HHS / simpler-grants-gov

https://simpler.grants.gov

[Task]: Add AWS Security Hub to Terraform #914

Open acouch opened 8 months ago

acouch commented 8 months ago

Summary

AWS Security Hub provides continuous monitoring for NIST security controls.

This has been added to our account. This ticket is to export the settings to Terraform.

Acceptance criteria

coilysiren commented 8 months ago

This can be done with resource imports, at minimum here's the account:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account

resource "aws_securityhub_account" "account" {}
$ terraform import aws_securityhub_account.account AWS_ACCOUNT_ID

Then go through the other Terraform resources and import them as well, as needed.

jamesbursa commented 8 months ago

We can disable controls that are false positives (e.g. not applicable to the system or implemented in a way that Security Hub can't detect) using resource "securityhub_standards_control" with the disabled_reason argument.

Example of use: https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/blob/95eb114b7e11ea505061d03232cdd31857b1cd27/modules/securityhub/main.tf#L22-L29
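Putting the two comments together, here is an added example (not code from this repository or from the linked baseline) of the Security Hub account, a NIST SP 800-53 standard subscription, and one disabled control with a recorded reason; the standard ARN format, the `IAM.6` control id and the region/account data sources are assumptions to adjust for the real account.

```hcl
# Added example, not the project's own code. Assumes the AWS provider is
# already configured; the standard ARN format and the control id are
# assumptions and should be checked against the account's Security Hub console.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Matches the import suggested in the thread:
#   terraform import aws_securityhub_account.account <AWS_ACCOUNT_ID>
resource "aws_securityhub_account" "account" {
  # Do not auto-enable the default standards; subscribe explicitly below so
  # Terraform is the record of which standards are active.
  enable_default_standards = false
  auto_enable_controls     = true
}

# The "NIST security controls" mentioned in the issue come from the
# NIST SP 800-53 Rev. 5 standard. Standard ARNs are regional and have no
# account id component (assumed ARN layout).
resource "aws_securityhub_standards_subscription" "nist_800_53" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"
  depends_on    = [aws_securityhub_account.account]
}

# Disable a control that is a known false positive for this system and keep
# the justification next to the change. IAM.6 is only an assumed control id;
# the disabled_reason text is a placeholder to replace with the real rationale.
resource "aws_securityhub_standards_control" "nist_iam_6" {
  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/nist-800-53/v/5.0.0/IAM.6"
  control_status        = "DISABLED"
  disabled_reason       = "Not applicable: <reason and risk-register reference go here>"

  # A control can only be updated once its standard subscription exists.
  depends_on = [aws_securityhub_standards_subscription.nist_800_53]
}
```

After importing the existing account and subscription, a clean `terraform plan` confirms the configuration matches what is already enabled in the console before any control is disabled.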