Merge pull request #24 from binbashar/master

Make some of the existing rules optional and add...

README.md

@@ -3,13 +3,23 @@ Enables AWS Config and adds managed config rules with good defaults.
 The following AWS Config Rules are supported:
 
 * acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
+* approved-amis-by-tag: Checks whether running instances are using specified AMIs.
 * cloudtrail-enabled: Ensure CloudTrail is enabled.
+* cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
+* cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
+* multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.
+* ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
 * ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances
+* eip_attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
 * guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
 * iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
 * iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
+* iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
 * instances-in-vpc: Ensure all EC2 instances run in a VPC.
+* required-tags: Checks if resources are deployed with configured tags.
 * root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
+* rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
+* rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
 * rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
 * s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
 
@@ -38,14 +48,28 @@ module "aws_config" {
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acm\_days\_to\_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | string | `"14"` | no |
-| aggregate\_organization | Aggregate compliance data by organization | string | `"false"` | no |
+| aggregate\_organization | Aggregate compliance data by organization | bool | `"false"` | no |
+| ami\_required\_tag\_key\_value | Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2 | string | `""` | no |
+| check\_acm\_certificate\_expiration\_check | Enable acm-certificate-expiration-check rule | string | `"true"` | no |
+| check\_approved\_amis\_by\_tag | Enable approved-amis-by-tag rule | string | `"false"` | no |
 | check\_cloud\_trail\_encryption | Enable cloud-trail-encryption-enabled rule | string | `"false"` | no |
 | check\_cloud\_trail\_log\_file\_validation | Enable cloud-trail-log-file-validation-enabled rule | string | `"false"` | no |
+| check\_cloudtrail\_enabled | Enable cloudtrail-enabled rule | string | `"false"` | no |
+| check\_ec2\_encrypted\_volumes | Enable ec2-encrypted-volumes rule | string | `"true"` | no |
+| check\_ec2\_volume\_inuse\_check | Enable ec2-volume-inuse-check rule | string | `"true"` | no |
 | check\_eip\_attached | Enable eip-attached rule | string | `"false"` | no |
 | check\_guard\_duty | Enable guardduty-enabled-centralized rule | string | `"false"` | no |
+| check\_iam\_group\_has\_users\_check | Enable iam-group-has-users-check rule | string | `"true"` | no |
+| check\_iam\_password\_policy | Enable iam-password-policy rule | string | `"true"` | no |
+| check\_iam\_user\_no\_policies\_check | Enable iam-user-no-policies-check rule | string | `"true"` | no |
+| check\_instances\_in\_vpc | Enable instances-in-vpc rule | string | `"true"` | no |
 | check\_multi\_region\_cloud\_trail | Enable multi-region-cloud-trail-enabled rule | string | `"false"` | no |
 | check\_rds\_public\_access | Enable rds-instance-public-access-check rule | string | `"false"` | no |
+| check\_rds\_snapshots\_public\_prohibited | Enable rds-snapshots-public-prohibited rule | string | `"true"` | no |
+| check\_rds\_storage\_encrypted | Enable rds-storage-encrypted rule | string | `"true"` | no |
 | check\_required\_tags | Enable required-tags rule | string | `"false"` | no |
+| check\_root\_account\_mfa\_enabled | Enable root-account-mfa-enabled rule | string | `"false"` | no |
+| check\_s3\_bucket\_public\_write\_prohibited | Enable s3-bucket-public-write-prohibited rule | string | `"true"` | no |
 | config\_aggregator\_name | The name of the aggregator. | string | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | `"Six_Hours"` | no |
 | config\_logs\_bucket | The S3 bucket for AWS Config logs. | string | n/a | yes |

config-aggregator.tf

@@ -40,5 +40,4 @@ resource "aws_config_configuration_aggregator" "organization" {
     all_regions = true
     role_arn    = aws_iam_role.aggregator[0].arn
   }
-}
-
+}

config-policies/ami-approved-tag.tpl

@@ -0,0 +1,3 @@
+{
+	"amisByTagKeyAndValue": "${ami_required_tag_key_value}"
+}

config-rules.tf

@@ -23,11 +23,20 @@ data "template_file" "aws_config_acm_certificate_expiration" {
   }
 }
 
+data "template_file" "aws_config_ami_approved_tag" {
+  template = "${file("${path.module}/config-policies/ami-approved-tag.tpl")}"
+
+  vars = {
+    ami_required_tag_key_value = var.ami_required_tag_key_value
+  }
+}
+
 #
 # AWS Config Rules
 #
 
 resource "aws_config_config_rule" "iam-password-policy" {
+  count            = var.check_iam_password_policy ? 1 : 0
   name             = "iam-password-policy"
   description      = "Ensure the account password policy for IAM users meets the specified requirements"
   input_parameters = data.template_file.aws_config_iam_password_policy.rendered
@@ -46,6 +55,7 @@ resource "aws_config_config_rule" "iam-password-policy" {
 }
 
 resource "aws_config_config_rule" "cloudtrail-enabled" {
+  count       = var.check_cloudtrail_enabled ? 1 : 0
   name        = "cloudtrail-enabled"
   description = "Ensure CloudTrail is enabled"
 
@@ -117,6 +127,7 @@ resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {
 }
 
 resource "aws_config_config_rule" "instances-in-vpc" {
+  count       = var.check_instances_in_vpc ? 1 : 0
   name        = "instances-in-vpc"
   description = "Ensure all EC2 instances run in a VPC"
 
@@ -132,6 +143,7 @@ resource "aws_config_config_rule" "instances-in-vpc" {
 }
 
 resource "aws_config_config_rule" "root-account-mfa-enabled" {
+  count       = var.check_root_account_mfa_enabled ? 1 : 0
   name        = "root-account-mfa-enabled"
   description = "Ensure root AWS account has MFA enabled"
 
@@ -149,6 +161,7 @@ resource "aws_config_config_rule" "root-account-mfa-enabled" {
 }
 
 resource "aws_config_config_rule" "acm-certificate-expiration-check" {
+  count            = var.check_acm_certificate_expiration_check ? 1 : 0
   name             = "acm-certificate-expiration-check"
   description      = "Ensures ACM Certificates in your account are marked for expiration within the specified number of days"
   input_parameters = data.template_file.aws_config_acm_certificate_expiration.rendered
@@ -164,6 +177,7 @@ resource "aws_config_config_rule" "acm-certificate-expiration-check" {
 }
 
 resource "aws_config_config_rule" "ec2-volume-inuse-check" {
+  count       = var.check_ec2_volume_inuse_check ? 1 : 0
   name        = "ec2-volume-inuse-check"
   description = "Checks whether EBS volumes are attached to EC2 instances"
 
@@ -176,6 +190,7 @@ resource "aws_config_config_rule" "ec2-volume-inuse-check" {
 }
 
 resource "aws_config_config_rule" "iam-user-no-policies-check" {
+  count       = var.check_iam_user_no_policies_check ? 1 : 0
   name        = "iam-user-no-policies-check"
   description = "Ensure that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles."
 
@@ -188,6 +203,7 @@ resource "aws_config_config_rule" "iam-user-no-policies-check" {
 }
 
 resource "aws_config_config_rule" "iam-group-has-users-check" {
+  count       = var.check_iam_group_has_users_check ? 1 : 0
   name        = "iam-group-has-users-check"
   description = "Checks whether IAM groups have at least one IAM user."
 
@@ -200,6 +216,7 @@ resource "aws_config_config_rule" "iam-group-has-users-check" {
 }
 
 resource "aws_config_config_rule" "rds-storage-encrypted" {
+  count       = var.check_rds_storage_encrypted ? 1 : 0
   name        = "rds-storage-encrypted"
   description = "Checks whether storage encryption is enabled for your RDS DB instances."
 
@@ -212,8 +229,7 @@ resource "aws_config_config_rule" "rds-storage-encrypted" {
 }
 
 resource "aws_config_config_rule" "rds-instance-public-access-check" {
-  count = var.check_rds_public_access ? 1 : 0
-
+  count       = var.check_rds_public_access ? 1 : 0
   name        = "rds-instance-public-access-check"
   description = "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item."
 
@@ -226,6 +242,7 @@ resource "aws_config_config_rule" "rds-instance-public-access-check" {
 }
 
 resource "aws_config_config_rule" "rds-snapshots-public-prohibited" {
+  count       = var.check_rds_snapshots_public_prohibited ? 1 : 0
   name        = "rds-snapshots-public-prohibited"
   description = "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public."
 
@@ -238,8 +255,7 @@ resource "aws_config_config_rule" "rds-snapshots-public-prohibited" {
 }
 
 resource "aws_config_config_rule" "guardduty-enabled-centralized" {
-  count = var.check_guard_duty ? 1 : 0
-
+  count       = var.check_guard_duty ? 1 : 0
   name        = "guardduty-enabled-centralized"
   description = "Checks whether Amazon GuardDuty is enabled in your AWS account and region."
 
@@ -254,6 +270,7 @@ resource "aws_config_config_rule" "guardduty-enabled-centralized" {
 }
 
 resource "aws_config_config_rule" "s3-bucket-public-write-prohibited" {
+  count       = var.check_s3_bucket_public_write_prohibited ? 1 : 0
   name        = "s3-bucket-public-write-prohibited"
   description = "Checks that your S3 buckets do not allow public write access."
 
@@ -266,8 +283,7 @@ resource "aws_config_config_rule" "s3-bucket-public-write-prohibited" {
 }
 
 resource "aws_config_config_rule" "eip_attached" {
-  count = var.check_eip_attached ? 1 : 0
-
+  count       = var.check_eip_attached ? 1 : 0
   name        = "eip-attached"
   description = "Checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs)."
 
@@ -280,16 +296,15 @@ resource "aws_config_config_rule" "eip_attached" {
 }
 
 resource "aws_config_config_rule" "required-tags" {
-  count = var.check_required_tags ? 1 : 0
-
+  count       = var.check_required_tags ? 1 : 0
   name        = "required-tags"
   description = "Checks if resources are deployed with configured tags."
 
   scope {
     compliance_resource_types = var.required_tags_resource_types
   }
 
-  input_parameters = "${jsonencode(var.required_tags)}"
+  input_parameters = jsonencode(var.required_tags)
 
   source {
     owner             = "AWS"
@@ -298,3 +313,30 @@ resource "aws_config_config_rule" "required-tags" {
 
   depends_on = [aws_config_configuration_recorder.main]
 }
+
+resource "aws_config_config_rule" "approved-amis-by-tag" {
+  count            = var.check_approved_amis_by_tag ? 1 : 0
+  name             = "approved-amis-by-tag"
+  description      = "Checks whether running instances are using specified AMIs. Running instances that dont have at least one of the specified tags are noncompliant"
+  input_parameters = data.template_file.aws_config_ami_approved_tag.rendered
+
+  source {
+    owner             = "AWS"
+    source_identifier = "APPROVED_AMIS_BY_TAG"
+  }
+
+  depends_on = [aws_config_configuration_recorder.main]
+}
+
+resource "aws_config_config_rule" "ec2-encrypted-volumes" {
+  count       = var.check_ec2_encrypted_volumes ? 1 : 0
+  name        = "ec2-volumes-must-be-encrypted"
+  description = "Evaluates whether EBS volumes that are in an attached state are encrypted. Optionally, you can specify the ID of a KMS key to use to encrypt the volume."
+
+  source {
+    owner             = "AWS"
+    source_identifier = "ENCRYPTED_VOLUMES"
+  }
+
+  depends_on = [aws_config_configuration_recorder.main]
+}

variables.tf

@@ -12,8 +12,8 @@ variable "config_aggregator_name" {
 
 variable "aggregate_organization" {
   description = "Aggregate compliance data by organization"
-  type        = string
-  default     = "false"
+  type        = bool
+  default     = false
 }
 
 variable "config_logs_bucket" {
@@ -23,14 +23,14 @@ variable "config_logs_bucket" {
 
 variable "config_logs_prefix" {
   description = "The S3 prefix for AWS Config logs."
-  default     = "config"
   type        = string
+  default     = "config"
 }
 
 variable "config_max_execution_frequency" {
   description = "The maximum frequency with which AWS Config runs evaluations for a rule."
-  default     = "TwentyFour_Hours"
   type        = string
+  default     = "TwentyFour_Hours"
 }
 
 variable "config_delivery_frequency" {
@@ -79,6 +79,11 @@ variable "password_max_age" {
   default     = 90
 }
 
+variable "check_root_account_mfa_enabled" {
+  description = "Enable root-account-mfa-enabled rule"
+  default     = false
+}
+
 variable "check_guard_duty" {
   description = "Enable guardduty-enabled-centralized rule"
   default     = false
@@ -94,6 +99,11 @@ variable "check_multi_region_cloud_trail" {
   default     = false
 }
 
+variable "check_cloudtrail_enabled" {
+  description = "Enable cloudtrail-enabled rule"
+  default     = false
+}
+
 variable "check_cloud_trail_encryption" {
   description = "Enable cloud-trail-encryption-enabled rule"
   default     = false
@@ -126,3 +136,63 @@ variable "required_tags" {
   default     = {}
 }
 
+variable "check_instances_in_vpc" {
+  description = "Enable instances-in-vpc rule"
+  default     = true
+}
+
+variable "check_acm_certificate_expiration_check" {
+  description = "Enable acm-certificate-expiration-check rule"
+  default     = true
+}
+
+variable "check_iam_password_policy" {
+  description = "Enable iam-password-policy rule"
+  default     = true
+}
+
+variable "check_iam_group_has_users_check" {
+  description = "Enable iam-group-has-users-check rule"
+  default     = true
+}
+
+variable "check_iam_user_no_policies_check" {
+  description = "Enable iam-user-no-policies-check rule"
+  default     = true
+}
+
+variable "check_ec2_volume_inuse_check" {
+  description = "Enable ec2-volume-inuse-check rule"
+  default     = true
+}
+
+variable "check_approved_amis_by_tag" {
+  description = "Enable approved-amis-by-tag rule"
+  default     = false
+}
+
+variable "ami_required_tag_key_value" {
+  description = "Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2"
+  type        = string
+  default     = ""
+}
+
+variable "check_ec2_encrypted_volumes" {
+  description = "Enable ec2-encrypted-volumes rule"
+  default     = true
+}
+
+variable "check_rds_storage_encrypted" {
+  description = "Enable rds-storage-encrypted rule"
+  default     = true
+}
+
+variable "check_rds_snapshots_public_prohibited" {
+  description = "Enable rds-snapshots-public-prohibited rule"
+  default     = true
+}
+
+variable "check_s3_bucket_public_write_prohibited" {
+  description = "Enable s3-bucket-public-write-prohibited rule"
+  default     = true
+}

versions.tf

@@ -1,4 +1,9 @@
 
 terraform {
   required_version = ">= 0.12"
-}
+
+  required_providers {
+    aws      = ">= 2.40.0"
+    template = ">= 2.0"
+  }
+}