Terraform module that creates AWS Security Hub resources.
module "security_hub" {
source = "../../../"
enable_default_standards = false
control_finding_generator = "STANDARD_CONTROL"
auto_enable_controls = true
product_config = [{
enable = true
arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}]
standards_config = {
aws_foundational_security_best_practices = {
enable = true
status = "ENABLED"
}
cis_aws_foundations_benchmark_v120 = {
enable = false
}
cis_aws_foundations_benchmark_v140 = {
enable = true
status = "ENABLED"
}
nist_sp_800_53_rev5 = {
enable = false
}
pci_dss = {
enable = false
}
}
action_target = [{
name = "Send to Amazon SNS"
identifier = "SendToSNS"
description = "This is a custom action to send findings to SNS Topic"
}]
}
resource "aws_securityhub_standards_control" "ensure_iam_password_policy_prevents_password_reuse" {
standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/cis-aws-foundations-benchmark/v/1.4.0/1.10"
control_status = "DISABLED"
disabled_reason = "Password policies are managed by external resource"
depends_on = [module.security_hub]
}
resource "aws_securityhub_insight" "this" {
filters {
created_at {
date_range {
unit = "DAYS"
value = 7
}
}
network_source_ipv4 {
cidr = "10.0.0.0/16"
}
criticality {
gte = "80"
}
resource_tags {
comparison = "EQUALS"
key = "Environment"
value = "Development"
}
}
group_by_attribute = "AwsAccountId"
name = "insight"
depends_on = [module.standalone_security_hub]
}
module "delegated_admin" {
source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_admin/"
admin_account_id = data.aws_caller_identity.current.account_id
auto_enable_standards = "DEFAULT"
depends_on = [module.security_hub]
}
module "member_account" {
source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_member/"
providers = {
aws = aws
aws.member = aws.member
}
member_config = [{
account_id = "281190191734"
email = "[email protected]"
invite = false
}]
depends_on = [module.security_hub]
}
module "security_hub" {
source = "aws-ia/terraform-aws-security-hub"
enable_default_standards = false
control_finding_generator = "STANDARD_CONTROL"
auto_enable_controls = true
product_config = [{
enable = true
arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}]
standards_config = {
aws_foundational_security_best_practices = {
enable = true
status = "ENABLED"
}
cis_aws_foundations_benchmark_v120 = {
enable = false
}
cis_aws_foundations_benchmark_v140 = {
enable = true
status = "ENABLED"
}
nist_sp_800_53_rev5 = {
enable = false
}
pci_dss = {
enable = false
}
}
action_target = [{
name = "Send to Amazon SNS"
identifier = "SendToSNS"
description = "This is a custom action to send findings to SNS Topic"
}]
}
resource "aws_securityhub_insight" "this" {
filters {
aws_account_id {
comparison = "EQUALS"
value = "123456789012"
}
aws_account_id {
comparison = "EQUALS"
value = "098765432109"
}
created_at {
date_range {
unit = "DAYS"
value = 7
}
}
network_source_ipv4 {
cidr = "10.0.0.0/16"
}
criticality {
gte = "80"
}
resource_tags {
comparison = "EQUALS"
key = "Environment"
value = "Development"
}
}
group_by_attribute = "AwsAccountId"
name = "insight-per-account-id"
depends_on = [module.security_hub]
}
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.47 |
time | >= 0.9 |
Name | Version |
---|---|
aws | >= 4.47 |
time | >= 0.9 |
No modules.
Name | Type |
---|---|
aws_securityhub_account.this | resource |
aws_securityhub_action_target.this | resource |
aws_securityhub_finding_aggregator.this | resource |
aws_securityhub_product_subscription.this | resource |
aws_securityhub_standards_subscription.this | resource |
time_sleep.wait_securityhub_enable | resource |
aws_region.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
action_target | Creates Security Hub custom action.name - The description for the custom action target.identifier - The ID for the custom action target.description - The name of the custom action target. |
list(object({ |
[] |
no |
auto_enable_controls | Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to true, and new controls are enabled automatically. To not automatically enable new controls, set this to false. | bool |
true |
no |
control_finding_generator | Updates whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. For accounts that are part of an organization, this value can only be updated in the administrator account. | string |
"STANDARD_CONTROL" |
no |
enable_default_standards | Whether to enable the security standards that Security Hub has designated as automatically enabled including: AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0. Defaults to true . |
bool |
true |
no |
linking_mode | Indicates whether to aggregate findings from all of the available Regions or from a specified list. The options are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS. When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security Hub will automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. | string |
"ALL_REGIONS" |
no |
product_config | The ARN of the product that generates findings that you want to import into Security Hub. | list(object({ |
null |
no |
specified_regions | List of regions to include or exclude (required if linking_mode is set to ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS) | list(string) |
null |
no |
standards_config | aws_foundational_security_best_practices - AWS Foundational Security Best Practicescis_aws_foundations_benchmark_v120 - CIS AWS Foundations Benchmark v1.2.0cis_aws_foundations_benchmark_v140 - CIS AWS Foundations Benchmark v1.4.0nist_sp_800_53_rev5 - NIST SP 800-53 Rev. 5pci_dss - PCI DSS |
object({ |
{ |
no |
Name | Description |
---|---|
action_target | Security Hub custome action targets. |
finding_aggregator | Security Hub finding aggregator configuration. |
product_subscription | Security Hub products subscriptions. |
securityhub_account | Security Hub AWS account configuration. |
standards_subscription | Security Hub compliance standards subscriptions. |