rhythmictech/terraform-aws-securityhub

terraform-aws-securityhub

This Terraform module configures AWS Security Hub for an AWS account or organization.


Features

  • Enables AWS Security Hub
  • Configures Security Hub settings
  • Allows enabling/disabling of specific security standards
  • Supports subscription to additional AWS product integrations
  • Supports configuration at the organization level
  • Supports central configuration policies

Usage

Example (Account Level)

```hcl
module "securityhub" {
  source                           = "rhythmictech/securityhub/aws"
  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]
}
```

Example (Organization Level)

```hcl
module "securityhub" {
  source                                 = "rhythmictech/securityhub/aws"
  enable_organization_config             = true
  admin_account_id                       = "123456789012"
  auto_enable_new_accounts               = true
  auto_enable_standards_for_new_accounts = true

  # Required when enable_organization_config is true (see Inputs).
  enable_finding_aggregator = true

  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]
}
```

Example (Organization Level with CENTRAL configuration)

```hcl
module "securityhub" {
  source                     = "rhythmictech/securityhub/aws"
  enable_organization_config = true
  admin_account_id           = "123456789012"
  configuration_type_central = true

  # Required when enable_organization_config is true (see Inputs).
  enable_finding_aggregator = true

  # Both must be false when configuration_type_central is true (see Notes);
  # their defaults are true, so they have to be set explicitly here.
  auto_enable_new_accounts               = false
  auto_enable_standards_for_new_accounts = false

  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]
}
```

Example (Organization Level with LOCAL configuration)

```hcl
module "securityhub" {
  source                     = "rhythmictech/securityhub/aws"
  enable_organization_config = true
  admin_account_id           = "123456789012"
  configuration_type_central = false

  # Required when enable_organization_config is true (see Inputs).
  enable_finding_aggregator = true

  # Allowed with LOCAL configuration (they must be false only for CENTRAL).
  auto_enable_new_accounts               = true
  auto_enable_standards_for_new_accounts = true

  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]
}
```

Example (Organization Level with CENTRAL configuration and control management)

```hcl
module "securityhub" {
  source                     = "rhythmictech/securityhub/aws"
  enable_organization_config = true
  admin_account_id           = "123456789012"
  configuration_type_central = true

  # Required when enable_organization_config is true (see Inputs).
  enable_finding_aggregator = true

  # Both must be false when configuration_type_central is true (see Notes).
  auto_enable_new_accounts               = false
  auto_enable_standards_for_new_accounts = false

  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]

  # The control ARNs below belong to CIS v1.2.0; the module's default
  # cis_standard_version is "3.0.0", so the version is pinned to match.
  cis_standard_version = "1.2.0"

  central_security_controls = {
    "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.1" = {
      enabled         = false
      disabled_reason = "Not applicable to our environment"
    },
    "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.2" = {
      enabled         = true
      disabled_reason = null
    }
  }
}
```

Example (Organization Level with CENTRAL configuration, control management, and configuration policies)

```hcl
module "securityhub" {
  source                     = "rhythmictech/securityhub/aws"
  enable_organization_config = true
  admin_account_id           = "123456789012"
  configuration_type_central = true

  # Required when enable_organization_config is true (see Inputs).
  enable_finding_aggregator = true

  # Both must be false when configuration_type_central is true (see Notes).
  auto_enable_new_accounts               = false
  auto_enable_standards_for_new_accounts = false

  enable_default_standards         = true
  control_finding_generator        = "SECURITY_CONTROL"
  auto_enable_controls             = true
  enable_cis_standard              = true
  enable_pci_dss_standard          = true
  enable_aws_foundational_standard = true
  product_subscriptions = [
    "aws/guardduty",
    "aws/inspector",
    "aws/macie"
  ]
  central_configuration_policies = {
    "Default Policy" = {
      description = "Default configuration policy for all accounts"
      enabled     = true
      # Association targets (root, OU or account IDs); required by the
      # variable's schema. "r-exampleroot" is a placeholder, not a real ID.
      targets = ["r-exampleroot"]
      enabled_standard_arns = [
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        # local.region must be defined in the calling configuration.
        "arn:aws:securityhub:${local.region}::standards/pci-dss/v/3.2.1"
      ]
      enabled_control_identifiers = [
        "CIS.1.1",
        "CIS.1.2"
      ]
      disabled_control_identifiers = [
        "PCI.DSS.v3.2.1/3.4"
      ]
      custom_parameters = [
        {
          security_control_id = "CIS.1.1"
          parameter = {
            name       = "MaxPasswordAge"
            value_type = "CUSTOM"
            value = {
              int = 60
            }
          }
        }
      ]
    }
  }
}
```

Notes

  • The configuration_type_central variable determines whether to use CENTRAL or LOCAL configuration type for organization configuration.
  • When configuration_type_central is set to true, both auto_enable_new_accounts and auto_enable_standards_for_new_accounts must be set to false.
  • The central_configuration_policies variable allows you to create and manage configuration policies when using CENTRAL configuration. Each policy can have its own settings for enabling standards, controls, and custom parameters.
  • The product_subscriptions variable accepts a list of AWS products in the format 'vendor/product'. Refer to the variable description in variables.tf for a comprehensive list of available AWS products.
  • A 10-second delay (time_sleep.wait_securityhub_enable) is added after enabling Security Hub so that standards and product subscriptions are not created before the account is fully enabled.
  • When configuring at the organization level, make sure you have the necessary permissions and that your AWS Organizations setup is complete.
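As an added example (not part of the module), a small Python pre-flight check that applies the cross-variable rules stated in the Notes and the Inputs table to a set of module inputs before running terraform plan. The sample inputs are constructed from the CENTRAL example above; STANDARD_CONTROL is the other value the Security Hub API accepts for control_finding_generator and is not mentioned elsewhere on this page.

```python
"""Cross-variable checks for rhythmictech/securityhub/aws inputs (rules from the README, not module code)."""
DEFAULTS = {  # defaults as documented in the Inputs table
    "enable_organization_config": False, "admin_account_id": None,
    "configuration_type_central": False, "auto_enable_new_accounts": True,
    "auto_enable_standards_for_new_accounts": True, "enable_finding_aggregator": False,
    "finding_aggregator_linking_mode": "ALL_REGIONS", "finding_aggregator_regions": None,
    "control_finding_generator": "SECURITY_CONTROL", "product_subscriptions": [],
    "central_configuration_policies": {},
}

def validate_securityhub_inputs(inputs):
    """Return a list of problems; an empty list means the inputs are consistent."""
    cfg = {**DEFAULTS, **inputs}
    problems = []
    org = cfg["enable_organization_config"]
    if org:
        acct = cfg["admin_account_id"]
        if not (isinstance(acct, str) and acct.isdigit() and len(acct) == 12):
            problems.append("admin_account_id must be a 12-digit account ID when enable_organization_config is true")
        if not cfg["enable_finding_aggregator"]:
            problems.append("enable_finding_aggregator must be true when enable_organization_config is true")
    if cfg["configuration_type_central"]:
        if not org:
            problems.append("configuration_type_central only applies when enable_organization_config is true")
        for flag in ("auto_enable_new_accounts", "auto_enable_standards_for_new_accounts"):
            if cfg[flag]:
                problems.append(f"{flag} must be false when configuration_type_central is true")
    elif cfg["central_configuration_policies"]:
        problems.append("central_configuration_policies require configuration_type_central = true")
    if cfg["finding_aggregator_linking_mode"] == "SPECIFIED_REGIONS" and not cfg["finding_aggregator_regions"]:
        problems.append("finding_aggregator_regions is required when linking_mode is SPECIFIED_REGIONS")
    # SECURITY_CONTROL and STANDARD_CONTROL are the two values the Security Hub API accepts.
    if cfg["control_finding_generator"] not in ("SECURITY_CONTROL", "STANDARD_CONTROL"):
        problems.append("control_finding_generator must be SECURITY_CONTROL or STANDARD_CONTROL")
    for product in cfg["product_subscriptions"]:
        vendor, sep, name = product.partition("/")
        if not (sep and vendor and name):
            problems.append(f"product subscription {product!r} is not in 'vendor/product' form")
    for pname, policy in cfg["central_configuration_policies"].items():
        if not policy.get("targets"):
            problems.append(f"policy {pname!r} needs at least one association target")
        both = set(policy.get("enabled_control_identifiers") or ()) & set(policy.get("disabled_control_identifiers") or ())
        if both:
            problems.append(f"policy {pname!r} both enables and disables {sorted(both)}")
    return problems

# Constructed from the README's CENTRAL example, which leaves the auto_enable_* flags and
# enable_finding_aggregator at their defaults; CENTRAL_FIXED sets them as the Notes require.
CENTRAL_AS_WRITTEN = {"enable_organization_config": True, "admin_account_id": "123456789012",
                      "configuration_type_central": True, "product_subscriptions": ["aws/guardduty", "aws/macie"]}
CENTRAL_FIXED = {**CENTRAL_AS_WRITTEN, "auto_enable_new_accounts": False,
                 "auto_enable_standards_for_new_accounts": False, "enable_finding_aggregator": True}
```

Running validate_securityhub_inputs(CENTRAL_AS_WRITTEN) reports three problems, all of which the module's stated constraints would otherwise surface only at apply time.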

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| aws | >= 5 |
| time | ~> 0.12 |

Providers

| Name | Version |
|------|---------|
| aws | 5.66.0 |
| time | 0.12.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_securityhub_account.this | resource |
| aws_securityhub_configuration_policy.central_policies | resource |
| aws_securityhub_configuration_policy_association.policy_associations | resource |
| aws_securityhub_finding_aggregator.this | resource |
| aws_securityhub_organization_admin_account.org_admin | resource |
| aws_securityhub_organization_configuration.org_config | resource |
| aws_securityhub_product_subscription.subscriptions | resource |
| aws_securityhub_standards_control.central_controls | resource |
| aws_securityhub_standards_subscription.standards | resource |
| time_sleep.wait_securityhub_enable | resource |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| admin_account_id | AWS account ID for the Security Hub administrator account (required if enable_organization_config is true) | string | null | no |
| auto_enable_controls | Whether to automatically enable new controls when they are added to standards that are enabled | bool | true | no |
| auto_enable_new_accounts | Automatically enable Security Hub for new accounts added to your organization (must be false when configuration_type_central is true) | bool | true | no |
| auto_enable_standards_for_new_accounts | Automatically enable Security Hub default standards for new accounts added to your organization (must be false when configuration_type_central is true). When true, sets auto_enable_standards to 'DEFAULT', otherwise 'NONE'. | bool | true | no |
| central_configuration_policies | Map of configuration policies to create in central configuration (value schema below) | map(object({...})) | {} | no |
| central_security_controls | Map of security controls to enable/disable in central configuration | map(object({ enabled = bool, disabled_reason = string })) | {} | no |
| cis_standard_version | Version of the CIS AWS Foundations Benchmark to use | string | "3.0.0" | no |
| configuration_type_central | Whether to use CENTRAL configuration type for organization configuration | bool | false | no |
| control_finding_generator | Updates whether the calling account has consolidated control findings turned on | string | "SECURITY_CONTROL" | no |
| enable_aws_foundational_standard | Enable AWS Foundational Security Best Practices v1.0.0 | bool | true | no |
| enable_cis_standard | Enable CIS AWS Foundations Benchmark | bool | true | no |
| enable_default_standards | Whether to enable the default standards provided by Security Hub | bool | true | no |
| enable_finding_aggregator | Whether to enable the Security Hub finding aggregator (must be true if enable_organization_config is true) | bool | false | no |
| enable_nist_standard | Enable NIST SP 800-53 Rev. 5 standard | bool | false | no |
| enable_organization_config | Whether to enable Security Hub configuration at the organization level | bool | false | no |
| enable_pci_dss_standard | Enable PCI DSS v3.2.1 | bool | false | no |
| finding_aggregator_linking_mode | Specifies the linking mode for the finding aggregator | string | "ALL_REGIONS" | no |
| finding_aggregator_regions | List of regions to aggregate findings from when linking_mode is SPECIFIED_REGIONS | list(string) | null | no |
| product_subscriptions | List of product subscriptions to enable in Security Hub. Format: 'vendor/product'. Available AWS products include: aws/guardduty, aws/inspector, aws/access-analyzer, aws/macie, aws/detective, aws/health, aws/config, aws/firewall-manager, aws/systems-manager, aws/iam-access-analyzer, aws/chatbot, aws/auditmanager, aws/cloudhsm, aws/cloudsearch, aws/cloudtrail, aws/codebuild, aws/cognito-idp, aws/connect, aws/dms, aws/dynamodb, aws/ebs, aws/ec2, aws/ecr, aws/ecs, aws/efs, aws/eks, aws/elasticache, aws/elasticbeanstalk, aws/elb, aws/es, aws/fsx, aws/kinesis, aws/lambda, aws/network-firewall, aws/opensearch, aws/rds, aws/redshift, aws/route53, aws/s3, aws/sagemaker, aws/secretsmanager, aws/ses, aws/shield, aws/sns, aws/sqs, aws/ssm, aws/waf. For the most up-to-date and complete list, refer to the AWS documentation: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html | list(string) | [] | no |

The value schema of central_configuration_policies is:

```hcl
map(object({
  description                  = string
  enabled                      = bool
  enabled_standard_arns        = list(string)
  enabled_control_identifiers  = optional(list(string))
  disabled_control_identifiers = optional(list(string))
  custom_parameters = optional(list(object({
    security_control_id = string
    parameter = object({
      name        = string
      value_type  = string
      bool        = optional(bool)
      double      = optional(number)
      enum        = optional(string)
      enum_list   = optional(list(string))
      int         = optional(number)
      int_list    = optional(list(number))
      string      = optional(string)
      string_list = optional(list(string))
    })
  })))
  targets = list(string)
}))
```

Outputs

No outputs.
