Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
- Introduction
- Prerequisites
- Getting Started Using AWS SRA with Terraform and AWS Control Tower
- Getting Started Using AWS SRA with Terraform and AWS Organizations
- Implementation Instructions
- Available solutions
## Introduction

The AWS Security Reference Architecture (SRA) code library is a public code repository that offers example code to help organizations implement robust security controls in their AWS environments. Recognizing the increasing complexity and evolving security requirements of cloud infrastructures, AWS has made the SRA deployable through Terraform. This gives developers and cloud engineers a more flexible and efficient way to apply security best practices and configurations directly to their AWS environments.

The SRA Terraform edition was driven by customer feedback showing a strong demand for more versatile, automation-friendly ways to apply AWS security guidance. Customers asked for tooling that integrates with their existing Infrastructure as Code (IaC) workflows, giving them a more streamlined and scalable approach to cloud security. By providing code to deploy the SRA via Terraform, AWS answers this need and lets users deploy the Security Reference Architecture tailored to their own requirements. This both improves security posture management and fits the automated nature of cloud operations, so that AWS users have the resources they need to protect their environments effectively.
## Prerequisites

- Terraform version >= 1.0
- Clone the SRA code library GitHub repository
- Trusted Access enabled for CloudFormation StackSets

## Getting Started Using AWS SRA with Terraform and AWS Control Tower

1. Set up the environment to configure AWS Control Tower within a new or existing AWS account. Existing AWS Control Tower environments can also be used but may require existing service configurations to be removed.
   - NOTE: The `aws_sra_examples/terraform/common/variables.tf` file should already contain the proper default values for a Control Tower environment, so it should not need to be modified for this deployment.
2. Deploy the common prerequisites using Terraform (command line)
3. Deploy solutions using Terraform (command line)
   - See Installing the AWS SRA Solutions below.
## Getting Started Using AWS SRA with Terraform and AWS Organizations

1. Set up the environment to configure AWS Organizations within a new or existing AWS account. Existing AWS Organizations environments can also be used but may require existing service configurations to be removed.
   - The `Security Tooling` and `Log Archive` accounts must be created or already be part of the existing AWS Organizations environment (though they may be named differently in your environment).
   - It is recommended that the OU structure is set up in alignment with the AWS SRA design guidance.
2. Deploy the common prerequisites using Terraform (command line)
   - Edit the `aws_sra_examples/terraform/common/variables.tf` file or pass in the variables on the command line:
     - The `control_tower` variable must be `"false"`
     - The `governed_regions` variable must be set to the environment's regions
     - The `security_account_id` variable must be set to the Security Tooling account ID
     - The `log_archive_account_id` variable must be set to the Log Archive account ID
   - See Installing the AWS SRA Common Pre-Requisite Solution below.
3. Deploy solutions using Terraform (command line)
   - See Installing the AWS SRA Solutions below.
## Implementation Instructions

### Installing the AWS SRA Common Pre-Requisite Solution

This installs the common prerequisites solution, including the Lambda and SSM parameter resources that the other AWS SRA solutions in the code library depend on.

1. From the location where the SRA code library was cloned to, change to the `./aws_sra_examples/terraform/common` folder

   ```bash
   cd aws_sra_examples/terraform/common
   ```
2. Run terraform init

   ```bash
   terraform init
   ```
3. Run terraform plan (this is optional, to review the changes before applying)

   ```bash
   terraform plan
   ```
4. Run terraform apply

   ```bash
   terraform apply
   ```

After the apply operation is complete, Terraform will have created two files in your `./aws_sra_examples/terraform/solutions` folder: `backend.tfvars` and `config.tfvars`.
### Installing the AWS SRA Solutions

1. From the location where the SRA code library was cloned to, change to the `./aws_sra_examples/terraform/solutions` folder

   ```bash
   cd aws_sra_examples/terraform/solutions
   ```
2. Edit the `aws_sra_examples/terraform/solutions/config.tfvars` file to choose which AWS SRA solutions to deploy and their settings. This can be done during initial setup or as an update later, but nothing will be deployed unless at least one solution is set to be deployed.

   Inside the `aws_sra_examples/terraform/solutions` directory is a Python script, `terraform_stack.py`, that handles the deployment of all resources and configurations to all accounts and all specified governed regions.
3. Run terraform init using the `terraform_stack.py` script

   ```bash
   python3 terraform_stack.py init
   ```
4. Run terraform plan using the `terraform_stack.py` script (this is optional, to review the changes before applying)

   ```bash
   python3 terraform_stack.py plan
   ```
5. Run terraform apply using the `terraform_stack.py` script

   ```bash
   python3 terraform_stack.py apply
   ```
### Updating AWS SRA Solutions

1. Edit the `aws_sra_examples/terraform/solutions/config.tfvars` file and change the variable for the updated setting (e.g. to update the previously deployed AWS SRA Security Hub solution so that it enables the NIST standard, change the `enable_nist_standard` variable setting to `true`).
2. Run terraform apply using the `terraform_stack.py` script from inside the `aws_sra_examples/terraform/solutions` directory

   ```bash
   python3 terraform_stack.py apply
   ```
### Removing AWS SRA Solutions

1. Edit the `aws_sra_examples/terraform/solutions/config.tfvars` file and change the disable variable for the solutions being removed (e.g. to make the previously deployed AWS SRA GuardDuty solution disable itself, change the `disable_guard_duty` setting to `true`).
2. Run terraform apply using the `terraform_stack.py` script from inside the `aws_sra_examples/terraform/solutions` directory

   ```bash
   python3 terraform_stack.py apply
   ```
3. Edit the `aws_sra_examples/terraform/solutions/config.tfvars` file and change the deployment (enable) variable for the solutions being removed (e.g. update the `config.tfvars` file by setting the `enable_gd` setting to `false`).
4. Run terraform apply using the `terraform_stack.py` script from inside the `aws_sra_examples/terraform/solutions` directory

   ```bash
   python3 terraform_stack.py apply
   ```
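As an added example that is not part of the SRA code library, the following Python script parses the flat `key = value` assignments used in `variables.tf` defaults and `config.tfvars`, checks the four values the AWS Organizations path in Getting Started requires (`control_tower`, `governed_regions`, `security_account_id`, `log_archive_account_id`), and flags a removal edit that turns an `enable_*` flag off before the matching `disable_*` flag has been set to `true`, the order the removal procedure above prescribes. The parser, the region and account-id format checks, the function names and the sample values are assumptions of this example, not the project's own code; it can be run against a copy of `config.tfvars` before `python3 terraform_stack.py apply`.

```python
"""Pre-apply sanity checks for SRA Terraform variable edits (added example, not SRA code)."""
import re

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")                 # AWS account ids are 12 digits
_REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # region name format check only

def parse_tfvars(text):
    """Parse single-line `key = value` assignments: bool, quoted string, or list of strings."""
    values = {}
    for raw in text.splitlines():
        match = _ASSIGN.match(raw.split("#", 1)[0].strip())  # drop trailing comments
        if not match:
            continue
        key, val = match.groups()
        if val in ("true", "false"):
            values[key] = val == "true"
        elif val.startswith("["):
            values[key] = re.findall(r'"([^"]*)"', val)
        else:
            values[key] = val.strip('"')
    return values

def check_org_prereqs(cfg):
    """Return problems with the variables.tf values the AWS Organizations path requires."""
    problems = []
    if str(cfg.get("control_tower", "")).lower() != "false":
        problems.append('control_tower must be "false" for an AWS Organizations deployment')
    regions = cfg.get("governed_regions") or []
    if not regions or any(not _REGION.match(r) for r in regions):
        problems.append("governed_regions must list the environment's regions")
    for key in ("security_account_id", "log_archive_account_id"):
        if not _ACCOUNT_ID.match(str(cfg.get(key, ""))):
            problems.append(f"{key} must be a 12-digit AWS account id")
    return problems

def check_removal_order(before, after, enable_key, disable_key):
    """Flag an edit that turns enable_* off while disable_* is not yet true (disable comes first)."""
    if before.get(enable_key) is True and after.get(enable_key) is False:
        if after.get(disable_key) is not True:
            return [f"{enable_key} set to false before {disable_key} was set to true"]
    return []

# Constructed sample inputs (placeholder account ids, not real ones).
SAMPLE_ORG_VARS = parse_tfvars('control_tower = "false"\ngoverned_regions = ["us-east-1", "eu-west-1"]\n'
                               'security_account_id = "111111111111"\nlog_archive_account_id = "222222222222"\n')
SAMPLE_BEFORE = parse_tfvars("enable_gd = true\ndisable_guard_duty = false\n")
SAMPLE_SKIPPED_DISABLE = parse_tfvars("enable_gd = false\ndisable_guard_duty = false\n")
```

`check_org_prereqs(SAMPLE_ORG_VARS)` returns an empty list, while `check_removal_order(SAMPLE_BEFORE, SAMPLE_SKIPPED_DISABLE, "enable_gd", "disable_guard_duty")` reports that the disable step was skipped.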
## Available solutions

This is a list of the currently available AWS SRA solutions in the Terraform edition.

| Solution |
|---|
| CloudTrail |
| IAM Access Analyzer |
| IAM Password Policy |
| Inspector |
| Macie |
| GuardDuty |
| Security Hub |
| Register Delegated Administrator |