ScaleSec/terraform_aws_scpPublic

NotificationsYou must be signed in to change notification settings
Fork46
Star242

Commit02704dc

authored

Merge branch 'main' into encrypted_efs

2 parents0d4dc07 +a818726 commit02704dcCopy full SHA for 02704dc

File tree

68 files changed

+1032

-351

lines changed

.github/workflows
- linter.yml
- terraform.yml
.gitignore
README.md
compliance_scp
- dodCcSrgIl2Ew
- dodCcSrgIl2Gc
- dodCcSrgIl4Gc
- dodCcSrgIl5Gc
- fedrampHigh
- fedrampMed
- hipaa
- iso
- pci
- soc
- templates
hipaa_scp
- README.md
- main.tf
pci_scp
- main.tf
security_controls_scp
- README.md
- main.tf
- modules
  - ai
    - ai_services_opt_out.tf
  - comprehend
  - ec2
    - deny_public_ec2_ip.tf
    - variables.tf
  - region
    - region_restriction.tf
    - variables.tf
  - s3
    - deny_public_access_points.tf
    - s3_region_lockdown.tf
  - sagemaker

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

68 files changed

+1032

-351

lines changed

`‎.github/workflows/linter.yml`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -37,13 +37,18 @@ jobs:`
`37`	`37`	`##########################`
`38`	`38`	`-name:Checkout Code`
`39`	`39`	`uses:actions/checkout@v2`
	`40`	`+with:`
	`41`	+# Full git history is needed to get a proper list of changed files within `super-linter`
	`42`	`+fetch-depth:0`
`40`	`43`
`41`	`44`	`################################`
`42`	`45`	`# Run Linter against code base #`
`43`	`46`	`################################`
`44`	`47`	`-name:Lint Code Base`
`45`		`-uses:docker://github/super-linter:latest`
	`48`	`+uses:github/super-linter@v3`
`46`	`49`	`env:`
	`50`	`+GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}`
`47`	`51`	`DEFAULT_BRANCH:'main'`
`48`	`52`	`VALIDATE_ALL_CODEBASE:false`
`49`	`53`	`VALIDATE_TERRAFORM:true`
	`54`	`+VALIDATE_JSON:true`

`‎.github/workflows/terraform.yml`

Lines changed: 176 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,42 +25,210 @@ jobs:`
`25`	`25`	`# HIPAA Validation`
`26`	`26`	`-name:Terraform fmt HIPAA`
`27`	`27`	`run:terraform fmt`
`28`		`-working-directory:./hipaa_scp`
	`28`	`+working-directory:./compliance_scp/hipaa`
`29`	`29`	`continue-on-error:true`
`30`	`30`
`31`	`31`	`-name:Terraform Init HIPAA`
`32`	`32`	`run:terraform init`
`33`		`-working-directory:./hipaa_scp`
	`33`	`+working-directory:./compliance_scp/hipaa`
`34`	`34`
`35`	`35`	`-name:Terraform Validate HIPAA`
`36`	`36`	`run:terraform validate -no-color`
`37`		`-working-directory:./hipaa_scp`
	`37`	`+working-directory:./compliance_scp/hipaa`
`38`	`38`
`39`	`39`	`-name:Terraform Plan HIPAA`
`40`	`40`	`run:terraform plan -no-color`
`41`	`41`	`continue-on-error:false`
`42`		`-working-directory:./hipaa_scp`
	`42`	`+working-directory:./compliance_scp/hipaa`
`43`	`43`	`env:`
`44`	`44`	`TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
`45`	`45`
`46`	`46`	`# PCI Validation`
`47`	`47`	`-name:Terraform fmt PCI`
`48`	`48`	`run:terraform fmt`
`49`		`-working-directory:./pci_scp`
	`49`	`+working-directory:./compliance_scp/pci`
`50`	`50`	`continue-on-error:true`
`51`	`51`
`52`	`52`	`-name:Terraform Init PCI`
`53`	`53`	`run:terraform init`
`54`		`-working-directory:./pci_scp`
	`54`	`+working-directory:./compliance_scp/pci`
`55`	`55`
`56`	`56`	`-name:Terraform Validate PCI`
`57`	`57`	`run:terraform validate -no-color`
`58`		`-working-directory:./pci_scp`
	`58`	`+working-directory:./compliance_scp/pci`
`59`	`59`
`60`	`60`	`-name:Terraform Plan PCI`
`61`	`61`	`run:terraform plan -no-color`
`62`	`62`	`continue-on-error:false`
`63`		`-working-directory:./pci_scp`
	`63`	`+working-directory:./compliance_scp/pci`
	`64`	`+env:`
	`65`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`66`	`+`
	`67`	`+# SOC Validation`
	`68`	`+ -name:Terraform fmt SOC`
	`69`	`+run:terraform fmt`
	`70`	`+working-directory:./compliance_scp/soc`
	`71`	`+continue-on-error:true`
	`72`	`+`
	`73`	`+ -name:Terraform Init SOC`
	`74`	`+run:terraform init`
	`75`	`+working-directory:./compliance_scp/soc`
	`76`	`+`
	`77`	`+ -name:Terraform Validate SOC`
	`78`	`+run:terraform validate -no-color`
	`79`	`+working-directory:./compliance_scp/soc`
	`80`	`+`
	`81`	`+ -name:Terraform Plan SOC`
	`82`	`+run:terraform plan -no-color`
	`83`	`+continue-on-error:false`
	`84`	`+working-directory:./compliance_scp/soc`
	`85`	`+env:`
	`86`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`87`	`+`
	`88`	`+# ISO Validation`
	`89`	`+ -name:Terraform fmt ISO`
	`90`	`+run:terraform fmt`
	`91`	`+working-directory:./compliance_scp/iso`
	`92`	`+continue-on-error:true`
	`93`	`+`
	`94`	`+ -name:Terraform Init ISO`
	`95`	`+run:terraform init`
	`96`	`+working-directory:./compliance_scp/iso`
	`97`	`+`
	`98`	`+ -name:Terraform Validate ISO`
	`99`	`+run:terraform validate -no-color`
	`100`	`+working-directory:./compliance_scp/iso`
	`101`	`+`
	`102`	`+ -name:Terraform Plan ISO`
	`103`	`+run:terraform plan -no-color`
	`104`	`+continue-on-error:false`
	`105`	`+working-directory:./compliance_scp/iso`
	`106`	`+env:`
	`107`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`108`	`+`
	`109`	`+# FedRAMP Medium Validation`
	`110`	`+ -name:Terraform fmt FedRAMP Med`
	`111`	`+run:terraform fmt`
	`112`	`+working-directory:./compliance_scp/fedrampMed`
	`113`	`+continue-on-error:true`
	`114`	`+`
	`115`	`+ -name:Terraform Init FedRAMP Med`
	`116`	`+run:terraform init`
	`117`	`+working-directory:./compliance_scp/fedrampMed`
	`118`	`+`
	`119`	`+ -name:Terraform Validate FedRAMP Med`
	`120`	`+run:terraform validate -no-color`
	`121`	`+working-directory:./compliance_scp/fedrampMed`
	`122`	`+`
	`123`	`+ -name:Terraform Plan FedRAMP Med`
	`124`	`+run:terraform plan -no-color`
	`125`	`+continue-on-error:false`
	`126`	`+working-directory:./compliance_scp/fedrampMed`
	`127`	`+env:`
	`128`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`129`	`+`
	`130`	`+# FedRAMP High Validation`
	`131`	`+ -name:Terraform fmt FedRAMP High`
	`132`	`+run:terraform fmt`
	`133`	`+working-directory:./compliance_scp/fedrampHigh`
	`134`	`+continue-on-error:true`
	`135`	`+`
	`136`	`+ -name:Terraform Init FedRAMP High`
	`137`	`+run:terraform init`
	`138`	`+working-directory:./compliance_scp/fedrampHigh`
	`139`	`+`
	`140`	`+ -name:Terraform Validate FedRAMP High`
	`141`	`+run:terraform validate -no-color`
	`142`	`+working-directory:./compliance_scp/fedrampHigh`
	`143`	`+`
	`144`	`+ -name:Terraform Plan FedRAMP High`
	`145`	`+run:terraform plan -no-color`
	`146`	`+continue-on-error:false`
	`147`	`+working-directory:./compliance_scp/fedrampHigh`
	`148`	`+env:`
	`149`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`150`	`+`
	`151`	`+# DoD CC SRG IL2 (East/West) Validation`
	`152`	`+ -name:Terraform fmt DoD CC SRG IL2 (East/West)`
	`153`	`+run:terraform fmt`
	`154`	`+working-directory:./compliance_scp/dodCcSrgIl2Ew`
	`155`	`+continue-on-error:true`
	`156`	`+`
	`157`	`+ -name:Terraform Init DoD CC SRG IL2 (East/West)`
	`158`	`+run:terraform init`
	`159`	`+working-directory:./compliance_scp/dodCcSrgIl2Ew`
	`160`	`+`
	`161`	`+ -name:Terraform Validate DoD CC SRG IL2 (East/West)`
	`162`	`+run:terraform validate -no-color`
	`163`	`+working-directory:./compliance_scp/dodCcSrgIl2Ew`
	`164`	`+`
	`165`	`+ -name:Terraform Plan DoD CC SRG IL2 (East/West)h`
	`166`	`+run:terraform plan -no-color`
	`167`	`+continue-on-error:false`
	`168`	`+working-directory:./compliance_scp/dodCcSrgIl2Ew`
	`169`	`+env:`
	`170`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`171`	`+`
	`172`	`+# DoD CC SRG IL2 (GovCloud) Validation`
	`173`	`+ -name:Terraform fmt DoD CC SRG IL2 (GovCloud)`
	`174`	`+run:terraform fmt`
	`175`	`+working-directory:./compliance_scp/dodCcSrgIl2Gc`
	`176`	`+continue-on-error:true`
	`177`	`+`
	`178`	`+ -name:Terraform Init DoD CC SRG IL2 (GovCloud)`
	`179`	`+run:terraform init`
	`180`	`+working-directory:./compliance_scp/dodCcSrgIl2Gc`
	`181`	`+`
	`182`	`+ -name:Terraform Validate DoD CC SRG IL2 (GovCloud)`
	`183`	`+run:terraform validate -no-color`
	`184`	`+working-directory:./compliance_scp/dodCcSrgIl2Gc`
	`185`	`+`
	`186`	`+ -name:Terraform Plan DoD CC SRG IL2 (GovCloud)`
	`187`	`+run:terraform plan -no-color`
	`188`	`+continue-on-error:false`
	`189`	`+working-directory:./compliance_scp/dodCcSrgIl2Gc`
	`190`	`+env:`
	`191`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`192`	`+`
	`193`	`+# DoD CC SRG IL4 (GovCloud) Validation`
	`194`	`+ -name:Terraform fmt DoD CC SRG IL4 (GovCloud)`
	`195`	`+run:terraform fmt`
	`196`	`+working-directory:./compliance_scp/dodCcSrgIl4Gc`
	`197`	`+continue-on-error:true`
	`198`	`+`
	`199`	`+ -name:Terraform Init DoD CC SRG IL4 (GovCloud)`
	`200`	`+run:terraform init`
	`201`	`+working-directory:./compliance_scp/dodCcSrgIl4Gc`
	`202`	`+`
	`203`	`+ -name:Terraform Validate DoD CC SRG IL4 (GovCloud)`
	`204`	`+run:terraform validate -no-color`
	`205`	`+working-directory:./compliance_scp/dodCcSrgIl4Gc`
	`206`	`+`
	`207`	`+ -name:Terraform Plan DoD CC SRG IL4 (GovCloud)`
	`208`	`+run:terraform plan -no-color`
	`209`	`+continue-on-error:false`
	`210`	`+working-directory:./compliance_scp/dodCcSrgIl4Gc`
	`211`	`+env:`
	`212`	`+TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
	`213`	`+`
	`214`	`+# DoD CC SRG IL5 (GovCloud) Validation`
	`215`	`+ -name:Terraform fmt DoD CC SRG IL5 (GovCloud)`
	`216`	`+run:terraform fmt`
	`217`	`+working-directory:./compliance_scp/dodCcSrgIl5Gc`
	`218`	`+continue-on-error:true`
	`219`	`+`
	`220`	`+ -name:Terraform Init DoD CC SRG IL5 (GovCloud)`
	`221`	`+run:terraform init`
	`222`	`+working-directory:./compliance_scp/dodCcSrgIl5Gc`
	`223`	`+`
	`224`	`+ -name:Terraform Validate DoD CC SRG IL5 (GovCloud)`
	`225`	`+run:terraform validate -no-color`
	`226`	`+working-directory:./compliance_scp/dodCcSrgIl5Gc`
	`227`	`+`
	`228`	`+ -name:Terraform Plan DoD CC SRG IL5 (GovCloud)`
	`229`	`+run:terraform plan -no-color`
	`230`	`+continue-on-error:false`
	`231`	`+working-directory:./compliance_scp/dodCcSrgIl5Gc`
`64`	`232`	`env:`
`65`	`233`	`TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
`66`	`234`

`‎.gitignore`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,9 @@`
`29`	`29`	`/nbdist/`
`30`	`30`	`/.nb-gradle/`
`31`	`31`	`/build/`
`32`		`-.terraform/*`
`33`		`-/.terraform/`
`34`		`-//.terraform/*`
	`32`	`+.terraform*`
	`33`	`+/.terraform`
	`34`	`+//.terraform*`
`35`	`35`	`terraform.tfstate`
`36`	`36`	`terraform.tfstate.lock`
`37`	`37`
`@@ -386,3 +386,5 @@ MigrationBackup/`
`386`	`386`	`.DS_Store`
`387`	`387`	`*/.DS_Store`
`388`	`388`	`//.DS_Store`
	`389`	`+selections.json`
	`390`	`+terraform-provider-*`

`‎README.md`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,8 @@ This repo is a collection of AWS Service Control Policies (SCPs) written in Hash`
`34`	`34`	- Select the`aws_iam_policy_document` you want and combine into one large data document.
`35`	`35`	`- Pick and choose 5 modules to deploy and remove the others.`
`36`	`36`	- Remove`aws_organizations_policy_attachment` from the modules'`main.tf` file and apply. You would then need to manually attach the SCPs.
`37`		`-- The[hipaa_scp](hipaa_scp/) folder is a service control policy that whitelists HIPAA compliant AWS services based off ofhttps://aws.amazon.com/compliance/hipaa-eligible-services-reference/.`
`38`		`-- The[pci_scp](pci_scp/) folder is a service control policy that whitelists PCI compliant AWS services based off ofhttps://aws.amazon.com/compliance/services-in-scope/.`
	`37`	`+- The[hipaa_scp](compliance_scp/hipaa_scp/) folder is a service control policy that whitelists HIPAA compliant AWS services based off ofhttps://aws.amazon.com/compliance/hipaa-eligible-services-reference/.`
	`38`	`+- The[pci_scp](compliance_scp/pci_scp/) folder is a service control policy that whitelists PCI compliant AWS services based off ofhttps://aws.amazon.com/compliance/services-in-scope/.`
`39`	`39`
`40`	`40`	`##Usage`
`41`	`41`

`‎compliance_scp/dodCcSrgIl2Ew/main.tf`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,17 @@`
	`1`	`+# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
	`2`	`+`
	`3`	`+data"template_file""dodccsrgil2ew_policy" {`
	`4`	`+template=file("../templates/dodccsrgIl2Ew.json")`
	`5`	`+}`
	`6`	`+`
	`7`	`+resource"aws_organizations_policy""allow_dodccsrgil2ew_services_policy" {`
	`8`	`+name="Allow DoD CC SRG IL2 (East/West) Services"`
	`9`	`+description="Only allow DoD CC SRG IL2 (East/West) services as of 03/2021"`
	`10`	`+`
	`11`	`+content=data.template_file.dodccsrgil2ew_policy.rendered`
	`12`	`+}`
	`13`	`+`
	`14`	`+resource"aws_organizations_policy_attachment""allow_dodccsrgil2ew_services_attachment" {`
	`15`	`+policy_id=aws_organizations_policy.allow_dodccsrgil2ew_services_policy.id`
	`16`	`+target_id=var.target_id`
	`17`	`+}`

`‎compliance_scp/dodCcSrgIl2Ew/variables.tf`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,4 @@`
	`1`	`+variable"target_id" {`
	`2`	`+description="The Root ID, Organizational Unit ID, or AWS Account ID to apply SCPs."`
	`3`	`+type=string`
	`4`	`+}`

`‎pci_scp/versions.tfrenamed to ‎compliance_scp/dodCcSrgIl2Ew/versions.tf`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-`
`2`	`1`	`terraform {`
`3`	`2`	`required_version=">= 0.12"`
`4`	`3`	`}`

`‎compliance_scp/dodCcSrgIl2Gc/main.tf`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,17 @@`
	`1`	`+# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
	`2`	`+`
	`3`	`+data"template_file""dodccsrgil2gc_policy" {`
	`4`	`+template=file("../templates/dodccsrgIl2Gc.json")`
	`5`	`+}`
	`6`	`+`
	`7`	`+resource"aws_organizations_policy""allow_dodccsrgil2gc_services_policy" {`
	`8`	`+name="Allow DoD CC SRG IL2 (GovCloud) Services"`
	`9`	`+description="Only allow DoD CC SRG IL2 (GovCloud) services as of 03/2021"`
	`10`	`+`
	`11`	`+content=data.template_file.dodccsrgil2gc_policy.rendered`
	`12`	`+}`
	`13`	`+`
	`14`	`+resource"aws_organizations_policy_attachment""allow_dodccsrgil2gc_services_attachment" {`
	`15`	`+policy_id=aws_organizations_policy.allow_dodccsrgil2gc_services_policy.id`
	`16`	`+target_id=var.target_id`
	`17`	`+}`

`‎compliance_scp/dodCcSrgIl2Gc/variables.tf`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,4 @@`
	`1`	`+variable"target_id" {`
	`2`	`+description="The Root ID, Organizational Unit ID, or AWS Account ID to apply SCPs."`
	`3`	`+type=string`
	`4`	`+}`

`‎hipaa_scp/versions.tfrenamed to ‎compliance_scp/dodCcSrgIl2Gc/versions.tf`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-`
`2`	`1`	`terraform {`
`3`	`2`	`required_version=">= 0.12"`
`4`	`3`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit02704dc

File tree

68 files changed

Some content is hidden

68 files changed

`‎.github/workflows/linter.yml`

`‎.github/workflows/terraform.yml`

`‎.gitignore`

`‎README.md`

`‎compliance_scp/dodCcSrgIl2Ew/main.tf`

`‎compliance_scp/dodCcSrgIl2Ew/variables.tf`

`‎pci_scp/versions.tfrenamed to ‎compliance_scp/dodCcSrgIl2Ew/versions.tf`

`‎compliance_scp/dodCcSrgIl2Gc/main.tf`

`‎compliance_scp/dodCcSrgIl2Gc/variables.tf`

`‎hipaa_scp/versions.tfrenamed to ‎compliance_scp/dodCcSrgIl2Gc/versions.tf`

0 commit comments