GitHub - fraudnet/terraform-aws-config: Enables AWS Config and adds managed config rules with good defaults.

Enables AWS Config and adds managed config rules with good defaults.

The following AWS Config Rules are supported:

acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
cloudtrail-enabled: Ensure CloudTrail is enabled.
ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances
guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
instances-in-vpc: Ensure all EC2 instances run in a VPC.
root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.

Usage

module "aws_config" {
  source             = "trussworks/config/aws"
  config_logs_bucket = "my-aws-logs"
}

Name	Description	Type	Default	Required
acm_days_to_expiration	Specify the number of days before the rule flags the ACM Certificate as noncompliant.	string	`"14"`	no
check_guard_duty	Enable guardduty-enabled-centralized rule	string	`"false"`	no
check_rds_public_access	Enable rds-instance-public-access-check rule	string	`"false"`	no
config_delivery_frequency	The frequency with which AWS Config delivers configuration snapshots.	string	`"Six_Hours"`	no
config_logs_bucket	The S3 bucket for AWS Config logs.	string	n/a	yes
config_logs_prefix	The S3 prefix for AWS Config logs.	string	`"config"`	no
config_max_execution_frequency	The maximum frequency with which AWS Config runs evaluations for a rule.	string	`"TwentyFour_Hours"`	no
password_max_age	Number of days before password expiration.	string	`"90"`	no
password_min_length	Password minimum length.	string	`"14"`	no
password_require_lowercase	Require at least one lowercase character in password.	string	`"true"`	no
password_require_numbers	Require at least one number in password.	string	`"true"`	no
password_require_symbols	Require at least one symbol in password.	string	`"true"`	no
password_require_uppercase	Require at least one uppercase character in password.	string	`"true"`	no
password_reuse_prevention	Number of passwords before allowing reuse.	string	`"24"`	no

Name		Name	Last commit message	Last commit date
Latest commit History 61 Commits
.circleci		.circleci
automations		automations
config-policies		config-policies
iam-policies		iam-policies
.markdownlintrc		.markdownlintrc
.pre-commit-config.yaml		.pre-commit-config.yaml
LICENSE		LICENSE
README.md		README.md
catalog-info.yaml		catalog-info.yaml
compass.yml		compass.yml
config-rules.tf		config-rules.tf
config-service.tf		config-service.tf
iam.tf		iam.tf
main.tf		main.tf
s3-lifecycle.tf		s3-lifecycle.tf
s3-tags.tf		s3-tags.tf
variables.tf		variables.tf
versions.tf		versions.tf