CIS Benchmark v1.3.0

README.md

@@ -118,6 +118,7 @@ This module is composed of several submodules and each of which can be used inde
 | alarm\_namespace | The namespace in which all alarms are set up. | `string` | `"CISBenchmark"` | no |
 | alarm\_sns\_topic\_name | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | `"CISAlarm"` | no |
 | allow\_users\_to\_change\_password | Whether to allow users to change their own password. | `bool` | `true` | no |
+| analyzer\_name | The name for the IAM Access Analyzer resource to be created. | `string` | `"default-analyer"` | no |
 | audit\_log\_bucket\_custom\_policy\_json | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | `"{}"` | no |
 | audit\_log\_bucket\_force\_destroy | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | audit\_log\_bucket\_name | The name of the S3 bucket to store various audit logs. | `any` | n/a | yes |
@@ -130,6 +131,7 @@ This module is composed of several submodules and each of which can be used inde
 | cloudtrail\_key\_deletion\_window\_in\_days | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | `10` | no |
 | cloudtrail\_name | The name of the trail. | `string` | `"cloudtrail-multi-region"` | no |
 | cloudtrail\_s3\_key\_prefix | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | `"cloudtrail"` | no |
+| cloudtrail\_s3\_object\_level\_logging\_buckets | The list of S3 bucket ARNs on which to enable object-level logging. | `list` | <pre>[<br>  "arn:aws:s3:::"<br>]</pre> | no |
 | cloudtrail\_sns\_topic\_enabled | Specifies whether the trail is delivered to a SNS topic. | `bool` | `true` | no |
 | cloudtrail\_sns\_topic\_name | The name of the SNS topic to link to the trail. | `string` | `"cloudtrail-multi-region-sns-topic"` | no |
 | cloudwatch\_logs\_retention\_in\_days | Number of days to retain logs for. CIS recommends 365 days.  Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no |

analyzer.tf

@@ -0,0 +1,213 @@
+locals {
+  is_analyzer_enabled = local.is_individual_account || local.is_master_account
+}
+
+# --------------------------------------------------------------------------------------------------
+# Analyzer Baseline
+# --------------------------------------------------------------------------------------------------
+module "analyzer_baseline_ap-northeast-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ap-northeast-1
+  }
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_ap-northeast-2" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ap-northeast-2
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-2")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_ap-south-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ap-south-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ap-south-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_ap-southeast-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ap-southeast-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_ap-southeast-2" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ap-southeast-2
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-2")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_ca-central-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.ca-central-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_eu-central-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.eu-central-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_eu-north-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.eu-north-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "eu-north-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_eu-west-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.eu-west-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_eu-west-2" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.eu-west-2
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-2")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_eu-west-3" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.eu-west-3
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-3")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_sa-east-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.sa-east-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_us-east-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "us-east-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_us-east-2" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.us-east-2
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "us-east-2")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_us-west-1" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.us-west-1
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "us-west-1")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}
+
+module "analyzer_baseline_us-west-2" {
+  source = "./modules/analyzer-baseline"
+
+  providers = {
+    aws = aws.us-west-2
+  }
+
+  enabled         = local.is_analyzer_enabled && contains(var.target_regions, "us-west-2")
+  analyzer_name   = var.analyzer_name
+  is_organization = local.is_master_account
+  tags            = var.tags
+}

bucket.tf

@@ -74,6 +74,16 @@ data "aws_iam_policy_document" "audit_log" {
     }
   }
 
+  statement {
+    sid     = "AWSCloudTrailHeadForConfig"
+    actions = ["s3:ListBucket"]
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    resources = [module.audit_log_bucket.this_bucket.arn]
+  }
+
   statement {
     sid     = "AWSCloudTrailAclCheckForCloudTrail"
     actions = ["s3:GetBucketAcl"]
@@ -128,10 +138,28 @@ data "aws_iam_policy_document" "audit_log" {
         type        = "AWS"
         identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"]
       }
-      actions   = ["s3:GetBucketLocation", "s3:ListBucket"]
+      actions   = ["s3:GetBucketAcl", "s3:GetBucketLocation", "s3:ListBucket"]
       resources = [module.audit_log_bucket.this_bucket.arn]
     }
   }
+
+  dynamic "statement" {
+    for_each = local.is_master_account && length(var.member_accounts) > 0 ? [var.member_accounts] : []
+
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"]
+      }
+      actions   = ["s3:PutObject"]
+      resources = [for account in statement.value : "${module.audit_log_bucket.this_bucket.arn}/config/AWSLogs/${account.account_id}/Config/*"]
+      condition {
+        test     = "StringEquals"
+        variable = "s3:x-amz-acl"
+        values   = ["bucket-owner-full-control"]
+      }
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "audit_log" {