Adds more bits

ckdake · Aug 3, 2023 · 9846e88 · 9846e88
1 parent ddf74e6
commit 9846e88
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/tenants/management/iam.tf b/tenants/management/iam.tf
@@ -1,3 +1,15 @@
+resource "aws_iam_account_password_policy" "strict" {
+  minimum_password_length        = 32
+  require_lowercase_characters   = true
+  require_numbers                = true
+  require_uppercase_characters   = true
+  require_symbols                = true
+  allow_users_to_change_password = true
+
+  password_reuse_prevention = 24
+  max_password_age          = 90
+}
+
 # Role to be used for any administrative tasks
 data "aws_iam_policy_document" "administrator_assume_role_policy" {
   statement {
@@ -21,6 +33,8 @@ resource "aws_iam_role_policy_attachment" "administrator_gets_administrator" {
 }
 
 # Group of users allowed to assume the administrator role
+# TODO(ckdake): figure out the right way to enforce MFA with auth pattern
+# tfsec:ignore:aws-iam-enforce-group-mfa
 resource "aws_iam_group" "administrators" {
   name = "administrators"
 }
@@ -43,7 +57,7 @@ resource "aws_iam_policy" "admin_assumption" {
       {
         Effect   = "Allow",
         Action   = "sts:AssumeRole",
-        Resource = "${aws_iam_role.administrator.arn}"
+        Resource = aws_iam_role.administrator.arn
     }]
   })
 }

diff --git a/tenants/management/security-controls.tf b/tenants/management/security-controls.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_account_public_access_block" "block" {
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
diff --git a/tenants/management/security-hub.tf b/tenants/management/security-hub.tf
@@ -0,0 +1,9 @@
+resource "aws_securityhub_account" "aws_securityhub" {
+  control_finding_generator = "SECURITY_CONTROL"
+}
+
+resource "aws_securityhub_organization_admin_account" "aws_securityhub_admin_account" {
+  depends_on = [aws_organizations_organization.root]
+
+  admin_account_id = aws_organizations_account.management.id
+}