terraform-aws-secure-baseline

Terraform Module Registry

A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on CIS Amazon Web Services Foundations v1.4.0 and AWS Foundational Security Best Practices v1.0.0.

See Benchmark Compliance to check which items in various benchmarks are covered.

Features

Identity and Access Management

• Set up IAM Password Policy.
• Create an IAM role for contacting AWS support for incident handling.
• Enable AWS Config rules to audit root account status.
• Enable IAM Access Analyzer in each region.
• Enable S3 account-level Public Access Block configuration.

Logging & Monitoring

• Enable CloudTrail in all regions and deliver events to CloudWatch Logs.
• Object-level logging for all S3 buckets is enabled by default.
• CloudTrail Insights event logging is enabled by default.
• CloudTrail logs are encrypted using AWS Key Management Service.
• All logs are stored in the S3 bucket with access logging enabled.
• Logs are automatically archived into Amazon Glacier after the given period(defaults to 90 days).
• Set up CloudWatch alarms to notify you when critical changes happen in your AWS account.
• Enable AWS Config in each regions to automatically take configuration snapshots.
• Enable SecurityHub and subscribe available standards.
• Enable GuardDuty in each regions.

Networking & Computing

• Remove all rules associated with default route tables, default network ACLs and default security groups in the default VPC in all regions.
• Disable automatic public IP assignments in default subnets.
• Enable AWS Config rules to audit unrestricted common ports in Security Group rules.
• Enable VPC Flow Logs with the default VPC in all regions.
• Enable default EBS encryption for newly created volumes.

Usage

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

module "secure_baseline" {
  source  = "nozaq/secure-baseline/aws"

  audit_log_bucket_name           = "YOUR_BUCKET_NAME"
  aws_account_id                  = data.aws_caller_identity.current.account_id
  region                          = data.aws_region.current.name
  support_iam_role_principal_arns = ["YOUR_IAM_USER"]

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}

Check the example to understand how these providers are defined. Note that you need to define a provider for each AWS region and pass them to the module. Currently this is the recommended way to handle multiple regions in one module. Detailed information can be found at Providers within Modules - Terraform Docs.

A new S3 bucket to store audit logs is automatically created by default, while the external S3 bucket can be specified. It is useful when you already have a centralized S3 bucket to store all logs. Please see external-bucket example for more detail.

Managing multiple accounts in AWS Organization

When you have multiple AWS accounts in your AWS Organization, secure-baseline module configures the separated environment for each AWS account. You can change this behavior to centrally manage security information and audit logs from all accounts in one master account. Check organization example for more detail.

Submodules

This module is composed of several submodules and each of which can be used independently. Modules in Package Sub-directories - Terraform describes how to source a submodule.

• alarm-baseline
• analyzer-baseline
• cloudtrail-baseline
• config-baseline
• ebs-baseline
• guardduty-baseline
• iam-baseline
• s3-baseline
• secure-bucket
• securityhub-baseline
• vpc-baseline

Requirements

Name	Version
terraform	>= 0.15
aws	>= 3.39.0

Providers

Name	Version
aws	>= 3.39.0

Modules

Name	Source	Version
alarm_baseline	./modules/alarm-baseline	n/a
analyzer_baseline_ap-northeast-1	./modules/analyzer-baseline	n/a
analyzer_baseline_ap-northeast-2	./modules/analyzer-baseline	n/a
analyzer_baseline_ap-northeast-3	./modules/analyzer-baseline	n/a
analyzer_baseline_ap-south-1	./modules/analyzer-baseline	n/a
analyzer_baseline_ap-southeast-1	./modules/analyzer-baseline	n/a
analyzer_baseline_ap-southeast-2	./modules/analyzer-baseline	n/a
analyzer_baseline_ca-central-1	./modules/analyzer-baseline	n/a
analyzer_baseline_eu-central-1	./modules/analyzer-baseline	n/a
analyzer_baseline_eu-north-1	./modules/analyzer-baseline	n/a
analyzer_baseline_eu-west-1	./modules/analyzer-baseline	n/a
analyzer_baseline_eu-west-2	./modules/analyzer-baseline	n/a
analyzer_baseline_eu-west-3	./modules/analyzer-baseline	n/a
analyzer_baseline_sa-east-1	./modules/analyzer-baseline	n/a
analyzer_baseline_us-east-1	./modules/analyzer-baseline	n/a
analyzer_baseline_us-east-2	./modules/analyzer-baseline	n/a
analyzer_baseline_us-west-1	./modules/analyzer-baseline	n/a
analyzer_baseline_us-west-2	./modules/analyzer-baseline	n/a
audit_log_bucket	./modules/secure-bucket	n/a
cloudtrail_baseline	./modules/cloudtrail-baseline	n/a
config_baseline_ap-northeast-1	./modules/config-baseline	n/a
config_baseline_ap-northeast-2	./modules/config-baseline	n/a
config_baseline_ap-northeast-3	./modules/config-baseline	n/a
config_baseline_ap-south-1	./modules/config-baseline	n/a
config_baseline_ap-southeast-1	./modules/config-baseline	n/a
config_baseline_ap-southeast-2	./modules/config-baseline	n/a
config_baseline_ca-central-1	./modules/config-baseline	n/a
config_baseline_eu-central-1	./modules/config-baseline	n/a
config_baseline_eu-north-1	./modules/config-baseline	n/a
config_baseline_eu-west-1	./modules/config-baseline	n/a
config_baseline_eu-west-2	./modules/config-baseline	n/a
config_baseline_eu-west-3	./modules/config-baseline	n/a
config_baseline_sa-east-1	./modules/config-baseline	n/a
config_baseline_us-east-1	./modules/config-baseline	n/a
config_baseline_us-east-2	./modules/config-baseline	n/a
config_baseline_us-west-1	./modules/config-baseline	n/a
config_baseline_us-west-2	./modules/config-baseline	n/a
ebs_baseline_ap-northeast-1	./modules/ebs-baseline	n/a
ebs_baseline_ap-northeast-2	./modules/ebs-baseline	n/a
ebs_baseline_ap-northeast-3	./modules/ebs-baseline	n/a
ebs_baseline_ap-south-1	./modules/ebs-baseline	n/a
ebs_baseline_ap-southeast-1	./modules/ebs-baseline	n/a
ebs_baseline_ap-southeast-2	./modules/ebs-baseline	n/a
ebs_baseline_ca-central-1	./modules/ebs-baseline	n/a
ebs_baseline_eu-central-1	./modules/ebs-baseline	n/a
ebs_baseline_eu-north-1	./modules/ebs-baseline	n/a
ebs_baseline_eu-west-1	./modules/ebs-baseline	n/a
ebs_baseline_eu-west-2	./modules/ebs-baseline	n/a
ebs_baseline_eu-west-3	./modules/ebs-baseline	n/a
ebs_baseline_sa-east-1	./modules/ebs-baseline	n/a
ebs_baseline_us-east-1	./modules/ebs-baseline	n/a
ebs_baseline_us-east-2	./modules/ebs-baseline	n/a
ebs_baseline_us-west-1	./modules/ebs-baseline	n/a
ebs_baseline_us-west-2	./modules/ebs-baseline	n/a
guardduty_baseline_ap-northeast-1	./modules/guardduty-baseline	n/a
guardduty_baseline_ap-northeast-2	./modules/guardduty-baseline	n/a
guardduty_baseline_ap-northeast-3	./modules/guardduty-baseline	n/a
guardduty_baseline_ap-south-1	./modules/guardduty-baseline	n/a
guardduty_baseline_ap-southeast-1	./modules/guardduty-baseline	n/a
guardduty_baseline_ap-southeast-2	./modules/guardduty-baseline	n/a
guardduty_baseline_ca-central-1	./modules/guardduty-baseline	n/a
guardduty_baseline_eu-central-1	./modules/guardduty-baseline	n/a
guardduty_baseline_eu-north-1	./modules/guardduty-baseline	n/a
guardduty_baseline_eu-west-1	./modules/guardduty-baseline	n/a
guardduty_baseline_eu-west-2	./modules/guardduty-baseline	n/a
guardduty_baseline_eu-west-3	./modules/guardduty-baseline	n/a
guardduty_baseline_sa-east-1	./modules/guardduty-baseline	n/a
guardduty_baseline_us-east-1	./modules/guardduty-baseline	n/a
guardduty_baseline_us-east-2	./modules/guardduty-baseline	n/a
guardduty_baseline_us-west-1	./modules/guardduty-baseline	n/a
guardduty_baseline_us-west-2	./modules/guardduty-baseline	n/a
iam_baseline	./modules/iam-baseline	n/a
s3_baseline	./modules/s3-baseline	n/a
securityhub_baseline_ap-northeast-1	./modules/securityhub-baseline	n/a
securityhub_baseline_ap-northeast-2	./modules/securityhub-baseline	n/a
securityhub_baseline_ap-northeast-3	./modules/securityhub-baseline	n/a
securityhub_baseline_ap-south-1	./modules/securityhub-baseline	n/a
securityhub_baseline_ap-southeast-1	./modules/securityhub-baseline	n/a
securityhub_baseline_ap-southeast-2	./modules/securityhub-baseline	n/a
securityhub_baseline_ca-central-1	./modules/securityhub-baseline	n/a
securityhub_baseline_eu-central-1	./modules/securityhub-baseline	n/a
securityhub_baseline_eu-north-1	./modules/securityhub-baseline	n/a
securityhub_baseline_eu-west-1	./modules/securityhub-baseline	n/a
securityhub_baseline_eu-west-2	./modules/securityhub-baseline	n/a
securityhub_baseline_eu-west-3	./modules/securityhub-baseline	n/a
securityhub_baseline_sa-east-1	./modules/securityhub-baseline	n/a
securityhub_baseline_us-east-1	./modules/securityhub-baseline	n/a
securityhub_baseline_us-east-2	./modules/securityhub-baseline	n/a
securityhub_baseline_us-west-1	./modules/securityhub-baseline	n/a
securityhub_baseline_us-west-2	./modules/securityhub-baseline	n/a
vpc_baseline_ap-northeast-1	./modules/vpc-baseline	n/a
vpc_baseline_ap-northeast-2	./modules/vpc-baseline	n/a
vpc_baseline_ap-northeast-3	./modules/vpc-baseline	n/a
vpc_baseline_ap-south-1	./modules/vpc-baseline	n/a
vpc_baseline_ap-southeast-1	./modules/vpc-baseline	n/a
vpc_baseline_ap-southeast-2	./modules/vpc-baseline	n/a
vpc_baseline_ca-central-1	./modules/vpc-baseline	n/a
vpc_baseline_eu-central-1	./modules/vpc-baseline	n/a
vpc_baseline_eu-north-1	./modules/vpc-baseline	n/a
vpc_baseline_eu-west-1	./modules/vpc-baseline	n/a
vpc_baseline_eu-west-2	./modules/vpc-baseline	n/a
vpc_baseline_eu-west-3	./modules/vpc-baseline	n/a
vpc_baseline_sa-east-1	./modules/vpc-baseline	n/a
vpc_baseline_us-east-1	./modules/vpc-baseline	n/a
vpc_baseline_us-east-2	./modules/vpc-baseline	n/a
vpc_baseline_us-west-1	./modules/vpc-baseline	n/a
vpc_baseline_us-west-2	./modules/vpc-baseline	n/a

Resources

Name	Type
aws_config_config_rule.iam_mfa	resource
aws_config_config_rule.no_policies_with_full_admin_access	resource
aws_config_config_rule.unused_credentials	resource
aws_config_config_rule.user_no_policies	resource
aws_config_configuration_aggregator.organization	resource
aws_iam_role.config_organization	resource
aws_iam_role.flow_logs_publisher	resource
aws_iam_role.recorder	resource
aws_iam_role_policy.flow_logs_publish_policy	resource
aws_iam_role_policy.recorder_publish_policy	resource
aws_iam_role_policy_attachment.config_organization	resource
aws_iam_role_policy_attachment.recorder_read_policy	resource
aws_s3_bucket_policy.audit_log	resource
aws_iam_policy_document.audit_log	data source
aws_iam_policy_document.audit_log_base	data source
aws_iam_policy_document.audit_log_cloud_trail	data source
aws_iam_policy_document.audit_log_config	data source
aws_iam_policy_document.audit_log_flow_logs	data source
aws_iam_policy_document.config_organization_assume_role_policy	data source
aws_iam_policy_document.flow_logs_publish_policy	data source
aws_iam_policy_document.flow_logs_publisher_assume_role_policy	data source
aws_iam_policy_document.recorder_assume_role_policy	data source
aws_iam_policy_document.recorder_publish_policy	data source
aws_organizations_organization.org	data source
aws_s3_bucket.external	data source

Inputs

Name	Description	Type	Default	Required
account_type	The type of the AWS account. The possible values are individual, master and member . Specify master and member to set up centalized logging for multiple accounts in AWS Organization. Use individual otherwise.	string	"individual"	no
alarm_namespace	The namespace in which all alarms are set up.	string	"CISBenchmark"	no
alarm_sns_topic_name	The name of the SNS Topic which will be notified when any alarm is performed.	string	"CISAlarm"	no
allow_users_to_change_password	Whether to allow users to change their own password.	bool	true	no
analyzer_name	The name for the IAM Access Analyzer resource to be created.	string	"default-analyzer"	no
audit_log_bucket_custom_policy_json	Override policy for the audit log bucket. Allows addition of extra policies.	string	"{}"	no
audit_log_bucket_force_destroy	A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable.	bool	false	no
audit_log_bucket_name	The name of the S3 bucket to store various audit logs.	any	n/a	yes
audit_log_lifecycle_glacier_transition_days	The number of days after log creation when the log file is archived into Glacier.	number	90	no
aws_account_id	The AWS Account ID number of the account.	any	n/a	yes
aws_config_changes_enabled	The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
cloudtrail_cfg_changes_enabled	The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
cloudtrail_cloudwatch_logs_enabled	Specifies whether the trail is delivered to CloudWatch Logs.	bool	true	no
cloudtrail_cloudwatch_logs_group_name	The name of CloudWatch Logs group to which CloudTrail events are delivered.	string	"cloudtrail-multi-region"	no
cloudtrail_dynamodb_event_logging_tables	The list of DynamoDB table ARNs on which to enable event logging.	list	[ "arn:aws:dynamodb" ]	no
cloudtrail_iam_role_name	The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group.	string	"CloudTrail-CloudWatch-Delivery-Role"	no
cloudtrail_iam_role_policy_name	The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group.	string	"CloudTrail-CloudWatch-Delivery-Policy"	no
cloudtrail_key_deletion_window_in_days	Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.	number	10	no
cloudtrail_lambda_invocation_logging_lambdas	The list of lambda ARNs on which to enable invocation logging.	list	[ "arn:aws:lambda" ]	no
cloudtrail_name	The name of the trail.	string	"cloudtrail-multi-region"	no
cloudtrail_s3_key_prefix	The prefix used when CloudTrail delivers events to the S3 bucket.	string	"cloudtrail"	no
cloudtrail_s3_object_level_logging_buckets	The list of S3 bucket ARNs on which to enable object-level logging.	list	[ "arn:aws:s3:::" ]	no
cloudtrail_sns_topic_enabled	Specifies whether the trail is delivered to a SNS topic.	bool	true	no
cloudtrail_sns_topic_name	The name of the SNS topic to link to the trail.	string	"cloudtrail-multi-region-sns-topic"	no
cloudwatch_logs_retention_in_days	Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely.	number	365	no
config_aggregator_name	The name of the organizational AWS Config Configuration Aggregator.	string	"organization-aggregator"	no
config_aggregator_name_prefix	The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator.	string	"config-for-organization-role"	no
config_baseline_enabled	Boolean whether config-baseline is enabled.	bool	true	no
config_delivery_frequency	The frequency which AWS Config sends a snapshot into the S3 bucket.	string	"One_Hour"	no
config_global_resources_all_regions	Record global resources in all regions. If false, only default region will record global resources.	bool	false	no
config_iam_role_name	The name of the IAM Role which AWS Config will use.	string	"Config-Recorder"	no
config_iam_role_policy_name	The name of the IAM Role Policy which AWS Config will use.	string	"Config-Recorder-Policy"	no
config_s3_bucket_key_prefix	The prefix used when writing AWS Config snapshots into the S3 bucket.	string	"config"	no
config_sns_topic_name	The name of the SNS Topic to be used to notify configuration changes.	string	"ConfigChanges"	no
console_signin_failures_enabled	The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false.	bool	true	no
create_manager_role	Define if the manager role should be created.	bool	true	no
create_master_role	Define if the master role should be created.	bool	true	no
create_password_policy	Define if the password policy should be created.	bool	true	no
create_support_role	Define if the support role should be created.	bool	true	no
disable_or_delete_cmk_enabled	The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false.	bool	true	no
guardduty_disable_email_notification	Boolean whether an email notification is sent to the accounts.	bool	false	no
guardduty_enabled	Boolean whether the guardduty-baseline module is enabled or disabled	bool	true	no
guardduty_finding_publishing_frequency	Specifies the frequency of notifications sent for subsequent finding occurrences.	string	"SIX_HOURS"	no
guardduty_invitation_message	Message for invitation.	string	"This is an automatic invitation message from guardduty-baseline module."	no
iam_changes_enabled	The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
manager_iam_role_name	The name of the IAM Manager role.	string	"IAM-Manager"	no
manager_iam_role_policy_name	The name of the IAM Manager role policy.	string	"IAM-Manager-Policy"	no
master_account_id	The ID of the master AWS account to which the current AWS account is associated. Required if account_type is member.	string	""	no
master_iam_role_name	The name of the IAM Master role.	string	"IAM-Master"	no
master_iam_role_policy_name	The name of the IAM Master role policy.	string	"IAM-Master-Policy"	no
max_password_age	The number of days that an user password is valid.	number	0	no
member_accounts	A list of IDs and emails of AWS accounts which associated as member accounts.	list(object({ account_id = string email = string }))	[]	no
minimum_password_length	Minimum length to require for user passwords.	number	14	no
nacl_changes_enabled	The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
network_gw_changes_enabled	The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
no_mfa_console_signin_enabled	The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false.	bool	true	no
organizations_changes_enabled	The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
password_reuse_prevention	The number of previous passwords that users are prevented from reusing.	number	24	no
region	The AWS region in which global resources are set up.	any	n/a	yes
require_lowercase_characters	Whether to require lowercase characters for user passwords.	bool	false	no
require_numbers	Whether to require numbers for user passwords.	bool	false	no
require_symbols	Whether to require symbols for user passwords.	bool	false	no
require_uppercase_characters	Whether to require uppercase characters for user passwords.	bool	false	no
root_usage_enabled	The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false.	bool	true	no
route_table_changes_enabled	The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
s3_block_public_acls	Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true.	bool	true	no
s3_block_public_policy	Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true.	bool	true	no
s3_bucket_policy_changes_enabled	The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
s3_ignore_public_acls	Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.	bool	true	no
s3_restrict_public_buckets	Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.	bool	true	no
security_group_changes_enabled	The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
securityhub_enable_aws_foundational_standard	Boolean whether AWS Foundations standard is enabled.	bool	true	no
securityhub_enable_cis_standard	Boolean whether CIS standard is enabled.	bool	true	no
securityhub_enable_pci_dss_standard	Boolean whether PCI DSS standard is enabled.	bool	false	no
securityhub_enable_product_arns	List of Security Hub product ARNs, <REGION> will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list.	list(string)	[]	no
securityhub_enabled	Boolean whether the securityhub-baseline module is enabled or disabled	bool	true	no
support_iam_role_name	The name of the the support role.	string	"IAM-Support"	no
support_iam_role_policy_name	The name of the support role policy.	string	"IAM-Support-Role"	no
support_iam_role_principal_arns	List of ARNs of the IAM principal elements by which the support role could be assumed.	list(any)	n/a	yes
tags	Specifies object tags key and value. This applies to all resources created by this module.	map	{}	no
target_regions	A list of regions to set up with this module.	list	[ "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2" ]	no
unauthorized_api_calls_enabled	The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false.	bool	true	no
use_external_audit_log_bucket	A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false.	bool	false	no
vpc_changes_enabled	The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false.	bool	true	no
vpc_enable	Boolean whether the VPC baseline module should be enabled	bool	true	no
vpc_enable_flow_logs	The boolean flag whether to enable VPC Flow Logs in default VPCs	bool	true	no
vpc_flow_logs_destination_type	The type of the logging destination. Valid values: cloud-watch-logs, s3	string	"cloud-watch-logs"	no
vpc_flow_logs_log_group_name	The name of CloudWatch Logs group to which VPC Flow Logs are delivered.	string	"default-vpc-flow-logs"	no
vpc_flow_logs_retention_in_days	Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely.	number	365	no
vpc_flow_logs_s3_arn	ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3.	string	""	no
vpc_flow_logs_s3_key_prefix	The prefix used when VPC Flow Logs delivers logs to the S3 bucket.	string	"flow-logs"	no
vpc_iam_role_name	The name of the IAM Role which VPC Flow Logs will use.	string	"VPC-Flow-Logs-Publisher"	no
vpc_iam_role_policy_name	The name of the IAM Role Policy which VPC Flow Logs will use.	string	"VPC-Flow-Logs-Publish-Policy"	no

Outputs

Name	Description
alarm_sns_topic	The SNS topic to which CloudWatch Alarms will be sent.
audit_bucket	The S3 bucket used for storing audit logs.
cloudtrail	The trail for recording events in all regions.
cloudtrail_kms_key	The KMS key used for encrypting CloudTrail events.
cloudtrail_log_delivery_iam_role	The IAM role used for delivering CloudTrail events to CloudWatch Logs.
cloudtrail_log_group	The CloudWatch Logs log group which stores CloudTrail events.
cloudtrail_sns_topic	The sns topic linked to the cloudtrail.
config_configuration_recorder	The configuration recorder in each region.
config_iam_role	The IAM role used for delivering AWS Config records to CloudWatch Logs.
config_sns_topic	The SNS topic that AWS Config delivers notifications to.
default_network_acl	The default network ACL.
default_route_table	The default route table.
default_security_group	The ID of the default security group.
default_vpc	The default VPC.
guardduty_detector	The GuardDuty detector in each region.
support_iam_role	The IAM role used for the support user.
vpc_flow_logs_group	The CloudWatch Logs log group which stores VPC Flow Logs in each region.
vpc_flow_logs_iam_role	The IAM role used for delivering VPC Flow Logs to CloudWatch Logs.

Compatibility

• Starting from v0.20, this module requires Terraform Provider for AWS v3.0 or later. Please use v0.19 if you need to use v2.x or earlier.
• Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier.