From 9846e88c9658cbcafc4cb203569fded23b9a76c1 Mon Sep 17 00:00:00 2001
From: Chris Kelly
Date: Thu, 3 Aug 2023 19:15:59 +0000
Subject: [PATCH] Adds more bits

---
 tenants/management/iam.tf | 16 +++++++++++++++-
 tenants/management/security-controls.tf | 6 ++++++
 tenants/management/security-hub.tf | 9 +++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 tenants/management/security-controls.tf
 create mode 100644 tenants/management/security-hub.tf

diff --git a/tenants/management/iam.tf b/tenants/management/iam.tf
index d4c6705..39ee181 100644
--- a/tenants/management/iam.tf
+++ b/tenants/management/iam.tf
@@ -1,3 +1,15 @@
+resource "aws_iam_account_password_policy" "strict" {
+  minimum_password_length = 32
+  require_lowercase_characters = true
+  require_numbers = true
+  require_uppercase_characters = true
+  require_symbols = true
+  allow_users_to_change_password = true
+
+  password_reuse_prevention = 24
+  max_password_age = 90
+}
+
 # Role to be used for any administrative tasks
 data "aws_iam_policy_document" "administrator_assume_role_policy" {
   statement {
@@ -21,6 +33,8 @@ resource "aws_iam_role_policy_attachment" "administrator_gets_administrator" {
 }
 
 # Group of users allowed to assume the administrator role
+# TODO(ckdake): figure out the right way to enforce MFA with auth pattern
+# tfsec:ignore:aws-iam-enforce-group-mfa
 resource "aws_iam_group" "administrators" {
   name = "administrators"
 }
@@ -43,7 +57,7 @@ resource "aws_iam_policy" "admin_assumption" {
       {
         Effect = "Allow",
         Action = "sts:AssumeRole",
-        Resource = "${aws_iam_role.administrator.arn}"
+        Resource = aws_iam_role.administrator.arn
       }]
   })
 }
diff --git a/tenants/management/security-controls.tf b/tenants/management/security-controls.tf
new file mode 100644
index 0000000..dca9e67
--- /dev/null
+++ b/tenants/management/security-controls.tf
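Review bot: `minimum_password_length = 32` combined with `max_password_age = 90` in the new `aws_iam_account_password_policy` pushes human users toward written-down or patterned passwords; NIST SP 800-63B recommends against forced periodic rotation, while CIS AWS Foundations 1.x requires rotation within 90 days, so a comment naming the driver would make the trade-off deliberate, e.g. `# 90-day rotation is a CIS AWS Foundations requirement; length/complexity deliberately exceed the CIS 14-char minimum`. Note this policy governs only IAM-user console passwords: it does nothing for access keys, the root user, or federated principals, so it is not a substitute for the MFA enforcement the TODO further down postpones. `hard_expiry` is left at its default, which lets a user whose password has expired still set a new one; that is usually the intended behaviour but is worth stating next to `max_password_age`.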
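Review bot: The `tfsec:ignore:aws-iam-enforce-group-mfa` suppression above `aws_iam_group.administrators` has no expiry, so the finding stays hidden indefinitely even if the TODO is never picked up; tfsec accepts an expiry suffix, `# tfsec:ignore:aws-iam-enforce-group-mfa:exp:2023-12-01`, after which the finding reappears on its own. Until MFA is enforced somewhere, every member of this group can reach the administrator role with a password alone, and the account password policy added in the first hunk does not change that. The rule is looking for a group policy that denies everything except MFA self-service when `aws:MultiFactorAuthPresent` is not true; for this group-assumes-role design, an MFA condition on the `sts:AssumeRole` grant and on the role's trust policy achieves the same outcome and is probably the "right way" the TODO refers to.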
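Review bot: The `sts:AssumeRole` statement whose `Resource` line this hunk simplifies still carries no condition, so the statement closes at `}]` as `Effect`/`Action`/`Resource` alone and any `administrators` member with a password-only session can assume the administrator role. Adding `Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }` after the `Resource` line closes that gap for this grant; use `Bool` rather than `BoolIfExists` here, because in an Allow the key being absent (no MFA on the session) must make the condition false so the Allow does not match. The same condition belongs in the `administrator_assume_role_policy` trust statement, which is outside this hunk, otherwise any other principal that trust policy admits is not held to it. The enclosing `policy = jsonencode(...)` block of `aws_iam_policy.admin_assumption` starts before the hunk.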
@@ -0,0 +1,6 @@
+resource "aws_s3_account_public_access_block" "block" {
+  block_public_acls = true
+  block_public_policy = true
+  ignore_public_acls = true
+  restrict_public_buckets = true
+}
diff --git a/tenants/management/security-hub.tf b/tenants/management/security-hub.tf
new file mode 100644
index 0000000..4c31f02
--- /dev/null
+++ b/tenants/management/security-hub.tf
@@ -0,0 +1,9 @@
+resource "aws_securityhub_account" "aws_securityhub" {
+  control_finding_generator = "SECURITY_CONTROL"
+}
+
+resource "aws_securityhub_organization_admin_account" "aws_securityhub_admin_account" {
+  depends_on = [aws_organizations_organization.root]
+
+  admin_account_id = aws_organizations_account.management.id
+}
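Review bot: `aws_s3_account_public_access_block.block` is account-scoped and, with no `account_id` set, applies only to the account the provider is authenticated to, so it gives no S3 public-access protection to the other tenant accounts this organization appears to manage. A comment stating that scope would stop the next reader assuming org-wide coverage, e.g. `# Account-level S3 Block Public Access for this account only; member accounts need their own copy (or an SCP).` For member accounts the same resource can be applied per account and backed by an SCP denying `s3:PutAccountPublicAccessBlock` so it cannot be quietly reverted; if this file really targets the Organizations management account, note that SCPs do not apply there, so this resource plus drift detection is the only control available.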
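Review bot: Nothing in this file enrols member accounts, so the delegation in `aws_securityhub_organization_admin_account` only covers accounts someone later adds to Security Hub by hand; an `aws_securityhub_organization_configuration` with `auto_enable = true` is the usual companion, and it has to be applied with a provider for the delegated-admin account, which from `admin_account_id = aws_organizations_account.management.id` looks like the account this module already runs in, but confirm that. The admin-account resource also has no dependency on `aws_securityhub_account.aws_securityhub`, so the enable-then-delegate order currently relies on Terraform's graph happening to sequence them; listing it in `depends_on` makes the intent explicit (check the provider docs on whether the API requires it). If `management` here is the Organizations management account rather than a member account that happens to be named that way, AWS guidance is to delegate Security Hub administration to a dedicated security-tooling account instead.
```hcl
resource "aws_securityhub_organization_admin_account" "aws_securityhub_admin_account" {
  # Make the enable-then-delegate ordering explicit (confirm whether the API requires it).
  depends_on = [aws_organizations_organization.root, aws_securityhub_account.aws_securityhub]

  admin_account_id = aws_organizations_account.management.id
}

# Enrol accounts as they join the organization; must run against the delegated-admin account.
resource "aws_securityhub_organization_configuration" "auto_enable" {
  depends_on  = [aws_securityhub_organization_admin_account.aws_securityhub_admin_account]
  auto_enable = true
}
```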