Enables AWS Config and adds managed config rules with good defaults.
Branch: master. Latest commit dd22640, Mar 11, 2019.

Repository contents (with the latest commit message and date for each entry where the page lists one):

  • .circleci
  • config-policies: Add MaxPasswordAge (Dec 13, 2017)
  • iam-policies: Use a more consistent name for s3 bucket variable (Dec 13, 2017)
  • .markdownlintrc: Added precommit hooks, circleci, license (Dec 7, 2017)
  • .pre-commit-config.yaml: added new rules: guardduty-enabled-centralized, rds-storage-encrypted… (Feb 12, 2019)
  • LICENSE: Added precommit hooks, circleci, license (Dec 7, 2017)
  • README.md: new rule rds-instance-public-access-check (Mar 11, 2019)
  • config-rules.tf: new rule rds-instance-public-access-check (Mar 11, 2019)
  • config-service.tf: Add compliance check to ensure RDS instances are encrypted. Also, cle… (Aug 8, 2018)
  • iam.tf: Add compliance check to ensure RDS instances are encrypted. Also, cle… (Aug 8, 2018)
  • main.tf
  • variables.tf: new rule rds-instance-public-access-check (Mar 11, 2019)

README.md


The following AWS Config Rules are supported:

  • acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
  • cloudtrail-enabled: Ensure CloudTrail is enabled.
  • ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
  • guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
  • iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
  • iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
  • instances-in-vpc: Ensure all EC2 instances run in a VPC.
  • root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
  • rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
  • s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.

## Usage

```hcl
module "aws_config" {
  source             = "trussworks/config/aws"
  config_logs_bucket = "my-aws-logs"
}
```

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| acm_days_to_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | string | `"14"` | no |
| check_guard_duty | Enable guardduty-enabled-centralized rule | string | `"false"` | no |
| check_rds_public_access | Enable rds-instance-public-access-check rule | string | `"false"` | no |
| config_delivery_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | `"Six_Hours"` | no |
| config_logs_bucket | The S3 bucket for AWS Config logs. | string | n/a | yes |
| config_logs_prefix | The S3 prefix for AWS Config logs. | string | `"config"` | no |
| config_max_execution_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | string | `"TwentyFour_Hours"` | no |
| password_max_age | Number of days before password expiration. | string | `"90"` | no |
| password_min_length | Password minimum length. | string | `"14"` | no |
| password_require_lowercase | Require at least one lowercase character in password. | string | `"true"` | no |
| password_require_numbers | Require at least one number in password. | string | `"true"` | no |
| password_require_symbols | Require at least one symbol in password. | string | `"true"` | no |
| password_require_uppercase | Require at least one uppercase character in password. | string | `"true"` | no |
| password_reuse_prevention | Number of passwords before allowing reuse. | string | `"24"` | no |
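The Usage block above shows the minimal call; the example below is an added one (not code from the trussworks/config/aws README or the module itself) that ties the Usage and Inputs sections together: it provisions the log bucket the module writes to, locks it down, grants the AWS Config service principal the delivery permissions it needs, and then calls the module with the opt-in rules enabled and the password-policy defaults tightened. It assumes Terraform 0.12+ syntax and AWS provider 2.x resource blocks, assumes the module does not create `config_logs_bucket` itself (the Inputs table only takes its name), and uses the constructed bucket name `example-org-config-logs`. The bucket policy follows the standard AWS Config delivery policy (GetBucketAcl on the bucket, PutObject under `<prefix>/AWSLogs/<account>/Config/` with `bucket-owner-full-control`), where the prefix matches `config_logs_prefix`.

```hcl
# Added example, not part of the module's README. Assumes Terraform 0.12+ and
# AWS provider 2.x. The bucket name below is a constructed placeholder.

data "aws_caller_identity" "current" {}

# Assumption: the module writes to config_logs_bucket but expects it to exist,
# so create it here with versioning, default encryption and public access blocked.
resource "aws_s3_bucket" "config_logs" {
  bucket = "example-org-config-logs"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "config_logs" {
  bucket                  = aws_s3_bucket.config_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Standard AWS Config delivery policy: the service checks the bucket ACL and
# writes objects under <prefix>/AWSLogs/<account-id>/Config/, and must write
# them with bucket-owner-full-control so the account keeps control of the logs.
data "aws_iam_policy_document" "config_logs" {
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.config_logs.arn]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }

  statement {
    sid     = "AWSConfigBucketDelivery"
    actions = ["s3:PutObject"]
    # "config" here must match config_logs_prefix passed to the module below.
    resources = ["${aws_s3_bucket.config_logs.arn}/config/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "config_logs" {
  bucket = aws_s3_bucket.config_logs.id
  policy = data.aws_iam_policy_document.config_logs.json
}

module "aws_config" {
  source = "trussworks/config/aws"

  config_logs_bucket = aws_s3_bucket.config_logs.id
  config_logs_prefix = "config"

  # Tighten the password-policy defaults from the Inputs table. Values are
  # strings because that is the declared type of every input.
  acm_days_to_expiration    = "30"
  password_max_age          = "60"
  password_min_length       = "16"
  password_reuse_prevention = "24"

  # Opt-in rules that default to "false".
  check_guard_duty        = "true"
  check_rds_public_access = "true"
}
```

Leaving the two opt-in rules at their `"false"` default means GuardDuty and RDS public-access checks are simply never evaluated, so there is no non-compliant finding to act on; enabling them is the difference between a silent gap and a visible rule failure in the AWS Config console.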