- AWS Config Recorder
- AWS Config Delivery Channel (S3 + SNS)
- AWS IAM policies
- AWS Config Aggregator (Account or Organization)
- Uploads S3 object(s) to X bucket for the Config Conformance Packs
- Config Conformance Packs x2: Operational-Best-Practices-for-FedRAMP and Operational-Best-Practices-for-NIST-800-53-rev-5, modified from the source GitHub repository
- Please be sure to update the AWS Config Rules YAML files from here
- Because this GitHub repository is open source, a few out-of-the-box rules were removed so that this module can scan the AWS accounts properly
This module can be called as outlined below.

1. Change directories to the `config` directory.
2. From the `terraform/aws/config` directory, run `terraform init`.
3. Run `terraform plan` to review the resources being created.
4. If everything looks correct in the plan output, run `terraform apply`.
Example of how to call the module with generic variables:
```hcl
module "config" {
  source = "github.com/Coalfire-CF/terraform-aws-config"

  resource_prefix = var.resource_prefix

  s3_config_arn      = data.terraform_remote_state.mgmt_account_setup.outputs.s3_config_arn
  s3_config_id       = data.terraform_remote_state.mgmt_account_setup.outputs.s3_config_id
  config_kms_key_arn = data.terraform_remote_state.mgmt_account_setup.outputs.config_kms_key_arn
  s3_kms_key_arn     = data.terraform_remote_state.mgmt_account_setup.outputs.s3_kms_key_arn
  sns_kms_key_id     = data.terraform_remote_state.mgmt_account_setup.outputs.sns_kms_key_id

  conformance_pack_names = ["Operational-Best-Practices-for-FedRAMP", "Operational-Best-Practices-for-NIST-800-53-rev-5"]
  delivery_frequency     = "TwentyFour_Hours"

  ## Aggregator
  aws_regions      = var.aws_regions
  account_ids      = local.share_accounts
  aggregation_type = "organization"
}
```
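Once the module has deployed the two conformance packs, the compliance state of each pack's rules is the thing worth checking, and a rule reporting INSUFFICIENT_DATA usually means its resource type is not being recorded yet. The following is an added example (not part of this module) that folds `DescribeConformancePackCompliance` pages into a per-rule summary; the sample pages and rule names are constructed, and the boto3 fetch helper is only needed when running against a real account.

```python
"""Summarise AWS Config conformance pack compliance once this module has deployed the packs."""
from collections import Counter


def summarize_pack_compliance(pack_name, pages):
    """Fold DescribeConformancePackCompliance pages (any iterable of dicts in the API's shape) into a per-rule view; calls no AWS API."""
    rules = {}
    for page in pages:
        if page.get("ConformancePackName", pack_name) != pack_name:
            raise ValueError("response page belongs to a different conformance pack")
        for item in page.get("ConformancePackRuleComplianceList", []):
            rules[item["ConfigRuleName"]] = item["ComplianceType"]
    by_state = Counter(rules.values())
    return {
        "pack": pack_name,
        "total_rules": len(rules),
        "non_compliant": sorted(n for n, c in rules.items() if c == "NON_COMPLIANT"),
        # INSUFFICIENT_DATA usually means the rule's target resource type is not
        # being recorded yet, so it is surfaced separately rather than hidden.
        "insufficient_data": sorted(n for n, c in rules.items() if c == "INSUFFICIENT_DATA"),
        "counts": dict(by_state),
    }


def fetch_pack_compliance_pages(pack_name, region_name=None):
    """Page through DescribeConformancePackCompliance with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline summary has no AWS dependency

    client = boto3.client("config", region_name=region_name)
    kwargs = {"ConformancePackName": pack_name}
    while True:
        page = client.describe_conformance_pack_compliance(**kwargs)
        yield page
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample pages (not data from a real account) in the API's response shape.
SAMPLE_PAGES = [
    {"ConformancePackName": "Operational-Best-Practices-for-FedRAMP",
     "ConformancePackRuleComplianceList": [
         {"ConfigRuleName": "sample-rule-a", "ComplianceType": "COMPLIANT"},
         {"ConfigRuleName": "sample-rule-b", "ComplianceType": "NON_COMPLIANT"}],
     "NextToken": "page2"},
    {"ConformancePackName": "Operational-Best-Practices-for-FedRAMP",
     "ConformancePackRuleComplianceList": [
         {"ConfigRuleName": "sample-rule-c", "ComplianceType": "INSUFFICIENT_DATA"}]},
]
```

Against a live account, pass `fetch_pack_compliance_pages("Operational-Best-Practices-for-FedRAMP")` as `pages` instead of the constructed sample.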
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_ids | If aggregating by Account: AWS account IDs for the AWS Config Aggregator | list(string) | `[]` | no |
| aggregation_type | Aggregation type (Account or Organization) | string | n/a | yes |
| all_regions | AWS Config Aggregator pulls from all AWS Regions | bool | `false` | no |
| aws_regions | The AWS region(s) for the AWS Config Aggregator | list(string) | n/a | yes |
| config_kms_key_arn | AWS Config KMS key ARN | string | n/a | yes |
| conformance_pack_names | A list of conformance pack names to be deployed | list(string) | n/a | yes |
| delivery_frequency | Frequency at which Config snapshots are sent to S3 | string | n/a | yes |
| is_enabled | Should the Config recorder be enabled? | bool | `true` | no |
| is_gov | Is AWS Config deployed in a Gov account? | bool | n/a | yes |
| packs_s3_key | S3 bucket prefix for the uploaded packs | string | `"packs"` | no |
| resource_prefix | The prefix for the S3 bucket names | string | n/a | yes |
| s3_config_arn | S3 bucket ARN for AWS Config | string | n/a | yes |
| s3_config_id | S3 bucket ID for AWS Config | string | n/a | yes |
| s3_kms_key_arn | AWS S3 KMS key ARN | string | n/a | yes |
| sns_kms_key_id | SNS KMS key ID | string | n/a | yes |
| Name | Description |
|---|---|
| fedramp_conformance_pack_arn | n/a |
| nist_conformance_pack_arn | n/a |
Relative or absolute link to contributing.md
Absolute link to any relevant Coalfire Pages
Copyright © 2023 Coalfire Systems Inc.