DefendableDesign/DD-AWS

Defendable Design for AWS

The Defendable Design project builds standard, self-healing designs for strong security, using serverless and cloud-native tools.

Defendable Design for AWS (DD-AWS) uses Terraform to orchestrate AWS-native functionality, including AWS CloudTrail, AWS Config and AWS Lambda, to provide strong security fundamentals, monitoring and automatic response.

Deploying DD-AWS via Terraform:

  • Uses AWS KMS for encryption at rest
  • Enables AWS Config
  • Enables CloudTrail
  • Configures an IAM password policy
  • Deploys a series of Config Rules that check for common problems
  • Configures alerts for dangerous CloudTrail events
  • Deploys tools that automatically:
    • Reverse dangerous security group changes
    • Lock down public S3 buckets
  • Deploys alert integration for Slack.
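The "reverse dangerous security group changes" item above is the part of the design that is hardest to picture from a bullet, so here is an added example of what such an auto-responder decides. This is illustrative code written for this page, not code from the DD-AWS project: it models a Lambda-style handler that receives a CloudTrail AuthorizeSecurityGroupIngress record (as EventBridge delivers it, wrapped in "detail"), flags any rule whose source is the whole internet, and builds the parameters a revoke call would need to undo it. The definition of "dangerous" (a source of 0.0.0.0/0 or ::/0), the security group id, the sample events and the ec2 client wiring are all assumptions; DD-AWS's own criteria and Lambda code may differ.

```python
"""Illustrative decision logic for a CloudTrail-driven security group auto-responder.

Added example, not DD-AWS project code. The "dangerous" test below is an
assumption (any ingress rule open to 0.0.0.0/0 or ::/0).
"""
import ipaddress

AUTHORIZE_EVENT = "AuthorizeSecurityGroupIngress"


def is_world_open(cidr: str) -> bool:
    """True for a zero-length prefix (0.0.0.0/0 or ::/0); malformed input is not flagged."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _items(node):
    """CloudTrail records EC2 list parameters as {"items": [...]}; tolerate absence."""
    return (node or {}).get("items", [])


def dangerous_permissions(record: dict) -> list:
    """Return the world-open parts of an AuthorizeSecurityGroupIngress record,
    shaped as the IpPermissions list a revoke call would take."""
    if record.get("eventName") != AUTHORIZE_EVENT or "errorCode" in record:
        return []  # not an authorize call, or the API call itself failed
    to_revoke = []
    params = record.get("requestParameters", {})
    for perm in _items(params.get("ipPermissions")):
        v4 = [r["cidrIp"] for r in _items(perm.get("ipRanges")) if is_world_open(r.get("cidrIp", ""))]
        v6 = [r["cidrIpv6"] for r in _items(perm.get("ipv6Ranges")) if is_world_open(r.get("cidrIpv6", ""))]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm.get("ipProtocol", "-1")}
        # protocol "-1" (all traffic) carries no port range; copy ports only when present
        if "fromPort" in perm:
            entry["FromPort"] = perm["fromPort"]
            entry["ToPort"] = perm["toPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        to_revoke.append(entry)
    return to_revoke


def build_revoke_request(event: dict):
    """Map an incoming event to revoke_security_group_ingress parameters, or None."""
    record = event.get("detail", event)  # EventBridge wraps the CloudTrail record in "detail"
    perms = dangerous_permissions(record)
    if not perms:
        return None
    return {"GroupId": record["requestParameters"]["groupId"], "IpPermissions": perms}


def handler(event: dict, ec2=None) -> dict:
    """Lambda-style entry point. With ec2=None this is a dry run that only reports;
    pass a boto3 EC2 client (hypothetical wiring) to actually revert the rule."""
    request = build_revoke_request(event)
    if request is None:
        return {"action": "none"}
    if ec2 is not None:
        ec2.revoke_security_group_ingress(**request)  # boto3 call; not exercised offline
    return {"action": "revoke", "request": request}


def make_event(cidr: str, from_port=22, to_port=22, protocol="tcp") -> dict:
    """Constructed sample in the shape CloudTrail uses for this API call (values are made up)."""
    key, rng = ("ipv6Ranges", {"cidrIpv6": cidr}) if ":" in cidr else ("ipRanges", {"cidrIp": cidr})
    return {
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": AUTHORIZE_EVENT,
            "requestParameters": {
                "groupId": "sg-0123456789abcdef0",  # constructed id
                "ipPermissions": {"items": [{
                    "ipProtocol": protocol, "fromPort": from_port, "toPort": to_port,
                    key: {"items": [rng]},
                }]},
            },
        }
    }


if __name__ == "__main__":
    print(handler(make_event("0.0.0.0/0")))   # SSH open to the world: revoke
    print(handler(make_event("10.0.0.0/8")))  # internal range: no action
```

Running the handler with ec2=None shows exactly which rule would be reverted before any client is wired in; the returned request doubles as the detail an operator wants in the Slack alert that accompanies an automatic response.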

How to get started

  1. Install Terraform
  2. Download and unpack the latest release, or clone the whole repo.
  3. Configure AWS credentials
  4. [Optional] Create an Incoming Webhook for Slack
    1. Go to https://my.slack.com/services/new/incoming-webhook/
    2. Choose the channel where messages will be sent and click "Add Incoming WebHooks Integration".
    3. Copy the webhook URL and supply it as the slack_webhook_url variable to terraform apply.
      Terraform will automatically encrypt the URL for you.
  5. [Optional] Enable auto-response for remediating violations:
    • Edit terraform.tfvars and change enable_auto_response from "false" to "true"
  6. Set a region (defaults to Sydney):
  7. From PowerShell run ./setup_remote_tfstate.ps1 to create an S3 bucket for storing your Terraform state
    • On a non-Windows system, create the state bucket and run terraform init manually.
  8. Deploy:
    1. Run:
      • Without Slack integration:
        terraform apply
      • With Slack integration:
        terraform apply -var "slack_webhook_url=https://hooks.slack.com/services/YOUR/WEBHOOK/URL/HERE"
    2. Review the proposed changes to your AWS account
    3. Type yes when you're ready to go