Commit 621840d

feat: adding organization configuration for inspector
1 parent 47dcd93 commit 621840d

6 files changed

+57
-2
lines changed

README.md

Lines changed: 1 addition & 0 deletions
@@ -38,6 +38,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
3838
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources | `map(string)` | n/a | yes |
3939
| <a name="input_access_analyzer"></a> [access\_analyzer](#input\_access\_analyzer) | Configuration for the AWS Access Analyzer service | <pre>object({<br/> enable_unused_analyzer = optional(bool, true)<br/> # Indicates whether to enable the unused AWS Access Analyzer service<br/> unused_analyzer_name = optional(string, "lza-unused-access-analyzer")<br/> # The name of the unused AWS Access Analyzer service<br/> unused_access_age = optional(number, 90)<br/> })</pre> | `null` | no |
4040
| <a name="input_config"></a> [config](#input\_config) | Configuration for the securityhub organization managed rules | <pre>object({<br/> stackset_name_prefix = optional(string, "lza-config-")<br/> # The prefix added to the stacksets<br/> rule_groups = optional(map(object({<br/> associations = list(string)<br/> # List of organizational units to deploy the managed rules<br/> description = string<br/> # Description for the rule group<br/> enabled_regions = optional(list(string), null)<br/> # List of regions to enable these rules<br/> exclude_accounts = optional(list(string), null)<br/> # The list of accounts to exclude from the organization managed rule<br/> rules = map(object({<br/> description = string<br/> # The description of the organization managed rules<br/> identifier = string<br/> # The identifier of the organization managed rule<br/> inputs = optional(map(string), {})<br/> # The identifier of the organization managed rule scope<br/> resource_types = list(string)<br/> # The list of resource types to scope the organization managed rule<br/> max_execution_frequency = optional(string, null)<br/> # The max_execution_frequency of the rule<br/> }))<br/> })), {})<br/> # The configuration for the securityhub organization managed rules<br/> })</pre> | <pre>{<br/> "rule_groups": {}<br/>}</pre> | no |
41+
| <a name="input_inspector"></a> [inspector](#input\_inspector) | Organizational configuration for the AWS Inspector service | <pre>object({<br/> account_id = optional(string, null)<br/> # The delegated administrator account ID for the AWS Inspector service<br/> enable = optional(bool, false)<br/> # Indicates whether to enable the AWS Inspector service<br/> enable_ec2_scan = optional(bool, false)<br/> # Indicates whether to enable the AWS Inspector service for EC2 instances<br/> enable_ecr_scan = optional(bool, false)<br/> # Indicates whether to enable the AWS Inspector service for ECR repositories<br/> enable_lambda_scan = optional(bool, false)<br/> # Indicates whether to enable the AWS Inspector service for Lambda functions<br/> enable_lambda_code_scan = optional(bool, false)<br/> # Indicates whether to enable the AWS Inspector service for Lambda code<br/> })</pre> | <pre>{<br/> "enable": false<br/>}</pre> | no |
4142
| <a name="input_macie"></a> [macie](#input\_macie) | Configuration for the AWS Macie service | <pre>object({<br/> enable = optional(bool, false)<br/> # Indicates whether to enable the AWS Macie service should be enabled in all accounts<br/> excluded_accounts = optional(list(string), null)<br/> # The list of accounts to exclude from the AWS Macie service<br/> frequency = optional(string, "FIFTEEN_MINUTES")<br/> # The frequency at which the AWS Macie service should be enabled<br/> organizational_units = optional(list(string), null)<br/> # The list of member accounts to associate with the AWS Macie service<br/> stackset_name = optional(string, "lza-macie-configuration")<br/> })</pre> | `null` | no |
4243
| <a name="input_notifications"></a> [notifications](#input\_notifications) | Configuration for the notifications | <pre>object({<br/> email = optional(object({<br/> addresses = optional(list(string), [])<br/> }), null)<br/> slack = optional(object({<br/> lamdba_name = optional(string, "lz-securityhub-all-notifications-slack")<br/> webhook_url = string<br/> }), null)<br/> teams = optional(object({<br/> lamdba_name = optional(string, "lz-securityhub-all-notifications-teams")<br/> webhook_url = string<br/> }), null)<br/> })</pre> | <pre>{<br/> "email": {<br/> "addresses": []<br/> },<br/> "slack": null,<br/> "teams": null<br/>}</pre> | no |
4344
| <a name="input_securityhub"></a> [securityhub](#input\_securityhub) | Configuration for the securityhub | <pre>object({<br/> aggregator = optional(object({<br/> create = optional(bool, false)<br/> # Indicates whether to create the securityhub<br/> # Indicates whether to create the aggregator<br/> linking_mode = optional(string, "ALL_REGIONS")<br/> # Indicates whether to aggregate findings from all of the available regions<br/> specified_regions = optional(list(string), null)<br/> # A list of regions to aggregate findings from when using SPECIFIED_REGIONS linking mode<br/> }), {<br/> create = false<br/> linking_mode = "ALL_REGIONS"<br/> specified_regions = null<br/> }<br/> )<br/> # The configuration for the aggregator<br/> configuration = optional(object({<br/> auto_enable = optional(bool, true)<br/> # Indicates whether to automatically enable Security Hub<br/> auto_enable_standards = optional(string, "DEFAULT")<br/> # Indicates whether to automatically enable new controls and standards<br/> organization_configuration = object({<br/> configuration_type = optional(string, "CENTRAL")<br/> # Indicates whether to enable Security Hub as a standalone service or as an organization master<br/> })<br/> # The configuration for the organization<br/> }), {<br/> auto_enable = false<br/> auto_enable_standards = "DEFAULT"<br/> organization_configuration = {<br/> configuration_type = "CENTRAL"<br/> }<br/> })<br/> # The configuration for the securityhub<br/> notifications = optional(object({<br/> enable = optional(bool, false)<br/> # Indicates whether to enable the securityhub notifications<br/> eventbridge_rule_name = optional(string, "lza-securityhub-all-notifications")<br/> # The name of the event bridge rule<br/> severities = optional(list(string), ["CRITICAL", "HIGH"])<br/> # The list of severities to enable the notifications<br/> sns_topic_queue_name = optional(string, "lza-securityhub-all-notifications")<br/> # Name of the SNS topic to send the notifications<br/> }), {<br/> 
enable = false<br/> eventbridge_rule_name = "lza-securityhub-all-notifications"<br/> severities = []<br/> sns_topic_queue_name = "lza-securityhub-all-notifications"<br/> })<br/> # The configuration for the notifications<br/> policies = optional(map(object({<br/> enable = optional(bool, true)<br/> # Indicates whether the configuration policy is enabled<br/> description = string<br/> # The description of the configuration policy<br/> associations = optional(list(object({<br/> account_id = optional(string, null)<br/> # The account ID to associate with the policy<br/> organization_unit = optional(string, null)<br/> # The organization unit to associate with the policy<br/> })), [])<br/> # The list of associations for the configuration policy<br/> policy = object({<br/> enable = optional(bool, true)<br/> # Indicates whether the configuration policy is enabled<br/> standard_arns = list(string)<br/> # The ARNs of the standards to enable<br/> controls = object({<br/> disabled = optional(list(string), null)<br/> # The list of control identifiers to disable<br/> custom_parameter = optional(list(object({<br/> security_control_id = string<br/> # The ID of the security control<br/> parameter = object({<br/> name = string<br/> # The name of the parameter<br/> value_type = string<br/> # The type of the parameter<br/> enum = optional(object({<br/> value = string<br/> # The value of the parameter (if the type is ENUM)<br/> }), null)<br/> })<br/> # The parameter for the security control<br/> })), null)<br/> })<br/> # The parameter for the security control<br/> })<br/> # The configuration policy<br/> })), {})<br/> })</pre> | <pre>{<br/> "aggregator": {<br/> "create": false,<br/> "linking_mode": "ALL_REGIONS",<br/> "specified_regions": null<br/> },<br/> "configuration": {<br/> "auto_enable": false,<br/> "auto_enable_standards": "NONE",<br/> "organization_configuration": {<br/> "configuration_type": "CENTRAL"<br/> }<br/> },<br/> "policies": {}<br/>}</pre> | no |
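Review bot: the new `inspector` row documents `account_id = optional(string, null)` with a default of `{ "enable": false }`, but nothing in the description says the delegated administrator account becomes mandatory once `enable` is true, which is how main.tf in this same commit uses it (`account_ids = [var.inspector.account_id]`). Suggest extending the inline comment so terraform-docs carries the constraint into the README, e.g. `# The delegated administrator account ID for the AWS Inspector service (required when enable = true)`.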

locals.tf

Lines changed: 8 additions & 0 deletions
@@ -19,6 +19,14 @@ locals {
1919
pci_dss = "arn:aws:securityhub:${local.region}::standards/pci-dss/v/3.2.1"
2020
}
2121

22+
## A list of resources type to enable for inspector
23+
inspector_resources_types = [
24+
var.inspector.enable_ec2_scan ? "EC2" : null,
25+
var.inspector.enable_ecr_scan ? "ECR" : null,
26+
var.inspector.enable_lambda_code_scan ? "LAMBDA_CODE" : null,
27+
var.inspector.enable_lambda_scan ? "LAMBDA" : null,
28+
]
29+
2230
## A lost of policy associations
2331
policy_associations_all = flatten([
2432
for policy_name, policy in var.securityhub.policies : [
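Review bot: `inspector_resources_types` keeps a `null` element for every scan type that is switched off, and main.tf feeds that list straight into `aws_inspector2_enabler.resource_types`, where a null element in a set of strings is rejected at plan time. Wrap the list in `compact(...)`, i.e. `inspector_resources_types = compact([ ... ])`, so only the selected types remain; with every flag false the result is then an empty list, which the enabler's `count` should also guard against. Minor wording point in the same hunk: `A list of resources type` reads better as `A list of resource types`.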

main.tf

Lines changed: 21 additions & 0 deletions
@@ -22,6 +22,27 @@ module "config_rule_groups" {
2222
})
2323
}
2424

25+
## AWS Inspector
26+
27+
28+
resource "aws_inspector2_enabler" "inspector" {
29+
count = var.inspector.enable ? 1 : 0
30+
31+
account_ids = [var.inspector.account_id]
32+
resource_types = local.inspector_resources_types
33+
}
34+
35+
## All new accounts will have inspector enabled for the following resource types, any
36+
## existing accounts will need to be enabled manually via the aws_inspector2_member_association
37+
resource "aws_inspector2_organization_configuration" "auto_enable_inspector_new_accounts" {
38+
auto_enable {
39+
ec2 = var.inspector.enable_ec2_scan
40+
ecr = var.inspector.enable_ecr_scan
41+
lambda = var.inspector.enable_lambda_scan
42+
lambda_code = var.inspector.enable_lambda_code_scan
43+
}
44+
}
45+
2546
## AWS Macie
2647

2748
## Provision the stackset to enable the macie service across all the accounts
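Review bot: `aws_inspector2_organization_configuration.auto_enable_inspector_new_accounts` has no `count`, so it is created even when `var.inspector.enable` is false, while the `aws_inspector2_enabler` right above it is gated on that flag; the organization configuration call requires Inspector to already be enabled in the delegated administrator account, so with `enable = false` this resource has nothing to configure. Gate it the same way (`count = var.inspector.enable ? 1 : 0`) and add `depends_on = [aws_inspector2_enabler.inspector]` so the enabler is applied first. Separately, `account_ids = [var.inspector.account_id]` passes a null element whenever `account_id` is left at its default, which is better caught by a variable validation than at apply time.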

modules/guardduty/README.md

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@
1212
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources | `map(string)` | n/a | yes |
1313
| <a name="input_auto_enable_mode"></a> [auto\_enable\_mode](#input\_auto\_enable\_mode) | Indicates whether to auto-enable the AWS GuardDuty service in all accounts | `string` | `"ALL"` | no |
1414
| <a name="input_create"></a> [create](#input\_create) | Indicates we should create a detector within the region | `bool` | `false` | no |
15-
| <a name="input_detectors"></a> [detectors](#input\_detectors) | The configuration for the GuardDuty detectors | <pre>map(object({<br/> name = string<br/> # The name of the detector<br/> auto_enable = optional(string, "NONE")<br/> # The frequency of finding publishing<br/> additional_configuration = optional(map(object({<br/> auto_enable = optional(string, "NONE")<br/> # The status of the additional configuration<br/> })), {})<br/> }))</pre> | <pre>{<br/> "eks": {<br/> "auto_enable": "ALL",<br/> "name": "EKS_AUDIT_LOGS"<br/> },<br/> "eks_runtime_monitoring": {<br/> "additional_configuration": {<br/> "EKS_ADDON_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "auto_enable": "NONE",<br/> "name": "EKS_RUNTIME_MONITORING"<br/> },<br/> "lambda": {<br/> "auto_enable": "NONE",<br/> "name": "LAMBDA_NETWORK_LOGS"<br/> },<br/> "malware": {<br/> "auto_enable": "NONE",<br/> "name": "EBS_MALWARE_PROTECTION"<br/> },<br/> "rds": {<br/> "auto_enable": "NONE",<br/> "name": "RDS_LOGIN_EVENTS"<br/> },<br/> "runtime_monitoring": {<br/> "additional_configuration": {<br/> "EC2_AGENT_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> },<br/> "ECS_FARGATE_AGENT_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> },<br/> "EKS_ADDON_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "auto_enable": "NONE",<br/> "name": "RUNTIME_MONITORING"<br/> },<br/> "s3": {<br/> "auto_enable": "NONE",<br/> "name": "S3_DATA_EVENTS"<br/> }<br/>}</pre> | no |
15+
| <a name="input_detectors"></a> [detectors](#input\_detectors) | The configuration for the GuardDuty detectors | <pre>map(object({<br/> name = string<br/> # The name of the detector<br/> auto_enable = optional(string, "NONE")<br/> # The frequency of finding publishing<br/> eks_additional_configuration = optional(map(object({<br/> auto_enable = optional(string, "NONE")<br/> # The status of the additional configuration<br/> })), {})<br/> ecs_additional_configuration = optional(map(object({<br/> auto_enable = optional(string, "NONE")<br/> # The status of the additional configuration<br/> })), {})<br/> ec2_additional_configuration = optional(map(object({<br/> auto_enable = optional(string, "NONE")<br/> # The status of the additional configuration<br/> })), {})<br/> }))</pre> | <pre>{<br/> "eks": {<br/> "auto_enable": "ALL",<br/> "name": "EKS_AUDIT_LOGS"<br/> },<br/> "eks_runtime_monitoring": {<br/> "auto_enable": "NONE",<br/> "eks_additional_configuration": {<br/> "EKS_ADDON_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "name": "EKS_RUNTIME_MONITORING"<br/> },<br/> "lambda": {<br/> "auto_enable": "NONE",<br/> "name": "LAMBDA_NETWORK_LOGS"<br/> },<br/> "malware": {<br/> "auto_enable": "NONE",<br/> "name": "EBS_MALWARE_PROTECTION"<br/> },<br/> "rds": {<br/> "auto_enable": "NONE",<br/> "name": "RDS_LOGIN_EVENTS"<br/> },<br/> "runtime_monitoring": {<br/> "auto_enable": "NONE",<br/> "ec2_additional_configuration": {<br/> "EC2_AGENT_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "ecs_additional_configuration": {<br/> "ECS_FARGATE_AGENT_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "eks_additional_configuration": {<br/> "EKS_ADDON_MANAGEMENT": {<br/> "auto_enable": "NONE"<br/> }<br/> },<br/> "name": "RUNTIME_MONITORING"<br/> },<br/> "s3": {<br/> "auto_enable": "NONE",<br/> "name": "S3_DATA_EVENTS"<br/> }<br/>}</pre> | no |
1616
| <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | The frequency of finding publishing | `string` | `"FIFTEEN_MINUTES"` | no |
1717
| <a name="input_guardduty_detector_id"></a> [guardduty\_detector\_id](#input\_guardduty\_detector\_id) | Used when not creating a new detector | `string` | `null` | no |
1818
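Review bot: this README now documents `eks_additional_configuration`, `ecs_additional_configuration` and `ec2_additional_configuration` keys on the `detectors` object in place of the single `additional_configuration`, but the commit's file list contains no change to the GuardDuty module's variables.tf, so the generated docs and the module's actual variable schema are out of step in this commit; either the variable change is missing from the commit or the README was regenerated from an uncommitted working tree. Confirm the schema change lands alongside it, since callers still passing the old `additional_configuration` key will get an unsupported-attribute error once it does.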

notifications.tf

Lines changed: 5 additions & 1 deletion
@@ -46,9 +46,13 @@ resource "aws_cloudwatch_event_rule" "securityhub_findings" {
4646
count = var.securityhub.notifications.enable ? 1 : 0
4747

4848
name = var.securityhub.notifications.eventbridge_rule_name
49-
description = format("Capture Security Hub findings and publish to the SNS topic: %s", try(module.securityhub_notifications[0].sns_topic_name, null))
49+
description = format("Capture Security Hub findings and publish to the SNS topic: %s", var.securityhub.notifications.sns_topic_queue_name)
5050
event_pattern = local.securityhub_event_pattern
5151
tags = local.tags
52+
53+
depends_on = [
54+
module.securityhub_notifications
55+
]
5256
}
5357

5458
## Add the SNS Topic as a Target for the EventBridge Rule
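Review bot: the description now uses `var.securityhub.notifications.sns_topic_queue_name` instead of the module's `sns_topic_name` output, which removes the `try(..., null)` but also lets the text drift from the topic the module actually creates if the module ever prefixes or otherwise derives the name; if the module exposes `sns_topic_name`, keeping the output reference is safer and that implicit reference already establishes ordering. With the output referenced, the new `depends_on = [module.securityhub_notifications]` becomes unnecessary; an explicit dependency on a whole module also holds this rule back behind every resource in the module, not just the topic, so prefer the implicit reference.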

variables.tf

Lines changed: 21 additions & 0 deletions
@@ -33,6 +33,27 @@ variable "config" {
3333
}
3434
}
3535

36+
variable "inspector" {
37+
description = "Organizational configuration for the AWS Inspector service"
38+
type = object({
39+
account_id = optional(string, null)
40+
# The delegated administrator account ID for the AWS Inspector service
41+
enable = optional(bool, false)
42+
# Indicates whether to enable the AWS Inspector service
43+
enable_ec2_scan = optional(bool, false)
44+
# Indicates whether to enable the AWS Inspector service for EC2 instances
45+
enable_ecr_scan = optional(bool, false)
46+
# Indicates whether to enable the AWS Inspector service for ECR repositories
47+
enable_lambda_scan = optional(bool, false)
48+
# Indicates whether to enable the AWS Inspector service for Lambda functions
49+
enable_lambda_code_scan = optional(bool, false)
50+
# Indicates whether to enable the AWS Inspector service for Lambda code
51+
})
52+
default = {
53+
enable = false
54+
}
55+
}
56+
3657
variable "notifications" {
3758
description = "Configuration for the notifications"
3859
type = object({
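Review bot: `account_id` is optional with a null default, yet main.tf uses it as `account_ids = [var.inspector.account_id]` whenever `enable` is true, so a caller who sets `enable = true` without an account ID only finds out at plan time from a null-element error. Add a `validation` block to the variable, e.g. `condition = !var.inspector.enable || var.inspector.account_id != null` with an error message stating that `account_id` is required when `enable` is true, and optionally a second condition checking that the value matches `^[0-9]{12}$`. A further check that at least one of the `enable_*_scan` flags is set when `enable` is true would prevent an enabler with an empty `resource_types`.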
