grace-config

Introduction

GRACE Config sets up AWS Config and provides some baseline AWS Config rules that assist with the monitoring of an AWS environment.

Security Compliance

The GRACE Config subcomponent provides various levels of coverage for several NIST Special Publication 800-53 (Rev. 4) Security Controls. These security controls are designated for FIPS 199 Moderate Impact Systems. Additional information regarding the implementation method utilized can be found within the GRACE Component Control Coverage Repository.

Component ATO status: draft

Relevant controls:

| Control | CSP/AWS | HOST/OS | App/DB | How is it implemented? |
|---|---|---|---|---|
| CM-2(3) | | | | Employs the AWS Config Recorder and Snapshot service to generate and retain system configuration information securely in an S3 bucket. |
| SI-4(5) | | | | AWS Config Rules provide partial coverage for identifying and alerting on changes to several system configuration baselines. The Config Rules send any change in the compliance state of a rule to a CloudWatch Event Rule that generates a notification to the specified target email address. These Config Rules check configuration settings related to several services and resources, including IAM, S3, CloudTrail, Config, CloudWatch, and GuardDuty. |

Repository contents

  • config.tf contains the setup and configuration for AWS Config
  • rules.tf contains all of the declarations for AWS Config rules
  • iam.tf contains config-service IAM role declaration
  • variables.tf contains all configurable variables
  • outputs.tf contains all Terraform output variables

Usage

Import grace-config as a module into the Terraform configuration for the destination AWS environment:

module "config" {
    source = "github.com/GSA/grace-config?ref=v0.0.1"
    bucket = "<bucket_name>"
}

Terraform Module Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket | The S3 bucket where AWS Config files will be stored | string | | yes |
| bucket_prefix | The key prefix used for AWS Config file storage | string | awsconfig | no |
| access_logging_bucket | If provided, this bucket is used during the s3_bucket_logging_enabled_check | string | | no |
| enable_config | Whether AWS Config should be enabled | bool | true | no |
| config_record_all_supported_types | Whether AWS Config records configuration changes for every supported type of regional resource (including any type that becomes supported in the future) | bool | true | no |
| config_record_global_resource_types | Whether AWS Config includes all supported types of global resources with the resources that it records | bool | true | no |
| config_snapshot_frequency | The interval at which AWS Config creates snapshots of the environment (One_Hour, Three_Hours, Six_Hours, Twelve_Hours, TwentyFour_Hours) | string | Three_Hours | no |
| enable_cloudwatch_alarm_action_check | Whether to check that all CloudWatch alarms have at least one action | bool | true | no |
| enable_cloudtrail_enabled_check | Whether to check that CloudTrail is enabled | bool | true | no |
| enable_iam_password_policy_check | Whether to check that the account password policy for IAM users meets the specified requirements | bool | true | no |
| iam_password_policy_require_uppercase | Whether the password policy requires uppercase letters | bool | true | no |
| iam_password_policy_require_lowercase | Whether the password policy requires lowercase letters | bool | true | no |
| iam_password_policy_require_symbols | Whether the password policy requires symbols | bool | true | no |
| iam_password_policy_require_numbers | Whether the password policy requires numbers | bool | true | no |
| iam_password_policy_min_length | The minimum password length | number | 16 | no |
| iam_password_policy_history_length | The number of previous passwords to remember and prevent from being reused | number | 10 | no |
| enable_cloudtrail_encryption_enabled_check | Whether to check that CloudTrail is using server-side encryption | bool | true | no |
| enable_mfa_enabled_for_iam_users_check | Whether to check that all IAM users (console-only) are configured for multi-factor authentication | bool | true | no |
| enable_iam_inactive_credentials_check | Whether to check for stale passwords or access keys for all IAM users | bool | true | no |
| iam_inactive_credentials_days | The number of days before a credential is considered inactive | number | 90 | no |
| enable_root_account_mfa_enabled_check | Whether to check that the root account is configured with multi-factor authentication | bool | true | no |
| enable_access_key_expiration_check | Whether to check for expired access keys (see access_key_expiration_days) | bool | true | no |
| access_key_expiration_days | The number of days before an access key is considered expired | number | 90 | no |
| enable_cloudtrail_logfile_validation_check | Whether to check that CloudTrail is using a signed digest file (log file validation) | bool | true | no |
| enable_cloudtrail_cloudwatch_logs_enabled_check | Whether to check that CloudTrail is logging to CloudWatch Logs | bool | true | no |
| enable_s3_bucket_logging_enabled_check | Whether to check that S3 buckets have access logging enabled | bool | true | no |
| enable_iam_root_access_key_check | Whether to check if the root user has an access key available | bool | true | no |
| enable_s3_bucket_public_read_prohibited_check | Whether to check S3 buckets for public read access | bool | true | no |
| enable_s3_bucket_public_write_prohibited_check | Whether to check S3 buckets for public write access | bool | true | no |
| enable_s3_bucket_sse_enabled_check | Whether to check S3 buckets for server-side encryption | bool | true | no |
| enable_s3_bucket_versioning_enabled_check | Whether to check that S3 buckets have versioning enabled | bool | true | no |
| enable_guardduty_enabled_check | Whether to check if GuardDuty is enabled | bool | true | no |

Terraform Module Outputs

| Name | Description |
|---|---|
| config_service_role_arn | The Amazon Resource Name (ARN) identifying the AWS Config service IAM role |

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Issues

update password requirements

Per NIST SP 800-63B:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. … No other complexity requirements for memorized secrets SHOULD be imposed.

Suggest updating the defaults to match.

grace-config/variables.tf, lines 65 to 105 at commit 50ee1c6:

variable "iam_password_policy_require_uppercase" {
  type        = bool
  description = "(optional) The boolean value indicating whether the password policy requires uppercase letters"
  default     = true
}

variable "iam_password_policy_require_lowercase" {
  type        = bool
  description = "(optional) The boolean value indicating whether the password policy requires lowercase letters"
  default     = true
}

variable "iam_password_policy_require_symbols" {
  type        = bool
  description = "(optional) The boolean value indicating whether the password policy requires symbols"
  default     = true
}

variable "iam_password_policy_require_numbers" {
  type        = bool
  description = "(optional) The boolean value indicating whether the password policy requires numbers"
  default     = true
}

variable "iam_password_policy_min_length" {
  type        = number
  description = "(optional) The boolean value indicating the minimum password length"
  default     = 16
}

variable "iam_password_policy_history_length" {
  type        = number
  description = "(optional) The boolean value indicating the number of passwords to remember and prevent reuse"
  default     = 10
}

variable "iam_password_policy_max_age_days" {
  type        = number
  description = "(optional) The boolean value indicating the number of days before a password expires"
  default     = 90
}

Race condition creating delivery_channel before S3 bucket has been created

I'm using grace-config with grace-logging and I ran into an error where the bucket does not exist. I've lost the Terraform output, but I saw the delivery_channel was being modified before the bucket creation had started and Terraform failed because the bucket name does not exist. Re-running terraform apply worked the second time because the bucket had been created by then.

It looks like you have an undocumented module_depends_on; could that be used to work around the issue? I remember that Terraform modules had some issues declaring dependencies on each other. Not sure if there's a better solution with the recent release of 1.0.

module "config" {
  providers = {
    aws = aws.child
  }

  source                        = "github.com/GSA/grace-config?ref=v0.0.3"
  bucket                        = "gsa-tts-grace-config-logging-${var.name}"
  config_snapshot_frequency     = "TwentyFour_Hours"
  iam_inactive_credentials_days = "365"
  access_key_expiration_days    = "365"
  #module_depends_on             = module.logging.aws_s3_bucket.logging
}

module "logging" {
  providers = {
    aws = aws.child
  }

  source                     = "github.com/GSA/grace-logging?ref=v0.0.11"
  access_logging_bucket_name = "gsa-tts-grace-config-access-${var.name}"
  cloudtrail_name            = "gsa-tts-wide"
  logging_bucket_name        = "gsa-tts-grace-config-logging-${var.name}"
}
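Terraform 0.13 and later accept depends_on on a module block, which orders the whole grace-config module after the logging module that creates its bucket. The block below is an added example, not code from the grace-config project or from the issue above; it combines the README's usage section with the two-module layout from this issue, and assumes the aws.child provider alias and var.name are defined elsewhere and that the inputs listed in the README table exist in the referenced module version.

```hcl
# Added example (not from the grace-config project or the issue above).
# Assumes Terraform >= 0.13, which allows depends_on on module blocks, and
# that var.name and the aws.child provider alias are defined elsewhere.

module "logging" {
  providers = {
    aws = aws.child
  }

  source                     = "github.com/GSA/grace-logging?ref=v0.0.11"
  access_logging_bucket_name = "example-config-access-${var.name}"  # placeholder name
  cloudtrail_name            = "example-trail"                      # placeholder name
  logging_bucket_name        = "example-config-logging-${var.name}" # placeholder name
}

module "config" {
  providers = {
    aws = aws.child
  }

  # Module-level depends_on makes Terraform create every resource inside
  # module.logging (including its S3 bucket) before any resource in this
  # module, so the Config delivery channel is not configured against a
  # bucket that does not exist yet.
  depends_on = [module.logging]

  source = "github.com/GSA/grace-config?ref=v0.0.3"

  # Must match logging_bucket_name above: Config writes its files there.
  bucket = "example-config-logging-${var.name}"

  # Tells the s3_bucket_logging_enabled_check where access logs are expected.
  access_logging_bucket = "example-config-access-${var.name}"

  # Inputs from the README table. The *_days inputs are typed number, so
  # pass numbers rather than quoted strings.
  config_snapshot_frequency     = "TwentyFour_Hours"
  iam_inactive_credentials_days = 90
  access_key_expiration_days    = 90
}

# Expose the module output so other stacks can reference the Config role.
output "config_service_role_arn" {
  value = module.config.config_service_role_arn
}
```

Module-level depends_on also defers every data source inside the dependent module to apply time, so expect the plan for module.config to show those reads as "known after apply" on the first run.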

security controls covered by grace-config

If grace-alerting covers any particular NIST controls for a consumer, they should be listed and a generic statement of how it is accomplished should accompany it.
