jsredmond/aws-security-baseline

AWS Security Baseline is a modular Terraform implementation that bootstraps security best practices in AWS environments. Deploy 8 core security services with a single command using production-ready, reusable modules.

Secure your AWS account in minutes at github.com/jsredmond/aws-security-baseline

Description

AWS Security Baseline provides a comprehensive, modular Terraform implementation for deploying core AWS security services. Each service is encapsulated in its own reusable module, following Terraform best practices for maintainability, testability, and flexibility.

The baseline includes ready-to-use modules for:

  • CloudTrail: Centralized API logging with KMS encryption, CloudWatch integration, and SNS notifications
  • AWS Config: Configuration change tracking and compliance monitoring
  • GuardDuty: Intelligent threat detection with organization-wide support
  • Detective: Visual investigation and analysis of security findings
  • Security Hub: Centralized security findings dashboard with CIS and AWS Foundational standards
  • IAM Access Analyzer: External access analysis for public/cross-account access
  • Amazon Inspector: Automated vulnerability scanning for EC2, ECR, and Lambda
  • Amazon Macie: Sensitive data discovery and protection

Deployment Wizard

The Deployment Wizard is an interactive CLI tool that simplifies configuration. It guides you through selecting services, configuring regions, and generating terraform.tfvars files.

python wizard.py

For detailed instructions, refer to the Wizard Documentation

Quick Start

# Clone and deploy
git clone https://github.com/jsredmond/aws-security-baseline.git
cd aws-security-baseline
terraform init
terraform apply

Security Services at a Glance

| Service         | Description        | Module                 | Key Features                              |
|-----------------|--------------------|------------------------|-------------------------------------------|
| CloudTrail      | API logging        | modules/cloudtrail     | Multi-region, KMS encryption, CloudWatch  |
| AWS Config      | Change tracking    | modules/config         | Compliance monitoring, S3 delivery        |
| GuardDuty       | Threat detection   | modules/guardduty      | S3/K8s/Malware protection, Org support    |
| Detective       | Investigation      | modules/detective      | Behavior graphs, GuardDuty integration    |
| Security Hub    | Dashboard          | modules/securityhub    | CIS, AWS Foundational, PCI-DSS            |
| Access Analyzer | IAM analysis       | modules/accessanalyzer | External access, unused access            |
| Inspector       | Vulnerability scan | modules/inspector      | EC2, ECR, Lambda scanning                 |
| Macie           | Data discovery     | modules/macie          | Sensitive data, S3 analysis               |

💻 Installation

Using the Wizard (Recommended)

Requirements

  • Python 3.9+
  • Terraform >= 1.14.3
  • AWS CLI configured

Commands

# Install wizard dependencies
python3 -m venv wizard/.venv
source wizard/.venv/bin/activate
pip install -r wizard/requirements.txt

# Run interactive wizard
python wizard.py

# Or use non-interactive mode
python wizard.py --all-modules --region us-east-1 --env production

Manual Configuration

Requirements

  • Terraform >= 1.14.3
  • AWS CLI configured with appropriate permissions

Commands

git clone https://github.com/jsredmond/aws-security-baseline.git
cd aws-security-baseline

# Copy example configuration
cp terraform.tfvars.example terraform.tfvars

# Edit configuration
vim terraform.tfvars

# Deploy
terraform init
terraform plan
terraform apply

Configuration Options

# terraform.tfvars
environment = "prod"
aws_region  = "us-east-1"

# Enable/disable services
enable_cloudtrail     = true
enable_config         = true
enable_guardduty      = true
enable_detective      = true   # Requires 48 hours of GuardDuty data
enable_securityhub    = true
enable_accessanalyzer = true
enable_inspector      = true
enable_macie          = true

# Common tags
common_tags = {
  Project     = "SecurityBaseline"
  ManagedBy   = "Terraform"
  Environment = "prod"
}
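As an added illustration (not the repository's own main.tf), the following root-module fragment shows how the enable_* flags above can gate each module with a count, and how the Detective-requires-GuardDuty constraint from the comment above can be enforced at plan time. The module paths follow the Architecture tree; the tags input and the module arguments are assumptions about the module interfaces.

```hcl
# Added illustration of conditional module wiring; not the project's own main.tf.
# Assumes ./modules/guardduty and ./modules/detective accept a "tags" input
# (hypothetical) and that Terraform >= 1.14.3 is in use, as the README requires.

variable "enable_guardduty" {
  type    = bool
  default = true
}

variable "enable_detective" {
  type    = bool
  default = true

  # Detective builds its behaviour graph from GuardDuty findings, so enabling
  # it without GuardDuty is a misconfiguration worth failing at plan time.
  # Cross-variable references inside validation need Terraform >= 1.9.
  validation {
    condition     = !var.enable_detective || var.enable_guardduty
    error_message = "enable_detective = true requires enable_guardduty = true."
  }
}

variable "common_tags" {
  type    = map(string)
  default = {}
}

module "guardduty" {
  count  = var.enable_guardduty ? 1 : 0
  source = "./modules/guardduty"
  tags   = var.common_tags
}

module "detective" {
  count  = var.enable_detective ? 1 : 0
  source = "./modules/detective"
  tags   = var.common_tags

  # Create the detector first. The 48 hours of GuardDuty data that Detective
  # needs is a service-side requirement Terraform cannot wait for, so on a
  # brand-new account expect to enable Detective in a later apply.
  depends_on = [module.guardduty]
}
```

Toggling a flag to false destroys that module's resources on the next apply, so review the plan before applying a change to the enable_* values.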

✏️ Architecture

.
├── main.tf              # Root module - orchestrates all services
├── backend.tf           # Remote state configuration (S3 + DynamoDB)
├── providers.tf         # AWS provider configuration
├── variables.tf         # Root-level input variables
├── outputs.tf           # Aggregated outputs from modules
├── versions.tf          # Terraform and provider version constraints
├── wizard.py            # Deployment wizard entry point
├── wizard/              # Wizard CLI package
└── modules/             # Reusable service modules
    ├── accessanalyzer/
    ├── cloudtrail/
    ├── config/
    ├── detective/
    ├── guardduty/
    ├── inspector/
    ├── macie/
    └── securityhub/

Module Structure

Each module follows Terraform best practices:

modules/<service>/
├── main.tf          # Primary resources
├── variables.tf     # Input variables
├── outputs.tf       # Output values
├── versions.tf      # Provider requirements
└── README.md        # Documentation

πŸ” Security Features

  • Encryption: All data at rest encrypted with KMS (key rotation enabled)
  • Access Control: S3 buckets block public access
  • Logging: Comprehensive audit logging via CloudTrail
  • Compliance: Security Hub integrates CIS and AWS Foundational standards
  • Organization Support: GuardDuty auto-enrollment for organization accounts
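The encryption and access-control items above, shown as an added Terraform example rather than the project's module code: a KMS key with automatic rotation, a log bucket that blocks all public access, and default SSE-KMS so every object is encrypted at rest. The bucket name is a constructed placeholder.

```hcl
# Added illustration of the hardening listed above; not the project's module code.
# The bucket name is a constructed placeholder; choose a globally unique one.

resource "aws_kms_key" "logs" {
  description         = "Encrypts security baseline logs at rest"
  enable_key_rotation = true   # automatic rotation of the key material
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-security-baseline-logs"   # placeholder
}

# Block every form of public access on the log bucket: ACLs and policies
# that would grant public access are both refused and ignored.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default SSE-KMS with the rotated key, so objects written without an
# explicit encryption header are still encrypted at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.logs.arn
    }
  }
}
```

A service that writes to the bucket (CloudTrail, for example) additionally needs permission to use the key in the KMS key policy and an allow statement in the bucket policy; those grants are service-specific and are left to the module.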

📖 Documentation

For detailed instructions, usage examples, and module documentation, see the README.md in each module directory (modules/<service>/README.md).
📃 License

AWS Security Baseline is licensed under the MIT License.

A copy of the License is available at LICENSE
