From 233cdec5dfe903124469cc711fcb02e83f7335a9 Mon Sep 17 00:00:00 2001 From: "vitalii.v2" Date: Wed, 6 Jul 2022 09:52:45 +0600 Subject: [PATCH 1/5] update TFSEC.md --- docs/TFSEC.md | 41 +++++++++++++++----------- terraform/layer1-aws/aws-cloudtrail.tf | 3 +- terraform/layer1-aws/variables.tf | 8 ++--- 3 files changed, 29 insertions(+), 23 deletions(-) diff --git a/docs/TFSEC.md b/docs/TFSEC.md index 4d0d3cdc..26b08411 100644 --- a/docs/TFSEC.md +++ b/docs/TFSEC.md 
@@ -1,23 +1,28 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to check our terraform code using static analysis to spot potential security issues. However, we needed to skip some checks. The list of those checks is below: -| Layer | Security issue | Description | Why skipped? | -| ---------------------------------------------- | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | -| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | -| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. 
| -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | -| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | -| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. | This is a VPN server and it need to have egress traffic to anywhere by default | -| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. 
| -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_metricbeat_values | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_filebeat_values | -| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_apm_values | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | -| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | +| Layer | Security issue | Description | Why skipped? 
| +| ------------------------------------ |----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------| +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.cluster_egress_internet[0]' defines a fully open egress security group rule. | We use recommended option. [More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | +| layer1-aws/aws-eks.tf | aws-eks-enable-control-plane-logging | Resource 'module.eks:aws_eks_cluster.this[0]' is missing the control plane log type 'scheduler' | By default we enable only audit logs. Can be changed via variable eks_cluster_enabled_log_types | +| layer1-aws/aws-eks.tf | aws-eks-encrypt-secrets | Resource 'module.eks:aws_eks_cluster.this[0]' has no encryptionConfigBlock block | By default encryption is disabled, but can be enabled via setting *eks_cluster_encryption_config_enable = true* in your tfvars file. | +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access | Resource 'module.eks:aws_eks_cluster.this[0]' has public access is explicitly set to enabled | By default we create public accessible EKS cluster from anywhere | +| layer1-aws/aws-eks.tf | aws-eks-no-public-cluster-access-to-cidr | Resource 'module.eks:aws_eks_cluster.this[0]' has public access cidr explicitly set to wide open | By default we create public accessible EKS cluster from anywhere | +| layer1-aws/aws-eks.tf | aws-vpc-no-public-egress-sgr | Resource 'module.eks:aws_security_group_rule.workers_egress_internet[0]' defines a fully open egress security group rule | We use recommended option. 
[More info](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) | +| layer1-aws/aws-cloudtrail.tf | aws-cloudtrail-enable-at-rest-encryption | Resource 'aws_cloudtrail' is missing kms key to use to encrypt the logs delivered by CloudTrail. | Since this is a paid service, and a lot of information can be written in the cloudtrail, we do not use this function | +| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-bucket-logging | Resource 'aws_s3_bucket' is missing the enabled logging for s3 cloudtrail bucket. | By default, s3 bucket logging for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_logging | +| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-versioning | Resource 'aws_s3_bucket' is missing the enabled versioning for s3 cloudtrail bucket. | By default, s3 bucket versioning for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_versioning | +| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-bucket-encryption | Resource 'aws_s3_bucket' is missing the enabled encryption for s3 cloudtrail bucket. | By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration | +| layer1-aws/aws-cloudtrail.tf | aws-s3-encryption-customer-key | Resource 'aws_s3_bucket' is missing encryption customer-provided encryption keys. | By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. 
| This is a VPN server and it need to have egress traffic to anywhere by default | +| modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_secrets[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources. | We use this policy for external-secrets and grant it access to all secrets. | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_autoscaler[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use condition to allow run actions only for certain autoscaling groups | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.eks_alb_ingress[0]:module.aws_iam_aws_loadbalancer_controller:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use recommended [policy](https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json) | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_metricbeat_values | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. Password literal text | tfsec complains on local.elk_filebeat_values | +| layer2-k8s/eks-elk.tf | general-secrets-sensitive-in-attribute-value | Block 'locals.' includes potentially sensitive data. 
Password literal text | tfsec complains on local.elk_apm_values | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_external_dns[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | We use the policy from the [documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy) | +| modules/aws-iam-eks-trusted/main.tf | aws-iam-no-policy-wildcards | Resource 'module.aws_iam_cert_manager[0]:aws_iam_role_policy.this' defines a policy with wildcarded resources | Certmanager uses Route53 to create DNS records and validate wildcard certificates. By default we allow it to manage all zones | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.monitoring_namespace[0]:kubernetes_network_policy.this[3]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[5]' allows egress traffic to the internet | We don't want to deny egress traffic in a default installation | | modules/kubernetes-namespace/network-policy.tf | kubernetes-network-no-public-egress | Resource 'module.ingress_nginx_namespace[0]:kubernetes_network_policy.this[0]' allows all egress traffic by default | We don't want to deny egress traffic in a default installation | diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index 755154f5..b4f8aa70 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -1,3 +1,4 @@ +#tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption resource "aws_cloudtrail" "main" { name = local.name s3_bucket_name = aws_s3_bucket.cloudtrail.id 
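Review bot: in the docs/TFSEC.md hunk, the new `aws-s3-encryption-customer-key` row mislabels the check and repeats the row above it. The tfsec check asks for a customer-managed KMS key (SSE-KMS with your own key), not "customer-provided encryption keys" (that is SSE-C, a different feature), and its "Why skipped?" text, "By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration", is copied verbatim from the `aws-s3-enable-bucket-encryption` row. Suggest a description such as "bucket is not encrypted with a customer-managed KMS key" and a reason that matches the `aws-cloudtrail-enable-at-rest-encryption` row (KMS cost), so each row can be kept or dropped on its own. The at-rest-encryption row's "we do not use this function" also reads as if trail logs are stored in clear; CloudTrail delivers log files with SSE-S3 by default and the check is only about SSE-KMS, which is worth saying.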
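Review bot: the `#tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption` added above `resource "aws_cloudtrail" "main"` carries no justification at the point of use, and someone editing this resource will not open docs/TFSEC.md to find it. Put a one-line comment next to the ignore stating that the SSE-S3 default is accepted and `kms_key_id` is deliberately left unset for cost reasons, or, in the pattern this repo already uses for EKS secrets encryption (`eks_cluster_encryption_config_enable`), expose an optional KMS key variable so the ignore documents a default rather than a fixed decision.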
@@ -8,7 +9,7 @@ resource "aws_cloudtrail" "main" { tags = local.tags } - +#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key resource "aws_s3_bucket" "cloudtrail" { bucket = "${local.name}-aws-cloudtrail-logs" diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf index ee039b07..00b2374c 100644 --- a/terraform/layer1-aws/variables.tf +++ b/terraform/layer1-aws/variables.tf @@ -9,15 +9,15 @@ variable "aws_account_password_policy" { type = any default = { create = true - minimum_password_length = "14" # Minimum length to require for user passwords - password_reuse_prevention = "10" # The number of previous passwords that users are prevented from reusing + minimum_password_length = 14 # Minimum length to require for user passwords + password_reuse_prevention = 10 # The number of previous passwords that users are prevented from reusing require_lowercase_characters = true # If true, password must contain at least 1 lowercase symbol require_numbers = true # If true, password must contain at least 1 number symbol require_uppercase_characters = true # If true, password must contain at least 1 uppercase symbol require_symbols = true # If true, password must contain at least 1 special symbol allow_users_to_change_password = true # Whether to allow users to change their own password - max_password_age = "90" # How many days user's password is valid - hard_expiry = false # Don't allow users to set a new password after their password has expired + max_password_age = 90 # How many days user's password is valid + hard_expiry = false # Don't allow users to set a new password after their password has expired } } From 521e7ff19f19b41d6a2ff8e40e67080f9a769319 Mon Sep 17 00:00:00 2001 
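Review bot: in the `@@ -8,7 +9,7 @@` hunk of aws-cloudtrail.tf, the four ignores stacked on `resource "aws_s3_bucket" "cloudtrail"` suppress more than the stated reason covers. Only `aws-s3-encryption-customer-key` has a cost argument; `aws-s3-enable-bucket-encryption` is cleared by adding an `aws_s3_bucket_server_side_encryption_configuration` with `sse_algorithm = "AES256"`, which costs nothing, and the docs hunk in this same commit names exactly that resource as the fix. Suggest fixing that finding instead of ignoring it and keeping only the versioning, logging and customer-key ignores here.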
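Review bot: in the variables.tf hunk, turning `"14"`, `"10"` and `"90"` into numbers is the right direction, but `aws_account_password_policy` is declared `type = any`, so Terraform validates none of it: a string would still be accepted silently and terraform-docs can only render the default as an untyped JSON blob. Suggest `type = object({ create = bool, minimum_password_length = number, password_reuse_prevention = number, max_password_age = number, hard_expiry = bool, ... })` so the change is enforced. The hunk is also unrelated to the commit subject "update TFSEC.md" and would be clearer as its own commit.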
From: "vitalii.v2" Date: Mon, 11 Jul 2022 14:32:17 +0600 Subject: [PATCH 2/5] enable bucket cloudtrail encryption --- docs/TFSEC.md | 1 - terraform/layer1-aws/aws-cloudtrail.tf | 13 ++++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/TFSEC.md b/docs/TFSEC.md index 26b08411..c9b7689f 100644 --- a/docs/TFSEC.md +++ b/docs/TFSEC.md 
@@ -11,7 +11,6 @@ We use GitHub Actions and [tfsec](https://github.com/aquasecurity/tfsec) to chec | layer1-aws/aws-cloudtrail.tf | aws-cloudtrail-enable-at-rest-encryption | Resource 'aws_cloudtrail' is missing kms key to use to encrypt the logs delivered by CloudTrail. | Since this is a paid service, and a lot of information can be written in the cloudtrail, we do not use this function | | layer1-aws/aws-cloudtrail.tf | aws-s3-enable-bucket-logging | Resource 'aws_s3_bucket' is missing the enabled logging for s3 cloudtrail bucket. | By default, s3 bucket logging for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_logging | | layer1-aws/aws-cloudtrail.tf | aws-s3-enable-versioning | Resource 'aws_s3_bucket' is missing the enabled versioning for s3 cloudtrail bucket. | By default, s3 bucket versioning for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_versioning | -| layer1-aws/aws-cloudtrail.tf | aws-s3-enable-bucket-encryption | Resource 'aws_s3_bucket' is missing the enabled encryption for s3 cloudtrail bucket. | By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration | | layer1-aws/aws-cloudtrail.tf | aws-s3-encryption-customer-key | Resource 'aws_s3_bucket' is missing encryption customer-provided encryption keys. | By default, s3 bucket encryption for cloudtrail is disabled. Can be changed via resource aws_s3_bucket_server_side_encryption_configuration | | modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.egress_with_cidr_blocks[0]' defines a fully open egress security group rule. 
| This is a VPN server and it need to have egress traffic to anywhere by default | | modules/aws-ec2-pritunl/security_groups.tf | aws-vpc-no-public-egress-sgr | Resource 'module.pritunl[0]:module.ec2_sg:aws_security_group_rule.ingress_with_cidr_blocks[1]' defines a fully open ingress security group rule. | This is a VPN server and by default it needs to have ingress traffic from anywhere | diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index b4f8aa70..fb1c7c22 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -9,7 +9,7 @@ resource "aws_cloudtrail" "main" { tags = local.tags } -#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key +#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning resource "aws_s3_bucket" "cloudtrail" { bucket = "${local.name}-aws-cloudtrail-logs" @@ -37,6 +37,17 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { } } +#tfsec:ignore:aws-s3-encryption-customer-key +resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { + bucket = aws_s3_bucket.cloudtrail.bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + resource "aws_s3_bucket_public_access_block" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id restrict_public_buckets = true From 6cea8baa8e0a91acda7c14e07a357036baa0deb7 Mon Sep 17 00:00:00 2001 From: "vitalii.v2" Date: Mon, 11 Jul 2022 15:14:44 +0600 Subject: [PATCH 3/5] enable encryption in bucket resource --- terraform/layer1-aws/aws-cloudtrail.tf | 29 ++++++++++++++++---------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index fb1c7c22..f1f63443 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf 
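Review bot: in the docs/TFSEC.md hunk, deleting the `aws-s3-enable-bucket-encryption` row leaves the `aws-s3-encryption-customer-key` row right below it still saying "By default, s3 bucket encryption for cloudtrail is disabled", which this commit makes false: the bucket now gets SSE-S3 through `aws_s3_bucket_server_side_encryption_configuration`. Reword that row to say SSE-S3 (`AES256`) is enabled and only a customer-managed KMS key is not used, with the cost reason, so the table matches the code it documents.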
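Review bot: in the `@@ -37,6 +37,17 @@` hunk, the new `aws_s3_bucket_server_side_encryption_configuration.cloudtrail` references `aws_s3_bucket.cloudtrail.bucket` while the neighbouring `aws_s3_bucket_public_access_block.cloudtrail` uses `aws_s3_bucket.cloudtrail.id`; both resolve to the bucket name, so pick one and use it throughout the file. Moving `#tfsec:ignore:aws-s3-encryption-customer-key` onto this resource is correct, since this is the resource tfsec evaluates for the key type. Note that the rule only sets the bucket's default encryption for objects written without an explicit header; CloudTrail's own deliveries were already SSE-S3, so the practical effect is on anything else that lands in this bucket.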
+++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -9,10 +9,18 @@ resource "aws_cloudtrail" "main" { tags = local.tags } -#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning +#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key resource "aws_s3_bucket" "cloudtrail" { bucket = "${local.name}-aws-cloudtrail-logs" + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } + } + tags = local.tags } @@ -37,16 +45,15 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { } } -#tfsec:ignore:aws-s3-encryption-customer-key -resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { - bucket = aws_s3_bucket.cloudtrail.bucket - - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } -} +#resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { +# bucket = aws_s3_bucket.cloudtrail.bucket +# +# rule { +# apply_server_side_encryption_by_default { +# sse_algorithm = "AES256" +# } +# } +#} resource "aws_s3_bucket_public_access_block" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id From 4e008f5855650967ac78a2eb9b12062463bcb2ce Mon Sep 17 00:00:00 2001 From: "vitalii.v2" Date: Tue, 12 Jul 2022 16:55:37 +0600 Subject: [PATCH 4/5] revert resource encryption_configuration --- .github/workflows/terraform-ci.yml | 2 +- terraform/layer1-aws/aws-cloudtrail.tf | 30 +++++++++++--------------- 2 files changed, 13 insertions(+), 19 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 56db82c7..7c829134 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -75,7 +75,7 @@ jobs: needs: terraform-validate runs-on: ubuntu-latest container: - image: tfsec/tfsec + image: aquasec/tfsec options: --user root steps: - name: Checkout 
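Review bot: in the `@@ -9,10 +9,18 @@` hunk, the inline `server_side_encryption_configuration { ... }` block inside `aws_s3_bucket` is the pre-4.0 form of the AWS provider argument and is deprecated in the 4.x provider this layer uses (the README links `providers/aws/4.10.0`); the standalone `aws_s3_bucket_server_side_encryption_configuration` resource from the previous commit is the supported form, so this commit should be dropped rather than built on. The second hunk also comments the standalone resource out line by line with `#` instead of deleting it; commented-out resources should not be merged, git history already keeps them.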
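Review bot: in the `.github/workflows/terraform-ci.yml` hunk, `image: aquasec/tfsec` has no tag or digest, so the job pulls whatever `latest` is at run time and a new tfsec release, or a tampered image, changes CI results with no change in this repository. Pin it to a release tag (`aquasec/tfsec:vX.Y.Z`) or, better, a digest (`aquasec/tfsec@sha256:...`) and bump deliberately; the ignore list in docs/TFSEC.md is keyed on check IDs that are only stable per tfsec version, which is one more reason to pin. While here, `options: --user root` in the same hunk's context runs the scanner as root in the container; a non-root user is enough for a read-only scan of the checkout.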
diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index f1f63443..4997caec 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -9,18 +9,11 @@ resource "aws_cloudtrail" "main" { tags = local.tags } -#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key + +#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning resource "aws_s3_bucket" "cloudtrail" { bucket = "${local.name}-aws-cloudtrail-logs" - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - tags = local.tags } @@ -45,15 +38,16 @@ resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { } } -#resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { -# bucket = aws_s3_bucket.cloudtrail.bucket -# -# rule { -# apply_server_side_encryption_by_default { -# sse_algorithm = "AES256" -# } -# } -#} +#tfsec:ignore:aws-s3-encryption-customer-key +resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" { + bucket = aws_s3_bucket.cloudtrail.bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} resource "aws_s3_bucket_public_access_block" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id From 849dc064dd0f24c9969fd4b4ab83fe54afe6101a Mon Sep 17 00:00:00 2001 From: "vitalii.v2" Date: Tue, 12 Jul 2022 18:15:34 +0600 Subject: [PATCH 5/5] update readme --- terraform/layer1-aws/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index 11a9f2ea..16fc65e9 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md 
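Review bot: the two aws-cloudtrail.tf hunks restore the commit-2 state exactly, so commits 2 through 4 net out to a single change and should be squashed before merge; otherwise the history records an inline SSE block that was deprecated in the pinned provider and never meant to ship. The first hunk also inserts a stray blank line above `#tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning` (a blank line is removed and a different one added); drop it. The restored resource again uses `aws_s3_bucket.cloudtrail.bucket` where the sibling resources in this file use `aws_s3_bucket.cloudtrail.id`.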
@@ -41,6 +41,7 @@ | [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | | [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic) | resource | | [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic_policy) | resource | | [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/sns_topic_subscription) | resource | @@ -60,7 +61,7 @@ |------|-------------|------|---------|:--------:| | [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | | [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": "90",
"minimum_password_length": "14",
"password_reuse_prevention": "10",
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | +| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | | [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | | [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | | [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no |
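Review bot: in the README hunk, the regenerated default for `aws_account_password_policy` now shows numbers, but the unchanged `aws_cis_benchmark_alerts` default directly below it still carries `"enabled": "false"` as a string, the same string-for-scalar pattern this series fixes in variables.tf. A string `"false"` and a bool `false` do not compare equal in a Terraform `==` condition, so behaviour depends on how the flag is consumed; change the default to a bool in variables.tf and regenerate the README in the same commit. Both variables are typed `any`, which is why terraform-docs can only print the raw default here rather than a real type.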