This project applies a security-baseline to an AWS organization. The state-machine runs using an eventbridge rule so that configuration is checked on an interval and re-applied. Currently, the baseline supports the following services:
- Amazon GuardDuty
You will need to setup the following before running this SAM application.
- Configure an assumable role on your Org Master Payer account to allow the Security/Audit account to manage GuardDuty via cross account access
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
} - Attach the following policies to the new role
AmazonGuardDutyFullAccessAWSOrganizationsFullAccess
- Ensure you have cross-account deployment access for Terraform, as multiple AWS providers are supported for security-baseline
- Update the
security-baseline/infra/providers.tffollowing the example insecurity-baseline/infra/providers.tf.examplewith deployment roles - Update
security-baseline/infra/terraform.tfwith relevent bucket name and key - Update any changes to
security-baseline/config/config.jsonfor the used regions, GuardDuty detectors configuration, and desired accounts to ignore.
Project is easily managed from local command line deployment, but may need to be tweaked to fit a pipeline with Github Actions, Jenkins, CircleCi, etc.
Deploy from local cli with regular terraform commands:
terraform applyIf deployed via command line, easy to clean up with regular terraform commands
terraform destroyClean up the following:
- Any roles created required to run cross-account terraform
- Terraform state and bucket in S3
Other services that could be added for continual checking/management:
- Security Hub
- AWS Account & Contacts Management
- SCP organization
Name shamefully stolen from a similar project authored in Ruby by Rich Adams Ruby. 😂