Defendable Design for AWS

The Defendable Design project builds standard, self-healing designs for strong security, using serverless and cloud-native tools.

Defendable Design for AWS (DD-AWS) uses Terraform to orchestrate AWS-native functionality, including AWS CloudTrail, AWS Config and AWS Lambda to provide strong security fundamentals, monitoring and automatic response.

Deploying DD-AWS via Terraform:

• Uses AWS KMS for encryption at rest
• Enables AWS Config
• Enables CloudTrail
• Configures an IAM password policy
• Deploys a series of Config Rules that check for common problems
• Configures alerts for dangerous CloudTrail events
• Deploys tools that automatically:
  • Reverse dangerous security group changes
  • Lock down public S3 buckets
• Deploys alert integration for Slack.

How to get started

1. Install Terraform
2. Download and unpack the latest release, or clone the whole repo.
3. Configure AWS credentials
4. [Optional] Create a Incoming Webhook for Slack
   1. Go to https://my.slack.com/services/new/incoming-webhook/
   2. Choose the channel where messages will be sent and click "Add Incoming WebHooks Integration".
   3. Copy the webhook URL and supply it as the slack_webhook_url variable to terraform apply.
      Terraform will automatically encrypt the url for you.
5. [Optional] Enable auto-response for remediating violations:
   • Edit terraform.tfvars and change enable_auto_response from "false" to "true"
6. Set a region (defaults to Sydney):
   • Edit terraform.tfvars and change region to your preferred AWS region (refer to AWS documentation for supported regions)
7. From PowerShell run ./setup_remote_tfstate.ps1 to create an S3 bucket for storing your Terraform state
   • On a non-Windows system, create the state bucket and run terraform init manually.
8. Deploy:
   1. Run:
      • Without Slack integration:
        terraform apply
      • With Slack integration:
        terraform apply -var "slack_webhook_url=https://hooks.slack.com/services/YOUR/WEBHOOK/URL/HERE"
   2. Review the proposed changes to your AWS account
   3. Type yes when you're ready to go