terraform-foundation/docs/SECURITY.md
Greg Hendrickson 6136cde9bb feat: Terraform Foundation - AWS Landing Zone
Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-02 02:57:23 +00:00


# Security Architecture

This document outlines the security controls implemented in this Terraform foundation. These controls align with common compliance frameworks (HIPAA, SOC 2, ISO 27001, HITRUST) without being prescriptive to any specific framework.

## Encryption

### At Rest

| Resource | Encryption | Key Management |
|---|---|---|
| S3 Buckets | SSE-KMS | Customer-managed KMS keys |
| RDS/Aurora | AES-256 | Customer-managed KMS keys |
| EBS Volumes | AES-256 | Customer-managed KMS keys |
| DynamoDB | AES-256 | Customer-managed KMS keys |
| EKS Secrets | Envelope encryption | Customer-managed KMS keys |
| Secrets Manager | AES-256 | AWS-managed or customer KMS |

### In Transit

| Resource | Protocol | Enforcement |
|---|---|---|
| S3 | TLS 1.2+ | Bucket policy denies non-HTTPS |
| RDS | TLS 1.2+ | `ca_cert_identifier` configured |
| ALB | TLS 1.2+ | HTTPS listeners with modern policy |
| EKS API | TLS 1.2+ | AWS-managed certificates |

## Access Control

### Network Isolation

```
┌─────────────────────────────────────────────────────────────┐
│                    Shared VPC                               │
│  ┌─────────────────┐  ┌─────────────────┐                   │
│  │  Public Subnet  │  │  Public Subnet  │  ← ALB only       │
│  │    (AZ-a)       │  │    (AZ-b)       │                   │
│  └────────┬────────┘  └────────┬────────┘                   │
│           │                    │                            │
│  ┌────────▼────────┐  ┌────────▼────────┐                   │
│  │ Private Subnet  │  │ Private Subnet  │  ← Workloads      │
│  │    (AZ-a)       │  │    (AZ-b)       │    (no public IP) │
│  └─────────────────┘  └─────────────────┘                   │
│                                                             │
│  Default SG: DENY ALL (no rules)                            │
└─────────────────────────────────────────────────────────────┘
```

### Tenant Isolation

  1. Security Groups: Each tenant has isolated SGs; cross-tenant traffic is denied by default
  2. ABAC (Attribute-Based Access Control): IAM policies require Tenant tag match
  3. Resource Tagging: All resources tagged with Tenant, App, Environment
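The tag-match requirement in item 2 above, as an added example (not the project's own module code) of an ABAC policy for a role whose principal or session carries a `Tenant` tag; the EC2 action set and the policy name are assumptions.

```hcl
data "aws_iam_policy_document" "tenant_abac" {
  # Act only on resources that already carry the caller's own Tenant tag.
  statement {
    sid       = "TenantScopedAccess"
    effect    = "Allow"
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Tenant"
      values   = ["$${aws:PrincipalTag/Tenant}"] # $$ escapes so IAM receives the literal ${...}
    }
  }

  # New resources must be created with the caller's own Tenant tag (no cross-tenant creation).
  statement {
    sid       = "CreateOnlyWithOwnTenantTag"
    effect    = "Allow"
    actions   = ["ec2:CreateVolume", "ec2:CreateTags"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/Tenant"
      values   = ["$${aws:PrincipalTag/Tenant}"]
    }
  }

  # Tenant tag is immutable afterwards: ec2:CreateAction is only set during a create call.
  statement {
    sid       = "DenyTenantTagChange"
    effect    = "Deny"
    actions   = ["ec2:CreateTags", "ec2:DeleteTags"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:TagKeys"
      values   = ["Tenant"]
    }
    condition {
      test     = "Null"
      variable = "ec2:CreateAction"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "tenant_abac" {
  name   = "tenant-abac" # assumed name; added example, not the project's policy
  policy = data.aws_iam_policy_document.tenant_abac.json
}
```

Launching instances additionally needs an Allow on untagged dependencies (AMI, subnet, security group), which this slice leaves out.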

### Identity & Authentication

| Component | Authentication Method |
|---|---|
| AWS Console | IAM + MFA (configure separately) |
| EKS Cluster | OIDC + IAM Roles for Service Accounts |
| RDS | Password + IAM Database Authentication |
| Secrets | Secrets Manager with rotation support |

## Audit & Logging

### Log Sources

| Source | Destination | Retention |
|---|---|---|
| VPC Flow Logs | CloudWatch Logs | 90 days |
| ALB Access Logs | S3 (logs bucket) | 7 years |
| RDS Audit Logs | CloudWatch Logs | 30 days |
| EKS Control Plane | CloudWatch Logs | 30 days |
| CloudTrail | S3 (configure separately) | 7 years recommended |

### Log Protection

- S3 logs bucket: Versioning enabled, lifecycle to Glacier at 90 days
- CloudWatch Logs: Configurable KMS encryption
- Immutable: S3 Object Lock available (enable for compliance)
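The logs-bucket controls listed above, together with the non-HTTPS deny from the In Transit table, as an added example that is not the project's own code; the bucket name is an assumption and Object Lock is shown enabled in COMPLIANCE mode.

```hcl
resource "aws_s3_bucket" "logs" {
  bucket              = "example-foundation-logs" # assumed name; added example, not the project's bucket
  object_lock_enabled = true                      # Object Lock can only be turned on at creation
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket                   = aws_s3_bucket.logs.id
  versioning_configuration { status = "Enabled" } # required by Object Lock; keeps overwritten versions
}

# Tiering rule from the Log Protection list: objects move to Glacier after 90 days.
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    id     = "archive-to-glacier"
    status = "Enabled"
    filter {}
    transition {
      days          = 90
      storage_class = "GLACIER"
    }
  }
}

# COMPLIANCE mode: no principal, root included, can delete or overwrite a locked version early.
resource "aws_s3_bucket_object_lock_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    default_retention {
      mode  = "COMPLIANCE"
      years = 7
    }
  }
}

# Bucket policy from the In Transit table: deny every request not made over TLS.
resource "aws_s3_bucket_policy" "logs_tls_only" {
  bucket = aws_s3_bucket.logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```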

## Compute Security

### EKS Nodes

- IMDSv2 Enforced: Prevents SSRF-based credential theft
- Hop Limit = 1: Containers cannot access node metadata
- Encrypted EBS: All node volumes encrypted
- Private Subnets: No public IPs on worker nodes
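The node hardening above, as an added example (not the project's own module): a launch template for a managed node group that requires IMDSv2, sets the hop limit to 1 and encrypts the root volume; the instance type, KMS key, cluster, role and subnet references are assumptions.

```hcl
resource "aws_launch_template" "eks_nodes" {
  name_prefix   = "eks-node-" # added example, not the project's template; names assumed
  instance_type = "m6i.large"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only: requests without a session token are rejected
    http_put_response_hop_limit = 1          # token packets expire after one hop, so pods in their own
                                             # network namespace (non-hostNetwork) never receive one
    instance_metadata_tags      = "disabled"
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = 50
      volume_type = "gp3"
      encrypted   = true
      kms_key_id  = aws_kms_key.ebs.arn # assumed customer-managed key
    }
  }

  tag_specifications {
    resource_type = "instance"
    tags          = { Tenant = "platform", App = "eks", Environment = "prod" }
  }
}

resource "aws_eks_node_group" "workers" {
  cluster_name    = aws_eks_cluster.this.name # assumed cluster resource
  node_group_name = "workers"
  node_role_arn   = aws_iam_role.eks_node.arn # assumed node role
  subnet_ids      = var.private_subnet_ids    # private subnets only: nodes get no public IP

  launch_template {
    id      = aws_launch_template.eks_nodes.id
    version = aws_launch_template.eks_nodes.latest_version
  }

  scaling_config {
    desired_size = 2
    min_size     = 2
    max_size     = 4
  }
}
```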

### ECS/Fargate

- No EC2 Management: Fargate abstracts host security
- Task IAM Roles: Least-privilege per service
- awsvpc Network Mode: Each task gets its own ENI

### Lambda

- VPC Optional: Deploy in VPC for database access
- X-Ray Tracing: Request tracking enabled
- Reserved Concurrency: Prevent noisy-neighbor DoS

## Data Protection

### Secrets Management

```hcl
# Secrets Manager with automatic rotation
resource "aws_secretsmanager_secret" "db" {
  recovery_window_in_days = 30  # Prod: prevent accidental deletion
}
```

### Database Security

- No Public Access: `publicly_accessible = false`
- Security Group: Only allows traffic from tenant base SG
- TLS Required: Certificate validation enforced
- IAM Auth: Token-based authentication available

## Vulnerability Management

### Recommendations

  1. ECR Image Scanning: Enabled by default (`scan_on_push = true`)
  2. Dependency Scanning: Use Dependabot or Snyk in CI/CD
  3. tfsec: Security scanning in GitHub Actions workflow
  4. AWS Inspector: Enable for EC2/EKS vulnerability assessment

## Incident Response

### Recommendations

  1. GuardDuty: Enable for threat detection
  2. Security Hub: Aggregate findings across services
  3. CloudWatch Alarms: CPU, connections, storage alerts configured
  4. SNS Topics: Wire alarms to PagerDuty/Slack

## Compliance Mapping

| Control | HIPAA | SOC 2 | ISO 27001 | HITRUST |
|---|---|---|---|---|
| Encryption at rest | | | | |
| Encryption in transit | | | | |
| Access logging | | | | |
| Network isolation | | | | |
| Least privilege IAM | | | | |
| Key management | | | | |

## What's NOT Included (Configure Separately)

- CloudTrail (account-level, usually in audit account)
- AWS Config Rules
- GuardDuty
- Security Hub
- AWS WAF (per-application decision)
- MFA enforcement (IAM policy)
- Password policies (IAM)
- Backup policies (AWS Backup)

## Cost Considerations

Security features with cost impact:

| Feature | Cost Impact | Recommendation |
|---|---|---|
| KMS keys | ~$1/mo per key | Use for production |
| VPC Flow Logs | ~$0.50/GB | Enable for compliance |
| Enhanced Monitoring | ~$0.10/instance/mo | Production only |
| Performance Insights | Free (7 days) | Always enable |
| S3 Glacier | ~$0.004/GB/mo | Use for log archival |