ACAI ACF Module: terraform-aws-acf-account-hardening
GitHub Repository | Terraform Registry
Solution
ACAI ACF specification-repo for AWS account hardening.
IMPORTANT: This module requires [ACAI Provisio][acai-provisio-url].
Features
- Account Password Policy
- S3 Block Public Access
- EBS Default Encryption
USAGE
Settings
# Shared settings that the module examples below reference.
locals {
# Regions the Provisio packages are rendered for.
# NOTE(review): presumably primary_region receives the account-wide
# settings and `regions` the per-region ones — confirm against the
# ACAI Provisio documentation.
provisio_settings = {
primary_region = "eu-central-1"
regions = [
"us-east-2",
"eu-north-1"
]
}
# IAM account password policy. It governs console passwords of IAM users
# only; identities that sign in through federation or assume roles are
# not affected by these settings.
aws_account_password_policy = {
minimum_password_length = 32 # characters; IAM accepts 6-128
max_password_age = 90 # days until a password must be rotated
password_reuse_prevention = 7 # previous passwords remembered; IAM accepts 1-24
require_lowercase_characters = true
require_numbers = true
require_uppercase_characters = true
require_symbols = true
allow_users_to_change_password = true
}
}
Rendering
# Default hardening package: applied to every account except the
# Image Factory account (see the account_baseline assignment below).
module "account_hardening_default" {
# NOTE(review): `ref=main` tracks a mutable branch, so the rendered
# package can change without a code change here; pin to an immutable
# release tag or commit SHA (e.g. `?ref=<RELEASE_TAG_OR_COMMIT_SHA>`).
source = "git::https://github.com/acai-solutions/terraform-aws-acf-account-hardening.git?ref=main"
provisio_settings = {
# local.provisio_settings holds the primary_region/regions map.
provisio_regions = local.provisio_settings
}
account_hardening_settings = {
aws_account_password_policy = local.aws_account_password_policy
# Account-level S3 Block Public Access: overrides bucket-level public
# ACLs and policies for every bucket in the account.
s3_account_level_public_access_block = true
# EBS default encryption is a per-region setting; presumably the module
# applies it in each configured region — confirm.
ebs_encryption = true
}
}
# Variant of the hardening package for the Image Factory account: same
# password policy and S3 settings, but EBS default encryption disabled.
module "account_hardening_image_factory" {
# NOTE(review): `ref=main` tracks a mutable branch; pin to an immutable
# release tag or commit SHA (e.g. `?ref=<RELEASE_TAG_OR_COMMIT_SHA>`).
source = "git::https://github.com/acai-solutions/terraform-aws-acf-account-hardening.git?ref=main"
provisio_settings = {
# Distinct package name so this variant can be assigned separately
# from "account-hardening" in the account_baseline list below.
provisio_package_name = "account-hardening-without-ebs"
provisio_regions = local.provisio_settings
}
account_hardening_settings = {
aws_account_password_policy = local.aws_account_password_policy
s3_account_level_public_access_block = true
# Deliberate exception, limited to the Image Factory account: AMIs backed
# by snapshots encrypted with the AWS-managed aws/ebs key cannot be shared
# with other accounts. Encrypting with a customer-managed KMS key instead
# would keep encryption on while allowing sharing — verify whether the
# module exposes such an option before relying on this exception.
ebs_encryption = false # in the image factory account EBS encryption must be off for AMI sharing
}
}
Assignment to accounts
You need to precisely assign different baselines to different AWS accounts of your organization?
Leveraging the [ACAI ACF Account Cache][acai-account-cache-url] and the [account selection query language][acai-account-cache-query-url] convention, this is very easy.
# Maps Provisio packages to account scopes. The two scopes must be
# complementary (the account excluded from the first entry is the only
# one force-included in the second), otherwise an account receives both
# packages or neither.
locals {
account_baseline = [
# ----------------------------------------------------------------
# account-hardening
# this will be applied to all accounts except the Image Factory Account
{
deployment_name = "account-hardening"
# NOTE(review): inside a heredoc `#` is NOT an HCL comment — the text
# after the account id becomes part of the JSON string. Confirm the
# account-cache query parser tolerates it, or move the annotation to a
# comment line outside the heredoc.
account_scope = <<EOF
{
"exclude" : {
"accountId" : [
"123456789012" # Image Factory Account
]
}
}
EOF
provisio_packages = [
"account-hardening"
]
},
# ----------------------------------------------------------------
# account-hardening-without-ebs
# this will be applied only to the Image Factory Account
{
deployment_name = "account-hardening-without-ebs"
# "exclude": "*" drops every account; forceInclude then re-adds exactly
# the Image Factory account. Same heredoc `#` caveat as above.
account_scope = <<EOF
{
"exclude" : "*",
"forceInclude" : {
"accountId" : [
"123456789012" # Image Factory Account
]
}
}
EOF
provisio_packages = [
"account-hardening-without-ebs"
]
}
]
}
Provisioning
# ---------------------------------------------------------------------------------------------------------------------
# ¦ ACAI PROVISIO CORE
# ---------------------------------------------------------------------------------------------------------------------
# Renders the package specifications above and deploys them according to
# local.account_baseline.
module "acai_provisio_core" {
# NOTE(review): `ref=main` tracks a mutable branch; pin to an immutable
# release tag or commit SHA (e.g. `?ref=<RELEASE_TAG_OR_COMMIT_SHA>`).
source = "git::https://github.com/acai-customers/terraform-aws-acai-provisio.git?ref=main"
provisio_baselining_specification = {
# Exact version pins for the rendered baseline; keep them in step with
# the versions the hardening module was tested against.
terraform_version = "= 1.5.7"
provider_aws_version = "= 5.50"
provisio_regions = local.provisio_settings
# Both package variants are passed as whole module outputs.
package_specification = [
module.account_hardening_default,
module.account_hardening_image_factory
]
package_deployment = local.account_baseline
}
providers = {
# Provider alias for the baselining account; declared elsewhere.
aws = aws.Act_Baselining
}
}