Defendable Design for AWS

The Defendable Design project builds standard, self-healing designs for strong security, using serverless and cloud-native tools.

Defendable Design for AWS (DD-AWS) uses Terraform to orchestrate AWS-native functionality, including AWS CloudTrail, AWS Config and AWS Lambda, to provide strong security fundamentals, monitoring and automatic response.

Deploying DD-AWS via Terraform:

  • Uses AWS KMS for encryption at rest
  • Enables AWS Config
  • Enables CloudTrail
  • Configures an IAM password policy
  • Deploys a series of Config Rules that check for common problems
  • Configures alerts for dangerous CloudTrail events
  • Deploys tools that automatically:
    • Reverse dangerous security group changes
    • Lock down public S3 buckets
  • Deploys alert integration for Slack.
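The auto-response bullets above are the "self-healing" part of the design: an event-driven Lambda sees the CloudTrail record for a security group change and reverses the dangerous part of it. The following is an added example (Python, not DD-AWS's own Lambda code) of how such a responder is shaped. It assumes the Lambda is triggered by an EventBridge/CloudWatch Events rule on "AWS API Call via CloudTrail", so the CloudTrail record arrives under the event's "detail" key; the record layout for AuthorizeSecurityGroupIngress (requestParameters.groupId and requestParameters.ipPermissions.items) is the real CloudTrail format. The policy of what counts as dangerous (any range open to 0.0.0.0/0 or ::/0), the FakeEC2 stand-in and the sample event are this example's assumptions. The decision logic is kept separate from the boto3 call so it can be exercised offline.

```python
import json

# Assumption for this example: any rule reachable from the whole internet is "dangerous".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def dangerous_permissions(record):
    """Return the world-open ipPermissions from a CloudTrail AuthorizeSecurityGroupIngress
    record, converted to the IpPermissions shape that ec2 revoke_security_group_ingress takes."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    items = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for item in items:
        v4 = [r["cidrIp"] for r in item.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in WORLD_CIDRS]
        v6 = [r["cidrIpv6"] for r in item.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue  # only the world-open ranges get revoked; the rest of the rule is left alone
        perm = {"IpProtocol": item["ipProtocol"]}
        if "fromPort" in item:  # absent when ipProtocol is "-1" (all traffic)
            perm["FromPort"] = item["fromPort"]
            perm["ToPort"] = item["toPort"]
        if v4:
            perm["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        found.append(perm)
    return found


def remediate(event, ec2):
    """Revoke the dangerous ranges and return what was done, so the caller can alert on it."""
    record = event.get("detail", event)  # EventBridge wraps the CloudTrail record in "detail"
    group_id = record.get("requestParameters", {}).get("groupId")
    perms = dangerous_permissions(record)
    result = {"groupId": group_id, "revoked": perms,
              "actor": record.get("userIdentity", {}).get("arn")}
    if group_id and perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return result


def lambda_handler(event, context):
    import boto3  # imported lazily so the module also runs where boto3 is not installed
    return remediate(event, boto3.client("ec2"))


class FakeEC2:
    """Stand-in for boto3's EC2 client that only records revoke calls (for the demo below)."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed sample event: one rule opens SSH to the world, the other is an internal HTTPS rule.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(remediate(SAMPLE_EVENT, FakeEC2()), indent=2))
```

Two practical points follow from this shape. The Lambda's execution role needs only ec2:RevokeSecurityGroupIngress (plus logging), and revoking does not trigger the rule again because the revoke produces a RevokeSecurityGroupIngress record, not an Authorize one, so there is no feedback loop. Second, remediation is not a substitute for the alert: the returned dict (who did it, what was reversed) is exactly what should go to Slack, and a principal with rights to change security groups frequently also has rights to disable or modify the responder, so changes to the responder itself belong on the list of dangerous CloudTrail events.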

How to get started

  1. Install Terraform
  2. Download and unpack the latest release, or clone the whole repo.
  3. Configure AWS credentials
  4. [Optional] Create an Incoming Webhook for Slack
    1. Go to
    2. Choose the channel where messages will be sent and click "Add Incoming WebHooks Integration".
    3. Copy the webhook URL and supply it as the slack_webhook_url variable to terraform apply.
      Terraform will automatically encrypt the URL for you. Treat the URL as a secret: anyone who has it can post into the channel.
  5. [Optional] Enable auto-response for remediating violations:
    • Edit terraform.tfvars and change enable_auto_response from "false" to "true"
  6. Set a region (defaults to Sydney, ap-southeast-2):
  7. From PowerShell run ./setup_remote_tfstate.ps1 to create an S3 bucket for storing your Terraform state
    • On a non-Windows system, create the state bucket and run terraform init manually. However you create it, enable versioning and default encryption and block public access on the bucket: Terraform state can contain sensitive values.
  8. Deploy:
    1. Run:
      • Without Slack integration:
        terraform apply
      • With Slack integration:
        terraform apply -var "slack_webhook_url="
    2. Review the proposed changes to your AWS account
    3. Type yes when you're ready to go