Comply with more things (#6)

* Adds Prowler
* Enables Access Analyzer
* Fixes some checks

Author: ckdake

.gitignore

@@ -1 +1,2 @@
-.terraform
+.terraform
+tools/prowler/output

README.md

@@ -2,22 +2,36 @@
 
 ## Terraform for AWS plaground
 
+The goal of this AWS setup is to have an automated AWS Organization set up that:
+
+1. Is fully compliant with SOC2
+1. Is fully compliant with AWS, CIS, and NIST security standards.
+1. Has minimal AWS cost overhead
+1. Facilitates easily testing out things in AWS test accounts
+
+### Running locally
+
 This requires env vars with user credentials that can assume to adminstrator.
+If `aws sts get-caller-identity` works, you are good, otherwise:
 
-```
+```bash
 export AWS_ACCESS_KEY_ID=
 export AWS_SECRET_ACCESS_KEY=
 ```
 
-Currently only works in tenants/management with `terraform apply`.
+Currently only works in `tenants/management` with `terraform apply`.
+
+Run `prowler` to populate Security Hub with any breaking things it fines by:
+`cd tools/prowler/ && ./install-prowler.sh && ./run-prowler.sh`
 
 ### TODO
 
-- [] linters and formatters etc
-- [] saml2aws for logging in, what to use for IdP?
-- [] import everything in root account, test1 account, test2 account
-- [] get some securityhub things passing
-- [] setup github actions for terraform plan, terraform apply
-- [] terraform plugin caching
-- [] Setup AWS Config
-- [] lots more
+- [ ] linters and formatters etc
+- [ ] saml2aws for logging in, what to use for IdP?
+- [ ] get test1 and test2 accounts working with `terraform apply`
+- [ ] import everything in root account, test1 account, test2 account
+- [ ] get prowler checks to 100% green
+- [ ] setup github actions for terraform plan, terraform apply, prowler
+- [ ] terraform plugin caching
+- [ ] Setup AWS Config
+- [ ] lots more

modules/compliant-account/aws-support.tf

@@ -0,0 +1,24 @@
+resource "aws_iam_role" "aws_support_access" {
+  name               = "aws-support-access"
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "AWS": "${var.administrator_role_arn}"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+# See https://github.com/z0ph/MAMIP/blob/master/policies/AWSSupportAccess
+resource "aws_iam_role_policy_attachment" "aws_support_access" {
+  role       = aws_iam_role.aws_support_access.id
+  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
+}

modules/compliant-account/iam.tf

@@ -0,0 +1,11 @@
+resource "aws_iam_account_password_policy" "strict" {
+  minimum_password_length        = 32
+  require_lowercase_characters   = true
+  require_numbers                = true
+  require_uppercase_characters   = true
+  require_symbols                = true
+  allow_users_to_change_password = true
+
+  password_reuse_prevention = 24
+  max_password_age          = 90
+}

modules/compliant-account/main.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.10"
+    }
+  }
+
+  required_version = ">= 1.2.0"
+}
+
+provider "aws" {
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "arn:aws:iam::053562908965:role/administrator"
+  }
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+    }
+  }
+}

modules/compliant-account/output.tf

@@ -0,0 +1,7 @@
+# For now, prowler is run by hand as a user via the administrator role. In the future,
+# this should be run on a schedule, by a prowler role with dedicated read-only
+# permissions and write permissions to Security. See the SecurityAudit policy.
+
+resource "aws_securityhub_product_subscription" "prowler" {
+  product_arn = "arn:aws:securityhub:us-east-1::product/prowler/prowler"
+}

modules/compliant-account/prowler.tf

@@ -0,0 +1,7 @@
+variable "administrator_role_arn" {
+  type = string
+}
+
+variable "kms_key_arn" {
+  type = string
+}

tenants/management/security-controls.tf renamed to modules/compliant-account/s3.tf

@@ -0,0 +1,64 @@
+# Manage the default resources, and ensure they are appropriately locked down
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+# tfsec:ignore:aws-vpc-no-default-vpc
+# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs
+resource "aws_default_vpc" "default" {
+  tags = {
+    Name = "default-vpc"
+  }
+}
+
+# TODO(ckdake): set up vpc flow logging
+# resource "aws_flow_log" "default" {
+#   log_destination      = module.vpcflowlogs_s3_bucket.bucket_arn
+#   log_destination_type = "s3"
+#   traffic_type         = "ALL"
+#   vpc_id               = aws_default_vpc.default.id
+# }
+
+# Empty security group disables all ingress and egress traffic
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_default_vpc.default.id
+}
+
+# Empty route table disables default routes 
+resource "aws_default_route_table" "default" {
+  default_route_table_id = aws_default_vpc.default.default_route_table_id
+}
+
+# Empty ACL blocks all traffic on default vpc acl
+resource "aws_default_network_acl" "default" {
+  default_network_acl_id = aws_default_vpc.default.default_network_acl_id
+  tags = {
+    Name = "default-vpc-default-acl"
+  }
+
+  subnet_ids = [
+    for default_subnet in aws_default_subnet.default_subnet : default_subnet.id
+  ]
+}
+
+# Disable default addressing in default subnets, and name them
+# there are 6 azs in us-east-1. other zones have less!
+resource "aws_default_subnet" "default_subnet" {
+  count = 6
+
+  availability_zone       = element(data.aws_availability_zones.available.names[*], count.index)
+  map_public_ip_on_launch = false
+
+  tags = {
+    Name = "default-subnet"
+  }
+}
+
+resource "aws_ebs_default_kms_key" "aws_ebs_default_kms_key" {
+  key_arn = var.kms_key_arn
+}
+
+resource "aws_ebs_encryption_by_default" "aws_ebs_encryption_by_default" {
+  enabled = true
+}