feature: control the AWS Security Hub standards in member accounts

schubergphilis · Jul 25, 2023 · 20d06af · 20d06af
1 parent b64e63a
commit 20d06af
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,16 @@ aws_config = {
 }
 ```
 
+## AWS Security Hub
+
+This module enables the following standards by default:
+
+- `AWS Foundational Security Best Practices v1.0.0`
+- `CIS AWS Foundations Benchmark v1.4.0`
+- `PCI DSS v3.2.1`
+
+You are able to control the enabled standards via `var.aws_security_hub_standards_arns`.
+
 ## Monitoring IAM Activity
 
 This module offers the capability of monitoring IAM activity of both the Root user and AWS SSO roles. To enable this feature, you have to provide the ARN of the SNS Topic that should receive events in case any activity is detected.

diff --git a/data.tf b/data.tf
@@ -2,3 +2,5 @@ data "aws_cloudwatch_log_group" "cloudtrail" {
   count = var.monitor_iam_activity_sso ? 1 : 0
   name  = "aws-controltower/CloudTrailLogs"
 }
+
+data "aws_region" "current" {}
diff --git a/locals.tf b/locals.tf
@@ -16,4 +16,12 @@ locals {
       SSO = "{ $.readOnly IS FALSE  && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\" }"
     } : {}
   )
+
+  security_hub_standards_arns_default = [
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
+  ]
+
+  security_hub_standards_arns = var.aws_security_hub_standards_arns != null ? var.aws_security_hub_standards_arns : local.security_hub_standards_arns_default
 }
diff --git a/main.tf b/main.tf
@@ -54,3 +54,9 @@ resource "aws_iam_account_password_policy" "default" {
   require_symbols                = var.account_password_policy.require_symbols
   require_uppercase_characters   = var.account_password_policy.require_uppercase_characters
 }
+
+resource "aws_securityhub_standards_subscription" "default" {
+  for_each = toset(local.security_hub_standards_arns)
+
+  standards_arn = each.value
+}
diff --git a/variables.tf b/variables.tf
@@ -49,6 +49,12 @@ variable "aws_kms_key_arn" {
   description = "The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volumes"
 }
 
+variable "aws_security_hub_standards_arns" {
+  type        = list(string)
+  default     = null
+  description = "A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled"
+}
+
 variable "monitor_iam_activity_sns_topic_arn" {
   type        = string
   default     = null