
ACAI ACF Module: terraform-aws-acf-account-hardening

GitHub Repository | Terraform Registry

Solution

ACAI ACF specification-repo for AWS account hardening.

IMPORTANT: This module requires [ACAI Provisio][acai-provisio-url].

Features

  • Account Password Policy
  • S3 Block Public Access
  • EBS Default Encryption

USAGE

Settings

locals {
  # Region set handed to the modules below as `provisio_regions`
  # (primary region plus the additional regions the packages are rendered for).
  provisio_settings = {
    primary_region = "eu-central-1"
    regions        = [
      "us-east-2",
      "eu-north-1"
    ]
  }
  # IAM account password policy passed to both hardening modules as
  # `aws_account_password_policy`. The values here are example settings;
  # adjust them to your own baseline before rendering.
  aws_account_password_policy = {
    minimum_password_length        = 32
    max_password_age               = 90
    password_reuse_prevention      = 7
    require_lowercase_characters   = true
    require_numbers                = true
    require_uppercase_characters   = true
    require_symbols                = true
    allow_users_to_change_password = true
  }
}

Rendering

# Default package: password policy, S3 account-level public access block
# and EBS default encryption all enabled.
module "account_hardening_default" {
  # NOTE(review): ref=main follows a moving branch; pin to a release tag or
  # commit SHA so the rendered baseline is reproducible and changes are reviewable.
  source = "git::https://github.com/acai-solutions/terraform-aws-acf-account-hardening.git?ref=main"

  provisio_settings = {
    provisio_regions = local.provisio_settings
  }
  account_hardening_settings = {
    aws_account_password_policy          = local.aws_account_password_policy
    s3_account_level_public_access_block = true
    ebs_encryption                       = true
  }
}

# Variant package for the Image Factory account: identical to the default
# package except that EBS default encryption stays disabled. Rendered under
# its own package name so it can be assigned separately below.
module "account_hardening_image_factory" {
  # NOTE(review): ref=main follows a moving branch; pin to a release tag or
  # commit SHA so the rendered baseline is reproducible and changes are reviewable.
  source = "git::https://github.com/acai-solutions/terraform-aws-acf-account-hardening.git?ref=main"

  provisio_settings = {
    provisio_package_name = "account-hardening-without-ebs"
    provisio_regions      = local.provisio_settings
  }
  account_hardening_settings = {
    aws_account_password_policy          = local.aws_account_password_policy
    s3_account_level_public_access_block = true
    ebs_encryption                       = false # in the image factory account EBS encryption must be off for AMI sharing
  }
}

Assignment to accounts

You need to precisely assign different baselines to the different AWS accounts of your organization?

Leveraging the [ACAI ACF Account Cache][acai-account-cache-url] and the [account selection query language][acai-account-cache-query-url] convention, this is very easy.

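locals {
  # Account ID of the Image Factory account: excluded from the default package
  # and the only target of the "-without-ebs" package. Kept in one place so the
  # two selection queries below cannot drift apart.
  image_factory_account_id = "123456789012"

  # Deployment assignments consumed by acai_provisio_core as `package_deployment`.
  # `account_scope` is an account-selection query in JSON form; it is presumably
  # handed to the account cache query parser as-is, so the annotations are kept
  # OUTSIDE the heredocs — a `#` inside the string is data, not an HCL comment,
  # and would reach the parser verbatim.
  account_baseline = [

    # ----------------------------------------------------------------
    # account-hardening
    # applied to all accounts except the Image Factory Account
    {
      deployment_name = "account-hardening"
      account_scope   = <<EOF
{
  "exclude" : {
    "accountId" : [
      "${local.image_factory_account_id}"
    ]
  }
}
EOF
      provisio_packages = [
        "account-hardening"
      ]
    },

    # ----------------------------------------------------------------
    # account-hardening-without-ebs
    # applied only to the Image Factory Account
    {
      deployment_name = "account-hardening-without-ebs"
      account_scope   = <<EOF
{
  "exclude" : "*",
  "forceInclude" : {
    "accountId" : [
      "${local.image_factory_account_id}"
    ]
  }
}
EOF
      provisio_packages = [
        "account-hardening-without-ebs"
      ]
    }
  ]
}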

Provisioning

# ---------------------------------------------------------------------------------------------------------------------
# ¦ ACAI PROVISIO CORE
# ---------------------------------------------------------------------------------------------------------------------
module "acai_provisio_core" {
  # NOTE(review): ref=main follows a moving branch; pin to a release tag or
  # commit SHA so the provisioning core itself is reproducible and reviewable.
  source = "git::https://github.com/acai-customers/terraform-aws-acai-provisio.git?ref=main"

  provisio_baselining_specification = {
    # Exact version pins for the tooling used when the packages are applied.
    terraform_version     = "= 1.5.7"
    provider_aws_version  = "= 5.50"
    provisio_regions      = local.provisio_settings
    # Both rendered hardening packages from the "Rendering" section.
    package_specification = [
      module.account_hardening_default,
      module.account_hardening_image_factory
    ]
    # Which package is deployed to which accounts (see "Assignment to accounts").
    package_deployment = local.account_baseline
  }
  providers = {
    # assumes a provider alias `Act_Baselining` (the baselining account) is
    # configured elsewhere in the root module — not shown on this page
    aws = aws.Act_Baselining
  }
}