Add SCP policies

snemetz · snemetz · commit c6c05a6b43c5 · 2022-03-11T16:15:09.000-08:00
diff --git a/modules/scp/README.md b/modules/scp/README.md
@@ -26,13 +26,16 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_organizations_policy.deny_access_analyzer_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_cloudtrail_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_cloudtrail_tamper](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_config_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy.deny_ebs_default_encryption_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_ecr_create_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_guardduty_modify](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_member_leaving](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.deny_s3_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy.deny_securityhub_disable](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 | [aws_organizations_policy.require_s3_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
 
 ## Inputs
@@ -41,13 +44,15 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_type"></a> [account\_type](#input\_account\_type) | AWS account type (master, administrator, log, member) | `string` | n/a | yes |
 | <a name="input_enable"></a> [enable](#input\_enable) | Enable managing SCP policies | `bool` | `true` | no |
+| <a name="input_enable_access_analyzer"></a> [enable\_access\_analyzer](#input\_enable\_access\_analyzer) | Manage AWS IAM Access Analyzer SCP policies | `bool` | `true` | no |
 | <a name="input_enable_cloudtrail"></a> [enable\_cloudtrail](#input\_enable\_cloudtrail) | Manage AWS CloudTrail SCP policies | `bool` | `true` | no |
-| <a name="input_enable_config"></a> [enable\_config](#input\_enable\_config) | Manage AWS Config  SCP policies | `bool` | `true` | no |
+| <a name="input_enable_config"></a> [enable\_config](#input\_enable\_config) | Manage AWS Config SCP policies | `bool` | `true` | no |
 | <a name="input_enable_ebs"></a> [enable\_ebs](#input\_enable\_ebs) | Manage EBS SCP policies | `bool` | `true` | no |
 | <a name="input_enable_ecr"></a> [enable\_ecr](#input\_enable\_ecr) | Manage ECR SCP policies | `bool` | `true` | no |
 | <a name="input_enable_guardduty"></a> [enable\_guardduty](#input\_enable\_guardduty) | Manage AWS GuardDuty SCP policies | `bool` | `true` | no |
 | <a name="input_enable_iam"></a> [enable\_iam](#input\_enable\_iam) | Manage IAM SCP policies | `bool` | `true` | no |
 | <a name="input_enable_s3"></a> [enable\_s3](#input\_enable\_s3) | Manage S3 SCP policies | `bool` | `true` | no |
+| <a name="input_enable_securityhub"></a> [enable\_securityhub](#input\_enable\_securityhub) | Manage AWS Security Hub SCP policies | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(any)` | <pre>{<br>  "Environment": "infra",<br>  "Product": "security",<br>  "Team": "devops",<br>  "Terraform": true<br>}</pre> | no |
 
 ## Outputs
diff --git a/modules/scp/files/deny-access-analyzer-disable.json b/modules/scp/files/deny-access-analyzer-disable.json
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyAccessAnalyzerDisable",
+      "Effect": "Deny",
+      "Action": [
+        "access-analyzer:DeleteAnalyzer"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/modules/scp/files/deny-cloudtrail-tamper.json b/modules/scp/files/deny-cloudtrail-tamper.json
@@ -1,13 +1,18 @@
 {
-    "Sid": "PreventTamperingWithCloudTrail",
-    "Effect": "Deny",
-    "Action": [
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "PreventTamperingWithCloudTrail",
+      "Effect": "Deny",
+      "Action": [
         "cloudtrail:DeleteTrail",
         "cloudtrail:StopLogging",
         "cloudtrail:PutEventSelectors",
         "cloudtrail:UpdateTrail"
-    ],
-    "Resource": [
+      ],
+      "Resource": [
         "arn:aws:cloudtrail:*:*:trail/*"
-    ]
+      ]
+    }
+  ]
 }
diff --git a/modules/scp/files/deny-ebs-default-encryption-disable.json b/modules/scp/files/deny-ebs-default-encryption-disable.json
@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyEbsDefaultEncryptionDisable",
+      "Effect": "Deny",
+      "Action": [
+        "ec2:DisableEbsEncryptionByDefault"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/modules/scp/files/deny-ecr-create-write.json b/modules/scp/files/deny-ecr-create-write.json
@@ -1,24 +1,24 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "DenyECRCreateWrite",
-            "Effect": "Deny",
-            "Action": [
-                "ecr:BatchDeleteImage",
-                "ecr:CompleteLayerUpload",
-                "ecr:CreateRepository",
-                "ecr:DeleteRepository",
-                "ecr:DeleteRepositoryPolicy",
-                "ecr:GetRepositoryPolicy",
-                "ecr:InitiateLayerUpload",
-                "ecr:PutImage",
-                "ecr:SetRepositoryPolicy",
-                "ecr:UploadLayerPart"
-            ],
-            "Resource": [
-                "*"
-            ]
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyECRCreateWrite",
+      "Effect": "Deny",
+      "Action": [
+        "ecr:BatchDeleteImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:DeleteRepositoryPolicy",
+        "ecr:GetRepositoryPolicy",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:SetRepositoryPolicy",
+        "ecr:UploadLayerPart"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
 }
diff --git a/modules/scp/files/deny-guardduty-modify.json b/modules/scp/files/deny-guardduty-modify.json
@@ -1,43 +1,43 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-          "Sid": "DenyGuardDutyModify",
-          "Effect": "Deny",
-            "Action": [
-                "guardduty:AcceptInvitation",
-                "guardduty:ArchiveFindings",
-                "guardduty:CreateDetector",
-                "guardduty:CreateFilter",
-                "guardduty:CreateIPSet",
-                "guardduty:CreateMembers",
-                "guardduty:CreatePublishingDestination",
-                "guardduty:CreateSampleFindings",
-                "guardduty:CreateThreatIntelSet",
-                "guardduty:DeclineInvitations",
-                "guardduty:DeleteDetector",
-                "guardduty:DeleteFilter",
-                "guardduty:DeleteInvitations",
-                "guardduty:DeleteIPSet",
-                "guardduty:DeleteMembers",
-                "guardduty:DeletePublishingDestination",
-                "guardduty:DeleteThreatIntelSet",
-                "guardduty:DisassociateFromMasterAccount",
-                "guardduty:DisassociateMembers",
-                "guardduty:InviteMembers",
-                "guardduty:StartMonitoringMembers",
-                "guardduty:StopMonitoringMembers",
-                "guardduty:TagResource",
-                "guardduty:UnarchiveFindings",
-                "guardduty:UntagResource",
-                "guardduty:UpdateDetector",
-                "guardduty:UpdateFilter",
-                "guardduty:UpdateFindingsFeedback",
-                "guardduty:UpdateIPSet",
-                "guardduty:UpdatePublishingDestination",
-                "guardduty:UpdateThreatIntelSet"
-            ],
-            "Resource": "*"
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyGuardDutyModify",
+      "Effect": "Deny",
+      "Action": [
+        "guardduty:AcceptInvitation",
+        "guardduty:ArchiveFindings",
+        "guardduty:CreateDetector",
+        "guardduty:CreateFilter",
+        "guardduty:CreateIPSet",
+        "guardduty:CreateMembers",
+        "guardduty:CreatePublishingDestination",
+        "guardduty:CreateSampleFindings",
+        "guardduty:CreateThreatIntelSet",
+        "guardduty:DeclineInvitations",
+        "guardduty:DeleteDetector",
+        "guardduty:DeleteFilter",
+        "guardduty:DeleteInvitations",
+        "guardduty:DeleteIPSet",
+        "guardduty:DeleteMembers",
+        "guardduty:DeletePublishingDestination",
+        "guardduty:DeleteThreatIntelSet",
+        "guardduty:DisassociateFromMasterAccount",
+        "guardduty:DisassociateMembers",
+        "guardduty:InviteMembers",
+        "guardduty:StartMonitoringMembers",
+        "guardduty:StopMonitoringMembers",
+        "guardduty:TagResource",
+        "guardduty:UnarchiveFindings",
+        "guardduty:UntagResource",
+        "guardduty:UpdateDetector",
+        "guardduty:UpdateFilter",
+        "guardduty:UpdateFindingsFeedback",
+        "guardduty:UpdateIPSet",
+        "guardduty:UpdatePublishingDestination",
+        "guardduty:UpdateThreatIntelSet"
+      ],
+      "Resource": "*"
+    }
+  ]
 }
diff --git a/modules/scp/files/deny-member-leaving.json b/modules/scp/files/deny-member-leaving.json
@@ -1,15 +1,15 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "DenyOrgMemberLeaving",
-            "Effect": "Deny",
-            "Action": [
-                "organizations:LeaveOrganization"
-            ],
-            "Resource": [
-                "*"
-            ]
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenyOrgMemberLeaving",
+      "Effect": "Deny",
+      "Action": [
+        "organizations:LeaveOrganization"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
 }
diff --git a/modules/scp/files/deny-s3-public.json b/modules/scp/files/deny-s3-public.json
@@ -1,8 +1,13 @@
 {
-    "Sid": "PreventS3PublicAccess",
-    "Action": [
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "PreventS3PublicAccess",
+      "Effect": "Deny",
+      "Action": [
         "s3:PutAccountPublicAccessBlock"
-    ],
-    "Resource": "*",
-    "Effect": "Deny"
+      ],
+      "Resource": "*"
+    }
+  ]
 }
diff --git a/modules/scp/files/deny-securityhub-disable.json b/modules/scp/files/deny-securityhub-disable.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DenySecurityHubDisable",
+      "Effect": "Deny",
+      "Action": [
+        "securityhub:DeleteInvitations",
+        "securityhub:DeleteMembers",
+        "securityhub:DisableSecurityHub",
+        "securityhub:DisassociateFromMasterAccount",
+        "securityhub:DisassociateMembers"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/modules/scp/main.tf b/modules/scp/main.tf
@@ -4,6 +4,18 @@
 locals {
   enable = var.enable && var.account_type == "master"
 }
+### -----------------------
+### Access Analyzer
+### -----------------------
+resource "aws_organizations_policy" "deny_access_analyzer_disable" {
+  count       = local.enable && var.enable_access_analyzer ? 1 : 0
+  name        = "deny_access_analyzer_disable"
+  description = "Prevent IAM Access Analyzer from being disabled"
+  tags        = var.tags
+  type        = "SERVICE_CONTROL_POLICY"
+  content     = file("${path.module}/files/deny-access-analyzer-disable.json")
+}
+
 ### -----------------------
 ### CloudTrail
 ### -----------------------
@@ -38,7 +50,14 @@ resource "aws_organizations_policy" "deny_config_modify" {
 ### -----------------------
 ### EBS
 ### -----------------------
-#   deny change default encryption
+resource "aws_organizations_policy" "deny_ebs_default_encryption_disable" {
+  count       = local.enable && var.enable_config ? 1 : 0
+  name        = "deny_ebs_default_encryption_disable"
+  description = "Prevent EC2 EBS default encyption from being disabled"
+  tags        = var.tags
+  type        = "SERVICE_CONTROL_POLICY"
+  content     = file("${path.module}/files/deny-ebs-default-encryption-disable.json")
+}
 ### -----------------------
 ### ECR
 ### -----------------------
@@ -102,3 +121,14 @@ resource "aws_organizations_policy" "require_s3_encryption" {
   type        = "SERVICE_CONTROL_POLICY"
   content     = file("${path.module}/files/require-s3-encryption.json")
 }
+### -----------------------
+### Security Hub
+### -----------------------
+resource "aws_organizations_policy" "deny_securityhub_disable" {
+  count       = local.enable && var.enable_securityhub ? 1 : 0
+  name        = "deny_securityhub_disable"
+  description = "Prevent Security Hub from being disabled"
+  tags        = var.tags
+  type        = "SERVICE_CONTROL_POLICY"
+  content     = file("${path.module}/files/deny-securityhub-disable.json")
+}
diff --git a/modules/scp/variables.tf b/modules/scp/variables.tf
@@ -14,13 +14,18 @@ variable "enable" {
   type        = bool
   default     = true
 }
+variable "enable_access_analyzer" {
+  description = "Manage AWS IAM Access Analyzer SCP policies"
+  type        = bool
+  default     = true
+}
 variable "enable_cloudtrail" {
   description = "Manage AWS CloudTrail SCP policies"
   type        = bool
   default     = true
 }
 variable "enable_config" {
-  description = "Manage AWS Config  SCP policies"
+  description = "Manage AWS Config SCP policies"
   type        = bool
   default     = true
 }
@@ -49,6 +54,11 @@ variable "enable_s3" {
   type        = bool
   default     = true
 }
+variable "enable_securityhub" {
+  description = "Manage AWS Security Hub SCP policies"
+  type        = bool
+  default     = true
+}
 variable "tags" {
   description = "Specifies object tags key and value. This applies to all resources created by this module."
   type        = map(any)
diff --git a/scp_polices.tf b/scp_polices.tf
