secure-brigade-terraform

AWS Terraform files used in Secure Brigade

Manual Configuration

• MFA Root Accounts
• Enable accessing IAM User/Role to Billing Info in each account
• AWS SSO settings
• Terraform Backend S3 & its KMS key

TODO

priority

• vpc flowlog
• cloudtrail to azure sentinel
• github action as CI and codepipeline as CD

In General

• Fix warnings raised by AWS Configs in ap-northeast-1
• Fix warnings raised by AWS Configs in all regions Everything is aggregated in ap-northeast-1 of master account
• Split repository based on the domain (like development lifecycle)
  • ex: central-mgt-security, service env, compliance...
• Makefile
• Make Modules for common settings (refer to s3, and kms section)

Initial Configs

• CloudTrail
• GuardDuty
• Config
  • The above script misses enabling aws config in some aws accounts and region
• SecurityHub
• Trusted Advisor
• Flow Log <- requires some effort. Flow log itself does not support cross-account logging and s3 storing
• Inspector

Organization

• AWS Health
• Disable IAM User and Role Access to Billing Information in child accounts <- not required because organization handles it automatically
• Other settings (listed in IAM section)

Cloud Trail

• Enable CloudTail Insights w/ PR
• Fix S3 replication settings from cloudtrail bucket in compliance account <- removed from backlog.

Config

• Aggregate all ConfigHistory/ConfigSnapshot S3 bucket to shared-resources account (set lifecycle)
• Turn on configuration stream (SNS topic)

Route53

• Simplify DNS management in a multi-account environment with Route 53 Resolver

S3

• Centralize or Replicate config-bucket to one place and set lifecycle
• Create module to implement various default settings

IAM

• Change SSO policies so that AdministrativeAccount won't be able to modify billing settings
• Set Alarm/Log for root account usage (based on CIS Benchmark)
• Set IAM password Policies
• How to use service control policies to set permission guardrails across accounts in your AWS Organization
• Set up iam role so that terraform operation can assume role in cross account environment
• IAM to prohibit EC2 instances only use IMDSv2
• ABAC Configs using AWS SSO & Session tags
• tag sessions
• tag policies
• rds with iam
• Netflix's credential compromise detection
• IAM Permission boundary <- tried, but couldn't come out of the good use cases.
• alb oidc
• org role restriction
• Access Analyze
• S3 Access Points
• Monitor unused IAM roles with AWS Config

KMS

• digital signature
• Create module to implement various default settings

CodePipeline

• How to use CI/CD to deploy and configure AWS security services with Terraform
  

API Gateway

• JWT Authorizers

SSM

• Patch Manager
• Session Manager
• Difference between Secret Manager

Response

• diffy

EC2

• AWS Backup