aws-samples / aws-control-tower-controls-terraform

This repository describes how to use AWS Control Tower controls, HashiCorp Terraform, and infrastructure as code (IaC) to implement and administer preventive, detective, and proactive security controls. A control (also known as a guardrail) is a high-level rule that provides ongoing governance for your overall AWS Control Tower environment.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.html
MIT No Attribution

Proactive control #1

Open Galvin-wjw opened 1 year ago

Galvin-wjw commented 1 year ago

For the proactive control, CT.CLOUDFORMATION.PR.1 is the prerequisite.

But when I configure tfvars like the below:

```hcl
{
  control_names = [
    "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED",
    "VQJENYWQLIKN", // prerequisite control CT.CLOUDFORMATION.PR.1
    "LZMEYSKSQSYC"  // CT.EC2.PR.3: Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443
  ],
  organizational_unit_ids = ["ou-XXX"],
}
```

Terraform apply also returns:

```
ValidationException: AWS Control Tower cannot enable the control CT.EC2.PR.3 on ou-xXX, because the prerequisite control CT.CLOUDFORMATION.PR.1 is not enabled for this OU.
```

I need to apply again to complete the configuration. Is it possible to add some process to handle this situation?

Maybe add the prerequisite before the guardrails creation:

```hcl
resource "aws_controltower_control" "guardrails"
```
ikerei commented 1 year ago

Hi @Galvin-wjw, thank you for raising the ticket. Currently this option is not supported. For the use of proactive controls it is required to apply the implementation of the CT.CLOUDFORMATION.PR.1 prerequisite before deploying the CTC module. This can be done in several ways, for example using the Console or the API, with the CTC tool deployed in a previous step of the CI/CD pipeline. We are working on the new feature to add this optional prerequisite in the module's configuration. Additional information on this prerequisite is in the AWS documentation: https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html.
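For reference, the ordering the issue asks for can be expressed directly with the AWS provider's `aws_controltower_control` resource and `depends_on`, so the prerequisite is enabled on the OU before the dependent proactive controls in a single apply. This is an added example and not the CTC module's code; it assumes `us-east-1` as the Control Tower home region and uses a placeholder OU ARN. The control identifiers `VQJENYWQLIKN` (CT.CLOUDFORMATION.PR.1) and `LZMEYSKSQSYC` (CT.EC2.PR.3) are the ones quoted in the issue.

```hcl
# Added example (not part of the aws-control-tower-controls-terraform module).
# Assumptions: home region us-east-1; the OU ARN below is a placeholder.
locals {
  home_region = "us-east-1"
  ou_arn      = "arn:aws:organizations::111111111111:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxx" # placeholder

  # Prerequisite for every proactive control (identifier from the issue).
  prerequisite_control = "VQJENYWQLIKN" # CT.CLOUDFORMATION.PR.1

  # Proactive controls that must only be enabled after the prerequisite.
  proactive_controls = {
    "CT.EC2.PR.3" = "LZMEYSKSQSYC"
  }

  # Preventive controls without a prerequisite; these can be enabled in parallel.
  preventive_controls = {
    "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED" = "AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED"
  }
}

# Step 1: enable the prerequisite on the OU. The provider waits for the
# Control Tower operation to finish before this resource is considered created.
resource "aws_controltower_control" "prerequisite" {
  control_identifier = "arn:aws:controltower:${local.home_region}::control/${local.prerequisite_control}"
  target_identifier  = local.ou_arn
}

# Step 2: proactive controls are only created once step 1 has completed,
# which avoids the ValidationException shown in the issue.
resource "aws_controltower_control" "proactive" {
  for_each = local.proactive_controls

  control_identifier = "arn:aws:controltower:${local.home_region}::control/${each.value}"
  target_identifier  = local.ou_arn

  depends_on = [aws_controltower_control.prerequisite]
}

# Preventive controls have no ordering constraint relative to the prerequisite.
resource "aws_controltower_control" "preventive" {
  for_each = local.preventive_controls

  control_identifier = "arn:aws:controltower:${local.home_region}::control/${each.value}"
  target_identifier  = local.ou_arn
}
```

Enabling a control on an OU is asynchronous in Control Tower, so `terraform plan` will not surface the prerequisite error; it only appears at apply time, which is why the explicit `depends_on` matters.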