kogunlowo123/terraform-aws-security-baseline
GitHub: kogunlowo123/terraform-aws-security-baseline
A production-grade Terraform module that automatically configures a complete security baseline for an AWS account, covering threat detection, audit logging and compliance monitoring.
# terraform-aws-security-baseline
A production-ready Terraform module for establishing a comprehensive AWS account security baseline. Covers GuardDuty, Security Hub, AWS Config, CloudTrail, Macie, IAM Access Analyzer, Detective and IAM hardening.
## Architecture
This module deploys and configures the following AWS security services:
| Service | Purpose |
|---------|---------|
| **Amazon GuardDuty** | Continuous threat detection with S3, EKS and malware protection |
| **AWS Security Hub** | Centralized security findings and compliance checks |
| **AWS Config** | Resource inventory, configuration history and compliance auditing |
| **AWS CloudTrail** | API activity logging with KMS encryption and CloudWatch Logs integration |
| **Amazon Macie** | Automated discovery of sensitive data in S3 |
| **IAM Access Analyzer** | Identifies resources shared with external entities |
| **Amazon Detective** | Security investigation and root-cause analysis |
| **IAM Password Policy** | Enforces strong password requirements |
## Usage
### Single-account baseline
```hcl
module "security_baseline" {
  source  = "kogunlowo123/security-baseline/aws"
  version = "1.0.0"

  name_prefix = "myapp"

  # S3 buckets must exist with appropriate policies
  config_delivery_s3_bucket = "myapp-config-bucket"
  cloudtrail_s3_bucket_name = "myapp-cloudtrail-bucket"

  tags = {
    Project   = "security-baseline"
    ManagedBy = "terraform"
  }
}
```
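The comment in the call above says the two S3 buckets must already exist "with appropriate policies" but does not say what those policies are. The following is an added example (not part of the module) that creates both buckets with the bucket policies CloudTrail and AWS Config require before they will deliver, plus a public-access block and a deny-non-TLS statement. It uses the bucket names from the example above and the `aws_caller_identity` data source for the account ID; everything else is standard AWS service-principal policy shape, not something the module defines.

```hcl
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  # Bucket names match the single-account usage example above. Each service
  # writes under AWSLogs/<account>/ (Config adds a Config/ prefix) and checks
  # the bucket before its first delivery.
  log_buckets = {
    cloudtrail = { name = "myapp-cloudtrail-bucket", service = "cloudtrail.amazonaws.com", prefix = "" }
    config     = { name = "myapp-config-bucket", service = "config.amazonaws.com", prefix = "Config/" }
  }
}

resource "aws_s3_bucket" "logs" {
  for_each = local.log_buckets
  bucket   = each.value.name
}

# Log buckets must never be public (CIS v1.4.0 section 2.1).
resource "aws_s3_bucket_public_access_block" "logs" {
  for_each                = aws_s3_bucket.logs
  bucket                  = each.value.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "logs" {
  for_each = local.log_buckets

  # Pre-delivery checks: CloudTrail reads the bucket ACL; Config also lists the bucket.
  statement {
    sid       = "ServiceBucketChecks"
    actions   = each.key == "config" ? ["s3:GetBucketAcl", "s3:ListBucket"] : ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.logs[each.key].arn]
    principals {
      type        = "Service"
      identifiers = [each.value.service]
    }
    # Confused-deputy guard: only this account's trail/recorder may use the bucket.
    # aws:SourceArn (the trail ARN) is tighter once the trail name is known.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }

  statement {
    sid       = "ServiceLogDelivery"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs[each.key].arn}/AWSLogs/${local.account_id}/${each.value.prefix}*"]
    principals {
      type        = "Service"
      identifiers = [each.value.service]
    }
    # Both services must write objects with bucket-owner-full-control.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }

  # CIS v1.4.0 2.1.2: deny any request that is not made over TLS.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.logs[each.key].arn, "${aws_s3_bucket.logs[each.key].arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  for_each   = aws_s3_bucket.logs
  bucket     = each.value.id
  policy     = data.aws_iam_policy_document.logs[each.key].json
  depends_on = [aws_s3_bucket_public_access_block.logs]
}
```

Because the module takes the bucket names as plain strings, Terraform sees no dependency between the module and these policies; add `depends_on = [aws_s3_bucket_policy.logs]` to the `module "security_baseline"` block, otherwise the trail can be created before its bucket policy exists and fail with an insufficient-bucket-policy error.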
### Enterprise baseline with IAM hardening
```hcl
module "security_baseline" {
  source  = "kogunlowo123/security-baseline/aws"
  version = "1.0.0"

  name_prefix = "enterprise"

  config_delivery_s3_bucket = "enterprise-config-bucket"
  cloudtrail_s3_bucket_name = "enterprise-cloudtrail-bucket"

  access_analyzer_type = "ORGANIZATION"
  enable_detective     = true

  security_hub_standards = [
    "cis-aws-foundations-benchmark/v/1.4.0",
    "aws-foundational-security-best-practices/v/1.0.0",
  ]

  tags = {
    Compliance = "cis-1.4"
  }
}

module "iam_baseline" {
  source  = "kogunlowo123/security-baseline/aws//modules/iam-baseline"
  version = "1.0.0" # pin submodules too; an unpinned registry source resolves to the latest release

  name_prefix             = "enterprise"
  create_break_glass_user = true
  security_audit_trusted_arns = [
    "arn:aws:iam::123456789012:root",
  ]
}
```
## Submodules
| Module | Description |
|--------|-------------|
| [guardduty-org](./modules/guardduty-org/) | Organization-wide GuardDuty deployment from the delegated administrator |
| [scp-baseline](./modules/scp-baseline/) | Service Control Policies used as security guardrails |
| [iam-baseline](./modules/iam-baseline/) | IAM baseline with a break-glass user and audit roles |
## CIS AWS Foundations Benchmark v1.4.0 mapping
Control numbers follow the v1.4.0 numbering (IAM in section 1, storage in section 2, logging in section 3, monitoring in section 4).
| CIS Control | Description | Module Resource |
|-------------|-------------|-----------------|
| 1.8, 1.9 | IAM password policy: minimum length 14, reuse prevention of 24 (the module's complexity and expiry settings go beyond what v1.4.0 requires) | `aws_iam_account_password_policy` |
| 1.6 | Hardware MFA for the root user (manual) | Documentation |
| 1.15 | IAM users receive permissions only through groups/roles | `iam-baseline` module |
| 1.17 | Support role for managing incidents with AWS Support | `iam-baseline` module |
| 1.20 | IAM Access Analyzer enabled | `aws_accessanalyzer_analyzer` |
| 2.2.1 | EBS default encryption | `scp-baseline` module |
| 2.3.1 | RDS encryption | `scp-baseline` module |
| 3.1 | CloudTrail enabled in all regions | `aws_cloudtrail` (multi-region trail) |
| 3.2 | CloudTrail log file validation | `aws_cloudtrail` |
| 3.4 | CloudTrail integrated with CloudWatch Logs | `aws_cloudtrail` + `aws_cloudwatch_log_group` |
| 3.5 | Config enabled in all regions | `aws_config_configuration_recorder` (the recorder is regional; instantiate the module in each region for full coverage) |
| 3.6 | S3 bucket access logging on the CloudTrail bucket | Manual |
| 3.7 | CloudTrail logs encrypted with KMS | `aws_kms_key` + `aws_cloudtrail` |
| 4.1-4.15 | CloudWatch metric filters and alarms | Partial (CloudWatch log group created; filters and alarms are not included) |
| n/a | Security Hub enabled (not a numbered control in v1.4.0; 4.16 in later benchmark versions) | `aws_securityhub_account` |
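Controls 4.1-4.15 are marked partial because the module only creates the CloudWatch log group. The following is an added example, not the module's own code, that completes four of those controls on top of the module's outputs: one metric filter and one alarm per CIS pattern, all notifying a single SNS topic. It assumes the `module "security_baseline"` call from the single-account usage example, that the `cloudtrail_cloudwatch_log_group_arn` output has the standard `arn:aws:logs:<region>:<account>:log-group:<name>:*` shape, and a placeholder email address `security-alerts@example.com`. The filter patterns are the ones given in the benchmark text; the generalization to a map lets you add the remaining 4.x patterns as further entries.

```hcl
locals {
  # The module exports the log group ARN; the metric filter resource needs the
  # name. Assumes the standard ARN layout, in which element 6 is the name.
  cloudtrail_log_group = element(split(":", module.security_baseline.cloudtrail_cloudwatch_log_group_arn), 6)

  # CIS v1.4.0 section 4 filter patterns (add more 4.x entries to extend).
  cis_filters = {
    "cis-4-1-unauthorized-api-calls"   = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
    "cis-4-2-console-login-no-mfa"     = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
    "cis-4-3-root-account-usage"       = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
    "cis-4-5-cloudtrail-config-change" = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  }
}

# CIS requires the alarm topic to have at least one subscriber.
resource "aws_sns_topic" "security_alerts" {
  name = "myapp-security-alerts"
}

resource "aws_sns_topic_subscription" "security_alerts_email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com" # placeholder; the recipient must confirm the subscription
}

resource "aws_cloudwatch_log_metric_filter" "cis" {
  for_each       = local.cis_filters
  name           = each.key
  pattern        = each.value
  log_group_name = local.cloudtrail_log_group

  metric_transformation {
    name      = each.key
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# CIS: alarm when the metric is >= 1 within a single 300-second period.
resource "aws_cloudwatch_metric_alarm" "cis" {
  for_each            = local.cis_filters
  alarm_name          = each.key
  namespace           = "CISBenchmark"
  metric_name         = each.key
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # no matching events in a period is the normal state
  alarm_actions       = [aws_sns_topic.security_alerts.arn]

  depends_on = [aws_cloudwatch_log_metric_filter.cis]
}
```

The filters only fire if the trail is actually delivering to that log group, so verify `module.security_baseline.cloudtrail_cloudwatch_log_group_arn` shows recent log streams before relying on these alarms.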
## Supported compliance frameworks
- **CIS AWS Foundations Benchmark v1.4.0** -- automated controls for identity, logging, monitoring and networking
- **AWS Foundational Security Best Practices (FSBP)** -- the AWS-defined security standard, enabled through Security Hub
- **SOC 2 Type II** -- logging, monitoring and access control
- **PCI DSS** -- encryption, access logging and change detection
- **HIPAA** -- audit logging, encryption and access control
- **NIST 800-53** -- security and privacy controls mapped through Security Hub
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| aws | >= 5.20.0 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `name_prefix` | Prefix for all named resources | `string` | n/a | **yes** |
| `tags` | Map of tags for all resources | `map(string)` | `{}` | no |
| `enable_guardduty` | Enable GuardDuty | `bool` | `true` | no |
| `guardduty_s3_protection` | Enable S3 protection | `bool` | `true` | no |
| `guardduty_eks_protection` | Enable EKS protection | `bool` | `true` | no |
| `guardduty_malware_protection` | Enable malware protection | `bool` | `true` | no |
| `enable_security_hub` | Enable Security Hub | `bool` | `true` | no |
| `security_hub_standards` | Security Hub standards to enable | `list(string)` | CIS 1.4 + FSBP | no |
| `enable_config` | Enable AWS Config | `bool` | `true` | no |
| `config_delivery_s3_bucket` | S3 bucket for Config delivery | `string` | `""` | no |
| `config_sns_topic_arn` | SNS topic ARN for Config notifications | `string` | `""` | no |
| `config_all_supported_resource_types` | Record all supported resource types | `bool` | `true` | no |
| `enable_cloudtrail` | Enable CloudTrail | `bool` | `true` | no |
| `cloudtrail_s3_bucket_name` | S3 bucket for CloudTrail logs | `string` | `""` | no |
| `cloudtrail_kms_key_arn` | KMS key ARN for CloudTrail encryption | `string` | `""` | no |
| `cloudtrail_enable_log_file_validation` | Enable log file validation | `bool` | `true` | no |
| `cloudtrail_is_multi_region` | Enable multi-region trail | `bool` | `true` | no |
| `cloudtrail_include_global_events` | Include global service events | `bool` | `true` | no |
| `cloudtrail_enable_insights` | Enable CloudTrail Insights | `bool` | `true` | no |
| `enable_macie` | Enable Macie | `bool` | `true` | no |
| `macie_finding_publishing_frequency` | Macie publishing frequency | `string` | `"FIFTEEN_MINUTES"` | no |
| `enable_access_analyzer` | Enable Access Analyzer | `bool` | `true` | no |
| `access_analyzer_type` | Access Analyzer type (ACCOUNT/ORGANIZATION) | `string` | `"ACCOUNT"` | no |
| `enable_detective` | Enable Detective | `bool` | `false` | no |
| `enable_iam_password_policy` | Configure IAM password policy | `bool` | `true` | no |
| `password_policy_min_length` | Minimum password length | `number` | `14` | no |
| `password_policy_require_symbols` | Require symbols | `bool` | `true` | no |
| `password_policy_require_numbers` | Require numbers | `bool` | `true` | no |
| `password_policy_require_uppercase` | Require uppercase | `bool` | `true` | no |
| `password_policy_require_lowercase` | Require lowercase | `bool` | `true` | no |
| `password_policy_max_age` | Password max age in days | `number` | `90` | no |
| `password_policy_reuse_prevention` | Password reuse prevention count | `number` | `24` | no |
| `password_policy_allow_users_to_change` | Allow users to change passwords | `bool` | `true` | no |
## Outputs
| Name | Description |
|------|-------------|
| `guardduty_detector_id` | GuardDuty detector ID |
| `guardduty_detector_arn` | GuardDuty detector ARN |
| `securityhub_account_id` | Security Hub account ID |
| `securityhub_account_arn` | Security Hub account ARN |
| `securityhub_standards_subscription_arns` | Enabled standards subscription ARNs |
| `config_recorder_id` | Config recorder ID |
| `config_delivery_channel_id` | Config delivery channel ID |
| `config_role_arn` | Config recorder IAM role ARN |
| `cloudtrail_id` | CloudTrail trail name |
| `cloudtrail_arn` | CloudTrail trail ARN |
| `cloudtrail_home_region` | CloudTrail home region |
| `cloudtrail_cloudwatch_log_group_arn` | CloudWatch log group ARN for CloudTrail |
| `cloudtrail_cloudwatch_role_arn` | CloudTrail CloudWatch IAM role ARN |
| `cloudtrail_kms_key_arn` | KMS key ARN for CloudTrail encryption |
| `cloudtrail_kms_key_id` | KMS key ID for CloudTrail encryption |
| `macie_account_id` | Macie account ID |
| `access_analyzer_id` | Access Analyzer ID |
| `access_analyzer_arn` | Access Analyzer ARN |
| `detective_graph_id` | Detective graph ID |
| `detective_graph_arn` | Detective graph ARN |
| `iam_password_policy_expire_passwords` | Whether passwords expire |
## Examples
- [Basic single account](./examples/basic/) -- minimal baseline for a single AWS account
- [Complete enterprise](./examples/complete/) -- full enterprise baseline with all services and IAM hardening
## License
MIT License. See [LICENSE](./LICENSE).