This module configures Cloud Security Posture Management (CSPM) in support of the DoD Zero Trust strategy. The design relies on the AWS Control Tower Landing Zone baseline version 3.3 as a starting point. Additional services are delegated, activated, and configured across the entire AWS Organization including:
- GuardDuty
- Detective
- Inspector
- Security Hub
- Config
- CloudTrail
- IAM Identity Center
AWS Security Services Best Practices serves as a guide for the default configuration. Configurations for non-security services like AWS Config are also included to ensure compliance with the DoD Zero Trust strategy.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. GuardDuty is enabled in all accounts in the AWS Organization. The audit account is the master account for GuardDuty. Member accounts are enabled and configured to send findings to the master account.
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.
Amazon Inspector is a vulnerability management service that continuously monitors your AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers and scans running Amazon EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions.
AWS Security Hub provides you with a comprehensive view of your security state within AWS and helps you check your environment against security industry standards and best practices. Security Hub is enabled in all accounts in the AWS Organization. The audit account is the master account for Security Hub. Member accounts are enabled and configured to send findings to the master account.
AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time. AWS Config resources provisioned by AWS Control Tower are tagged automatically with the key `aws-control-tower` and the value `managed-by-control-tower`.
AWS Control Tower configures AWS CloudTrail to enable centralized logging and auditing for all accounts. With CloudTrail, the management account can review administrative actions and lifecycle events for member accounts.
AWS Control Tower configures IAM Identity Center to provide a centralized view of identity and access management (IAM) activity across all accounts in the AWS Organization. IAM Identity Center provides a single location to view and manage IAM activity, including changes to IAM policies, roles, and users.
In GovCloud, create and add accounts to the AWS Organization. The accounts do not need to be placed into Organizational Units (OUs) ahead of time. Control Tower will place the log archive and audit accounts into the proper OUs. We recommend moving the hub-and-spoke account to the Sandbox OU after the module has finished provisioning. You may wish to create additional OUs such as Production or Development to suit your specific needs. These OUs will inherit the baseline guardrails applied at the root of the Organization. The minimum accounts you need to create are:
- Management
- Hub-and-spoke
- Log archive
- Audit
Note: Enabling member accounts is not retroactive, so you must enable them manually.
- Log in to the audit account
- Navigate to Accounts in the left-hand pane
- Verify that the Status column shows Enabled for every account
- If not, select the checkbox next to each account, click Actions, then click Add member
Note: Enabling member accounts is not retroactive, so you must enable them manually.
- Log in to the audit account
- Navigate to Settings -> Account management in the left-hand pane
- Verify that the Status column shows Enabled for all member accounts
- If not, simply click the Enable all accounts button
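The two verification procedures above (GuardDuty member status and Security Hub member status) can be scripted so the check is repeatable after every new account is added. The following is an added example, not part of this module: it compares the Organization's active accounts against the member lists reported by the delegated administrator (the audit account) and lists any account that is not in the Enabled state. The pure functions operate on dicts shaped like the boto3 responses for `organizations.list_accounts`, `guardduty.list_members` and `securityhub.list_members`; the sample data is constructed, and `live_report` is the optional wrapper that fetches real data (it assumes boto3 and read-only credentials in the audit account, and that the account is allowed to call `organizations:ListAccounts`, which Organizations permits for the management account and for delegated administrators).

```python
"""Added example: report Organization accounts that are not Enabled members of
the delegated GuardDuty / Security Hub administrator. Not part of this module."""
from typing import Dict, Iterable, List, Tuple


def enabled_member_ids(members: Iterable[dict], status_key: str) -> set:
    """Return account IDs whose membership status is 'Enabled'.

    GuardDuty reports the status under 'RelationshipStatus'; Security Hub
    reports it under 'MemberStatus'. The caller passes the right key."""
    return {m["AccountId"] for m in members if m.get(status_key) == "Enabled"}


def unenrolled_accounts(org_accounts: Iterable[dict], members: Iterable[dict],
                        status_key: str, admin_account_id: str) -> List[Tuple[str, str]]:
    """Return (id, name) for every ACTIVE Organization account that is not an
    Enabled member. The delegated administrator is never a member of its own
    detector/hub, so it is skipped; suspended or closing accounts are ignored."""
    enabled = enabled_member_ids(members, status_key)
    return [
        (a["Id"], a["Name"])
        for a in org_accounts
        if a.get("Status") == "ACTIVE"
        and a["Id"] != admin_account_id
        and a["Id"] not in enabled
    ]


def report(org_accounts, gd_members, sh_members, admin_account_id) -> Dict[str, List[Tuple[str, str]]]:
    """Run the check for both services and return the gaps per service."""
    return {
        "guardduty": unenrolled_accounts(org_accounts, gd_members, "RelationshipStatus", admin_account_id),
        "securityhub": unenrolled_accounts(org_accounts, sh_members, "MemberStatus", admin_account_id),
    }


# Constructed sample data shaped like the boto3 responses (account IDs mirror
# the placeholder IDs used in this module's account_id_map example).
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "hubandspoke", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "log", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "audit", "Status": "ACTIVE"},
    {"Id": "555555555555", "Name": "closed", "Status": "SUSPENDED"},
]
SAMPLE_GD_MEMBERS = [
    {"AccountId": "111111111111", "RelationshipStatus": "Enabled"},
    {"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
    {"AccountId": "333333333333", "RelationshipStatus": "Created"},  # added, never enabled
]
SAMPLE_SH_MEMBERS = [
    {"AccountId": "111111111111", "MemberStatus": "Enabled"},
    {"AccountId": "222222222222", "MemberStatus": "Enabled"},
    {"AccountId": "333333333333", "MemberStatus": "Enabled"},
]


def live_report(admin_account_id: str, region: str = "us-gov-west-1") -> Dict[str, List[Tuple[str, str]]]:
    """Same check against the real APIs. Assumes boto3 is installed and the
    caller holds read-only credentials in the audit (delegated admin) account."""
    import boto3  # imported here so the pure functions above run without it

    org = boto3.client("organizations", region_name=region)
    accounts = [a for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]

    gd = boto3.client("guardduty", region_name=region)
    detector_id = gd.list_detectors()["DetectorIds"][0]  # one detector per region
    gd_members = [m for page in gd.get_paginator("list_members").paginate(DetectorId=detector_id)
                  for m in page["Members"]]

    sh = boto3.client("securityhub", region_name=region)
    # OnlyAssociated=False so accounts that are added but not Enabled are returned too
    sh_members = [m for page in sh.get_paginator("list_members").paginate(OnlyAssociated=False)
                  for m in page["Members"]]
    return report(accounts, gd_members, sh_members, admin_account_id)


if __name__ == "__main__":
    gaps = report(SAMPLE_ORG_ACCOUNTS, SAMPLE_GD_MEMBERS, SAMPLE_SH_MEMBERS, "444444444444")
    for service, missing in gaps.items():
        print(f"{service}: not enabled -> {missing or 'none'}")
```

Run the module directly to see the check against the sample data (the log account shows up as a GuardDuty gap because its relationship status is `Created`, not `Enabled`); call `live_report("<audit-account-id>")` from the audit account to check a real Organization. A non-empty list for either service means the corresponding console step above still needs to be performed for that account.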
No action required.
No action required.
If in the future you need to enroll/onboard new accounts to Control Tower, see these references for more information:
- Enroll an existing AWS account | AWS Docs
- Field Notes: Enroll Existing AWS Accounts into AWS Control Tower | AWS Blogs
No action required.
Insight categories for Critical and High findings are automatically configured. Depending on your specific security posture you may wish to fine tune the Security Standard controls to reduce noise.
No action required.
No action required.
No action required.
Control Tower applies a basic configuration for IAM Identity Center in the management account. We choose not to delegate administration of IAM Identity Center to another account, instead leaving it in the management account. This is because the management account is the root account and has the highest level of permissions. We recommend that you do not delegate IAM Identity Center to another account unless you have a specific use case that requires it.
Customizations to IAM Identity Center such as transitioning to an external identity provider may be applied separately. See the AWS docs for more information.
| Name | Version |
|---|---|
| terraform | >= 1.8.0 |
| aws | >= 5.0.0 |
| random | >= 3.1.0 |

| Name | Version |
|---|---|
| aws.audit | >= 5.0.0 |
| aws.hubandspoke | >= 5.0.0 |
| aws.log | >= 5.0.0 |
| aws.management | >= 5.0.0 |

| Name | Source | Version |
|---|---|---|
| central_bucket | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_anfw_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_lb_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_org_cloudtrail_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_org_config_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_server_access_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_vpc_flow_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |
| s3_waf_logs | terraform-aws-modules/s3-bucket/aws | ~> 4.3 |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_id_map | Mapping of account names to GovCloud account IDs. Update the example account IDs to suit your environment. Account descriptions: `management` = AWS Management account, usually the first account created; `hubandspoke` = AWS Hub-and-Spoke account, created manually; `log` = AWS Log Archive account, to be enrolled in AWS Control Tower; `audit` = AWS Audit account, to be enrolled in AWS Control Tower. Example: `{ "management" = "111111111111", "hubandspoke" = "222222222222", "log" = "333333333333", "audit" = "444444444444" }` | `map(string)` | n/a | yes |
| aws_organization_id | ID of the existing AWS GovCloud Organization. | `string` | n/a | yes |
| aws_region | Home region for the Control Tower Landing Zone and the Terraform backend state. | `string` | `"us-gov-west-1"` | no |
| central_bucket_name_prefix | Name prefix for the S3 bucket in the log account where logs are aggregated for all accounts. | `string` | `"org-central-logs"` | no |
| identifier | Name of the project or application. | `string` | `"demo"` | no |
| key_admin_arns | List of ARNs for additional key administrators who can manage keys in the log archive account. | `list(string)` | `[]` | no |

| Name | Description |
|---|---|
| central_bucket_arn | n/a |
| central_bucket_kms_key_arn | n/a |