Skip to content

Latest commit

 

History

History
 
 

securityhub-baseline

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
migrations.tf
migrations.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

securityhub-baseline

Features

  • Enable SecurityHub.
  • Subscribe CIS benchmark standard.
  • Subscribe PCI DSS standard.
  • Subscribe AWS Foundational security best practices standard.

Requirements

Name Version
terraform >= 1.1.4
aws >= 4.3

Providers

Name Version
aws >= 4.3

Inputs

Name Description Type Required
aggregate_findings Boolean whether to enable finding aggregator for every region bool no
configuration_policies Configuration policy definitions for Security Hub. Note: this only works if delegated admin account is used. 
map(object({
    description       = string,
    enabled           = bool,
    standard_arns     = list(string),
    disabled_controls = optional(list(string)),
    enabled_controls  = optional(list(string)),
    control_custom_parameters = optional(list(object({
      control = string,
      parameters = list(object({
        name        = string,
        custom      = optional(bool, true),
        bool        = optional(bool),
        double      = optional(number),
        enum        = optional(string),
        enum_list   = optional(list(string)),
        int         = optional(number),
        int_list    = optional(list(number)),
        string      = optional(string),
        string_list = optional(list(string)),
      })),
    })), []),
  }))
 no
delegated_admin_account_id AWS account ID within AWS Organization that should become delegated administrator of SecurityHub. This overrides the global master_account_id for SecurityHub and enforces AWS Organization-based account management instead of invite-based. string no
enable_aws_foundational_standard Boolean whether AWS Foundations standard is enabled. bool no
enable_cis_standard Boolean whether CIS standard is enabled. bool no
enable_pci_dss_standard Boolean whether PCI DSS standard is enabled. bool no
enable_product_arns List of Security Hub product ARNs, <REGION> will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. list(string) no
master_account_id AWS account ID for master account. string no
member_accounts A list of IDs and emails of AWS accounts to be associated as member accounts. 
list(object({
    account_id = string
    email      = string
  }))
 no
policy_assignments Assignments of Security Hub configuration policies to target accounts or OUs. Note: this only works if delegated admin account is used. 
map(object({
    target_id   = string,
    policy_name = string,
  }))
 no

Outputs

No outputs.