're here to talk about our services, answer any questions, give advice, or just to chat.