ACE AWS Organizations Terraform Module

Description

This module sets up an AWS Organization with org-level services, including Guard Duty, Security Hub, AWS Config, and Cloudtrail.

FedRAMP Compliance: Moderate, High

Dependencies

• region-setup

Resource List

A high-level list of resources created as a part of this module.

• AWS Organization with org level services
  • Guard Duty
  • Security Hub
  • AWS Config
  • Cloudtrail
• AWS Organization policy
• IAM role and policy

Deployment Steps

This module can be called as outlined below.

• Change directories to the aws-org directory.
• From the terraform/aws/aws-org directory run terraform init.
• Run terraform plan to review the resources being created.
• If everything looks correct in the plan output, run terraform apply.

Usage

Include example for how to call the module below with generic variables

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "=4.58"
    }
  }
}


module "aws_org" {
  source = "github.com/Coalfire-CF/terraform-aws-organization"
  service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "securityhub.amazonaws.com",
    "guardduty.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com"
  ]
  feature_set                  = "ALL"
  aws_new_member_account_email = ["[email protected]"]
  aws_new_member_account_name  = ["aws_account_12345"]
  delegated_admin_account_id   = "12345678910"
  delegated_service_principal  = "principal"
  aws_region                   = var.aws_region
  partition                    = var.partition
  resource_prefix              = var.resource_prefix
  s3_kms_key_arn               = data.terraform_remote_state.setup.outputs.s3_key_arn
  aws_sec_hub_standards_arn    = ["arn:${var.partition}:securityhub:${var.region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${var.partition}:securityhub:${var.region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
}

Requirements

No requirements.

Providers

Name	Version
aws	n/a

Modules

Name	Source	Version
guardduty_kms_key	github.com/Coalfire-CF/terraform-aws-kms	n/a

Resources

Name	Type
aws_cloudtrail.org-trail	resource
aws_cloudwatch_log_group.guardduty	resource
aws_config_configuration_aggregator.organization	resource
aws_guardduty_detector.guardduty	resource
aws_guardduty_organization_admin_account.gh_admin_account	resource
aws_guardduty_organization_configuration.guardduty	resource
aws_guardduty_publishing_destination.gd_pub_dest	resource
aws_iam_role.aws_config_org_role	resource
aws_iam_role_policy_attachment.organization	resource
aws_organizations_account.account	resource
aws_organizations_delegated_administrator.delegated_admin	resource
aws_organizations_organization.org	resource
aws_organizations_organizational_unit.ou	resource
aws_organizations_policy.scp	resource
aws_organizations_policy_attachment.scp	resource
aws_organizations_resource_policy.org_resource_policy	resource
aws_s3_bucket.gd_bucket	resource
aws_s3_bucket_policy.gd_bucket_policy	resource
aws_securityhub_organization_admin_account.sechub_org_admin	resource
aws_securityhub_organization_configuration.sechub_org_config	resource
aws_securityhub_standards_subscription.cis	resource
aws_caller_identity.current	data source
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.bucket_pol	data source
aws_iam_policy_document.kms_pol	data source
aws_iam_policy_document.scp	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
aws_guardduty_datasources_enable_S3	Configuration for the collected datasources.	bool	true	no
aws_guardduty_datasources_enable_k8_audit_logs	Configuration for the collected datasources.	bool	true	no
aws_guardduty_datasources_enable_malware_protection_ebs	Configuration for the collected datasources.	bool	true	no
aws_new_member_account_email	The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.	any	null	no
aws_new_member_account_name	The Friendly name for the member account.	any	null	no
aws_region	n/a	string	n/a	yes
aws_sec_hub_standards_arn	n/a	list(string)	n/a	yes
create_org_cloudtrail	True/False statement whether to enable AWS Cloudtrail in the Organization	bool	true	no
create_org_config	True/False statement whether to enable AWS Config in the Organization	bool	true	no
create_org_guardduty	True/False statement whether to enable AWS GuardDuty in the Organization	bool	true	no
create_org_securityhub	True/False statement whether to enable AWS Security Hub in the Organization	bool	true	no
delegated_admin_account_id	The account ID number of the member account in the organization to register as a delegated administrator.	list(string)	null	no
delegated_service_principal	The service principal of the AWS service for which you want to make the member account a delegated administrator.	string	"principal"	no
feature_set	Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED_BILLING.	string	"ALL"	no
finding_publishing_frequency	n/a	string	"ONE_HOUR"	no
org_account_name	value to be used for the org account name	string	n/a	yes
ou_creation_info	list of names of OU to create and their corresponding delegated admins	map(map(string))	{ "ou1": { "ou_name": "app_ou1", "ou_parent_id": "parent_id1" }, "ou2": { "ou_name": "app_ou2", "ou_parent_id": "parent_id2" } }	no
resource_prefix	n/a	string	n/a	yes
s3_kms_key_arn	n/a	string	n/a	yes
service_access_principals	List of AWS Service Access Principals that you want to enable for organization integration	list(string)	[ "cloudtrail.amazonaws.com", "config.amazonaws.com", "securityhub.amazonaws.com", "guardduty.amazonaws.com", "config-multiaccountsetup.amazonaws.com" ]	no

Outputs

Name	Description
accounts	List of org accounts including master
master_account_id	Master account ID

Contributing

Relative or absolute link to contributing.md

License

Coalfire Pages

Absolute link to any relevant Coalfire Pages

Copyright

Copyright © 2023 Coalfire Systems Inc.