aws-samples/aws-macie-customization-terraform-samples

Amazon Macie Organization Setup Using Terraform

Introduction

The Macie Organization solution enables Amazon Macie across the organization: from the Organization Management account it delegates Macie administration to the Audit account, and in that delegated administrator account it configures Macie for all existing and future accounts in the AWS Organization. Macie is also configured to export its findings to a central S3 bucket in the Log Archive account, encrypted with a KMS key owned by the Audit account.

Target Architecture

[Architecture diagram]

Prerequisites

Terraform templates for the prerequisites below, each with its own README, are in the Prerequisites directory of this repository.

AUDIT ACCOUNT

In this step a KMS key is created in the Audit account. It is used to encrypt the objects in the S3 bucket that the next step creates in the Log Archive account.

KMS key creation steps in the Control Tower Audit account:

  1. Clone the repository locally using git clone
  2. Go to the prerequisites/AUDIT folder
  3. Update the terraform.tfvars file with the appropriate details
  4. Run the Terraform commands to deploy these resources in the Audit account:
export AWS_REGION={{ REGION }}
terraform init
terraform plan
terraform apply
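The following is an added example of what the Audit account prerequisite amounts to; it is not the repository's prerequisites/AUDIT template. It creates the findings-delivery KMS key with a key policy that lets the Macie service use the key only on behalf of this account's export configuration, and refuses to apply from any account other than the Audit account. The variable names, the alias name and the assume-role ARN are assumptions.

```hcl
# Added example (not the repository's code). Assumed variables: region,
# audit_account_id and audit_role_arn (the role Terraform assumes in the Audit account).
variable "region" { type = string }
variable "audit_account_id" { type = string }
variable "audit_role_arn" { type = string }

provider "aws" {
  region = var.region
  assume_role {
    role_arn = var.audit_role_arn
  }
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "macie_key" {
  # Key administration stays with the Audit account itself.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.audit_account_id}:root"]
    }
  }

  # Macie needs only GenerateDataKey and Encrypt to write findings. The two
  # conditions stop a Macie export configuration in any other account from
  # using this key (confused-deputy protection for a service principal).
  statement {
    sid       = "AllowMacieToUseTheKey"
    actions   = ["kms:GenerateDataKey", "kms:Encrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["macie.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.audit_account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:macie2:${var.region}:${var.audit_account_id}:export-configuration:*"]
    }
  }
}

resource "aws_kms_key" "macie_export" {
  description         = "Encrypts Macie findings delivered to the Log Archive bucket"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.macie_key.json

  lifecycle {
    # The README says to apply this in the Audit account; make Terraform check it.
    precondition {
      condition     = data.aws_caller_identity.current.account_id == var.audit_account_id
      error_message = "Apply this from the Audit account; the current account does not match audit_account_id."
    }
  }
}

resource "aws_kms_alias" "macie_export" {
  name          = "alias/MacieOrgDeliveryKey" # assumed alias name
  target_key_id = aws_kms_key.macie_export.key_id
}

# The Log Archive step needs the key ARN for bucket encryption and the bucket policy.
output "macie_export_key_arn" {
  value = aws_kms_key.macie_export.arn
}
```

The aws:SourceAccount and aws:SourceArn conditions are the part worth keeping even if the rest is adapted: without them any account in which Macie is enabled could encrypt with this key if it somehow learned the ARN and were granted cross-account access later.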

LOG ARCHIVE ACCOUNT

In this step an S3 bucket is created in the Log Archive account, using the KMS key created in the previous step.

S3 bucket creation steps in the Control Tower Log Archive account:

  1. Clone the repository locally using git clone
  2. Go to the prerequisites/LOGARCHIVE folder
  3. Update the terraform.tfvars file with the appropriate details
  4. Run the Terraform commands to deploy these resources in the Log Archive account:
terraform init
terraform plan
terraform apply
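As an added example, not the repository's prerequisites/LOGARCHIVE template, this is a findings bucket in the Log Archive account whose bucket policy lets the Macie service write only on behalf of the Audit account's export configuration, and only with the Audit account's KMS key. The variable names, the assume-role ARN and the key prefix are assumptions; the key ARN is the one produced by the Audit account step.

```hcl
# Added example (not the repository's code). Assumed variables: region,
# audit_account_id, logarchive_role_arn, export_bucket_name and macie_kms_key_arn.
variable "region" { type = string }
variable "audit_account_id" { type = string }
variable "logarchive_role_arn" { type = string }
variable "export_bucket_name" { type = string }
variable "macie_kms_key_arn" { type = string } # output of the Audit account step

provider "aws" {
  region = var.region
  assume_role {
    role_arn = var.logarchive_role_arn
  }
}

resource "aws_s3_bucket" "macie_findings" {
  bucket = var.export_bucket_name
}

resource "aws_s3_bucket_public_access_block" "macie_findings" {
  bucket                  = aws_s3_bucket.macie_findings.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption with the Audit account key; the bucket policy below also
# rejects any object that is not encrypted with exactly that key.
resource "aws_s3_bucket_server_side_encryption_configuration" "macie_findings" {
  bucket = aws_s3_bucket.macie_findings.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.macie_kms_key_arn
    }
  }
}

data "aws_iam_policy_document" "macie_findings" {
  # Macie locates the bucket and writes findings objects. The conditions pin the
  # caller to the Audit account's Macie export configuration, so Macie running in
  # some other account cannot write here.
  statement {
    sid       = "AllowMacieWriteFindings"
    actions   = ["s3:GetBucketLocation", "s3:PutObject"]
    resources = [aws_s3_bucket.macie_findings.arn, "${aws_s3_bucket.macie_findings.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["macie.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.audit_account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:macie2:${var.region}:${var.audit_account_id}:export-configuration:*"]
    }
  }

  # Refuse uploads that name a different KMS key, even from Macie.
  statement {
    sid       = "DenyWrongKmsKey"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.macie_findings.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["macie.amazonaws.com"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [var.macie_kms_key_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "macie_findings" {
  bucket = aws_s3_bucket.macie_findings.id
  policy = data.aws_iam_policy_document.macie_findings.json
}
```

Because the bucket is in a different account from the key, both halves have to agree: the key policy in the Audit account must allow macie.amazonaws.com for that account's export configuration, and this bucket policy must allow the same principal under the same conditions. If only one side is right, the export configuration step in the Audit account fails validation rather than silently dropping findings.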

Organization Management Account:

Delegate Macie administration to the Control Tower Audit account:

  1. Clone the repository locally using git clone
  2. Go to the prerequisites/MANAGEMENT folder
  3. Update the terraform.tfvars file with the appropriate details
  4. Run the Terraform commands to deploy these resources in the Management account:
terraform init
terraform plan
terraform apply
  5. Log in to the Management account and validate that Macie administration has been delegated to the Audit account
  6. Also validate that Macie is enabled in the Audit account
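The delegation this step performs, written out as an added example rather than the repository's delegation-access-module: Macie is enabled in the Management account (a precondition for delegating) and the Audit account is registered as the delegated Macie administrator. Two preconditions guard against the usual mistakes of applying from the wrong account or delegating to an account outside the organization. Everything except audit_account_id is an assumption.

```hcl
# Added example (not the repository's code). audit_account_id matches the module
# input of the same name; region is an assumed variable.
variable "region" { type = string }
variable "audit_account_id" {
  type        = string
  description = "Account ID of the Audit account to delegate Macie administration to"
}

provider "aws" {
  region = var.region
}

data "aws_caller_identity" "current" {}

# accounts[] is only populated when this data source is read from the management
# account, which is also the only account allowed to delegate.
data "aws_organizations_organization" "this" {}

# Macie must be enabled in the management account before it can delegate.
resource "aws_macie2_account" "management" {
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

resource "aws_macie2_organization_admin_account" "admin_account" {
  admin_account_id = var.audit_account_id
  depends_on       = [aws_macie2_account.management]

  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.current.account_id == data.aws_organizations_organization.this.master_account_id
      error_message = "Macie delegation must be applied from the Organization Management account."
    }
    precondition {
      condition     = contains(data.aws_organizations_organization.this.accounts[*].id, var.audit_account_id)
      error_message = "audit_account_id is not a member account of this organization."
    }
  }
}
```

Delegation is per Region: the resource above only designates the administrator for the Region the provider is configured with, so a multi-Region deployment needs one provider alias and one aws_macie2_organization_admin_account per Region.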

Requirements

No requirements.

Providers

No providers.

Modules

Name | Source | Version
Delegation_Admin_Access | ../../modules/delegation-access-module | n/a

Resources

Name | Type
aws_macie2_organization_admin_account.admin_account | resource

Inputs

Name | Description | Type | Default | Required
audit_account_id | Account ID of the Audit account to delegate Macie administration to | string | n/a | yes

Outputs

No outputs.

Deployment

Audit account:

Macie customization in the Audit account:

  1. Clone the repository locally using git clone
  2. Go to the deployment folder
  3. Update the terraform.tfvars file with the appropriate details
  4. Run the Terraform commands to deploy these resources in the Audit account:
terraform init
terraform plan
terraform apply
  5. Log in to the Audit account and validate that Macie is monitoring the S3 buckets of all member accounts and that the findings export configuration is in place
  6. Also validate that auto-enable is turned on
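The customization applied in the Audit account, as an added example that is not the repository's macie-customization-module: Macie is enabled in the delegated administrator account, the findings export is pointed at the Log Archive bucket with the Audit account key, every listed member account is enrolled, and organization auto-enable is set through the AWS CLI the way a null_resource with a local-exec provisioner would do it. Variable names are taken from the module's Inputs table below (LogArchiveAccountId is not needed here); the key prefix, the precondition and the exact CLI command are assumptions.

```hcl
# Added example (not the repository's code). Variable names follow the module's
# Inputs table; region is an assumed extra variable.
variable "region" { type = string }
variable "ManagementAccountId" { type = string }
variable "exports3bucket" { type = string }
variable "MacieOrgDeliveryKeyAlias" { type = string } # KMS key ARN from the Audit prerequisites
variable "autoenablemode" {
  type    = string
  default = "yes"
}
variable "member_accounts" {
  type = list(object({
    Accountid    = string
    Emailaddress = string
  }))
}

provider "aws" {
  region = var.region
}

data "aws_caller_identity" "current" {}

# Macie must be enabled in the delegated administrator account itself.
resource "aws_macie2_account" "audit" {
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"

  lifecycle {
    # Assumed check: the customization belongs in the Audit account, never the management account.
    precondition {
      condition     = data.aws_caller_identity.current.account_id != var.ManagementAccountId
      error_message = "Run the Macie customization from the Audit account, not the Management account."
    }
  }
}

# Findings go to the Log Archive bucket, encrypted with the Audit account's key.
# Macie validates the bucket policy and key policy when this is applied.
resource "aws_macie2_classification_export_configuration" "macieconfiguration" {
  depends_on = [aws_macie2_account.audit]
  s3_destination {
    bucket_name = var.exports3bucket
    key_prefix  = "macie-findings/" # assumed prefix
    kms_key_arn = var.MacieOrgDeliveryKeyAlias
  }
}

# Enroll every existing member account. Organization accounts need no invitation;
# the administrator account itself cannot be its own member, so it is skipped.
locals {
  members = {
    for m in var.member_accounts : m.Accountid => m
    if m.Accountid != data.aws_caller_identity.current.account_id
  }
}

resource "aws_macie2_member" "this" {
  for_each   = local.members
  account_id = each.value.Accountid
  email      = each.value.Emailaddress
  status     = "ENABLED"
  depends_on = [aws_macie2_account.audit]
}

# Auto-enable for accounts that join the organization later. The command re-runs
# only when autoenablemode changes, so toggling it back to "no" is also applied.
locals {
  autoenable_flag = var.autoenablemode == "yes" ? "--auto-enable" : "--no-auto-enable"
}

resource "null_resource" "Autoenablemode" {
  depends_on = [aws_macie2_member.this]
  triggers = {
    mode = var.autoenablemode
  }
  provisioner "local-exec" {
    command = "aws macie2 update-organization-configuration ${local.autoenable_flag} --region ${var.region}"
  }
}
```

The local-exec step is the one part Terraform cannot verify on a later plan: if someone switches auto-enable off in the console, the null_resource shows no drift. Checking that setting belongs in the post-deployment validation rather than being assumed from a clean apply.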

Requirements

No requirements.

Providers

No providers.

Modules

Name | Source | Version
Macie_customization | ../../modules/macie-customization-module | n/a

Resources

Name | Type
aws_macie2_classification_export_configuration.macieconfiguration | resource
aws_macie2_member.this | resource
null_resource.Autoenablemode | resource
aws_caller_identity.current | data source

Inputs

Name | Description | Type | Default | Required
LogArchiveAccountId | Account ID of the Log Archive account | string | n/a | yes
MacieOrgDeliveryKeyAlias | ARN of the KMS key created as part of the prerequisites | string | n/a | yes
ManagementAccountId | Account ID of the Management account | string | n/a | yes
autoenablemode | Whether to enable Macie automatically for accounts added to the organization later | string | "yes" | no
exports3bucket | Name of the S3 bucket created as part of the prerequisites | string | n/a | yes
member_accounts | List of member accounts to enable | list(object({ Accountid = string, Emailaddress = string })) | n/a | yes

Outputs

No outputs.

Verify Solution Deployment

  1. Log into the Management account and navigate to the Macie page
    1. Validate that the delegated admin account is set
  2. Log into the Audit account and navigate to the Macie page
    1. Verify the correct Macie configurations have been applied
    2. Verify all existing accounts have been enabled
    3. Verify the findings export is configured for the S3 bucket
    4. Generate sample findings to verify S3 delivery
  3. Log into the Log archive account and navigate to the S3 page
    1. Verify the sample findings have been delivered

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
