Skip to content
Permalink
master
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time

Defendable Design for AWS

The Defendable Design project builds standard, self-healing designs for strong security, using serverless and cloud-native tools.

Defendable Design for AWS (DD-AWS) uses Terraform to orchestrate AWS-native functionality, including AWS CloudTrail, AWS Config and AWS Lambda to provide strong security fundamentals, monitoring and automatic response.

Deploying DD-AWS via Terraform:

  • Uses AWS KMS for encryption at rest
  • Enables AWS Config
  • Enables CloudTrail
  • Configures an IAM password policy
  • Deploys a series of Config Rules that check for common problems
  • Configures alerts for dangerous CloudTrail events
  • Deploys tools that automatically:
    • Reverse dangerous security group changes
    • Lock down public S3 buckets
  • Deploys alert integration for Slack.

How to get started

  1. Install Terraform
  2. Download and unpack the latest release, or clone the whole repo.
  3. Configure AWS credentials
  4. [Optional] Create a Incoming Webhook for Slack
    1. Go to https://my.slack.com/services/new/incoming-webhook/
    2. Choose the channel where messages will be sent and click "Add Incoming WebHooks Integration".
    3. Copy the webhook URL and supply it as the slack_webhook_url variable to terraform apply.
      Terraform will automatically encrypt the url for you.
  5. [Optional] Enable auto-response for remediating violations:
    • Edit terraform.tfvars and change enable_auto_response from "false" to "true"
  6. Set a region (defaults to Sydney):
  7. From PowerShell run ./setup_remote_tfstate.ps1 to create an S3 bucket for storing your Terraform state
    • On a non-Windows system, create the state bucket and run terraform init manually.
  8. Deploy:
    1. Run:
      • Without Slack integration:
        terraform apply
      • With Slack integration:
        terraform apply -var "slack_webhook_url=https://hooks.slack.com/services/YOUR/WEBHOOK/URL/HERE"
    2. Review the proposed changes to your AWS account
    3. Type yes when you're ready to go