Terraform module for enabling and configuring the MoJ Security Guidance baseline for AWS accounts, alongside some extra reasonable security, identity and compliance services.
- Security email setting
- GuardDuty
- CloudTrail
- Config and Config rules
- Tagging
- Regions
- Identity and Access Management
- Encryption
- World Access
- SecurityHub
- AWS Backup
- AWS IAM Access Analyzer
- AWS IAM password policy
- AWS IAM role for Support
- EBS encryption
- SecurityHub alarms
- VPC logging for default VPCs
- IMDSv2 by default
```hcl
module "baselines" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines"
  providers = {
    aws                    = aws
    aws.replication-region = aws.eu-west-2 # Region to replicate S3 buckets into
    aws.ap-northeast-1     = aws.ap-northeast-1
    aws.ap-northeast-2     = aws.ap-northeast-2
    aws.ap-south-1         = aws.ap-south-1
    aws.ap-southeast-1     = aws.ap-southeast-1
    aws.ap-southeast-2     = aws.ap-southeast-2
    aws.ca-central-1       = aws.ca-central-1
    aws.eu-central-1       = aws.eu-central-1
    aws.eu-north-1         = aws.eu-north-1
    aws.eu-west-1          = aws.eu-west-1
    aws.eu-west-2          = aws.eu-west-2
    aws.eu-west-3          = aws.eu-west-3
    aws.sa-east-1          = aws.sa-east-1
    aws.us-east-1          = aws.us-east-1
    aws.us-east-2          = aws.us-east-2
    aws.us-west-1          = aws.us-west-1
    aws.us-west-2          = aws.us-west-2
  }

  # Enable IAM Access Analyzer in eu-west-2
  enabled_access_analyzer_regions = ["eu-west-2"]
  root_account_id                 = "123456789"
  tags                            = {}
}
```
You can use submodules from this directory individually by setting the source with a double-slash (`//`). Note that this only applies the module in the calling region, unless you specify separate module blocks with other Terraform providers. Each module has its own README.
```hcl
module "ebs-encryption" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs"
}
```
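The per-region pattern described above, as an added example that is not part of the module's README: the EBS encryption submodule applied in the calling region and again in a second region by binding a second module block to an aliased provider. It assumes the `modules/ebs` submodule uses the default (unaliased) `aws` provider and needs no inputs, as the snippet above suggests; `vX.Y.Z` is a placeholder for whichever release tag you pin to.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default provider: the "calling region" the text refers to.
provider "aws" {
  region = "eu-west-2"
}

# Aliased provider for the additional region to cover.
provider "aws" {
  alias  = "eu-west-1"
  region = "eu-west-1"
}

# Calling region: picks up the default provider automatically.
# The ?ref= pins the module to a release tag so an upstream change
# cannot silently alter what gets applied (vX.Y.Z is a placeholder).
module "ebs-encryption-eu-west-2" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs?ref=vX.Y.Z"
}

# Second region: the same submodule, explicitly bound to the aliased
# provider so EBS encryption-by-default is also enforced in eu-west-1.
module "ebs-encryption-eu-west-1" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-baselines//modules/ebs?ref=vX.Y.Z"

  providers = {
    aws = aws.eu-west-1
  }
}
```

Repeat the aliased provider and module pair for each further region; the root `baselines` module above instead receives every regional alias at once through its `providers` map.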
Name | Description | Type | Default | Required
---|---|---|---|---
root_account_id | The AWS Organisations root account ID that this account should be part of | string | | yes
tags | Tags to apply to resources, where applicable | map | `{}` | no
enabled_access_analyzer_regions | Regions to enable IAM Access Analyzer in | list | `[]` | no
enabled_backup_regions | Regions to enable AWS Backup in | list | `[]` | no
enabled_config_regions | Regions to enable AWS Config in | list | `[]` | no
enabled_ebs_encryption_regions | Regions to enable EBS encryption in | list | `[]` | no
enabled_guardduty_regions | Regions to enable GuardDuty in | list | `[]` | no
enabled_securityhub_regions | Regions to enable SecurityHub in | list | `[]` | no
enabled_vpc_regions | Regions to enable default VPC configuration and VPC Flow Logs in | list | `[]` | no
Outputs: none.
If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.