Terraform module to setup and manage various components of the SBP AWS Landing Zone.
Overview of Landing Zone tools & services:
The SBP AWS Landing Zone consists of 3 repositories:
- MCAF Landing Zone module (current repository): the foundation of the Landing Zone and manages the 3 core accounts: audit, logging, management
- MCAF Account Vending Machine (AVM) module: providing an AWS AVM. This module sets up an AWS account with one or more Terraform Cloud/Enterprise (TFE) workspace(s) backed by a VCS project
- MCAF Account Baseline module: optional module providing baseline configuration for AWS accounts
Important
Before deploying this module, ensure the following pre-requisites are met:
- AWS Control Tower is deployed in the
core-management
account. - AWS Control Tower governed regions include at least
us-east-1
(and your designated home region).
Refer to examples/basic for an example of minimal setup.
Home Region
The mandatory regions.home_region
variable specifies the AWS Control Tower home region. This must match the region defined in your AWS provider that deploys this module.
To find your home region:
- Log in to the core-management account.
- Navigate to AWS Control Tower → Landing Zone Settings.
- The home region is listed under Home Region.
Linked Regions
The optional regions.linked_regions
variable defines the AWS Control Tower governed regions. This module ensures proper configuration of AWS Security Hub and AWS Config for all specified linked regions to collect data from them.
To find your linked regions:
- Log in to the core-management account.
- Navigate to AWS Control Tower → Landing Zone Settings.
- Linked regions are listed under Landing Zone Regions.
Note: By default, us-east-1
is included as a linked region to ensure data collection from global services. To restrict deployment of non-global resources in this region, use the allowed_regions
functionality described in the section below.
Important
All specified linked regions need to be an AWS Control Tower governed region. This ensures that an AWS Config recorder is enabled by AWS Control Tower in all governed regions. AWS Security Hub will only function correctly if an AWS Config recorder exists in all linked regions.
Allowed Regions
The optional regions.allowed_regions
variable defines the allowed regions within your AWS Organization. This triggers the deployment of a Service Control Policy (SCP), which is attached to the root of your AWS Organization.
Scenario 1: Home region only (no deployment in other regions)
- Home region:
eu-central-1
- Requirement: Prevent deployment in all other regions.
You need to configure the regions
variable as follows:
regions = {
allowed_regions = ["eu-central-1"]
home_region = "eu-central-1"
}
Note: Ensure that us-east-1
is included as a governed region in AWS Control Tower since the linked_region
variable defaults to this value.
Scenario 2: Home region with additional governed regions
- Home region:
eu-central-1
- Requirement: Also allow deploying resources in
eu-west-1
.
You need to configure the regions
variable as follows:
regions = {
allowed_regions = ["eu-central-1", "eu-west-1]
home_region = "eu-central-1"
linked_regions = ["eu-west-1", "us-east-1"]
}
Setting the ses_root_accounts_mail_forward
variable creates the necessary AWS Simple Email Service (SES) resources to accept mail sent to an AWS hosted domain and forward it to an external recipient or recipients. This can be used to enable secure mailboxes/IT service catalog aliases for all root accounts. Emails are received via AWS SES and forwarded to an email forwarder lambda which sends the email to the destination email server as specified in the recipient_mapping
variable of ses_root_accounts_mail_forward
.
Before setting the ses_root_accounts_mail_forward
variable, make sure that an AWS Route53 hosted zone is created. For example aws.yourcompany.com. Pass this domain using the domain
variable of ses_root_accounts_mail_forward
.
Example:
ses_root_accounts_mail_forward = {
domain = "aws.yourcompany.com"
from_email = "[email protected]"
recipient_mapping = {
"[email protected]" = [
"[email protected]"
]
}
}
By default, you have to create the email addresses for the accounts created using the MCAF Account Vending Machine (AVM) module yourself. Using this functionality you can pass aliases of the mailbox created. E.g. root+<account-name>@aws.yourcompany.com.
By default, all CloudTrail logs will be stored in a S3 bucket in the logging
account of your AWS Organization. However, this module also supports creating an additional CloudTrail configuration to publish logs to any S3 bucket chosen by you. This trail will be set at the Organization level, meaning that logs from all accounts will be published to the provided bucket.
NOTE: Before enabling this feature, make sure that the bucket policy authorizing CloudTrail to deliver logs is in place and that you have enabled trusted access between AWS Organizations and CloudTrail. If these two steps are not in place, Terraform will fail to create the trail.
Example:
additional_auditing_trail = {
name = "additional_auditing_trail"
bucket = "bucket_name"
}
This module provisions by default a set of basic AWS Config Rules. In order to add extra rules, a list of rule identifiers can be passed via the variable aws_config.rule_identifiers
.
If you would like to authorize other accounts to aggregate AWS Config data, the account IDs can also be passed via the variable aws_config.aggregator_account_ids
.
NOTE: This module already authorizes the audit
account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit
account ID in the aggregator_account_ids
list.
Example:
aws_config = {
aggregator_account_ids = ["123456789012"]
rule_identifiers = ["ACCESS_KEYS_ROTATED", "ALB_WAF_ENABLED"]
}
This module supports enabling GuardDuty at the organization level which means that all new accounts that are created in, or added to, the organization are added as member accounts to the audit
account GuardDuty detector.
The feature can be controlled via the aws_guardduty
variable and is enabled by default.
Note: In case you are migrating an existing AWS organization to this module, all existing accounts except for the management
and logging
accounts have to be enabled like explained here.
The module creates 3 AWS KMS keys, one for the management account, one for the audit account, and one for the log archive account. We recommend to further scope down the AWS KMS key policy in the management account by providing a secure policy using kms_key_policy
. The default policy "Base Permissions" can be overwritten and should be limited to the root account only, for example by using the statement below:
statement {
sid = "Base Permissions"
actions = ["kms:*"]
effect = "Allow"
resources = ["*"]
condition {
test = "StringEquals"
variable = "aws:PrincipalType"
values = ["Account"]
}
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"
]
}
}
Note that you have to add additional policies allowing for example access to the pipeline user or role. Only applying this policy will result in a The new key policy will not allow you to update the key policy in the future
exception.
This module supports enabling Security Hub at an organization level, meaning all accounts that are created in or enrolled to the organization will be added as member accounts to the audit
account Security Hub delegated administrator.
The feature can be controlled via the aws_security_hub
variable and is enabled by default.
Note: by default auto-enable default standards
has been turned off since the default standards are not updated regularly enough. At time of writing only the AWS Foundational Security Best Practices v1.0.0 standard
and the CIS AWS Foundations Benchmark v1.2.0 standard
are enabled by by default while this module enables the following standards:
AWS Foundational Security Best Practices v1.0.0
CIS AWS Foundations Benchmark v1.4.0
PCI DSS v3.2.1
The enabling of the standards in all member account is controlled via mcaf-account-baseline.
This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.
This feature can be controlled via the aws_sso_permission_sets
variable by passing a map (key-value pair) where every key corresponds to an AWS SSO Permission Set name and the value follows the structure below:
assignments
: list of maps (key-value pair) of AWS Account IDs as keys and a list of AWS SSO Group names that should have access to the account using the permission set definedinline_policy
: valid IAM policy in JSON format (maximum length of 10240 characters)managed_policy_arns
: list of strings that contain the ARN's of the managed policies that should be attached to the permission setsession_duration
: length of time in the ISO-8601 standard
Example:
aws_sso_permission_sets = {
PlatformAdmin = {
inline_policy = file("${path.module}/template_files/sso/platform_admin.json")
session_duration = "PT2H"
managed_policy_arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
assignments = [
{
for account in [ 123456789012, 012456789012 ] : account => [
okta_group.aws["AWSPlatformAdmins"].name
]
},
{
for account in [ 925556789012 ] : account => [
okta_group.aws["AWSPlatformUsers"].name
]
}
]
}
PlatformUser = {
session_duration = "PT12H"
managed_policy_arns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSSupportAccess"
]
assignments = [
{
for account in [ 123456789012, 012456789012 ] : account => [
okta_group.aws["AWSPlatformAdmins"].name,
okta_group.aws["AWSPlatformUsers"].name
]
}
]
inline_policy = jsonencode(
{
Version = "2012-10-17",
Statement = concat(
[
{
Effect = "Allow",
Action = "support:*",
Resource = "*"
}
],
jsondecode(data.aws_iam_policy.lambda_readonly.policy).Statement
)
}
)
}
}
This module supports an optional Datadog-AWS integration. This integration makes it easier for you to forward metrics and logs from your AWS account to Datadog.
In order to enable the integration, you can pass an object to the variable datadog
containing the following attributes:
api_key
: sets the Datadog API keyenable_integration
: set totrue
to configure the Datadog AWS integrationinstall_log_forwarder
: set totrue
to install the Datadog Forwarder
In case you don't want to use the integration, you can configure the Datadog provider like in the example below:
provider "datadog" {
validate = false
}
This should prevent the provider from asking you for a Datadog API Key and allow the module to be provisioned without the integration resources.
By default, this module monitors and notifies activities performed by the root
user of all core accounts and AWS SSO Roles. All notifications will be sent to the SNS Topic LandingZone-IAMActivity
in the audit
account.
These are the type of events that will be monitored:
- Any activity made by the root user of the account.
- Any manual changes made by AWS SSO roles (read-only operations and console logins are not taken into account).
In case you would like to disable this functionality, you can set the variable monitor_iam_activity
to false
.
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. See this page for an introduction to SCPs and the value they add.
This module allows using various SCPs as described below. We try to adhere to best practices of not attaching SCPs to the root of the organization when possible; in the event you need to pass a list of OU names, be sure to have the exact name as the matching is case sensitive.
Enabling this SCP removes a member account's ability to disable Security Hub.
This is SCP is enabled by default, but can be disabled by setting aws_deny_disabling_security_hub
attribute to false
in aws_service_control_policies
.
Example:
aws_service_control_policies = {
aws_deny_disabling_security_hub = false
}
Enabling this SCP removes a member account's ability to leave the AWS organization.
This is SCP is enabled by default, but can be disabled by setting aws_deny_leaving_org
attribute to false
in aws_service_control_policies
.
Example:
aws_service_control_policies = {
aws_deny_leaving_org = false
}
By default, all EC2s still allow access to the original metadata service, which means that if an attacker finds an EC2 running a proxy or WAF, or finds and SSRF vulnerability, they likely can steal the IAM role of the EC2. By enforcing IMDSv2, you can mitigate that risk. Be aware that this potentially could break some applications that have not yet been updated to work with the new IMDSv2.
This is SCP is enabled by default, but can be disabled by setting aws_require_imdsv2
attribute to false
in aws_service_control_policies
.
Example:
aws_service_control_policies = {
aws_require_imdsv2 = false
}
See the section Specifying the correct regions
.
If you would like to restrict the root user's ability to log into accounts in an OU, you can pass a list of OU names to the aws_deny_root_user_ous
attribute in aws_service_control_policies
.
Example showing SCP applied to all OUs except the Root OU:
data "aws_organizations_organization" "default" {}
data "aws_organizations_organizational_units" "default" {
parent_id = data.aws_organizations_organization.default.roots[0].id
}
module "landing_zone" {
...
aws_service_control_policies {
aws_deny_root_user_ous = [
for ou in data.aws_organizations_organizational_units.default.children : ou.name if ou.name != "Root"
]
}
In case you would like to exempt specific IAM entities from the region restriction, leave the AWS organization and from the ability to disable Security Hub SCP's, you can pass a list of ARN patterns using the principal_exceptions
attribute in aws_service_control_policies
. This can be useful for roles used by AWS ControlTower, for example.
Example:
aws_service_control_policies = {
principal_exceptions = ["arn:aws:iam::*:role/RoleAllowedToBypassRestrictions"]
}
Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. See this page for an introduction to tag policies and the value they add.
To create a tag policy, set the aws_required_tags
variable using a map of OU names and their tag policies. To enforce a tag for all services and resource types that support enforcement, set enforced_for
to ["all"]
.
Please note the OU path key is case sensitive and tag policies will be created per tag key.
Example:
module "landing_zone" {
...
aws_required_tags = {
"Root/Environments/Production" = [
{
name = "Tag1"
values = ["A", "B"]
enforced_for = ["all"]
}
]
"Root/Environments/Non-Production" = [
{
name = "Tag2"
enforced_for = ["secretsmanager:*"]
}
]
}
}
Topic Name | Variable | Content |
---|---|---|
aws-controltower-AggregateSecurityNotifications |
aws_config_sns_subscription |
Aggregated AWS Config notifications |
LandingZone-SecurityHubFindings |
aws_security_hub_sns_subscription |
Aggregated Security Hub findings |
LandingZone-IAMActivity |
monitor_iam_activity_sns_subscription |
IAM activity findings |
Example for https protocol and specified webhook endpoint:
module "landing_zone" {
...
aws_config_sns_subscription = {
endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
protocol = "https"
}
}
Name | Version |
---|---|
terraform | >= 1.6 |
aws | >= 5.54.0 |
datadog | > 3.0.0 |
mcaf | >= 0.4.2 |
Name | Version |
---|---|
aws | >= 5.54.0 |
aws.audit | >= 5.54.0 |
aws.logging | >= 5.54.0 |
mcaf | >= 0.4.2 |
Name | Source | Version |
---|---|---|
audit_manager_reports | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
aws_config_s3 | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
aws_sso_permission_sets | ./modules/permission-set | n/a |
datadog_audit | schubergphilis/mcaf-datadog/aws | ~> 0.8.5 |
datadog_logging | schubergphilis/mcaf-datadog/aws | ~> 0.8.5 |
datadog_master | schubergphilis/mcaf-datadog/aws | ~> 0.8.5 |
kms_key | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
kms_key_audit | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
kms_key_logging | schubergphilis/mcaf-kms/aws | ~> 0.3.0 |
ses-root-accounts-mail-alias | schubergphilis/mcaf-ses/aws | ~> 0.1.4 |
ses-root-accounts-mail-forward | schubergphilis/mcaf-ses-forwarder/aws | ~> 0.3.0 |
tag_policy_assignment | ./modules/tag-policy-assignment | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
control_tower_account_ids | Control Tower core account IDs | object({ |
n/a | yes |
regions | Region configuration. See the README for more information on the configuration options. | object({ |
n/a | yes |
additional_auditing_trail | CloudTrail configuration for additional auditing trail | object({ |
null |
no |
aws_account_password_policy | AWS account password policy parameters for the audit, logging and master account | object({ |
{ |
no |
aws_auditmanager | AWS Audit Manager config settings | object({ |
{ |
no |
aws_config | AWS Config settings | object({ |
{ |
no |
aws_config_sns_subscription | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic | map(object({ |
{} |
no |
aws_ebs_encryption_by_default | Set to true to enable AWS Elastic Block Store encryption by default | bool |
true |
no |
aws_guardduty | AWS GuardDuty settings | object({ |
{} |
no |
aws_inspector | AWS Inspector settings, at least one of the scan options must be enabled | object({ |
{ |
no |
aws_required_tags | AWS Required tags settings | map(list(object({ |
null |
no |
aws_security_hub | AWS Security Hub settings | object({ |
{} |
no |
aws_security_hub_sns_subscription | Subscription options for the LandingZone-SecurityHubFindings SNS topic | map(object({ |
{} |
no |
aws_service_control_policies | AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction | object({ |
{} |
no |
aws_sso_permission_sets | Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account | map(object({ |
{} |
no |
datadog | Datadog integration options for the core accounts | object({ |
null |
no |
datadog_excluded_regions | List of regions where metrics collection will be disabled. | list(string) |
[] |
no |
kms_key_policy | A list of valid KMS key policy JSON documents | list(string) |
[] |
no |
kms_key_policy_audit | A list of valid KMS key policy JSON document for use with audit KMS key | list(string) |
[] |
no |
kms_key_policy_logging | A list of valid KMS key policy JSON document for use with logging KMS key | list(string) |
[] |
no |
monitor_iam_activity | Whether IAM activity should be monitored | bool |
true |
no |
monitor_iam_activity_sns_subscription | Subscription options for the LandingZone-IAMActivity SNS topic | map(object({ |
{} |
no |
path | Optional path for all IAM users, user groups, roles, and customer managed policies created by this module | string |
"/" |
no |
ses_root_accounts_mail_forward | SES config to receive and forward root account emails | object({ |
null |
no |
tags | Map of tags | map(string) |
{} |
no |
Name | Description |
---|---|
aws_config_s3_bucket_arn | ARN of the AWS Config S3 bucket |
kms_key_arn | ARN of KMS key for master account |
kms_key_audit_arn | ARN of KMS key for audit account |
kms_key_audit_id | ID of KMS key for audit account |
kms_key_id | ID of KMS key for master account |
kms_key_logging_arn | ARN of KMS key for logging account |
kms_key_logging_id | ID of KMS key for logging account |
monitor_iam_activity_sns_topic_arn | ARN of the SNS Topic in the Audit account for IAM activity monitoring notifications |
Copyright: Schuberg Philis
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
To make local development easier, we have added a pre-commit configuration to the repo. to use it, follow these steps:
Install the following tools:
brew install tflint
Install pre-commit:
pip3 install pre-commit --upgrade
To run the pre-commit hooks to see if everything working as expected, (the first time run might take a few minutes):
pre-commit run -a
To install the pre-commit hooks to run before each commit:
pre-commit install