The goal of this AWS setup is an automated AWS Organization that:
- Meets SOC 2 requirements
- Passes the AWS, CIS and NIST security standard checks (as reported by Security Hub and Prowler)
- Has minimal AWS cost overhead
- Makes it easy to try things out in AWS test accounts
Things to have readily available for testing other things:
- a Docker image in ECR running as an ECS service
- Lambdas triggered by EventBridge
Running Terraform here requires environment variables holding credentials for an IAM user that can assume the administrator role. If `aws sts get-caller-identity` succeeds, you are good; otherwise export the keys first:

```
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
```

Currently only `tenants/management` works with `terraform apply`.
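The credential check above, as an added example that is not part of this repo: it verifies that the current keys work and then exchanges the long-lived user keys for a one-hour administrator session via `sts:AssumeRole`, so nothing with admin rights lives in the shell for longer than that. The role ARN and the function names are assumptions for illustration; the JSON parser relies on the AWS CLI's default pretty-printed layout (one `"Key": "value"` pair per line).

```shell
# Added example, not code from this repo: check that the current AWS
# credentials work, then swap the long-lived user keys for a short-lived
# administrator session via sts:AssumeRole. The role ARN and the helper
# names are assumptions for illustration.
set -eu

# Succeeds only if the AWS CLI can identify the caller with the current credentials.
creds_work() {
  aws sts get-caller-identity >/dev/null 2>&1
}

# Extract one string field from pretty-printed AWS CLI JSON (one "Key": "value"
# pair per line, the CLI's default layout). Field name in $1, JSON on stdin.
json_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn `aws sts assume-role` output (stdin) into `export` lines for the shell.
# Returns non-zero and prints nothing if any credential field is missing, so a
# truncated or error response never half-configures the environment.
assume_role_exports() {
  json=$(cat)
  key=$(printf '%s\n' "$json" | json_field AccessKeyId)
  secret=$(printf '%s\n' "$json" | json_field SecretAccessKey)
  token=$(printf '%s\n' "$json" | json_field SessionToken)
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role response is missing credentials" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

# Usage (the role ARN is a placeholder, not an account from this repo):
#   eval "$(assume_admin arn:aws:iam::123456789012:role/Administrator)"
# The session expires after an hour; re-run to get a fresh one.
assume_admin() {
  role_arn=$1
  if ! creds_work; then
    echo "base credentials do not work; export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY first" >&2
    return 1
  fi
  aws sts assume-role --role-arn "$role_arn" \
    --role-session-name "${USER:-terraform}-admin" \
    --duration-seconds 3600 | assume_role_exports
}
```

Source the file and run the `eval` line from the usage comment; after that `aws sts get-caller-identity` should report the assumed role rather than the IAM user.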
Run Prowler to populate Security Hub with any failing checks it finds:

`cd tools/prowler/ && ./install-prowler.sh && ./run-prowler.sh`

Run Trivy to scan the Terraform configuration for misconfigurations (`trivy config` is an IaC scan, not a package vulnerability scan; findings listed in `.trivyignore.yaml` are suppressed, so review that file when a check goes green unexpectedly):

`cd tenants/management/ && trivy config . --ignorefile ./.trivyignore.yaml`
- Add the account to `tenants/management/organization.tf` and run `terraform apply`.
- Log in to the new account's root user via "forgot password", create access keys, and set up a profile. Root access keys fail the CIS root-key check, so delete them once the tenant is bootstrapped.
- Create a `tenants/${TENANTNAME}` folder, copy `main.tf` from another tenant, and update the account id in the `provider` block and the `key` in the `backend` block. (TODO(ckdake): move this to a terragrunt template)
- `cd` into `tenants/${TENANTNAME}` and run `../../scripts/bootstrap-tenant.sh`.
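The copy-and-edit step above, as an added example that is not the repo's own `scripts/bootstrap-tenant.sh`: it scaffolds `tenants/<name>/main.tf` from an existing tenant's `main.tf`, validates the new account id, swaps it into the provider block only (so a backend bucket named after the template account is left alone), rewrites the state key, refuses to overwrite an existing tenant, and checks the result before returning. The `main.tf` layout it expects (an `allowed_account_ids = ["<12 digits>"]` line in the provider block, a `key = "tenants/<template>/..."` line in the backend block) is an assumption about this repo, as are the function names.

```shell
# Added example, not the repo's own scripts/bootstrap-tenant.sh: scaffold
# tenants/<name>/main.tf from an existing tenant's main.tf, swapping in the new
# account id and state key. It assumes the template's provider block has an
# `allowed_account_ids = ["<12 digits>"]` line and its backend block a
# `key = "tenants/<template>/..."` line; both are assumptions about the layout.
set -eu

# An AWS account id is exactly 12 digits; anything else is rejected before it
# can be written into a provider block.
valid_account_id() {
  case "$1" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# new_tenant TENANTS_DIR TEMPLATE_TENANT NEW_TENANT NEW_ACCOUNT_ID
# Refuses to overwrite an existing tenant folder and verifies the rewrite
# before returning, so a mis-edited main.tf never points Terraform at the
# template's account.
new_tenant() {
  if [ "$#" -ne 4 ]; then
    echo "usage: new_tenant TENANTS_DIR TEMPLATE_TENANT NEW_TENANT NEW_ACCOUNT_ID" >&2
    return 1
  fi
  tenants_dir=$1 template=$2 name=$3 account_id=$4
  src="$tenants_dir/$template/main.tf"
  dst_dir="$tenants_dir/$name"
  if ! valid_account_id "$account_id"; then
    echo "account id must be exactly 12 digits: $account_id" >&2
    return 1
  fi
  if [ -e "$dst_dir" ]; then
    echo "refusing to overwrite existing tenant: $dst_dir" >&2
    return 1
  fi
  # The template's account id is read from its own provider block.
  old_id=$(sed -n 's/.*allowed_account_ids[[:space:]]*=[[:space:]]*\["\([0-9]\{12\}\)"].*/\1/p' "$src" | head -n 1)
  if [ -z "$old_id" ]; then
    echo "no allowed_account_ids line found in $src" >&2
    return 1
  fi
  if [ "$old_id" = "$account_id" ]; then
    echo "template $template already uses account $account_id" >&2
    return 1
  fi
  mkdir -p "$dst_dir"
  # Replace the account id only inside the provider "aws" block, and the tenant
  # name only in the backend key; everything else is copied verbatim.
  sed -e "/^provider \"aws\" {/,/^}/s/$old_id/$account_id/g" \
      -e "s#\(key[[:space:]]*=[[:space:]]*\"\)tenants/$template/#\1tenants/$name/#" \
      "$src" > "$dst_dir/main.tf"
  # Post-check: the provider block must no longer mention the template account
  # and the state key must point at the new tenant.
  if sed -n '/^provider "aws" {/,/^}/p' "$dst_dir/main.tf" | grep -q "$old_id" \
     || ! grep -q "tenants/$name/" "$dst_dir/main.tf"; then
    echo "rewrite failed, inspect $dst_dir/main.tf" >&2
    return 1
  fi
}
```

Usage from the repo root would be `new_tenant tenants test1 test3 <new account id>`; review the generated `main.tf` before running the bootstrap script, since the post-check only proves the two edited lines changed.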
- Sample app
  - automatic deploy on container push to ECR
  - talk to an Aurora Serverless v2 database
  - talk to an ElastiCache cluster
  - use a Secret
- saml2aws for logging in; which IdP to use?
- import everything in the root account, test1 account and test2 account
- DHCP options, internet gateway, org delegation config
- get Prowler checks to 100% green
- set up GitHub Actions for terraform plan, terraform apply and Prowler
- Terraform plugin caching
- lots more