Skip to content

trussworks/terraform-aws-config

AWS Config Terraform module

Enables AWS Config and adds managed config rules with good defaults.

Supported AWS Config Rules

ACM

  • acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.

AMI

  • approved-amis-by-tag: Checks whether running instances are using specified AMIs.

CloudTrail

  • cloudtrail-enabled: Ensure CloudTrail is enabled.
  • cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
  • cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
  • multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.
  • cloud-trail-cloud-watch-logs-enabled: Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch logs.

CloudWatch Logs

  • cloudwatch-log-group-encrypted: Ensure that CloudWatch Logs are encrypted.
  • cw-loggroup-retention-period-check: Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days.

DynamoDB

  • dynamodb-table-encryption-enabled: Checks if the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling. Not supported in all regions
  • dynamodb-table-encrypted-kms: Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS)

EC2

  • ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
  • ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
  • ebs-snapshot-public-restorable-check: Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
  • ebs-optimized-instance: Checks if EBS optimization is enabled for your EC2 instances that can be EBS-optimized.

ECR

  • ecr-private-image-scanning-enabled: Checks if a private Amazon Elastic Container Registry (ECR) repository has image scanning enabled. Not supported in all regions
  • ecr-private-lifecycle-policy-configured: Checks if a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. Not supported in all regions

ECS

  • ecs-awsvpc-networking-enabled: Checks if the networking mode for active ECSTaskDefinitions is set to ‘awsvpc’. Not supported in all regions
  • ecs-containers-nonprivileged: Checks if the privileged parameter in the container definition of ECSTaskDefinitions is set to ‘true’. Not supported in all regions
  • ecs-containers-readonly-access: Checks if Amazon Elastic Container Service (Amazon ECS) Containers only have read-only access to its root filesystems. Not supported in all regions
  • ecs-no-environment-secrets: Checks if secrets are passed as container environment variables. Not supported in all regions

EFS

  • efs-encrypted-check: Checks if Amazon Elastic File System is configured to encrypt file data using AWS Key Management Service.

ELB

  • elb-logging-enabled: Checks if the Application Load Balancer and the Classic Load Balancer have logging enabled.
  • elb-deletion-protection-enabled: Checks if Elastic Load Balancing has deletion protection enabled.

VPC

  • eip-attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
  • instances-in-vpc: Ensure all EC2 instances run in a VPC.
  • vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
  • vpc-sg-open-only-to-authorized-ports: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible.
  • restricted-common-ports: Checks if the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports.

GuardDuty

  • guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.

IAM

  • iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
  • iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
  • iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
  • root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
  • iam-root-access-key: Ensure root AWS account does not have Access Keys.
  • mfa_enabled_for_iam_console_access: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.
  • iam-policy-no-statements-with-admin-access: Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
  • iam-policy-no-statements-with-full-access: Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources. Not supported in all regions

Misc Security

  • restricted-ssh: Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
  • access_keys_rotated: Checks if the active access keys are rotated within the number of days specified in maxAccessKeyAge.
  • cmk_backing_key_rotation_enabled: Checks if automatic key rotation is enabled for every AWS Key Management Service customer managed symmetric encryption key.
  • nacl-no-unrestricted-ssh-rdp: Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. Not supported in all regions
  • internet-gateway-authorized-vpc-only: Checks that Internet gateways (IGWs) are only attached to an authorized Amazon Virtual Private Cloud (VPCs).

Tagging

  • required-tags: Checks if resources are deployed with configured tags.

RDS

  • rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
  • rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
  • rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
  • rds-snapshot-encrypted: Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted.
  • rds-cluster-deletion-protection-enabled: Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. Not supported in all regions
  • db-instance-backup-enabled: Checks if RDS DB instances have backups enabled.

S3

  • s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
  • s3-bucket-public-read-prohibited: Checks if your Amazon S3 buckets do not allow public read access.
  • s3-bucket-ssl-requests-only: Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
  • s3-bucket-level-public-access-prohibited: Checks if Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible. Not supported in all regions
  • s3-bucket-acl-prohibited: Checks if Amazon Simple Storage Service (Amazon S3) Buckets allow user permissions through access control lists (ACLs). Not supported in all regions
  • s3-bucket-server-side-encryption-enabled: Checks if S3 bucket either has the S3 default encryption enabled or that S3 policy explicitly denies put-object requests without SSE that uses AES-256 or AWS KMS.

Usage

Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for config_name.

Note: If you use this module in multiple regions, be sure to disable duplicate checks and global resource types.

module "aws_config" {
  source = "trussworks/config/aws"

  config_name        = "my-aws-config"
  config_logs_bucket = "my-aws-logs"
}

Requirements

Name Version
terraform >= 1.0
aws >= 2.70

Providers

Name Version
aws >= 2.70

Modules

No modules.

Resources

Name Type
aws_config_config_rule.access_keys_rotated resource
aws_config_config_rule.acm-certificate-expiration-check resource
aws_config_config_rule.approved-amis-by-tag resource
aws_config_config_rule.cloud-trail-cloud-watch-logs-enabled resource
aws_config_config_rule.cloud-trail-encryption-enabled resource
aws_config_config_rule.cloud-trail-log-file-validation-enabled resource
aws_config_config_rule.cloudtrail-enabled resource
aws_config_config_rule.cloudwatch_log_group_encrypted resource
aws_config_config_rule.cmk_backing_key_rotation_enabled resource
aws_config_config_rule.cw-loggroup-retention-period-check resource
aws_config_config_rule.db-instance-backup-enabled resource
aws_config_config_rule.dynamodb-table-encrypted-kms resource
aws_config_config_rule.dynamodb-table-encryption-enabled resource
aws_config_config_rule.ebs-optimized-instance resource
aws_config_config_rule.ebs_snapshot_public_restorable resource
aws_config_config_rule.ec2-encrypted-volumes resource
aws_config_config_rule.ec2-imdsv2-check resource
aws_config_config_rule.ec2-volume-inuse-check resource
aws_config_config_rule.ecr-private-image-scanning-enabled resource
aws_config_config_rule.ecr-private-lifecycle-policy-configured resource
aws_config_config_rule.ecs-awsvpc-networking-enabled resource
aws_config_config_rule.ecs-containers-nonprivileged resource
aws_config_config_rule.ecs-containers-readonly-access resource
aws_config_config_rule.ecs-no-environment-secrets resource
aws_config_config_rule.efs-encrypted-check resource
aws_config_config_rule.eip_attached resource
aws_config_config_rule.elb-deletion-protection-enabled resource
aws_config_config_rule.elb-logging-enabled resource
aws_config_config_rule.guardduty-enabled-centralized resource
aws_config_config_rule.iam-group-has-users-check resource
aws_config_config_rule.iam-password-policy resource
aws_config_config_rule.iam-policy-no-statements-with-admin-access resource
aws_config_config_rule.iam-policy-no-statements-with-full-access resource
aws_config_config_rule.iam-user-no-policies-check resource
aws_config_config_rule.iam_root_access_key resource
aws_config_config_rule.internet-gateway-authorized-vpc-only resource
aws_config_config_rule.mfa_enabled_for_iam_console_access resource
aws_config_config_rule.multi-region-cloud-trail-enabled resource
aws_config_config_rule.nacl-no-unrestricted-ssh-rdp resource
aws_config_config_rule.rds-cluster-deletion-protection-enabled resource
aws_config_config_rule.rds-instance-public-access-check resource
aws_config_config_rule.rds-snapshot-encrypted resource
aws_config_config_rule.rds-snapshots-public-prohibited resource
aws_config_config_rule.rds-storage-encrypted resource
aws_config_config_rule.required-tags resource
aws_config_config_rule.restricted-common-ports resource
aws_config_config_rule.restricted_ssh resource
aws_config_config_rule.root-account-mfa-enabled resource
aws_config_config_rule.s3-bucket-acl-prohibited resource
aws_config_config_rule.s3-bucket-level-public-access-prohibited resource
aws_config_config_rule.s3-bucket-public-read-prohibited resource
aws_config_config_rule.s3-bucket-public-write-prohibited resource
aws_config_config_rule.s3_bucket_ssl_requests_only resource
aws_config_config_rule.vpc-sg-open-only-to-authorized-ports resource
aws_config_config_rule.vpc_default_security_group_closed resource
aws_config_configuration_aggregator.organization resource
aws_config_configuration_recorder.main resource
aws_config_configuration_recorder_status.main resource
aws_config_delivery_channel.main resource
aws_iam_policy.aws-config-policy resource
aws_iam_role.aggregator resource
aws_iam_role.main resource
aws_iam_role_policy_attachment.aggregator resource
aws_iam_role_policy_attachment.aws-config-policy resource
aws_iam_role_policy_attachment.managed-policy resource
aws_caller_identity.current data source
aws_iam_policy_document.aws-config-role-policy data source
aws_iam_policy_document.aws_config_aggregator_role_policy data source
aws_iam_policy_document.aws_config_policy data source
aws_partition.current data source

Inputs

Name Description Type Default Required
access_key_max_age Maximum number of days without rotation. number 90 no
acm_days_to_expiration Specify the number of days before the rule flags the ACM Certificate as noncompliant. number 14 no
aggregate_organization Aggregate compliance data by organization bool false no
ami_required_tag_key_value Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2 string "" no
authorized_vpc_ids Comma-separated list of the authorized VPC IDs with attached IGWs. If parameter is not provided all attached IGWs will be NON_COMPLIANT. string "example,CSV" no
check_access_keys_rotated Enable access-keys-rotated rule bool true no
check_acm_certificate_expiration_check Enable acm-certificate-expiration-check rule bool true no
check_approved_amis_by_tag Enable approved-amis-by-tag rule bool false no
check_cloud_trail_encryption Enable cloud-trail-encryption-enabled rule bool false no
check_cloud_trail_log_file_validation Enable cloud-trail-log-file-validation-enabled rule bool false no
check_cloudtrail_enabled Enable cloudtrail-enabled rule bool true no
check_cloudwatch_log_group_encrypted Enable cloudwatch-log-group-encryption rule bool true no
check_cmk_backing_key_rotated Enable cmk_backing_key_rotation_enabled rule bool true no
check_cw_loggroup_retention_period Enable cloudwatch-log-group-retention-period-check rule bool false no
check_db_instance_backup_enabled Enable db-instance-backup-enabled rule bool false no
check_dynamodb_table_encrypted_kms Enable dynamodb-table-encrypted-kms rule bool false no
check_dynamodb_table_encryption_enabled Enable checkdynamodb-table-encryption-enabled rule bool true no
check_ebs_optimized_instance Enable ebs-optimized-instance-check rule bool false no
check_ebs_snapshot_public_restorable Enable ebs-snapshot-public-restorable rule bool true no
check_ec2_encrypted_volumes Enable ec2-encrypted-volumes rule bool true no
check_ec2_imdsv2 Enable IMDSv2 rule bool false no
check_ec2_volume_inuse_check Enable ec2-volume-inuse-check rule bool true no
check_ecr_private_image_scanning_enabled Enable ecr-private-image-scanning-enabled rule bool true no
check_ecr_private_lifecycle_policy_configured Enable ecr-private-lifecycle-policy-configured rule bool true no
check_ecs_awsvpc_networking_enabled Enable ecs-awsvpc-networking-enabled rule bool true no
check_ecs_containers_nonprivileged Enable ecs-containers-nonprivileged rule bool true no
check_ecs_containers_readonly_access Enable ecs-containers-readonly-access rule bool true no
check_ecs_no_environment_secrets Enable ecs-no-environment-secrets rule bool false no
check_eip_attached Enable eip-attached rule bool false no
check_elb_deletion_protection_enabled Enable elb-deletion-protection-enabled rule bool true no
check_elb_logging_enabled Enable elb-logging-enabled rule bool false no
check_guard_duty Enable guardduty-enabled-centralized rule bool false no
check_iam_group_has_users_check Enable iam-group-has-users-check rule bool true no
check_iam_password_policy Enable iam-password-policy rule bool true no
check_iam_policy_no_statements_with_admin_access Enable iam-policy-no-statements-with-admin-access rule bool true no
check_iam_policy_no_statements_with_full_access Enable iam-policy-no-statements-with-full-access rule bool true no
check_iam_root_access_key Enable iam-root-access-key rule bool true no
check_iam_user_no_policies_check Enable iam-user-no-policies-check rule bool true no
check_internet_gateway_authorized_vpc_only Enable internet-gateway-authorized-vpc-only rule bool false no
check_mfa_enabled_for_iam_console_access Enable mfa-enabled-for-iam-console-access rule bool true no
check_multi_region_cloud_trail Enable multi-region-cloud-trail-enabled rule bool false no
check_nacl_no_unrestricted_ssh_rdp Enable nacl-no-unrestricted-ssh-rdp rule bool true no
check_rds_cluster_deletion_protection_enabled Enable rds-cluster-deletion-protection-enabled rule bool true no
check_rds_public_access Enable rds-instance-public-access-check rule bool false no
check_rds_snapshot_encrypted Enable rds-snapshot-encrypted rule bool true no
check_rds_snapshots_public_prohibited Enable rds-snapshots-public-prohibited rule bool true no
check_rds_storage_encrypted Enable rds-storage-encrypted rule bool true no
check_required_tags Enable required-tags rule bool false no
check_restricted_common_ports Enable restricted-common-ports-check bool false no
check_restricted_ssh Enable restricted-ssh rule bool true no
check_root_account_mfa_enabled Enable root-account-mfa-enabled rule bool false no
check_s3_bucket_acl_prohibited Enable s3-bucket-acl-prohibited rule bool true no
check_s3_bucket_level_public_access_prohibited Enable s3-bucket-level-public-access-prohibited rule bool false no
check_s3_bucket_public_read_prohibited Enable s3-bucket-public-read-prohibited rule bool false no
check_s3_bucket_public_write_prohibited Enable s3-bucket-public-write-prohibited rule bool true no
check_s3_bucket_ssl_requests_only Enable s3-bucket-ssl-requests-only rule bool true no
check_vpc_default_security_group_closed Enable vpc-default-security-group-closed rule bool true no
check_vpc_sg_open_only_to_authorized_ports Enable vpc-sg-open-only-to-authorized-ports rule bool false no
cloud_trail_cloud_watch_logs_enabled Enable cloud_trail_cloud_watch_logs_enabled rule bool true no
config_aggregator_name The name of the aggregator. string "organization" no
config_delivery_frequency The frequency with which AWS Config delivers configuration snapshots. string "Six_Hours" no
config_logs_bucket The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string. string n/a yes
config_logs_bucket_kms_key_arn The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket. string null no
config_logs_prefix The S3 prefix for AWS Config logs. string "config" no
config_max_execution_frequency The maximum frequency with which AWS Config runs evaluations for a rule. string "TwentyFour_Hours" no
config_name The name of the AWS Config instance. string "aws-config" no
config_recording_frequency Default recording frequency for the AWS Config string "CONTINUOUS" no
config_recording_frequency_overrides Specific overrides of the recording frequency for the AWS Config set(object({ description = optional(string, null) resource_types = list(string) recording_frequency = string })) [] no
config_role_permissions_boundary The ARN of the permissions boundary to apply to IAM roles created for AWS Config string null no
config_sns_topic_arn An SNS topic to stream configuration changes and notifications to. string null no
cw_loggroup_retention_period Retention period for cloudwatch logs in number of days number 3653 no
dynamodb_arn_encryption_list Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB Tables. string "example,CSV" no
ecs_no_environment_secrets Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed. string "example,CSV" no
elb_logging_s3_buckets Comma-separated list of Amazon S3 bucket names for Amazon ELB to deliver the log files. string "example,CSV" no
enable_config_recorder Enables configuring the AWS Config recorder resources in this module. bool true no
enable_efs_encrypted_check Enable efs-encrypted-check rule bool false no
enable_multi_account_logs Enable sending of logs and snapshots from different Config accounts / regions into a single bucket bool false no
exclude_permission_boundary Boolean to exclude the evaluation of IAM policies used as permissions boundaries. If set to 'true', the rule will not include permissions boundaries in the evaluation. Otherwise, all IAM policies in scope are evaluated when set to 'false.' bool false no
expected_delivery_window_age Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance. number 12 no
include_global_resource_types Specifies whether AWS Config includes all supported types of global resources with the resources that it records. bool true no
kms_key_id Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system. string "example,CSV" no
password_max_age Number of days before password expiration. number 90 no
password_min_length Password minimum length. number 14 no
password_require_lowercase Require at least one lowercase character in password. bool true no
password_require_numbers Require at least one number in password. bool true no
password_require_symbols Require at least one symbol in password. bool true no
password_require_uppercase Require at least one uppercase character in password. bool true no
password_reuse_prevention Number of passwords before allowing reuse. number 24 no
required_tags A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. map(string) {} no
required_tags_resource_types Resource types to check for tags. list(string) [] no
resource_types A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. list(string) [] no
s3_bucket_public_access_prohibited_exclusion Comma-separated list of known allowed public Amazon S3 bucket names. string "example,CSV" no
sns_kms_key_id The ARN of the KMS key used to encrypt the Amazon SNS topic. string null no
tags Tags to apply to AWS Config resources map(string) {} no
vpc_sg_authorized_ports Object with values as Comma-separated list of ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025' object({ authorizedTcpPorts = optional(string, null) authorizedUdpPorts = optional(string, null) }) {} no

Outputs

Name Description
aws_config_role_arn The ARN of the AWS config role.
aws_config_role_name The name of the IAM role used by AWS config
required_tags_rule_arn The ARN of the required-tags config rule.

Upgrade Paths

Upgrading from 2.3.0 to 2.4.x

Version 2.4.0 changed how AWS Config IAM polices would be attached to IAM roles. When applying the upgrade, you will likely see a race condition resulting in the following error

Error: Provider produced inconsistent result after apply

A second terraform apply should resolve the issue.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs