Generate a TLS/SSL Certificate for a Private Service
This Gruntwork Docker Module generates the public and private keys of a new TLS/SSL certificate, and also returns the
public and private keys of the Certificate Authority (CA) used to generate the TLS certificate. The private key of the
CA is optionally destroyed immediately after generation to prevent any future malfeasance.
These certificates are ideal for use with a private service. For services that are publicly addressable, consider
using a commercial CA or public, free CA like Let's Encrypt.
Generating the TLS Public and Private Keypairs
Requirements
Make sure the latest version of Docker is installed and running.
Instructions
Edit the docker-compose.yml file and fill in your desired argument values.
Now run docker-compose up and your TLS certs will output to a local output directory!
To see documentation on the arguments in docker-compose.yml, see the main.sh file.
Note that the Docker Compose file mounts the local machine folder ./output in the Docker container. Mac and Windows
users sohuld take note that, in some cases, volume mounting may be extremely slow, or even one-way-only if you use an
rsync-based workaround to Docker's occasionally unsatisfying native volume mounting functionality.
How It Works
Once you run docker-compose up, the following steps occur:
A Docker image is built on your local machine that contains the latest OpenSSL for Ubuntu.
Docker-compose runs the Docker image and passes in the command value.
This kicks off a series of scripts that:
Generate a CA public key ("CA cert") and the corresponding CA private key
Generate a Certificate Signing Request (CSR) which is used to generate a public key (the "TLS cert") that is valid
for the desired domain name and the corresponding private key.
Outputs the following files:
CA public key: ca/ca.cert.pem
CA private key: ca/ca.key.pem (if deletion was not requested)
TLS public key: cert/cert.pem
TLS private key: cert/key.pem
Inspecting a certificate
You may wish to inspect some of the certificates generated by this tool. Use OpenSSL to do this with this command:
The industry-standard way to add encryption for data in motion is to use TLS (the successor to SSL). There are many examples
online explaining how TLS works, but here are the basics:
Some entity decides to be a "Certificate Authority" ("CA") meaning it will issue TLS certificates to websites or other services
An entity becomes a Certificate Authority by creating a public/private key pair and publishing the public portion (typically
known as the "CA Cert"). The private key is kept under the tightest possible security since anyone who possesses it could issue
TLS certificates as if they were this Certificate Authority!
In fact, the consequences of a CA's private key being compromised are so disastrous that CA's typically create an "intermediate"
CA keypair with their "root" CA key, and only issue TLS certificates with the intermediate key.
Your client (e.g. a web browser) can decide to trust this newly created Certificate Authority by including its CA Cert
(the CA's public key) when making an outbound request to a service that uses the TLS certificate.
When CAs issue a TLS certificate ("TLS cert") to a service, they again create a public/private keypair, but this time
the public key is "signed" by the CA. That public key is what you view when you click on the lock icon in a web browser
and what a service "advertises" to any clients such as web browsers to declare who it is. When we say that the CA
signed a public key, we mean that, cryptographically, any possessor of the CA Cert can validate that this same CA issued
this particular public key.
The public key is more generally known as the TLS cert.
The private key created by the CA must be kept secret by the service since the possessor of the private key can "prove"
they are whoever the TLS cert (public key) claims to be as part of the TLS protocol.
How does that "proof" work? Well, your web browser will attempt to validate the TLS cert in two ways:
First, it will ensure this public key (TLS cert) is in fact signed by a CA it trusts.
Second, using the TLS protocol, your browser will encrypt a message with the public key (TLS cert) that only the
possessor of the corresponding private key can decrypt. In this manner, your browser will be able to come up with a
symmetric encryption key it can use to encrypt all traffic for just that one web session.
Now your client/browser has:
declared which CA it will trust
verified that the service it's connecting to possesses a certificate issued by a CA it trusts
used that service's public key (TLS cert) to establish a secure session
Commercial or Public Certificate Authorities
For public services like banks, healthcare, and the like, it makes sense to use a "Commercial CA" like Verisign, Thawte,
or Digicert, or better yet a widely trusted but free service like Let's Encrypt.
(For additional information on Let's Encrypt, see Alternative Solutions Considered
in this document.) That's because every web browser comes pre-configured with a set of CA's that it trusts. This means
the client connecting to the bank doesn't have to know anything about CA's at all. Instead, their web browser is
configured to trust the CA that happened to issue the bank's certificate.
Connecting securely to private services is similar to connecting to your bank's website over TLS, with one primary
difference: We want total control over the CA.
Imagine if we used a commercial CA to issue our private TLS certificate and that commercial or public CA -- which we
don't control -- were compromised. Now the attackers of that commercial or public CA could impersonate our private server.
And indeed, ithashappened
multiple times.
How We'll Generate a TLS Cert for Private Services
One option is to be very selective about choosing a commercial CA, but to what benefit? What we want instead is assurance
that our private service really was launched by people we trust. Those same people -- let's call them our "operators" -
can become their own CA and generate their own TLS certificate for the private service.
Sure, no one else in the world will trust this CA, but we don't care because we only need our organization to trust this CA.
So here's our strategy for issuing a TLS Cert for a private service:
Create our own CA.
If a client wishes to trust our CA, they need only reference this CA public key.
We'll deal with the private key in a moment.
Using our CA, issue a TLS Certificate for our private service.
Create a public/private key pair for the private service, and have the CA sign the public key.
This means anyone who trusts the CA will trust that the possessor the private key that corresponds to this public key
is who they claim to be.
We will be extremely careful with the TLS private key since anyone who obtains it can impersonate our private service!
For this reason, we recommend immediately encrypting the private key with AWS KMS by
using gruntkms.
Freely advertise our CA's public key to all internal services.
Any service that wishes to connect securely to our private service will need our CA's public key so it can declare
that it trusts this CA, and thereby the TLS cert it issued to the private service.
Finally, consider throwing away the CA private key.
By erasing a CA private key it's impossible for the CA to be compromised, because there's no private key to steal!
Future certs can be generated with a new CA.
Contrast this to protecting your CA private key. There are tradeoff's either way so choose the option that makes
the most sense for your organization.
Alternative Solutions Considered
Terraform's TLS Provider
A compelling alternative is to use Teraform's built-in TLS Provider.
The primary concern with this approach is that the TLS private key generated by the tls_private_key Terraform resource
is stored in plaintext in the Terraform state and is therefore not recommended for production use.
Let's Encrypt
Let's Encrypt behaves in every way like a traditional commercial Certificate Authority (CA),
except that it's free. Because Let's Encrypt has good documentation around how to generate and and automatically renew a
TLS Certificate, it seemed like a good solution to solve our problem.
Unfortunately, Let's Encrypt is optimized for public services, not private ones. As a result, when issuing a new TLS
certificate, operators must prove ownership of their domain name by either provisioning a DNS record under example.com
or provisioning an HTTP resource under a well-known URI on https://example.com. This means it's not possible to
generate a TLS cert for a service with a private DNS address since Let's Encrypt would have no way of either resolving
the domain name (because it's private) or reaching the service to validate an HTTP document (because, again, it's private).
While Let's Encrypt is not the ideal solution for the intent of this module, it's well-suited to automatically generating
TLS certificates for any public services.
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"b9de66066266a899cc7edbba577d6011e82c5d55"},{"name":"post-upgrade-test-results.sh","path":".circleci/post-upgrade-test-results.sh","sha":"a4867e8fbdc334b7a90259568ee41ea577fbe764"},{"name":"set-upgrade-test-vars.sh","path":".circleci/set-upgrade-test-vars.sh","sha":"04ccab865d51c1169f7ae4648c38a3d98a9889ab"}]},{"name":".editorconfig","path":".editorconfig","sha":"a5eec1063e66c4cb953cba222dd50b4d314ef3e2"},{"name":".github","children":[{"name":"ISSUE_TEMPLATE","children":[{"name":"bug_report.md","path":".github/ISSUE_TEMPLATE/bug_report.md","sha":"d2e87e27c601e423865ed660ec697082470ca60f"},{"name":"feature_request.md","path":".github/ISSUE_TEMPLATE/feature_request.md","sha":"023a33099be2336476930c96e17ff1ba5dc55348"}]},{"name":"pull_request_template.md","path":".github/pull_request_template.md","sha":"6b100e40e323b5b07f40ed30616277c51c9f4b9e"}]},{"name":".gitignore","path":".gitignore","sha":"0494e0bc6b113e3569ca7005a54aec78bc0a611a"},{"name":".patcher","children":[{"name":"patches","children":[{"name":"v0.56.0","children":[{"name":"aws-provider-3.66.0","children":[{"name":"bump_provider.sh","path":".patcher/patches/v0.56.0/aws-provider-3.66.0/bump_provider.sh","sha":"11254794eacb43659723dadaf90c9ccf7e8e4564"},{"name":"create_script_for_terraform_init.sh","path":".patcher/patches/v0.56.0/aws-provider-3.66.0/create_script_for_terraform_init.sh","sha":"ad261a37b80ce056f4c2bd9b04e62e4187de1839"},{"name":"patch.yaml","path":".patcher/patches/v0.56.0/aws-provider-3.66.0/patch.yaml","sha":"b39be600ac6d0b780c1561ececc4bad4c0b3511c"}]}]},{"name":"v0.58.0","children":[{"name":"aws-provider-3.64","children":[{"name":"bump_provider.sh","path":".patcher/patches/v0.58.0/aws-provider-3.64/bump_provider.sh","sha":"07826c7966b45767db49b4f294ed9fda2e59ec10"},{"name":"create_script_for_terraform_init.sh","path":".patcher/patches/v0.58.0/aws-provider-3.64/create_script_for_terraform_init.sh","sha":"2d47d1a18989f08bdd0f06fe9b9c05629e745e89"},{"name":"patch.yaml","path":".patcher/patches/v0.58.0/aws-provider-3.64/patch.yaml","sha":"28f54eed4264f65d8fdb8711637159ee3f4f0220"}]}]},{"name":"v0.63.0","children":[{"name":"aws-provider-4.x","children":[{"name":"bump_provider.sh","path":".patcher/patches/v0.63.0/aws-provider-4.x/bump_provider.sh","sha":"d3daee144dd21814811d998e5ae69796b9956509"},{"name":"create_script_for_terraform_init.sh","path":".patcher/patches/v0.63.0/aws-provider-4.x/create_script_for_terraform_init.sh","sha":"26262b1471d987b63dee577714840e155d97df69"},{"name":"patch.yaml","path":".patcher/patches/v0.63.0/aws-provider-4.x/patch.yaml","sha":"c5301aab2e3e3ef08a5105dcb9429d7f0d66105c"}]}]},{"name":"v0.65.0","children":[{"name":"aws-provider-4.x","children":[{"name":"bump_provider.sh","path":".patcher/patches/v0.65.0/aws-provider-4.x/bump_provider.sh","sha":"7c61315127a8c8471a2688c089e23963161d5d35"},{"name":"create_script_for_terraform_init.sh","path":".patcher/patches/v0.65.0/aws-provider-4.x/create_script_for_terraform_init.sh","sha":"68e359ce7e2e28df8560a34300a938c0fc1d78dd"},{"name":"patch.yaml","path":".patcher/patches/v0.65.0/aws-provider-4.x/patch.yaml","sha":"967cf7dd0ec1e8c046eee8d0e6c8a6f4e9bbf8c2"}]}]}]}]},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"c54725b8fe2e0eb30c15d29380a23f1fb58360fa"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"8cacc352065b723bf2230b4554710b648b13e52e"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.adoc","path":"README.adoc","sha":"d3ad8c9f56609a3c88a7d27d5fa5d183c76590b0"},{"name":"_ci","children":[{"name":"output-debug-values.sh","path":"_ci/output-debug-values.sh","sha":"39d6d5f080a53f932e3b5ec970b5f268fd00e50a"}]},{"name":"_docs","children":[{"name":"auto-update.png","path":"_docs/auto-update.png","sha":"77bfd1c65de0245ac8b3c67d5b0b64fc440824bf"},{"name":"aws-cloudtrail-architecture.png","path":"_docs/aws-cloudtrail-architecture.png","sha":"a2dd9a08b8ed77744fd5febab3be7bdf633dee79"},{"name":"aws-cloudtrail.png","path":"_docs/aws-cloudtrail.png","sha":"acc7dcaf4b46ce3cef1bcc20be0329e12c320e7f"},{"name":"aws-config-architecture.png","path":"_docs/aws-config-architecture.png","sha":"721458048d5e539468c438498863a91fa96e0a85"},{"name":"aws-config-rules-architecture.png","path":"_docs/aws-config-rules-architecture.png","sha":"29fe3f20358b176e385d1bcdc0357bff2c1d5b4a"},{"name":"aws-config-rules.png","path":"_docs/aws-config-rules.png","sha":"ac3f7b35bcac949887e62aee260d9cb70edd3ae8"},{"name":"aws-config.png","path":"_docs/aws-config.png","sha":"02f4b326aef57372def4f3fafa4f0e4cec07e395"},{"name":"aws-guardduty.png","path":"_docs/aws-guardduty.png","sha":"053b92412fb8e3fb5740acc404b493fe1dd7229b"},{"name":"aws-organizations-architecture.png","path":"_docs/aws-organizations-architecture.png","sha":"bd57412fe85d3fe8d5e358db5e3b7bfef3e786a9"},{"name":"aws-organizations-icon.png","path":"_docs/aws-organizations-icon.png","sha":"b2b3fa04f51a23e5bae1b3389ffedf5e17b3cef2"},{"name":"iam-access-analyzer.png","path":"_docs/iam-access-analyzer.png","sha":"36e38e69454beae66d35b9bf25b3e5ffe1e68a25"},{"name":"kms-icon.png","path":"_docs/kms-icon.png","sha":"cd4f350a9a3fda41089928a7e396ee8924b7a901"},{"name":"multi-account-multi-region-aws-config.png","path":"_docs/multi-account-multi-region-aws-config.png","sha":"a9c813b1799fe71554c20c8fefc703792293bfe4"},{"name":"multiaccount_guardduty.png","path":"_docs/multiaccount_guardduty.png","sha":"c56b50bbb4c2a041366b430cada27b88aa02524b"},{"name":"ssh-grunt-architecture.png","path":"_docs/ssh-grunt-architecture.png","sha":"9ced8c68bcc7957e50aa016cad6c5b043a05b470"},{"name":"terminal-icon.png","path":"_docs/terminal-icon.png","sha":"df09d52d5b1176d7e231bab6c7712c3728e45c1b"}]},{"name":"codegen","children":[{"name":"README.adoc","path":"codegen/README.adoc","sha":"e2b5314b4f15a8f5b6c1b3932e73de6e87d107f0"},{"name":"core-concepts.md","path":"codegen/core-concepts.md","sha":"6e877c099d1b83783f653db8fe47f19359bbd15b"},{"name":"generate-all.sh","path":"codegen/generate-all.sh","sha":"e95f7a1fe3b75636468472cd072e0d0b559f2eb5"},{"name":"generate-aws-config","children":[{"name":".gitignore","path":"codegen/generate-aws-config/.gitignore","sha":"b488f31b176e8da6501add7ce148074af2337d91"},{"name":"main.go","path":"codegen/generate-aws-config/main.go","sha":"02caf84ae66d751d71079437aeadd93853b72431"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-aws-config/static/README.adoc","sha":"dc4b0dc89afdd92984fceca74f2c2e087645d019"},{"name":"core-concepts.md","path":"codegen/generate-aws-config/static/core-concepts.md","sha":"976e6424dcb277f70377f92eb2a10d0c8e595a85"},{"name":"variables.tf","path":"codegen/generate-aws-config/static/variables.tf","sha":"5d33ad42f818f943993986c0c3bb964eee84f9ba"}]},{"name":"template_data.go","path":"codegen/generate-aws-config/template_data.go","sha":"3e7e5e495a7f126b671f587554f3d4e08278801a"}]},{"name":"generate-aws-guardduty","children":[{"name":".gitignore","path":"codegen/generate-aws-guardduty/.gitignore","sha":"b488f31b176e8da6501add7ce148074af2337d91"},{"name":"main.go","path":"codegen/generate-aws-guardduty/main.go","sha":"d755b77b23bea4615d3611d314fcb2c9d87331c2"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-aws-guardduty/static/README.adoc","sha":"692d7135fa34922062bfa772b405afc21b3c6ea7"},{"name":"variables.tf","path":"codegen/generate-aws-guardduty/static/variables.tf","sha":"1487cf2e1ebd7ae87152a0b40ffa9f2c27271557"}]},{"name":"template_data.go","path":"codegen/generate-aws-guardduty/template_data.go","sha":"e9e92e528711c97416b9487a604bb6a4c6211d24"}]},{"name":"generate-ebs-encryption","children":[{"name":".gitignore","path":"codegen/generate-ebs-encryption/.gitignore","sha":"a3f620a6c9c87b381bf6748917bdf9542792f54b"},{"name":"main.go","path":"codegen/generate-ebs-encryption/main.go","sha":"e56b775bc9fb475053318bd1806dae6d3b313be7"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-ebs-encryption/static/README.adoc","sha":"86b31069c9627391411f7b6cceed08e813a7a37e"},{"name":"variables.tf","path":"codegen/generate-ebs-encryption/static/variables.tf","sha":"4bb22b9bb519462a429baea8ffea9d1a3991be26"}]},{"name":"template_data.go","path":"codegen/generate-ebs-encryption/template_data.go","sha":"fd500cf79337ab316d3c0eb466c47ba408f75346"}]},{"name":"generate-multiregion-iam-access-analyzer","children":[{"name":".gitignore","path":"codegen/generate-multiregion-iam-access-analyzer/.gitignore","sha":"045b82ea48805332afcf6edb7a52b41310f0c72c"},{"name":"main.go","path":"codegen/generate-multiregion-iam-access-analyzer/main.go","sha":"fd18cfb0632d699f02b553b02c44d5b7fdc19811"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-multiregion-iam-access-analyzer/static/README.adoc","sha":"d87068a71e5a6149ba32dcc1ba33070d8b83aeaa"},{"name":"core-concepts.md","path":"codegen/generate-multiregion-iam-access-analyzer/static/core-concepts.md","sha":"6bbaac3d7e62744e3fe3f511cd4ae78b212d08a8"},{"name":"variables.tf","path":"codegen/generate-multiregion-iam-access-analyzer/static/variables.tf","sha":"6e8d81aac5af0cba584e6d0884e03cfbc23ba07f"}]},{"name":"template_data.go","path":"codegen/generate-multiregion-iam-access-analyzer/template_data.go","sha":"934f6eed2001f1155777dbdf30399d2cad447c6f"}]},{"name":"generate-multiregion-kms-grant","children":[{"name":".gitignore","path":"codegen/generate-multiregion-kms-grant/.gitignore","sha":"ce81abc8eeae39683199307d44536f0a8b1b7862"},{"name":"main.go","path":"codegen/generate-multiregion-kms-grant/main.go","sha":"75bcec53d20b60c89dead42310ab854d69bd1320"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-multiregion-kms-grant/static/README.adoc","sha":"7c33dc779f289c34d0c72ecce7a4a60d99c38098"},{"name":"core-concepts.md","path":"codegen/generate-multiregion-kms-grant/static/core-concepts.md","sha":"3eb1725fa927a84cc2a0341335d150bf5c6e70f5"},{"name":"variables.tf","path":"codegen/generate-multiregion-kms-grant/static/variables.tf","sha":"505b2d0cb9ecf78f0364e845cab72bf0c28365d5"}]},{"name":"template_data.go","path":"codegen/generate-multiregion-kms-grant/template_data.go","sha":"290280e7d9d065b6f8d14f2635daf05cff6607fb"}]},{"name":"generate-multiregion-kms","children":[{"name":".gitignore","path":"codegen/generate-multiregion-kms/.gitignore","sha":"dd60654458233c0bdb18892c5989f1828889d55b"},{"name":"main.go","path":"codegen/generate-multiregion-kms/main.go","sha":"1ff847b9fc534027a50e059b2a99cad3da0f6604"},{"name":"static","children":[{"name":"README.adoc","path":"codegen/generate-multiregion-kms/static/README.adoc","sha":"75402e428cc30fee27dc5dd469788cf1d71320eb"},{"name":"core-concepts.md","path":"codegen/generate-multiregion-kms/static/core-concepts.md","sha":"8ba58b9a40c3aad18e2b804f53c6439b549b756d"},{"name":"variables.tf","path":"codegen/generate-multiregion-kms/static/variables.tf","sha":"b1740fb059927c65f7afd76f902ba616a921a138"}]},{"name":"template_data.go","path":"codegen/generate-multiregion-kms/template_data.go","sha":"4e3e26c551042fd93ffcad5f96f96a13ed3dbf67"}]},{"name":"generator","children":[{"name":"autogen_variables.tf.tpl.go","path":"codegen/generator/autogen_variables.tf.tpl.go","sha":"2817455872b7ca544e003936ac04723ce4573dbb"},{"name":"aws.go","path":"codegen/generator/aws.go","sha":"9a5ad6fd89fa287e3055459a5a6ece36680f5fcd"},{"name":"cli.go","path":"codegen/generator/cli.go","sha":"cd548e5893223b1e8de92512a6ee1d9e0866bc94"},{"name":"errors.go","path":"codegen/generator/errors.go","sha":"21fd1f6d4bef60ea9cb39939783696526ddd02e7"},{"name":"generator.go","path":"codegen/generator/generator.go","sha":"0ba3772e731c5a5b66242ff91425baace3c1626d"},{"name":"main.tf.tpl.go","path":"codegen/generator/main.tf.tpl.go","sha":"5cc7edcf31fc4a7d8e3c023563d82912d44ad6df"},{"name":"outputs.tf.tpl.go","path":"codegen/generator/outputs.tf.tpl.go","sha":"46860a17e8d59f4d063483a479b25bef4b05d10c"}]},{"name":"go.mod","path":"codegen/go.mod","sha":"8eb3c444360bfaadc3bb9f9be0a3d790abf065b9"},{"name":"go.sum","path":"codegen/go.sum","sha":"352e56caebeaee3cbf86f6866c50364967e65b24"},{"name":"logging","children":[{"name":"logging.go","path":"codegen/logging/logging.go","sha":"6aaf23efa4292058dc0d2cbe470c8f985b8651e9"}]}]},{"name":"examples","children":[{"name":"auto-update","children":[{"name":"README.md","path":"examples/auto-update/README.md","sha":"d7c630c4585bad7869d55bc6c62fca248eeb521a"},{"name":"auto-update-example.json","path":"examples/auto-update/auto-update-example.json","sha":"18ca339caae31c3e313e32a63300d08c2bfc5179"}]},{"name":"aws-config-multi-region","children":[{"name":"README.md","path":"examples/aws-config-multi-region/README.md","sha":"5d472db5cdc843b494852a062d8c0880f246fcd0"},{"name":"terraform","children":[{"name":"main.tf","path":"examples/aws-config-multi-region/terraform/main.tf","sha":"8f3dc13be12eb72f99301d2c30d4614ae04a3430"},{"name":"outputs.tf","path":"examples/aws-config-multi-region/terraform/outputs.tf","sha":"77ee90f69634c965b8ebed79a8d3afd6adca4db4"},{"name":"providers.tf","path":"examples/aws-config-multi-region/terraform/providers.tf","sha":"d1bc12aa42b0c4103afa93c6f89acbf05bfeccf8"},{"name":"variables.tf","path":"examples/aws-config-multi-region/terraform/variables.tf","sha":"9edb00dd56c986468334d57a0551e3b7a6207858"}]},{"name":"terragrunt","children":[{"name":"terragrunt.hcl","path":"examples/aws-config-multi-region/terragrunt/terragrunt.hcl","sha":"713980e74246ec91a10f780dd69235fc60fc5352"}]}]},{"name":"aws-config-rules","children":[{"name":"README.md","path":"examples/aws-config-rules/README.md","sha":"6cd2794e82af1e3c3620d8feaed136af5358207e"},{"name":"main.tf","path":"examples/aws-config-rules/main.tf","sha":"f70a39af913afccea0f4ae4cc1834c2e58416a9a"},{"name":"outputs.tf","path":"examples/aws-config-rules/outputs.tf","sha":"4319400eb4190f58458f2dd9398225869ff08da3"},{"name":"variables.tf","path":"examples/aws-config-rules/variables.tf","sha":"7d39063bdc912f043b060e8390a72fe1b984f2c5"}]},{"name":"aws-config","children":[{"name":"README.md","path":"examples/aws-config/README.md","sha":"5d66d09633de365e154669a090edc37fc70548d1"},{"name":"main.tf","path":"examples/aws-config/main.tf","sha":"83f2a3f136c03e0d6a05fde9901b6de845ccb671"},{"name":"outputs.tf","path":"examples/aws-config/outputs.tf","sha":"ddd32698f39772d663a2d9b8a6276260f5431068"},{"name":"variables.tf","path":"examples/aws-config/variables.tf","sha":"f119464824bd2821f2c6e8917e0670010090bc34"}]},{"name":"aws-organizations","children":[{"name":"README.md","path":"examples/aws-organizations/README.md","sha":"1da3c2fc061fee6ee99564b8b2323ccf69f2c690"},{"name":"main.tf","path":"examples/aws-organizations/main.tf","sha":"2f1aa70e96530de170c9d5375f0bbf6117cb437e"},{"name":"outputs.tf","path":"examples/aws-organizations/outputs.tf","sha":"58e36aac71c1fd04d5552fa840a9b5f149dcc32a"},{"name":"variables.tf","path":"examples/aws-organizations/variables.tf","sha":"59afc28c87bc3c49d11c6faf7e112643f0a95481"}]},{"name":"cloudtrail-custom-key","children":[{"name":"README.md","path":"examples/cloudtrail-custom-key/README.md","sha":"bb376ddaca4b52bef18a5526aa9cb0465574ff7e"},{"name":"main.tf","path":"examples/cloudtrail-custom-key/main.tf","sha":"743174357faa6a56118984f942e3a3d4965e18f8"},{"name":"outputs.tf","path":"examples/cloudtrail-custom-key/outputs.tf","sha":"b6cd4e77d231018a5beb19cd3a9a4eb3f2017d64"},{"name":"variables.tf","path":"examples/cloudtrail-custom-key/variables.tf","sha":"a72f9cabc8968d84ecdd5f2a3cbd5e8e41c064f6"}]},{"name":"cloudtrail","children":[{"name":"README.md","path":"examples/cloudtrail/README.md","sha":"2fbe4b7494d970738d054910d86d0ae31718c8ec"},{"name":"main.tf","path":"examples/cloudtrail/main.tf","sha":"6967ee85f1d118188cc8f80cb66aab09f9cac5e5"},{"name":"outputs.tf","path":"examples/cloudtrail/outputs.tf","sha":"b6cd4e77d231018a5beb19cd3a9a4eb3f2017d64"},{"name":"variables.tf","path":"examples/cloudtrail/variables.tf","sha":"cbeb938286bd999d6072ef3093254e8fd435f529"}]},{"name":"cross-account-iam-roles","children":[{"name":"README.md","path":"examples/cross-account-iam-roles/README.md","sha":"bac6fd37f7f7009454a66e55e8ff377fff36aefb"},{"name":"main.tf","path":"examples/cross-account-iam-roles/main.tf","sha":"5a77161dc3bd69db7794deaceb9cfc3760bc94c4"},{"name":"outputs.tf","path":"examples/cross-account-iam-roles/outputs.tf","sha":"44af3be56d0a80e4d509fcd62c0e6dd8628072fa"},{"name":"variables.tf","path":"examples/cross-account-iam-roles/variables.tf","sha":"749900f2e1e1d18ca039847f30676461c14cb7a8"}]},{"name":"custom-iam-entity","children":[{"name":"README.md","path":"examples/custom-iam-entity/README.md","sha":"7e6c2e15f44a4ddc28ef276da4b323d2fd326a3f"},{"name":"main.tf","path":"examples/custom-iam-entity/main.tf","sha":"2dd0fdb4c2105ca92312001169bfa5cefca0a5fa"},{"name":"outputs.tf","path":"examples/custom-iam-entity/outputs.tf","sha":"835eb64f431386925438cb2f63e48e413faee90c"},{"name":"variables.tf","path":"examples/custom-iam-entity/variables.tf","sha":"098b2744c093aac9a50c36df4a88d12f4a9baa50"}]},{"name":"ebs-encryption-multi-region","children":[{"name":"README.md","path":"examples/ebs-encryption-multi-region/README.md","sha":"6052c04a4f885b2e37658652bd174a59c56273de"},{"name":"main.tf","path":"examples/ebs-encryption-multi-region/main.tf","sha":"03c73d3f3dc28938626f664b5e8e1be2757e1ba6"},{"name":"outputs.tf","path":"examples/ebs-encryption-multi-region/outputs.tf","sha":"49520778a1fc9e5e82777cbb5aa0250e032e1817"},{"name":"providers.tf","path":"examples/ebs-encryption-multi-region/providers.tf","sha":"ff7fd8215d5d85513268ae89c879057b6ea97d61"},{"name":"variables.tf","path":"examples/ebs-encryption-multi-region/variables.tf","sha":"8a366d8cbe240950657f3851ea267c676029fd61"}]},{"name":"fail2ban","children":[{"name":"README.md","path":"examples/fail2ban/README.md","sha":"6599f8481a3e7666ffe7924707c89b0701d57689"},{"name":"fail2ban-example.json","path":"examples/fail2ban/fail2ban-example.json","sha":"0df4338f82ea084f189152aef764d616c52f2875"},{"name":"main.tf","path":"examples/fail2ban/main.tf","sha":"c3454514556b1bcd7f905138dbc291a3e23b2d18"},{"name":"outputs.tf","path":"examples/fail2ban/outputs.tf","sha":"77a6ab8a992cd106de126f24b2950c1efa499229"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/fail2ban/user-data/user-data.sh","sha":"460b230fb025451e06e8cdd73f83bb5bfea21110"}]},{"name":"variables.tf","path":"examples/fail2ban/variables.tf","sha":"236006c79b34f4fe3a517dd2ae8b805bfb19b6df"}]},{"name":"github-actions-iam-role","children":[{"name":"main.tf","path":"examples/github-actions-iam-role/main.tf","sha":"6b5f72389bbadc5260b3b4fb4a1b9b9d772c7bfa"},{"name":"outputs.tf","path":"examples/github-actions-iam-role/outputs.tf","sha":"d440f596aefbccbe3b4e76f8262a7201a89688c1"},{"name":"variables.tf","path":"examples/github-actions-iam-role/variables.tf","sha":"550e0459f5df591a403de1ba4b746fdda116bb70"}]},{"name":"guardduty","children":[{"name":"README.md","path":"examples/guardduty/README.md","sha":"23c75950a1b8b33286b79bd5e9d853cee02d62ea"},{"name":"main.tf","path":"examples/guardduty/main.tf","sha":"8f6798a8b349432dff6854a968cb4860d0af2cd1"},{"name":"outputs.tf","path":"examples/guardduty/outputs.tf","sha":"5cdf5798a495a01ce59269dd84fa95c0dc9a548b"},{"name":"providers.tf","path":"examples/guardduty/providers.tf","sha":"ff7fd8215d5d85513268ae89c879057b6ea97d61"},{"name":"variables.tf","path":"examples/guardduty/variables.tf","sha":"f34fed58aa65a7fafd7188b31dd15083acb3bad7"}]},{"name":"iam-access-analyzer-multi-region","children":[{"name":"README.md","path":"examples/iam-access-analyzer-multi-region/README.md","sha":"51c398bec469b1d95f4e59e2fb1f287fe621bf20"},{"name":"main.tf","path":"examples/iam-access-analyzer-multi-region/main.tf","sha":"339b6493278de7f82728308abc32db82f203e8a0"},{"name":"providers.tf","path":"examples/iam-access-analyzer-multi-region/providers.tf","sha":"ff7fd8215d5d85513268ae89c879057b6ea97d61"},{"name":"variables.tf","path":"examples/iam-access-analyzer-multi-region/variables.tf","sha":"734110e1aaac9640ad689d058dec03dd968fb9ee"}]},{"name":"iam-groups","children":[{"name":"README.md","path":"examples/iam-groups/README.md","sha":"7bd21c82fd8f28f7b3155497a0524d86ce17cfdd"},{"name":"main.tf","path":"examples/iam-groups/main.tf","sha":"09a5e9a6d29589345c6729ed42cee8023500d221"},{"name":"outputs.tf","path":"examples/iam-groups/outputs.tf","sha":"5076c13be431d7844e1ce524bcd40076450c051e"},{"name":"variables.tf","path":"examples/iam-groups/variables.tf","sha":"a7790e3207316f9e6216574fe2e0dd50fb39b767"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"examples/iam-user-password-policy/README.md","sha":"bc62258833767d2e383a130c43d57a11e229af27"},{"name":"main.tf","path":"examples/iam-user-password-policy/main.tf","sha":"6195571cd760e44d41a8984cfd52a3407264d72f"},{"name":"outputs.tf","path":"examples/iam-user-password-policy/outputs.tf","sha":"36e88e92cf2568fb06a8da0453a85bcb4bd199dd"},{"name":"variables.tf","path":"examples/iam-user-password-policy/variables.tf","sha":"7f920bda19b0928773bb37203859a68453a12231"}]},{"name":"iam-users","children":[{"name":"README.md","path":"examples/iam-users/README.md","sha":"f8b65e9756e9f8c8703a854c1363be700b5fe8d9"},{"name":"main.tf","path":"examples/iam-users/main.tf","sha":"9e58a9288ebaa62cacd92dbff376ee68c0239892"},{"name":"outputs.tf","path":"examples/iam-users/outputs.tf","sha":"dfa5ea6a81c8d28ffbfb0bf34e9ee3871eb80619"},{"name":"variables.tf","path":"examples/iam-users/variables.tf","sha":"52c97ebc727f29aa1c7cbc7e3947967a04dd4e52"}]},{"name":"ip-lockdown","children":[{"name":"README.md","path":"examples/ip-lockdown/README.md","sha":"3962ba23a76d8f02e5c0ffc8cb71196991628e38"},{"name":"aws-example","children":[{"name":"README.md","path":"examples/ip-lockdown/aws-example/README.md","sha":"da44a1265bdd321d10b4a6e3471a655da91033bb"},{"name":"main.tf","path":"examples/ip-lockdown/aws-example/main.tf","sha":"3ef69d2bc78e295c4d25b989d3489b5b47d2cdfe"},{"name":"outputs.tf","path":"examples/ip-lockdown/aws-example/outputs.tf","sha":"a175a78c9a10f9f2fd9d7c84f9b304aebc1bdb41"},{"name":"user-data","children":[{"name":"user-data.sh","path":"examples/ip-lockdown/aws-example/user-data/user-data.sh","sha":"c6d308027737a434f4c96bc3eba5bd301897af62"}]},{"name":"variables.tf","path":"examples/ip-lockdown/aws-example/variables.tf","sha":"85be46b79dfe349e32974eccdc9c3206211787ac"}]},{"name":"ip-lockdown-sample.json","path":"examples/ip-lockdown/ip-lockdown-sample.json","sha":"611ce6e3fe9d0cd53682a6edf643e4b02c1a57dc"},{"name":"local-test","children":[{"name":"README.md","path":"examples/ip-lockdown/local-test/README.md","sha":"3f0e1a6483ce3155bb04dbb9a4fd76ed41486d35"},{"name":"docker-compose.yml","path":"examples/ip-lockdown/local-test/docker-compose.yml","sha":"7c8e3a5d1fd40a95ef99b4bba0911c63ed43b530"}]}]},{"name":"kms-grant-multi-region","children":[{"name":"main.tf","path":"examples/kms-grant-multi-region/main.tf","sha":"c5b838c14e2b79ac2b37c58970655e75ee5004d6"},{"name":"providers.tf","path":"examples/kms-grant-multi-region/providers.tf","sha":"ff7fd8215d5d85513268ae89c879057b6ea97d61"},{"name":"variables.tf","path":"examples/kms-grant-multi-region/variables.tf","sha":"de7bc5d08278f3ecbf78a6397327f491cf8ac054"}]},{"name":"kms-master-key-multi-region","children":[{"name":"main.tf","path":"examples/kms-master-key-multi-region/main.tf","sha":"f21f568d41f5306cf9dd755f06e3747914b037a7"},{"name":"outputs.tf","path":"examples/kms-master-key-multi-region/outputs.tf","sha":"c2685a282b5ce295c2dd80a78841711a40e80dcb"},{"name":"providers.tf","path":"examples/kms-master-key-multi-region/providers.tf","sha":"ff7fd8215d5d85513268ae89c879057b6ea97d61"},{"name":"variables.tf","path":"examples/kms-master-key-multi-region/variables.tf","sha":"7ab53d8a832e0b925c0d58ec5d293a0137120b33"}]},{"name":"kms-master-key","children":[{"name":"README.md","path":"examples/kms-master-key/README.md","sha":"821565d831f2afcf7a2ffeea9a0854fabdaae033"},{"name":"main.tf","path":"examples/kms-master-key/main.tf","sha":"b578ec3578adbf7a20780e73083972662ccd3127"},{"name":"outputs.tf","path":"examples/kms-master-key/outputs.tf","sha":"4d5fd0a19ea917beff0241f169b51417ff9935b9"},{"name":"variables.tf","path":"examples/kms-master-key/variables.tf","sha":"c1de5a7b1c0859710d1253b61baf86c4564560e3"}]},{"name":"ntp","children":[{"name":"README.md","path":"examples/ntp/README.md","sha":"b676e802c1d196f6af204d14d143b80864bccd30"},{"name":"ntp-example.json","path":"examples/ntp/ntp-example.json","sha":"019a82b1c01aaabbe5abf7ed114854202275a410"}]},{"name":"os-hardening","children":[{"name":"README.md","path":"examples/os-hardening/README.md","sha":"d311d0932f7e98b236d0dcf3d9c629a7f8b3b107"},{"name":"packer-build.sh","path":"examples/os-hardening/packer-build.sh","sha":"8a0cf99893046f648c04ad62d505746e9c3a5e95"},{"name":"packer","children":[{"name":"amazon-linux.json","path":"examples/os-hardening/packer/amazon-linux.json","sha":"d5f1bfbc81723233bfaa3f99fdff07dcf3b1025a"},{"name":"files","children":[{"name":"etc","children":[{"name":"fstab","path":"examples/os-hardening/packer/files/etc/fstab","sha":"cbf68cec68a92bc54f514dd0d6906f19cea857e6"}]}]}]},{"name":"terraform","children":[{"name":"main.tf","path":"examples/os-hardening/terraform/main.tf","sha":"9b8efb7b2c907b793a3f2c9eb0d77c183def2609"},{"name":"outputs.tf","path":"examples/os-hardening/terraform/outputs.tf","sha":"33083aed25a4ed6e323bf84381b896614814c9d1"},{"name":"variables.tf","path":"examples/os-hardening/terraform/variables.tf","sha":"25d9e4a3ecf236434b71fd2eac179fa27cdb8587"}]}]},{"name":"private-s3-bucket-with-replication","children":[{"name":"README.md","path":"examples/private-s3-bucket-with-replication/README.md","sha":"8e47c9c013750aab08f8200383a9a468af233816"},{"name":"main.tf","path":"examples/private-s3-bucket-with-replication/main.tf","sha":"06000fd72a68af3a885e3eaf552b505d1f7d196b"},{"name":"outputs.tf","path":"examples/private-s3-bucket-with-replication/outputs.tf","sha":"e0ca6c1c51d90124a0f6aa588f2286106766f7e7"},{"name":"variables.tf","path":"examples/private-s3-bucket-with-replication/variables.tf","sha":"ce9cb926cc79a19e527ec6b6b8f918232dad4168"}]},{"name":"private-s3-bucket","children":[{"name":"README.md","path":"examples/private-s3-bucket/README.md","sha":"5214e6225de5e051cb2842fa2eb6e04a92184a10"},{"name":"main.tf","path":"examples/private-s3-bucket/main.tf","sha":"2fac2d7c83fbfe7ccf3c69f229765d544f9d5728"},{"name":"outputs.tf","path":"examples/private-s3-bucket/outputs.tf","sha":"efddeeb33901e91f4f28a438afb3455f2cca5e18"},{"name":"variables.tf","path":"examples/private-s3-bucket/variables.tf","sha":"ce9cb926cc79a19e527ec6b6b8f918232dad4168"}]},{"name":"saml-iam-roles","children":[{"name":"README.md","path":"examples/saml-iam-roles/README.md","sha":"b4ef2b28d5704aec892ea54cc28a61fbb46378c9"},{"name":"main.tf","path":"examples/saml-iam-roles/main.tf","sha":"725f640fc72010e545cf04600d3a8d8f45ec2c64"},{"name":"outputs.tf","path":"examples/saml-iam-roles/outputs.tf","sha":"1bd4fec9529cddfd2d3f61bba60f9dfb8b286c70"},{"name":"saml-metadata.xml","path":"examples/saml-iam-roles/saml-metadata.xml","sha":"88596cfde52242a43559c79216a1c60b2ea12903"},{"name":"variables.tf","path":"examples/saml-iam-roles/variables.tf","sha":"28705aa859940aa4b8027a19fe0b5b4affba939e"}]},{"name":"secrets-manager-resource-policies","children":[{"name":"README.md","path":"examples/secrets-manager-resource-policies/README.md","sha":"289a83c28bd9142fc7bbb4e603a4b25b4c9c1b98"},{"name":"main.tf","path":"examples/secrets-manager-resource-policies/main.tf","sha":"3f6255090706eb80d1fb68e2386c32590c0fd380"},{"name":"variables.tf","path":"examples/secrets-manager-resource-policies/variables.tf","sha":"d6f5c45fbc2173475cec7c4e77ac8f5caed4dc27"}]},{"name":"ssh-grunt","children":[{"name":"iam","children":[{"name":"README.md","path":"examples/ssh-grunt/iam/README.md","sha":"b1ae6d51c6f6d3eeb7df2b51dab8d0d238f53132"},{"name":"main.tf","path":"examples/ssh-grunt/iam/main.tf","sha":"2a2cb5b8b8b5168fdcf67cff2552f61bdfff89e4"},{"name":"outputs.tf","path":"examples/ssh-grunt/iam/outputs.tf","sha":"978b316044d417393b70100a427de1068c4d417f"},{"name":"variables.tf","path":"examples/ssh-grunt/iam/variables.tf","sha":"1ee58afdef7dad43bb3fb221995cc3daf631177b"}]},{"name":"packer","children":[{"name":"README.md","path":"examples/ssh-grunt/packer/README.md","sha":"b44b220f168e6e682bbf5f68065b8269a706fca5"},{"name":"build-binary.sh","path":"examples/ssh-grunt/packer/build-binary.sh","sha":"fe84ead78eb3e87e4855272f28c83d681c58ffff"},{"name":"ssh-grunt-iam.json","path":"examples/ssh-grunt/packer/ssh-grunt-iam.json","sha":"a38a0fdd4db72b49a323ed00956c4971fec9b860"}]}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"examples/ssm-healthchecks-iam-permissions/README.md","sha":"f1fe555a3aff887a966def0a1d3ccaff3dd826e7"},{"name":"main.tf","path":"examples/ssm-healthchecks-iam-permissions/main.tf","sha":"269701289f3e73e77fc98c035c714ef8eb1e352b"},{"name":"outputs.tf","path":"examples/ssm-healthchecks-iam-permissions/outputs.tf","sha":"52688c3a4f1f8349500505fb8949fa0d21c385a3"},{"name":"variables.tf","path":"examples/ssm-healthchecks-iam-permissions/variables.tf","sha":"217574c100974ae601b2a1478e0ac183d351d4a0"}]}]},{"name":"modules","children":[{"name":"_deprecated","children":[{"name":"account-baseline-app","children":[{"name":"README.md","path":"modules/_deprecated/account-baseline-app/README.md","sha":"289d35b15becbf5164ee355fecd892edf12c60bc"}]},{"name":"account-baseline-root","children":[{"name":"README.md","path":"modules/_deprecated/account-baseline-root/README.md","sha":"0ac4e867ee61387b76475d7eb36bba673a30fd76"}]},{"name":"account-baseline-security","children":[{"name":"README.md","path":"modules/_deprecated/account-baseline-security/README.md","sha":"ace992c3b31b9320aa1d559bbde597cc945c4430"}]},{"name":"custom-iam-group","children":[{"name":"README.md","path":"modules/_deprecated/custom-iam-group/README.md","sha":"e7a0ff783eb1052aa77fe50d7eaa6a06d2d82649"}]}]},{"name":"auto-update","children":[{"name":"README.adoc","path":"modules/auto-update/README.adoc","sha":"1e193ac18cb6a1863518b95d621a7802b09c1fab"},{"name":"core-concepts.md","path":"modules/auto-update/core-concepts.md","sha":"0e4dd35dc4b7320764f203b5cc91e55ecaa9b0be"},{"name":"install-scripts","children":[{"name":"configure-auto-update","path":"modules/auto-update/install-scripts/configure-auto-update","sha":"9557efec90bf62cbcd0360198ec2bf984a8a873b"},{"name":"unattended_upgrades_config.txt","path":"modules/auto-update/install-scripts/unattended_upgrades_config.txt","sha":"abe88fd8a5037ce518bec69a6cac0699cb421d47"},{"name":"yum_cron_config.txt","path":"modules/auto-update/install-scripts/yum_cron_config.txt","sha":"e7ef4273f1b2af0c9c032fadaacd03130ba5ea78"}]},{"name":"install.sh","path":"modules/auto-update/install.sh","sha":"7c19fd0d04b11c358af64149b3169d6b2c5e3b58"}]},{"name":"aws-auth","children":[{"name":"AWS-AUTH-1PASSWORD.md","path":"modules/aws-auth/AWS-AUTH-1PASSWORD.md","sha":"d7a63db66ddf11b485a2850069d52edf6bea37eb"},{"name":"AWS-AUTH-LASTPASS.md","path":"modules/aws-auth/AWS-AUTH-LASTPASS.md","sha":"d9b65d95892c1e2275894eb2ca3dd8f334a3a8b8"},{"name":"README.md","path":"modules/aws-auth/README.md","sha":"10f5164db2016bda84383b598e0262a188a39599"},{"name":"bin","children":[{"name":"aws-auth","path":"modules/aws-auth/bin/aws-auth","sha":"85039ffd1720f9b93a34e8998852bdd3b9502bcc"}]},{"name":"install.sh","path":"modules/aws-auth/install.sh","sha":"ab9611d92d6822ceed981bdff3766724366037f0"}]},{"name":"aws-config-bucket","children":[{"name":"README.md","path":"modules/aws-config-bucket/README.md","sha":"2988d934e16617289522a4ea711ee07589ce96d7"},{"name":"main.tf","path":"modules/aws-config-bucket/main.tf","sha":"3d41ab68188251d2cb7dbe321fb3b55dfd69bdb3"},{"name":"outputs.tf","path":"modules/aws-config-bucket/outputs.tf","sha":"8ac7ab1c4c5ded586bee63ce460b25cd60eb4a18"},{"name":"variables.tf","path":"modules/aws-config-bucket/variables.tf","sha":"ba6b30c18ca75ab991f42abb845ef89af8e9cb6e"}]},{"name":"aws-config-multi-region","children":[{"name":"README.adoc","path":"modules/aws-config-multi-region/README.adoc","sha":"dc4b0dc89afdd92984fceca74f2c2e087645d019"},{"name":"core-concepts.md","path":"modules/aws-config-multi-region/core-concepts.md","sha":"976e6424dcb277f70377f92eb2a10d0c8e595a85"},{"name":"main.tf","path":"modules/aws-config-multi-region/main.tf","sha":"53b63df18724b94954f2b32192bd1f1b140204e9"},{"name":"outputs.tf","path":"modules/aws-config-multi-region/outputs.tf","sha":"6592fec6ceb54bbbcfacba88e777ac8bb7a5cee4"},{"name":"variables.autogen.tf","path":"modules/aws-config-multi-region/variables.autogen.tf","sha":"3ea138065b8386950e13b049c9532d185c145f76"},{"name":"variables.tf","path":"modules/aws-config-multi-region/variables.tf","sha":"5d33ad42f818f943993986c0c3bb964eee84f9ba"}]},{"name":"aws-config-rules","children":[{"name":"README.adoc","path":"modules/aws-config-rules/README.adoc","sha":"2b550ac006ee6189aef5221748d03339bcf9806e"},{"name":"core-concepts.md","path":"modules/aws-config-rules/core-concepts.md","sha":"af111230b6262be339d220c7b2308493781fef49"},{"name":"main.tf","path":"modules/aws-config-rules/main.tf","sha":"b5b25b8a6e7bc7a70c5e87d3a6e2ef223171e60d"},{"name":"outputs.tf","path":"modules/aws-config-rules/outputs.tf","sha":"c297ad118d46f79f286d6577770ab46e59555ccb"},{"name":"variables.tf","path":"modules/aws-config-rules/variables.tf","sha":"e0645e3cfa20c357ae31401a32b7ea2d81d30d5b"}]},{"name":"aws-config","children":[{"name":"README.adoc","path":"modules/aws-config/README.adoc","sha":"191a82102e5fc9778d777052fc9efd616ddeb9db"},{"name":"core-concepts.md","path":"modules/aws-config/core-concepts.md","sha":"e5a7b8646bab42398ff7f5224549e528ce8c0d52"},{"name":"main.tf","path":"modules/aws-config/main.tf","sha":"2ef8fad8fd327c5494fa016439e3bd173249f2ca"},{"name":"outputs.tf","path":"modules/aws-config/outputs.tf","sha":"bcd505e4ac4102bc09750adb36c99398a06eb1a6"},{"name":"variables.tf","path":"modules/aws-config/variables.tf","sha":"97c21e72f615ed79b47ea325cf00e9c0495d2bab"}]},{"name":"aws-organizations","children":[{"name":"README.adoc","path":"modules/aws-organizations/README.adoc","sha":"52cda8fa0eaa15b00e5f389ba9dfb73a1f3c9d56"},{"name":"core-concepts.md","path":"modules/aws-organizations/core-concepts.md","sha":"8766c8f36eef9e8992bf13a44f6571261c43995d"},{"name":"main.tf","path":"modules/aws-organizations/main.tf","sha":"f4bff4da26d9be496b792a85b9587081a6eb3794"},{"name":"outputs.tf","path":"modules/aws-organizations/outputs.tf","sha":"feed57b33ab7eb9b100712647942f1a8d7245b3d"},{"name":"variables.tf","path":"modules/aws-organizations/variables.tf","sha":"cf9e1673e458c5c7644b1e94e128eddb6feca0d3"}]},{"name":"cloudtrail-bucket","children":[{"name":"README.md","path":"modules/cloudtrail-bucket/README.md","sha":"acc86c32958e8f6d90944e714a7731a82f404c82"},{"name":"main.tf","path":"modules/cloudtrail-bucket/main.tf","sha":"b4e8a105e9a5dce61b894139a97e5144d88c7e51"},{"name":"outputs.tf","path":"modules/cloudtrail-bucket/outputs.tf","sha":"1e560e9b0cc1c8f40e81d5fe8bbbf1c03258fdae"},{"name":"variables.tf","path":"modules/cloudtrail-bucket/variables.tf","sha":"abe69efe79ef2ad95f6e8264440e23c983c8f3f4"}]},{"name":"cloudtrail","children":[{"name":"README.adoc","path":"modules/cloudtrail/README.adoc","sha":"b3090f9aa7b062f2028af50c3da17a3293ef3cd2"},{"name":"core-concepts.md","path":"modules/cloudtrail/core-concepts.md","sha":"debe79403a177aaf1de5396c85213652dbc85481"},{"name":"main.tf","path":"modules/cloudtrail/main.tf","sha":"f97c846e112702e0eb828116a3266cbb0c2ed024"},{"name":"outputs.tf","path":"modules/cloudtrail/outputs.tf","sha":"d161a32bbcd6f824955c273c49ef9e00bcdb57b3"},{"name":"variables.tf","path":"modules/cloudtrail/variables.tf","sha":"5e2cd8457afba74fcacde56ed828c3130eb04dbb"}]},{"name":"cross-account-iam-roles","children":[{"name":"README.md","path":"modules/cross-account-iam-roles/README.md","sha":"31af5c1ebf70060948de6073188d169fb9c5a87c"},{"name":"main.tf","path":"modules/cross-account-iam-roles/main.tf","sha":"c92047d7d95c60a6f1a6e80d05f4ad21eb5f23d6"},{"name":"outputs.tf","path":"modules/cross-account-iam-roles/outputs.tf","sha":"4e4697d3c627fc668206d03557f8d58b3f391465"},{"name":"variables.tf","path":"modules/cross-account-iam-roles/variables.tf","sha":"ad26db1accff0dd3751f72009aa29284692370a0"}]},{"name":"custom-iam-entity","children":[{"name":"README.md","path":"modules/custom-iam-entity/README.md","sha":"a4dedbd0cbaad6561eaf42774054c4c640cbb478"},{"name":"main.tf","path":"modules/custom-iam-entity/main.tf","sha":"71605479a558f3fd62b0e58bff1ebda19b1d7cf6"},{"name":"outputs.tf","path":"modules/custom-iam-entity/outputs.tf","sha":"b94249803e78991682b8542d8f39e5a728432b97"},{"name":"variables.tf","path":"modules/custom-iam-entity/variables.tf","sha":"a9dc17f7ccdf58c57aaee13764304504c6cd4055"}]},{"name":"ebs-encryption-multi-region","children":[{"name":"README.adoc","path":"modules/ebs-encryption-multi-region/README.adoc","sha":"86b31069c9627391411f7b6cceed08e813a7a37e"},{"name":"main.tf","path":"modules/ebs-encryption-multi-region/main.tf","sha":"60b2c3289d3a4ae90a8be12a2a71dda004c839a7"},{"name":"outputs.tf","path":"modules/ebs-encryption-multi-region/outputs.tf","sha":"3b199b936822f2dce4c1e6820657fc199ffb6f3b"},{"name":"variables.autogen.tf","path":"modules/ebs-encryption-multi-region/variables.autogen.tf","sha":"e016bd3d20f933e3b802d5facfd9665055f5140b"},{"name":"variables.tf","path":"modules/ebs-encryption-multi-region/variables.tf","sha":"4bb22b9bb519462a429baea8ffea9d1a3991be26"}]},{"name":"ebs-encryption","children":[{"name":"README.md","path":"modules/ebs-encryption/README.md","sha":"f9f23a71b7725648a9fdc9300de92d38014e6f63"},{"name":"main.tf","path":"modules/ebs-encryption/main.tf","sha":"b2ace130274d8f88ca442288cbfc4386eabc9ce0"},{"name":"outputs.tf","path":"modules/ebs-encryption/outputs.tf","sha":"6caa6eba337ae7aa9ad7db82dbd2cf6223f42cb9"},{"name":"variables.tf","path":"modules/ebs-encryption/variables.tf","sha":"d47c23a0c98c7561fcf0d95fa22fc40b34182bf9"}]},{"name":"fail2ban","children":[{"name":"README.md","path":"modules/fail2ban/README.md","sha":"e4cd7c70b170022b2e306289d4e8b949c58dd6ab"},{"name":"install-scripts","children":[{"name":"cloudwatch-metric.conf","path":"modules/fail2ban/install-scripts/cloudwatch-metric.conf","sha":"b2fb301180aeb253f5168a6fedd3e5c44b6938ff"},{"name":"configure-fail2ban","path":"modules/fail2ban/install-scripts/configure-fail2ban","sha":"013f563aaae09316e59eb1682e53738a66aa48d4"},{"name":"fail2ban.local","path":"modules/fail2ban/install-scripts/fail2ban.local","sha":"ea80bf8058a1f9bb1a80a59031981b2a37445750"},{"name":"filters.sshd.amazon.conf","path":"modules/fail2ban/install-scripts/filters.sshd.amazon.conf","sha":"093bb1baf88a1e283a43b7dd7d04c64992abecc6"},{"name":"jail.amazon.local","path":"modules/fail2ban/install-scripts/jail.amazon.local","sha":"1284b66ca5a007b77a40c27b66662425e7fe8c91"},{"name":"jail.amazon2.local","path":"modules/fail2ban/install-scripts/jail.amazon2.local","sha":"8f0285c493c406aa0db98f40b8bf9aa238f52353"},{"name":"jail.ubuntu.local","path":"modules/fail2ban/install-scripts/jail.ubuntu.local","sha":"b3485d20a2b1fad7949167d30eff2b4caf357d81"}]},{"name":"install.sh","path":"modules/fail2ban/install.sh","sha":"8f7b536f08506dabc2f6beb6cd5a50f7282168aa"},{"name":"user-data-scripts","children":[{"name":"configure-fail2ban-cloudwatch.sh","path":"modules/fail2ban/user-data-scripts/configure-fail2ban-cloudwatch.sh","sha":"5c112c70c078b769f3ae31e71334499d0e5be64a"}]}]},{"name":"github-actions-iam-role","children":[{"name":"README.md","path":"modules/github-actions-iam-role/README.md","sha":"295142b48d9430e2579c234a2f385405fcb079de"},{"name":"main.tf","path":"modules/github-actions-iam-role/main.tf","sha":"39e82c59b82965054bd95cce7383732f0f1b7f45"},{"name":"outputs.tf","path":"modules/github-actions-iam-role/outputs.tf","sha":"250c983710c438ae022187a43f73f1f9fec00b61"},{"name":"variables.tf","path":"modules/github-actions-iam-role/variables.tf","sha":"d6215f0803fb2af7fe8f3ab3ebfec420ce5231a9"}]},{"name":"guardduty-multi-region","children":[{"name":"README.adoc","path":"modules/guardduty-multi-region/README.adoc","sha":"692d7135fa34922062bfa772b405afc21b3c6ea7"},{"name":"main.tf","path":"modules/guardduty-multi-region/main.tf","sha":"01fc84dd03d9704921fd931b6423713dad33d671"},{"name":"outputs.tf","path":"modules/guardduty-multi-region/outputs.tf","sha":"fd8f016e2f21121df954a67e1c8e3c9941eefd0a"},{"name":"variables.autogen.tf","path":"modules/guardduty-multi-region/variables.autogen.tf","sha":"05bf9410cb4878450e9e67b90b202437a7458a04"},{"name":"variables.tf","path":"modules/guardduty-multi-region/variables.tf","sha":"1487cf2e1ebd7ae87152a0b40ffa9f2c27271557"}]},{"name":"guardduty","children":[{"name":"README.adoc","path":"modules/guardduty/README.adoc","sha":"940d62d35069bdda503cac175a01bd1743f53494"},{"name":"core-concepts.md","path":"modules/guardduty/core-concepts.md","sha":"df82af9ce24cd9d73e4ca09688bf35a66d38c91a"},{"name":"main.tf","path":"modules/guardduty/main.tf","sha":"294df3dc32666232f8eb768e37836145c99e1096"},{"name":"outputs.tf","path":"modules/guardduty/outputs.tf","sha":"0fd6fdc76d8bc1bb4c544028c802248999d309f7"},{"name":"variables.tf","path":"modules/guardduty/variables.tf","sha":"e6bac32a169d2f30b27c339ed3caf36b38146171"}]},{"name":"iam-access-analyzer-multi-region","children":[{"name":"README.adoc","path":"modules/iam-access-analyzer-multi-region/README.adoc","sha":"d87068a71e5a6149ba32dcc1ba33070d8b83aeaa"},{"name":"core-concepts.md","path":"modules/iam-access-analyzer-multi-region/core-concepts.md","sha":"6bbaac3d7e62744e3fe3f511cd4ae78b212d08a8"},{"name":"main.tf","path":"modules/iam-access-analyzer-multi-region/main.tf","sha":"1d1f5a1c6a21ee99e8741718398ae82419a4b061"},{"name":"outputs.tf","path":"modules/iam-access-analyzer-multi-region/outputs.tf","sha":"0a4379e38beae72541e7e975f297584db7e98b04"},{"name":"variables.autogen.tf","path":"modules/iam-access-analyzer-multi-region/variables.autogen.tf","sha":"5fe91b51970b05ebc2fdbf4542a806e8c3f792f4"},{"name":"variables.tf","path":"modules/iam-access-analyzer-multi-region/variables.tf","sha":"6e8d81aac5af0cba584e6d0884e03cfbc23ba07f"}]},{"name":"iam-groups","children":[{"name":"README.md","path":"modules/iam-groups/README.md","sha":"07820342d38caf90b08a1ff0df904298ed132c8f"},{"name":"_docs","children":[{"name":"iam-user-access-to-billing.png","path":"modules/iam-groups/_docs/iam-user-access-to-billing.png","sha":"063f6cf8dc766b4d44942de89660e8ab9e1f3d63"},{"name":"my-account.png","path":"modules/iam-groups/_docs/my-account.png","sha":"387320200ed756ce4191afef87f0ab76e2c3d89a"}]},{"name":"main.tf","path":"modules/iam-groups/main.tf","sha":"179ac7371a08fd80432bfe64b1e4dc813247d81c"},{"name":"outputs.tf","path":"modules/iam-groups/outputs.tf","sha":"0fc97269b51e6c51647aa5420198d1d11c5afa37"},{"name":"variables.tf","path":"modules/iam-groups/variables.tf","sha":"b44cce3a58cf651cfa37ead33156b3b794021a40"}]},{"name":"iam-policies","children":[{"name":"README.md","path":"modules/iam-policies/README.md","sha":"0297e14a7dfdf5727d9be5ab4f47dcf67357b247"},{"name":"main.tf","path":"modules/iam-policies/main.tf","sha":"8cdc6c4fa0e72419a5636301b05501cffa8f261d"},{"name":"outputs.tf","path":"modules/iam-policies/outputs.tf","sha":"19511cfc28b22103cb164c6df8b5b530e7e3e172"},{"name":"variables.tf","path":"modules/iam-policies/variables.tf","sha":"8801af9087c945960705d082a2325200f78dfceb"}]},{"name":"iam-user-password-policy","children":[{"name":"README.md","path":"modules/iam-user-password-policy/README.md","sha":"5bea6ba56fc796be5b860549156a3a251735fc2a"},{"name":"main.tf","path":"modules/iam-user-password-policy/main.tf","sha":"a5c4546bbfdc4d7e989ccf50ccf958c88bb96345"},{"name":"outputs.tf","path":"modules/iam-user-password-policy/outputs.tf","sha":"825547bd9d41fed1cc1b3506c17f81c48b1bfd1a"},{"name":"variables.tf","path":"modules/iam-user-password-policy/variables.tf","sha":"568582c249e3cfd7899ea23b8b58e43328c9d100"}]},{"name":"iam-users","children":[{"name":"README.md","path":"modules/iam-users/README.md","sha":"ea820bd205fdb8ca28bb0e2eccc29700b99a2b94"},{"name":"main.tf","path":"modules/iam-users/main.tf","sha":"9849c627aad5a685f9da52a39d6ddc383ca981da"},{"name":"outputs.tf","path":"modules/iam-users/outputs.tf","sha":"b319eacce6916f4904b15d8ff5ea5be09afc29e2"},{"name":"variables.tf","path":"modules/iam-users/variables.tf","sha":"892e7b2aaa5179e83a5e3126dbf2551fd421b133"}]},{"name":"ip-lockdown","children":[{"name":"README.md","path":"modules/ip-lockdown/README.md","sha":"7ec92da38b5b06af9e61ab164bb6b4b0470ed92a"},{"name":"install.sh","path":"modules/ip-lockdown/install.sh","sha":"ce61af763bee9ad29754220ae24521f22c3a956f"},{"name":"ip-lockdown","path":"modules/ip-lockdown/ip-lockdown","sha":"93a0e1f5876e7de5778c595e8801d64986cb118b"}]},{"name":"kms-cmk-replica","children":[{"name":"README.md","path":"modules/kms-cmk-replica/README.md","sha":"9e9827df4990a6967edbcab6f35214ba229d7b18"},{"name":"main.tf","path":"modules/kms-cmk-replica/main.tf","sha":"e4eebc8b19bb3338cb8fcc186ce1b4695882b40e"},{"name":"outputs.tf","path":"modules/kms-cmk-replica/outputs.tf","sha":"28066251cbac14ae30a24d83f4ab38a550ce08ba"},{"name":"variables.tf","path":"modules/kms-cmk-replica/variables.tf","sha":"3de5459e12a3fc271230c8be243dbdbb9c6ded47"}]},{"name":"kms-grant-multi-region","children":[{"name":"README.adoc","path":"modules/kms-grant-multi-region/README.adoc","sha":"7c33dc779f289c34d0c72ecce7a4a60d99c38098"},{"name":"core-concepts.md","path":"modules/kms-grant-multi-region/core-concepts.md","sha":"3eb1725fa927a84cc2a0341335d150bf5c6e70f5"},{"name":"main.tf","path":"modules/kms-grant-multi-region/main.tf","sha":"ffdd2edb0a1cae918c031165f9a5426af2c2ce43"},{"name":"outputs.tf","path":"modules/kms-grant-multi-region/outputs.tf","sha":"b9d84078afacb154536292bddba4afbd6c9158c2"},{"name":"variables.autogen.tf","path":"modules/kms-grant-multi-region/variables.autogen.tf","sha":"185d6c42c1ab4843292b2c911e057303ae971739"},{"name":"variables.tf","path":"modules/kms-grant-multi-region/variables.tf","sha":"505b2d0cb9ecf78f0364e845cab72bf0c28365d5"}]},{"name":"kms-master-key-multi-region","children":[{"name":"README.adoc","path":"modules/kms-master-key-multi-region/README.adoc","sha":"75402e428cc30fee27dc5dd469788cf1d71320eb"},{"name":"core-concepts.md","path":"modules/kms-master-key-multi-region/core-concepts.md","sha":"8ba58b9a40c3aad18e2b804f53c6439b549b756d"},{"name":"main.tf","path":"modules/kms-master-key-multi-region/main.tf","sha":"b1339cb7e2c6e3faf9a791d82e4369d163ce8f4b"},{"name":"outputs.tf","path":"modules/kms-master-key-multi-region/outputs.tf","sha":"1be657f877e314d8ce237d1da7f29b793c63edd2"},{"name":"variables.autogen.tf","path":"modules/kms-master-key-multi-region/variables.autogen.tf","sha":"fd024d55097a7eee5fbb6ffc65b376fbdfe57c89"},{"name":"variables.tf","path":"modules/kms-master-key-multi-region/variables.tf","sha":"b1740fb059927c65f7afd76f902ba616a921a138"}]},{"name":"kms-master-key","children":[{"name":"README.md","path":"modules/kms-master-key/README.md","sha":"1b43a005494f12b05551adb020a31726f28e10d3"},{"name":"main.tf","path":"modules/kms-master-key/main.tf","sha":"33b547ed031533f37aec6c34c1fb3fa085c24bb4"},{"name":"outputs.tf","path":"modules/kms-master-key/outputs.tf","sha":"4d0dbba81e8186243d96a8325a5f643d87543451"},{"name":"variables.tf","path":"modules/kms-master-key/variables.tf","sha":"ec5e19663b361ef9f58448b5b8ae1911073c0881"}]},{"name":"ntp","children":[{"name":"README.md","path":"modules/ntp/README.md","sha":"31112a11cff027ba074d454f5a23c5ce3e839c11"},{"name":"install.sh","path":"modules/ntp/install.sh","sha":"a8b042233bc89629c31b82a9433c013b709b8d82"}]},{"name":"os-hardening","children":[{"name":"README.md","path":"modules/os-hardening/README.md","sha":"3e864b0e9208eb6809adf41968c51e02fc233ee1"},{"name":"_docs","children":[{"name":"Helpful Email.md","path":"modules/os-hardening/_docs/Helpful Email.md","sha":"246a0b80b29f5ff3d2b2f4c5c170fc927e2d9dd7"}]},{"name":"ami-builder","children":[{"name":"files","children":[{"name":"user-data.sh.template","path":"modules/os-hardening/ami-builder/files/user-data.sh.template","sha":"4a3c87a19e1a4caa20b9b425b2a02101566d1166"}]},{"name":"main.tf","path":"modules/os-hardening/ami-builder/main.tf","sha":"49c7e4fdac93990831b090727804c4ae216066c7"},{"name":"outputs.tf","path":"modules/os-hardening/ami-builder/outputs.tf","sha":"8ce2ee598124ca50dd530a33aa60f5d1452a4a2b"},{"name":"variables.tf","path":"modules/os-hardening/ami-builder/variables.tf","sha":"d760f34eeae322790865c1cb30dfe20d0225328f"}]},{"name":"partition-scripts","children":[{"name":"README.md","path":"modules/os-hardening/partition-scripts/README.md","sha":"b55df29c7a3d6dc3ecbbbfe4ab4b8749f053f00b"},{"name":"bin","children":[{"name":"cleanup-volume","path":"modules/os-hardening/partition-scripts/bin/cleanup-volume","sha":"c7cbf3ecebd915235238557d27a1ce25e6fc10fa"},{"name":"partition-volume","path":"modules/os-hardening/partition-scripts/bin/partition-volume","sha":"f4f8566a1ef6aa4ff0c0268bd28721488aa6dfc4"}]},{"name":"install.sh","path":"modules/os-hardening/partition-scripts/install.sh","sha":"606776c068260836e8612a681ff4e3edc8abdb41"}]}]},{"name":"private-s3-bucket","children":[{"name":"README.md","path":"modules/private-s3-bucket/README.md","sha":"cd44b2d3e4627ff00fffd217bd3ec36341a72a36"},{"name":"main.tf","path":"modules/private-s3-bucket/main.tf","sha":"005255d098f8ac23cba57edf700a0168e34baba4"},{"name":"mfa-delete-script","children":[{"name":"mfa-delete.sh","path":"modules/private-s3-bucket/mfa-delete-script/mfa-delete.sh","sha":"7dbcc65412467a036756562024cfc84ad128b215"}]},{"name":"outputs.tf","path":"modules/private-s3-bucket/outputs.tf","sha":"b3c780d841a1dab914a71f59381efc6583cc01a0"},{"name":"variables.tf","path":"modules/private-s3-bucket/variables.tf","sha":"6270b16a350afb1ba05d63ef31d134c8e6d4e7aa"}]},{"name":"saml-iam-roles","children":[{"name":"README.md","path":"modules/saml-iam-roles/README.md","sha":"5ebc8c20f781a0f0b5654decdcf9bd607fee65b3"},{"name":"main.tf","path":"modules/saml-iam-roles/main.tf","sha":"e9e43297457fc0f201cbd9f879190b24f7b01268"},{"name":"outputs.tf","path":"modules/saml-iam-roles/outputs.tf","sha":"c579901907b216c55e4c815d28f0a22171a960e6"},{"name":"variables.tf","path":"modules/saml-iam-roles/variables.tf","sha":"1f3f26ade9fd75d8e66ba12649f45d075b5e0f2b"}]},{"name":"secrets-manager-resource-policies","children":[{"name":"README.md","path":"modules/secrets-manager-resource-policies/README.md","sha":"b894ce3171c28ae91acbfe6bdcec35615c599bbb"},{"name":"main.tf","path":"modules/secrets-manager-resource-policies/main.tf","sha":"e063dbabd7d8fec039fd30fef048ba6bcb53a98a"},{"name":"outputs.tf","path":"modules/secrets-manager-resource-policies/outputs.tf","sha":"8b237f325d54b84ac2453e8945f61cdf0d24b41b"},{"name":"variables.tf","path":"modules/secrets-manager-resource-policies/variables.tf","sha":"2b45ef099c805c1265e5dc611c138de4a40141eb"}]},{"name":"ssh-grunt-selinux-policy","children":[{"name":"README.md","path":"modules/ssh-grunt-selinux-policy/README.md","sha":"53f02f57185efebc35d6ebfe156ce73d02a5f112"},{"name":"install.sh","path":"modules/ssh-grunt-selinux-policy/install.sh","sha":"3de871d61a9990e7f2c130f23afaf00daeb6bbef"},{"name":"ssh-grunt.pp","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.pp","sha":"7c7050f812cd0e3cb34e37b88c35fb09f369be7d"},{"name":"ssh-grunt.te","path":"modules/ssh-grunt-selinux-policy/ssh-grunt.te","sha":"3317a71feaa633662a00b1dc05b1176cb85c9793"}]},{"name":"ssh-grunt","children":[{"name":".dockerignore","path":"modules/ssh-grunt/.dockerignore","sha":"a725465aee245635a2bd129af54858ed32c84cb8"},{"name":"Dockerfile","path":"modules/ssh-grunt/Dockerfile","sha":"196dc492dafc4980f07c0ea0a3a4647a56198a1b"},{"name":"README.adoc","path":"modules/ssh-grunt/README.adoc","sha":"c6bb05207d3884b1e70620408d69175027a7f989"},{"name":"_ci","children":[{"name":"build-and-test.sh","path":"modules/ssh-grunt/_ci/build-and-test.sh","sha":"903993de2d7bcde19d472fa5e510ee862d4b10c3"},{"name":"test.sh","path":"modules/ssh-grunt/_ci/test.sh","sha":"235603944316e81f1da1cc0248b80beecf99cb27"}]},{"name":"_docs","children":[{"name":"houston-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/houston-upload-ssh-key.png","sha":"e32519497262f9796a4ea46c53953923975cbd7d"},{"name":"iam-upload-ssh-key.png","path":"modules/ssh-grunt/_docs/iam-upload-ssh-key.png","sha":"8bb1e793185eb0b4822023552899874394342f21"}]},{"name":"core-concepts.md","path":"modules/ssh-grunt/core-concepts.md","sha":"8c7b359b4fbfd52aa18124efe06f1304edbf2db2"},{"name":"docker-compose.yml","path":"modules/ssh-grunt/docker-compose.yml","sha":"74a2c67f6b9dc838ff3bd9c9c5aa68c813db1f0d"},{"name":"go.mod","path":"modules/ssh-grunt/go.mod","sha":"bda6dbbf16a6c96f758ec164f01791e147d7768e"},{"name":"go.sum","path":"modules/ssh-grunt/go.sum","sha":"3fb7ee290aabdc716f9e233293037bd9fcc32d12"},{"name":"scripts","children":[{"name":"build-linux-binary.sh","path":"modules/ssh-grunt/scripts/build-linux-binary.sh","sha":"2d91cbed3db40f419e6a440ce2735b9d3f2d048b"},{"name":"run.sh","path":"modules/ssh-grunt/scripts/run.sh","sha":"050027e034cd03e53625986eb0f331c043492cf6"}]},{"name":"src","children":[{"name":"cli.go","path":"modules/ssh-grunt/src/cli.go","sha":"d12bfb946f3c5268afbc9ac012134e831b2a3ec7"},{"name":"cli_test.go","path":"modules/ssh-grunt/src/cli_test.go","sha":"3925077baf4f54a539d135de17956f4f252ab5cf"},{"name":"collections.go","path":"modules/ssh-grunt/src/collections.go","sha":"aa9b67f00f57088f9bf4e129dcc53003524dd0a7"},{"name":"cron.go","path":"modules/ssh-grunt/src/cron.go","sha":"4ceb8efd0cdf51b5170bb152b6824fc54f8d429c"},{"name":"cron_test.go","path":"modules/ssh-grunt/src/cron_test.go","sha":"c56766eda2ee2201589796292fd0bb6416a6e0b3"},{"name":"ec2_instance_connect.go","path":"modules/ssh-grunt/src/ec2_instance_connect.go","sha":"99c31ddd2ee34d18dd9e676ec22eef5eebc3187f"},{"name":"errors.go","path":"modules/ssh-grunt/src/errors.go","sha":"1175435b45a980a5ff23dd4bdc880b4d63b24d79"},{"name":"file.go","path":"modules/ssh-grunt/src/file.go","sha":"eb991fd15ac2c3660313e6d4c5669b36ccc9cc21"},{"name":"groups.go","path":"modules/ssh-grunt/src/groups.go","sha":"49e569a80abb6306ab0f7fd79c810d2e2ad8ab3a"},{"name":"groups_test.go","path":"modules/ssh-grunt/src/groups_test.go","sha":"b060ded1c37d1b636b7dc59d5071049e640d00e7"},{"name":"houston.go","path":"modules/ssh-grunt/src/houston.go","sha":"d307bc1372ec78219d20222e972c1e3892fd29b0"},{"name":"houston_test.go","path":"modules/ssh-grunt/src/houston_test.go","sha":"82a9b2d2d41e09b6949897ed989a483fc7e0a650"},{"name":"iam.go","path":"modules/ssh-grunt/src/iam.go","sha":"dafbc8fbb732d2d6212cade786eb13d7215b9862"},{"name":"iam_test.go","path":"modules/ssh-grunt/src/iam_test.go","sha":"0382c08562fc329876267cf944195f3d8c8738be"},{"name":"logger.go","path":"modules/ssh-grunt/src/logger.go","sha":"93095ba8216709b3178fcc44a76421a765f4e302"},{"name":"main.go","path":"modules/ssh-grunt/src/main.go","sha":"a89d9402d32d371dc9b945ab9c72996808d17b85"},{"name":"shell.go","path":"modules/ssh-grunt/src/shell.go","sha":"7f49eeee4119efde0bd58d7c78fd4ef785dc5f6c"},{"name":"ssh.go","path":"modules/ssh-grunt/src/ssh.go","sha":"8e6b62d6c33279aaf5af6cabacd0afc4d186ca97"},{"name":"ssh_test.go","path":"modules/ssh-grunt/src/ssh_test.go","sha":"d0dee4b55d3cfc7a1c06bed3cfedeeae07b660c5"},{"name":"string.go","path":"modules/ssh-grunt/src/string.go","sha":"fc61ca9625f9d654c2b3576ff932db1b90ae9dfe"},{"name":"string_test.go","path":"modules/ssh-grunt/src/string_test.go","sha":"752aaaa776d25ff8a3e694588edb3e7c0ce4eb27"},{"name":"sync.go","path":"modules/ssh-grunt/src/sync.go","sha":"7c2f9ff292b484a7ca1ab14e1bbd558cd24553f2"},{"name":"sync_test.go","path":"modules/ssh-grunt/src/sync_test.go","sha":"09dd89b492cc7373c49b8b2fc16b17914065340f"},{"name":"url.go","path":"modules/ssh-grunt/src/url.go","sha":"0af5ddc5f3e27af95d6f6ddd41acf0c229962f7f"},{"name":"url_test.go","path":"modules/ssh-grunt/src/url_test.go","sha":"95e062eaaca09900949e0352fffc7b6f9a3524cc"},{"name":"users.go","path":"modules/ssh-grunt/src/users.go","sha":"6c3a8a22006a91656fcc5fd31d684271cdf129e3"},{"name":"users_test.go","path":"modules/ssh-grunt/src/users_test.go","sha":"e695204896bae7436e20a6615a484ae4cc6cf2f7"}]}]},{"name":"ssh-iam","children":[{"name":"README.md","path":"modules/ssh-iam/README.md","sha":"4aa06d6a729e53384b6d2a43c06ee38807092f32"}]},{"name":"ssm-healthchecks-iam-permissions","children":[{"name":"README.md","path":"modules/ssm-healthchecks-iam-permissions/README.md","sha":"0a97288d14b005662ae642819eeadb2aaff24534"},{"name":"main.tf","path":"modules/ssm-healthchecks-iam-permissions/main.tf","sha":"664b884793145b1c9f68c1da7a58650ed21dcdb3"},{"name":"variables.tf","path":"modules/ssm-healthchecks-iam-permissions/variables.tf","sha":"36778c58999e05f20468d118f22e8c9d754b1a4d"}]},{"name":"tls-cert-private","children":[{"name":"Dockerfile","path":"modules/tls-cert-private/Dockerfile","sha":"bc6b1c28764936758a47ceedccf790b56200d6cf"},{"name":"README.md","path":"modules/tls-cert-private/README.md","sha":"c6996ec25d7d9b1ab4f79d8164a14e86e1ac844f","toggled":true},{"name":"docker-compose.yml","path":"modules/tls-cert-private/docker-compose.yml","sha":"f872026e8d51ceaab2e1c11cc9cf9c35ba81f29c"},{"name":"files","children":[{"name":"openssl.cnf","path":"modules/tls-cert-private/files/openssl.cnf","sha":"2542542c80ab180c47d3e0a27dbded65bed572de"}]},{"name":"scripts","children":[{"name":"generate-ca-keypair.sh","path":"modules/tls-cert-private/scripts/generate-ca-keypair.sh","sha":"395ee97c0e499c660efac5c5cf1f79dfcdbb69f8"},{"name":"generate-tls-keypair.sh","path":"modules/tls-cert-private/scripts/generate-tls-keypair.sh","sha":"f1c3577437fd589087704a9c003de416cb87d232"},{"name":"main.sh","path":"modules/tls-cert-private/scripts/main.sh","sha":"dc7af965ffb783bbef449010818e69294fa2ef75"}]}],"toggled":true}],"toggled":true},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"b44e2152ea21d65a8c51bb58321e18ec7527c22e"},{"name":"common","children":[{"name":"test_helpers.go","path":"test/common/test_helpers.go","sha":"aa7ea914a7ee084653fe6c7cbf0149d67db9a20b"}]},{"name":"go.mod","path":"test/go.mod","sha":"bdb6a18360b632d7a3c37689dde885b87383f879"},{"name":"go.sum","path":"test/go.sum","sha":"1cce9f2aada750f1a00640d4d8812f9739739334"},{"name":"landingzone","children":[{"name":"aws_config_rules_test.go","path":"test/landingzone/aws_config_rules_test.go","sha":"e198464d094ef43a2ff5dc85da38c6cfc3d92fa8"},{"name":"aws_config_test.go","path":"test/landingzone/aws_config_test.go","sha":"622a46b0733a9018e87642187aa19a10f473b48a"},{"name":"aws_organizations_test.go","path":"test/landingzone/aws_organizations_test.go","sha":"7f4e93e798860d91f590c22cfa2efde0bf4777ac"},{"name":"ebs_encryption_multi_region_test.go","path":"test/landingzone/ebs_encryption_multi_region_test.go","sha":"d871d48ac13e4b36e9f05eccf90e9462d2c985e7"},{"name":"guardduty_test.go","path":"test/landingzone/guardduty_test.go","sha":"e6a63db172bfd239017385805fe7e8a1b7502bd3"},{"name":"iam_access_analyzer_multiregion_test.go","path":"test/landingzone/iam_access_analyzer_multiregion_test.go","sha":"bc8233bf962282e84b1a3bcf1fc88a0267531e7a"},{"name":"kms_grant_multiregion_test.go","path":"test/landingzone/kms_grant_multiregion_test.go","sha":"dacdaaef67b5b2b849d6c1bc54bccb3f89e1f008"},{"name":"kms_master_key_multiregion_test.go","path":"test/landingzone/kms_master_key_multiregion_test.go","sha":"6c1146b64cb38991b07e19d107b3371666a2cdf9"},{"name":"test_helpers.go","path":"test/landingzone/test_helpers.go","sha":"36d75ca20f1d1040a91d85c71b2133b92acfab3f"}]},{"name":"security","children":[{"name":"auto_update_test.go","path":"test/security/auto_update_test.go","sha":"b0bf3c446844977c5eeec5f43b49de7c6788f47a"},{"name":"cloudtrail_test.go","path":"test/security/cloudtrail_test.go","sha":"944ac0b5c5aa56a9a2ae09c729063a52164fbb21"},{"name":"cross_account_iam_roles_test.go","path":"test/security/cross_account_iam_roles_test.go","sha":"8d17070460824787a4619f2d585b0cebd7f6ad37"},{"name":"custom_iam_entity_test.go","path":"test/security/custom_iam_entity_test.go","sha":"f0c38f5b0d671fd740e8530b28c94e5fe5219d26"},{"name":"fail2ban_test.go","path":"test/security/fail2ban_test.go","sha":"f6425c375c96455e39c85d0df8b830beff839791"},{"name":"github_actions_iam_role_test.go","path":"test/security/github_actions_iam_role_test.go","sha":"a9cd953165bb27889ceadbae553aa116ca8cfd08"},{"name":"iam_groups_test.go","path":"test/security/iam_groups_test.go","sha":"7beb1ffcf37b1a778f61b8d26767fd7a85bfba2b"},{"name":"iam_ssm_test.go","path":"test/security/iam_ssm_test.go","sha":"28a81aab9873bb6bd02d2f37bdc3ef9c7f27b3c5"},{"name":"iam_user_password_policy_test.go","path":"test/security/iam_user_password_policy_test.go","sha":"5a44f18c469c936fa51b4e9d7911404e1ab76a0f"},{"name":"iam_users_test.go","path":"test/security/iam_users_test.go","sha":"1cd395b72942f05e03959978a72a782d0dd530bd"},{"name":"ip-lockdown-test-scripts","children":[{"name":"allow-several-users.sh","path":"test/security/ip-lockdown-test-scripts/allow-several-users.sh","sha":"2f75dbe0880ed0907b43db58b6ac030a0d0e9bd4"},{"name":"common.sh","path":"test/security/ip-lockdown-test-scripts/common.sh","sha":"cdfe11aca76607a4feaf254a394f32273b738c5c"},{"name":"index.html","path":"test/security/ip-lockdown-test-scripts/index.html","sha":"557db03de997c86a4a028e1ebd3a1ceb225be238"},{"name":"restrict-all-users.sh","path":"test/security/ip-lockdown-test-scripts/restrict-all-users.sh","sha":"a37c1ffc90f2532e7cc3f9f5a859b75c98661dc6"},{"name":"restrict-one-user.sh","path":"test/security/ip-lockdown-test-scripts/restrict-one-user.sh","sha":"4214e1c15102f4568d1e995aa82add46ee430237"},{"name":"sanity-check.sh","path":"test/security/ip-lockdown-test-scripts/sanity-check.sh","sha":"542ed72f4f0952ace67c9cbf2e5ac07e81e6870c"}]},{"name":"ip_lockdown_test.go","path":"test/security/ip_lockdown_test.go","sha":"7c560698928bacec9590ecc770c71daf969643a7"},{"name":"kms_master_key_test.go","path":"test/security/kms_master_key_test.go","sha":"751dfa23eaa391b567f023c6d1a12a4400a55c28"},{"name":"ntp_test.go","path":"test/security/ntp_test.go","sha":"372edab033e653c151b1c2e3b10d9bc13229515c"},{"name":"os_hardening_test.go","path":"test/security/os_hardening_test.go","sha":"ced303f74cd6908bbd8837cc99f317293707ab30"},{"name":"private_s3_bucket_test.go","path":"test/security/private_s3_bucket_test.go","sha":"677eabc59ad7faa3dd04d0fa7ecb78c1967cded8"},{"name":"saml_iam_roles_test.go","path":"test/security/saml_iam_roles_test.go","sha":"efbe2f3e6e9b0da73d1fb58fccc5f5fc1427a61f"},{"name":"secrets_manager_resource_policies_test.go","path":"test/security/secrets_manager_resource_policies_test.go","sha":"07f69b66238517d1f8af61eb9751248372997b70"},{"name":"ssh_grunt_iam_test.go","path":"test/security/ssh_grunt_iam_test.go","sha":"a7d9809f1cdb10fe63db762726dc1a0fd86286e3"},{"name":"test_helpers.go","path":"test/security/test_helpers.go","sha":"31d39e85b352b770cef5a5a00aaa31f659e21e0f"},{"name":"test_helpers_aws_auth.go","path":"test/security/test_helpers_aws_auth.go","sha":"461efcc040ff5024b9fa0762ffcde92081fac163"},{"name":"tls_cert_private_test.go","path":"test/security/tls_cert_private_test.go","sha":"70b2c873f20876497b4a1a0a030871e037dca995"}]},{"name":"upgrades","children":[{"name":"upgrade_test.go","path":"test/upgrades/upgrade_test.go","sha":"513d765d89dc45ae83dffe0f5833617d4c927ffa"}]},{"name":"validation","children":[{"name":"validate_all_modules_and_examples_test.go","path":"test/validation/validate_all_modules_and_examples_test.go","sha":"53877e64494aad3d4063e01c8009eee731e667c3"}]}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"generate-a-tls-ssl-certificate-for-a-private-service\">Generate a TLS/SSL Certificate for a Private Service</h1><div class=\"preview__body--border\"></div><p>This Gruntwork Docker Module generates the public and private keys of a new TLS/SSL certificate, and also returns the\npublic and private keys of the Certificate Authority (CA) used to generate the TLS certificate. The private key of the\nCA is optionally destroyed immediately after generation to prevent any future malfeasance.</p>\n<p>These certificates are ideal for use with a <strong>private</strong> service. For services that are publicly addressable, consider\nusing a commercial CA or public, free CA like <a href=\"https://letsencrypt.org\" class=\"preview__body--description--blue\" target=\"_blank\">Let's Encrypt</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"generating-the-tls-public-and-private-keypairs\">Generating the TLS Public and Private Keypairs</h2>\n<h3 class=\"preview__body--subtitle\" id=\"requirements\">Requirements</h3>\n<ul>\n<li>Make sure the latest version of <a href=\"https://www.docker.com/products/docker-toolbox\" class=\"preview__body--description--blue\" target=\"_blank\">Docker</a> is installed and running.</li>\n</ul>\n<h3 class=\"preview__body--subtitle\" id=\"instructions\">Instructions</h3>\n<ol>\n<li>Edit the <code>docker-compose.yml</code> file and fill in your desired argument values.</li>\n<li>Now run <code>docker-compose up</code> and your TLS certs will output to a local <code>output</code> directory!</li>\n</ol>\n<p>To see documentation on the arguments in <code>docker-compose.yml</code>, see the <a href=\"/repos/v0.65.3/module-security/modules/tls-cert-private/scripts/main.sh\" class=\"preview__body--description--blue\">main.sh</a> file.</p>\n<p>Note that the Docker Compose file mounts the local machine folder <code>./output</code> in the Docker container. Mac and Windows\nusers sohuld take note that, in some cases, volume mounting may be extremely slow, or even one-way-only if you use an\nrsync-based workaround to Docker's occasionally unsatisfying native volume mounting functionality.</p>\n<h3 class=\"preview__body--subtitle\" id=\"how-it-works\">How It Works</h3>\n<p>Once you run <code>docker-compose</code> up, the following steps occur:</p>\n<ol>\n<li>A Docker image is built on your local machine that contains the latest OpenSSL for Ubuntu.</li>\n<li>Docker-compose runs the Docker image and passes in the <code>command</code> value.</li>\n<li>This kicks off a series of scripts that:\n<ul>\n<li>Generate a CA public key ("CA cert") and the corresponding CA private key</li>\n<li>Generate a Certificate Signing Request (CSR) which is used to generate a public key (the "TLS cert") that is valid\nfor the desired domain name and the corresponding private key.</li>\n<li>Outputs the following files:\n<ul>\n<li>CA public key: <code>ca/ca.cert.pem</code></li>\n<li>CA private key: <code>ca/ca.key.pem</code> (if deletion was not requested)</li>\n<li>TLS public key: <code>cert/cert.pem</code></li>\n<li>TLS private key: <code>cert/key.pem</code></li>\n</ul>\n</li>\n</ul>\n</li>\n</ol>\n<h3 class=\"preview__body--subtitle\" id=\"inspecting-a-certificate\">Inspecting a certificate</h3>\n<p>You may wish to inspect some of the certificates generated by this tool. Use OpenSSL to do this with this command:</p>\n<pre>openssl x509 -inform pem -noout -<span class=\"hljs-built_in\">text</span> -<span class=\"hljs-keyword\">in</span> cert.pem \n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"background\">Background</h2>\n<h3 class=\"preview__body--subtitle\" id=\"how-tls-ssl-works\">How TLS/SSL Works</h3>\n<p>The industry-standard way to add encryption for data in motion is to use TLS (the successor to SSL). There are many examples\nonline explaining how TLS works, but here are the basics:</p>\n<ul>\n<li>Some entity decides to be a "Certificate Authority" ("CA") meaning it will issue TLS certificates to websites or other services</li>\n<li>An entity becomes a Certificate Authority by creating a public/private key pair and publishing the public portion (typically\nknown as the "CA Cert"). The private key is kept under the tightest possible security since anyone who possesses it could issue\nTLS certificates as if they were this Certificate Authority!</li>\n<li>In fact, the consequences of a CA's private key being compromised are so disastrous that CA's typically create an "intermediate"\nCA keypair with their "root" CA key, and only issue TLS certificates with the intermediate key.</li>\n<li>Your client (e.g. a web browser) can decide to trust this newly created Certificate Authority by including its CA Cert\n(the CA's public key) when making an outbound request to a service that uses the TLS certificate.</li>\n<li>When CAs issue a TLS certificate ("TLS cert") to a service, they again create a public/private keypair, but this time\nthe public key is "signed" by the CA. That public key is what you view when you click on the lock icon in a web browser\nand what a service "advertises" to any clients such as web browsers to declare who it is. When we say that the CA\nsigned a public key, we mean that, cryptographically, any possessor of the CA Cert can validate that this same CA issued\nthis particular public key.</li>\n<li>The public key is more generally known as the TLS cert.</li>\n<li>The private key created by the CA must be kept secret by the service since the possessor of the private key can "prove"\nthey are whoever the TLS cert (public key) claims to be as part of the TLS protocol.</li>\n<li>How does that "proof" work? Well, your web browser will attempt to validate the TLS cert in two ways:\n<ul>\n<li>First, it will ensure this public key (TLS cert) is in fact signed by a CA it trusts.</li>\n<li>Second, using the TLS protocol, your browser will encrypt a message with the public key (TLS cert) that only the\npossessor of the corresponding private key can decrypt. In this manner, your browser will be able to come up with a\nsymmetric encryption key it can use to encrypt all traffic for just that one web session.</li>\n</ul>\n</li>\n<li>Now your client/browser has:\n<ul>\n<li>declared which CA it will trust</li>\n<li>verified that the service it's connecting to possesses a certificate issued by a CA it trusts</li>\n<li>used that service's public key (TLS cert) to establish a secure session</li>\n</ul>\n</li>\n</ul>\n<h3 class=\"preview__body--subtitle\" id=\"commercial-or-public-certificate-authorities\">Commercial or Public Certificate Authorities</h3>\n<p>For public services like banks, healthcare, and the like, it makes sense to use a "Commercial CA" like Verisign, Thawte,\nor Digicert, or better yet a widely trusted but free service like <a href=\"https://letsencrypt.org/\" class=\"preview__body--description--blue\" target=\"_blank\">Let's Encrypt</a>.\n(For additional information on Let's Encrypt, see <a href=\"#alternative-solutions-considered\" class=\"preview__body--description--blue\">Alternative Solutions Considered</a>\nin this document.) That's because every web browser comes pre-configured with a set of CA's that it trusts. This means\nthe client connecting to the bank doesn't have to know anything about CA's at all. Instead, their web browser is\nconfigured to trust the CA that happened to issue the bank's certificate.</p>\n<p>Connecting securely to private services is similar to connecting to your bank's website over TLS, with one primary\ndifference: <strong>We want total control over the CA.</strong></p>\n<p>Imagine if we used a commercial CA to issue our private TLS certificate and that commercial or public CA -- which we\ndon't control -- were compromised. Now the attackers of that commercial or public CA could impersonate our private server.\nAnd indeed, <a href=\"https://www.theguardian.com/technology/2011/sep/05/diginotar-certificate-hack-cyberwar\" class=\"preview__body--description--blue\" target=\"_blank\">it</a> <a href=\"https://www.schneier.com/blog/archives/2012/02/verisign_hacked.html\" class=\"preview__body--description--blue\" target=\"_blank\">has</a> <a href=\"http://www.infoworld.com/article/2623707/hacking/the-real-security-issue-behind-the-comodo-hack.html\" class=\"preview__body--description--blue\" target=\"_blank\">happened</a>\nmultiple times.</p>\n<h3 class=\"preview__body--subtitle\" id=\"how-well-generate-a-tls-cert-for-private-services\">How We'll Generate a TLS Cert for Private Services</h3>\n<p>One option is to be very selective about choosing a commercial CA, but to what benefit? What we want instead is assurance\nthat our private service really was launched by people we trust. Those same people -- let's call them our "operators" -\ncan become their <em>own</em> CA and generate their <em>own</em> TLS certificate for the private service.</p>\n<p>Sure, no one else in the world will trust this CA, but we don't care because we only need our organization to trust this CA.</p>\n<p>So here's our strategy for issuing a TLS Cert for a private service:</p>\n<ol>\n<li><strong>Create our own CA.</strong></li>\n</ol>\n<ul>\n<li>If a client wishes to trust our CA, they need only reference this CA public key.</li>\n<li>We'll deal with the private key in a moment.</li>\n</ul>\n<ol>\n<li><strong>Using our CA, issue a TLS Certificate for our private service.</strong></li>\n</ol>\n<ul>\n<li>Create a public/private key pair for the private service, and have the CA sign the public key.</li>\n<li>This means anyone who trusts the CA will trust that the possessor the private key that corresponds to this public key\nis who they claim to be.</li>\n<li>We will be extremely careful with the TLS private key since anyone who obtains it can impersonate our private service!\nFor this reason, we recommend immediately encrypting the private key with <a href=\"https://aws.amazon.com/kms/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS KMS</a> by\nusing <a href=\"/repos/gruntkms\" class=\"preview__body--description--blue\">gruntkms</a>.</li>\n</ul>\n<ol>\n<li><strong>Freely advertise our CA's public key to all internal services.</strong></li>\n</ol>\n<ul>\n<li>Any service that wishes to connect securely to our private service will need our CA's public key so it can declare\nthat it trusts this CA, and thereby the TLS cert it issued to the private service.</li>\n</ul>\n<ol>\n<li><strong>Finally, consider throwing away the CA private key.</strong>\n<ul>\n<li>By erasing a CA private key it's impossible for the CA to be compromised, because there's no private key to steal!</li>\n<li>Future certs can be generated with a new CA.</li>\n<li>Contrast this to protecting your CA private key. There are tradeoff's either way so choose the option that makes\nthe most sense for your organization.</li>\n</ul>\n</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"alternative-solutions-considered\">Alternative Solutions Considered</h2>\n<h3 class=\"preview__body--subtitle\" id=\"terraforms-tls-provider\">Terraform's TLS Provider</h3>\n<p>A compelling alternative is to use Teraform's built-in <a href=\"https://www.terraform.io/docs/providers/tls/index.html\" class=\"preview__body--description--blue\" target=\"_blank\">TLS Provider</a>.\nThe primary concern with this approach is that the TLS private key generated by the <code>tls_private_key</code> Terraform resource\nis stored in plaintext in the Terraform state and is therefore not recommended for production use.</p>\n<h3 class=\"preview__body--subtitle\" id=\"lets-encrypt\">Let's Encrypt</h3>\n<p><a href=\"https://letsencrypt.org\" class=\"preview__body--description--blue\" target=\"_blank\">Let's Encrypt</a> behaves in every way like a traditional commercial Certificate Authority (CA),\nexcept that it's free. Because Let's Encrypt has good documentation around how to generate and and automatically renew a\nTLS Certificate, it seemed like a good solution to solve our problem.</p>\n<p>Unfortunately, Let's Encrypt is optimized for public services, not private ones. As a result, when issuing a new TLS\ncertificate, operators must prove ownership of their domain name by either provisioning a DNS record under <code>example.com</code>\nor provisioning an HTTP resource under a well-known URI on <code>https://example.com</code>. This means it's not possible to\ngenerate a TLS cert for a service with a private DNS address since Let's Encrypt would have no way of either resolving\nthe domain name (because it's private) or reaching the service to validate an HTTP document (because, again, it's private).</p>\n<p>While Let's Encrypt is not the ideal solution for the intent of this module, it's well-suited to automatically generating\nTLS certificates for any public services.</p>\n","repoName":"module-security","repoRef":"v0.65.10","serviceDescriptor":{"serviceName":"ssh-grunt","serviceRepoName":"module-security","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/ssh-grunt","cloudProviders":["aws"],"description":"Manage SSH access to EC2 Instances using groups in AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc).","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","Go"],"compliance":[],"tags":[""]},"serviceCategoryName":"SSH access","fileName":"README.md","filePath":"/modules/tls-cert-private","title":"Repo Browser: ssh-grunt","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}