// terraform-aws-security-baseline

Comprehensive AWS account security baseline with GuardDuty, Security Hub, AWS Config, CloudTrail, Macie, IAM Access Analyzer, Detective, and IAM hardening.

Terraform ≥ 1.5.0 AWS ≥ 5.20.0 MIT License

Executive Summary

This module establishes a production-grade security baseline for AWS accounts. It enables and configures eight core security services: GuardDuty for threat detection (S3, EKS, malware), Security Hub for centralized findings with CIS and FSBP standards, AWS Config for resource compliance, CloudTrail for API audit logging with KMS encryption and CloudWatch integration, Macie for sensitive data discovery, IAM Access Analyzer for external access detection, Detective for investigation, and IAM password policy enforcement. All services are toggleable and every resource follows consistent naming and tagging.

Overview

Security Services

GuardDuty, Security Hub, Config, CloudTrail, Macie, Access Analyzer, Detective, IAM Policy

Compliance Frameworks

CIS 1.4, FSBP, SOC 2, PCI DSS, HIPAA, NIST 800-53

Sub-Modules

guardduty-org, scp-baseline, iam-baseline

30+

Input Variables

Granular control over every security service and policy setting

Architecture Diagram

GuardDutyS3, EKS, Malware

DetectiveInvestigation

↓

Security HubCIS 1.4, FSBP

↑

AWS ConfigResource compliance

CloudTrailAPI logging + KMS

MacieS3 sensitive data

Access AnalyzerExternal access

↓

CloudWatch Logs365-day retention

S3 BucketsConfig + CloudTrail delivery

KMS KeyCloudTrail encryption

↓

IAM Password PolicyCIS Controls

Break-Glass Useriam-baseline module

Audit Rolesiam-baseline module

Component Breakdown

Service	Resource(s)	Purpose
GuardDuty	`aws_guardduty_detector`	Continuous threat detection with S3, EKS, and malware protection
Security Hub	`aws_securityhub_account`, `standards_subscription`	Centralized security findings with CIS and FSBP standards
AWS Config	`aws_config_configuration_recorder`, `delivery_channel`	Resource inventory, configuration history, compliance auditing
CloudTrail	`aws_cloudtrail`, `aws_cloudwatch_log_group`, `aws_kms_key`	Multi-region API logging with KMS encryption and CloudWatch integration
Macie	`aws_macie2_account`	Automated sensitive data discovery in S3 buckets
Access Analyzer	`aws_accessanalyzer_analyzer`	Identifies resources shared with external entities (ACCOUNT or ORGANIZATION)
Detective	`aws_detective_graph`	Security investigation and root cause analysis
IAM Password Policy	`aws_iam_account_password_policy`	Enforces min 14 char, symbols, numbers, 90-day max age, 24 reuse prevention

Data Flow

API Calls

→

CloudTrail

→

CloudWatch Logs

→

Security Hub

←

GuardDuty Findings

All security services feed findings into Security Hub for centralized visibility. CloudTrail logs are encrypted with KMS and stored in both CloudWatch and S3. Config compliance results feed into Security Hub standards checks.

Security Controls

Multi-Region CloudTrail

API logging across all regions with log file integrity validation and CloudTrail Insights

KMS Encryption

CloudTrail logs encrypted with dedicated KMS key, auto-created if not provided

CIS Benchmark 1.4

Maps to CIS controls 1.5-1.11, 2.1-2.3, 3.1-3.7, 4.1-4.15, 5.1

IAM Hardening

14-char minimum password, 90-day rotation, 24-password reuse prevention

Threat Intelligence

GuardDuty S3 protection, EKS audit logs, malware scanning for EBS

Data Protection

Macie discovers PII/sensitive data in S3, Access Analyzer detects external sharing

Industry Adaptation

Framework	Coverage
CIS AWS Foundations 1.4	Automated controls for IAM, logging, monitoring, networking
AWS FSBP	AWS-defined security standards via Security Hub
SOC 2 Type II	Logging, monitoring, and access control controls
PCI DSS	Encryption, access logging, and change detection
HIPAA	Audit logging, encryption, and access controls
NIST 800-53	Security and privacy controls via Security Hub mapping

Production Readiness Checklist

Create dedicated S3 buckets for Config and CloudTrail delivery before applying
Enable all security services (defaults are true except Detective)
Set access_analyzer_type = "ORGANIZATION" for org-wide analysis
Enable cloudtrail_enable_insights for anomaly detection
Review Security Hub findings weekly and remediate critical items
Deploy iam-baseline sub-module for break-glass user and audit roles
Deploy scp-baseline for service control policy guardrails
Enable Detective for investigation capabilities
Configure SNS notifications for Config changes
Set up CloudWatch alarms for CIS metric filters

Configuration Reference

Required Variables

Variable	Type	Description
`name_prefix`	string	Prefix for all named resources

Key Optional Variables

Variable	Default	Description
`enable_guardduty`	true	Enable GuardDuty
`enable_security_hub`	true	Enable Security Hub
`enable_config`	true	Enable AWS Config
`enable_cloudtrail`	true	Enable CloudTrail
`enable_macie`	true	Enable Macie
`enable_access_analyzer`	true	Enable IAM Access Analyzer
`enable_detective`	false	Enable Detective
`enable_iam_password_policy`	true	Configure IAM password policy
`password_policy_min_length`	14	Minimum password length
`cloudtrail_is_multi_region`	true	Multi-region trail

Deployment

module "security_baseline" {
  source = "kogunlowo123/security-baseline/aws"

  name_prefix               = "myapp"
  config_delivery_s3_bucket = "myapp-config-bucket"
  cloudtrail_s3_bucket_name = "myapp-cloudtrail-bucket"

  tags = {
    Project   = "security-baseline"
    ManagedBy = "terraform"
  }
}

Links

CIS AWS Foundations Benchmark