Terraform Module for AWS Security Hub
Terraform module that creates AWS Security Hub resources.
Usage
Standalone
module "security_hub" {
source = "../../../"
enable_default_standards = false
control_finding_generator = "STANDARD_CONTROL"
auto_enable_controls = true
product_config = [{
enable = true
arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}]
standards_config = {
aws_foundational_security_best_practices = {
enable = true
status = "ENABLED"
}
cis_aws_foundations_benchmark_v120 = {
enable = false
}
cis_aws_foundations_benchmark_v140 = {
enable = true
status = "ENABLED"
}
nist_sp_800_53_rev5 = {
enable = false
}
pci_dss = {
enable = false
}
}
action_target = [{
name = "Send to Amazon SNS"
identifier = "SendToSNS"
description = "This is a custom action to send findings to SNS Topic"
}]
}
resource "aws_securityhub_standards_control" "ensure_iam_password_policy_prevents_password_reuse" {
standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/cis-aws-foundations-benchmark/v/1.4.0/1.10"
control_status = "DISABLED"
disabled_reason = "Password policies are managed by external resource"
depends_on = [module.security_hub]
}
resource "aws_securityhub_insight" "this" {
filters {
created_at {
date_range {
unit = "DAYS"
value = 7
}
}
network_source_ipv4 {
cidr = "10.0.0.0/16"
}
criticality {
gte = "80"
}
resource_tags {
comparison = "EQUALS"
key = "Environment"
value = "Development"
}
}
group_by_attribute = "AwsAccountId"
name = "insight"
depends_on = [module.standalone_security_hub]
}
Organizations
module "delegated_admin" {
source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_admin/"
admin_account_id = data.aws_caller_identity.current.account_id
auto_enable_standards = "DEFAULT"
depends_on = [module.security_hub]
}
module "member_account" {
source = "aws-ia/terraform-aws-security-hub/aws//modules/organizations_member/"
providers = {
aws = aws
aws.member = aws.member
}
member_config = [{
account_id = "281190191734"
email = "required@example.com"
invite = false
}]
depends_on = [module.security_hub]
}
module "security_hub" {
source = "aws-ia/terraform-aws-security-hub"
enable_default_standards = false
control_finding_generator = "STANDARD_CONTROL"
auto_enable_controls = true
product_config = [{
enable = true
arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}]
standards_config = {
aws_foundational_security_best_practices = {
enable = true
status = "ENABLED"
}
cis_aws_foundations_benchmark_v120 = {
enable = false
}
cis_aws_foundations_benchmark_v140 = {
enable = true
status = "ENABLED"
}
nist_sp_800_53_rev5 = {
enable = false
}
pci_dss = {
enable = false
}
}
action_target = [{
name = "Send to Amazon SNS"
identifier = "SendToSNS"
description = "This is a custom action to send findings to SNS Topic"
}]
}
resource "aws_securityhub_insight" "this" {
filters {
aws_account_id {
comparison = "EQUALS"
value = "123456789012"
}
aws_account_id {
comparison = "EQUALS"
value = "098765432109"
}
created_at {
date_range {
unit = "DAYS"
value = 7
}
}
network_source_ipv4 {
cidr = "10.0.0.0/16"
}
criticality {
gte = "80"
}
resource_tags {
comparison = "EQUALS"
key = "Environment"
value = "Development"
}
}
group_by_attribute = "AwsAccountId"
name = "insight-per-account-id"
depends_on = [module.security_hub]
}
Overview Diagrams
Standalone
Organizations
Terraform Module
Requirements
Providers
Name |
Version |
aws |
>= 4.47 |
time |
>= 0.9 |
Modules
No modules.
Resources
Inputs
Name |
Description |
Type |
Default |
Required |
action_target |
Creates Security Hub custom action. name - The description for the custom action target. identifier - The ID for the custom action target. description - The name of the custom action target. |
list(object({ name = string identifier = string description = string })) |
[] |
no |
auto_enable_controls |
Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to true, and new controls are enabled automatically. To not automatically enable new controls, set this to false. |
bool |
true |
no |
control_finding_generator |
Updates whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. For accounts that are part of an organization, this value can only be updated in the administrator account. |
string |
"STANDARD_CONTROL" |
no |
enable_default_standards |
Whether to enable the security standards that Security Hub has designated as automatically enabled including: AWS Foundational Security Best Practices v1.0.0 and CIS AWS Foundations Benchmark v1.2.0. Defaults to true . |
bool |
true |
no |
linking_mode |
Indicates whether to aggregate findings from all of the available Regions or from a specified list. The options are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS. When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security Hub will automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. |
string |
"ALL_REGIONS" |
no |
product_config |
The ARN of the product that generates findings that you want to import into Security Hub. |
list(object({ enable = bool arn = string })) |
null |
no |
specified_regions |
List of regions to include or exclude (required if linking_mode is set to ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS) |
list(string) |
null |
no |
standards_config |
aws_foundational_security_best_practices - AWS Foundational Security Best Practices cis_aws_foundations_benchmark_v120 - CIS AWS Foundations Benchmark v1.2.0 cis_aws_foundations_benchmark_v140 - CIS AWS Foundations Benchmark v1.4.0 nist_sp_800_53_rev5 - NIST SP 800-53 Rev. 5 pci_dss - PCI DSS |
object({ aws_foundational_security_best_practices = object({ enable = bool status = optional(string) disabled_reason = optional(string) }) cis_aws_foundations_benchmark_v120 = object({ enable = bool status = optional(string) disabled_reason = optional(string) }) cis_aws_foundations_benchmark_v140 = object({ enable = bool status = optional(string) disabled_reason = optional(string) }) nist_sp_800_53_rev5 = object({ enable = bool status = optional(string) disabled_reason = optional(string) }) pci_dss = object({ enable = bool status = optional(string) disabled_reason = optional(string) }) }) |
{ "aws_foundational_security_best_practices": { "enable": true, "status": "ENABLED" }, "cis_aws_foundations_benchmark_v120": { "enable": true, "status": "ENABLED" }, "cis_aws_foundations_benchmark_v140": { "enable": false }, "nist_sp_800_53_rev5": { "enable": false }, "pci_dss": { "enable": false } } |
no |
Outputs