ssh-grunt

Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).


This repo contains modules for configuring a variety of security best practices, including IAM users, IAM groups, IAM roles, IAM policies, audit logging for your AWS account, secrets management, SSH access, and server hardening.

Features

  • Create and manage IAM users, IAM groups, IAM roles, and IAM policies as code.

  • Configure audit logging in your AWS account using AWS Config and AWS CloudTrail.

  • Enforce server hardening best practices, including auto-update (automatically install critical security updates), fail2ban (automatically block malicious SSH attempts), ntp (sync the clock on a server), and ip-lockdown (lock down the EC2 metadata endpoint to specific OS users).

  • Create and manage master keys in KMS that you can use to securely encrypt and decrypt data.

  • Manage SSH access with ssh-grunt, using groups in an identity provider (e.g., IAM Groups or ADFS Groups) to decide who can log in.

  • Manage EBS encryption defaults so all new EBS volumes are encrypted with your master keys.

Learn

Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

Manage

Check out the individual modules in the modules folder for documentation.

Support

If you need help with this repo or anything else related to infrastructure or DevOps, Gruntwork offers Commercial Support via Slack, email, and phone/video. If you’re already a Gruntwork customer, hop on Slack and ask away! If not, subscribe now. If you’re not sure, feel free to email us at support@gruntwork.io.

Contributions

Contributions to this repo are very welcome and appreciated! If you find a bug or want to add a new feature or even contribute an entirely new module, we are very happy to accept pull requests, provide feedback, and run your changes through our automated test suite.

For specific guidance on how to create a new module as part of this repository, please read through and consider the guide questions below.

Adding a new module to this repo is a task that requires deep understanding of the module you’re about to create.

A few important questions that will need deeper understanding and planning prior to adding a new module are:

  • What’s the purpose of the new module? Does it belong to another existing one already?

    • For example, if it’s a very simple AWS resource being created without extra complexity, it might make sense to bundle it with another existing module.

  • Is the new module required to be enabled and deployed in all AWS regions?

    • This is usually the case with regional services such as IAM Access Analyzer and KMS grants;

    • But it is not the case for global services such as S3 and IAM users.

  • What are the migration steps for the new module?

    • Are Gruntwork’s customers required to do anything, and if so, what and how urgently?

License

Please see LICENSE.txt for details on how the code in this repo is licensed.
