terraform-foundation/terraform/modules/scps/README.md
Greg Hendrickson 6136cde9bb feat: Terraform Foundation - AWS Landing Zone
Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-02 02:57:23 +00:00


# scps
AWS Organizations Service Control Policies for security guardrails.
## Features
- **Deny leaving organization** - Prevent member accounts from calling `organizations:LeaveOrganization`
- **Require IMDSv2** - Block launching EC2 instances that do not require IMDSv2 (session-token) metadata access
- **Deny root actions** - Block most operations performed by the root user of a member account
- **Region restrictions** - Deny API calls outside the allowed regions, with global services exempted
- **Protect security services** - Prevent disabling or deleting GuardDuty, Security Hub and Config
- **Protect CloudTrail** - Prevent stopping, deleting or modifying trails
- **Require S3 encryption** - Block S3 object uploads that do not use server-side encryption
- **Require EBS encryption** - Block creation of unencrypted EBS volumes
## Usage
```hcl
module "scps" {
  source      = "../modules/scps"
  name_prefix = "org"

  # Enable all security guardrails
  enable_deny_leave_org     = true
  enable_require_imdsv2     = true
  enable_deny_root_actions  = true
  protect_security_services = true
  protect_cloudtrail        = true
  require_s3_encryption     = true
  require_ebs_encryption    = true

  # Optional: Region restriction
  allowed_regions = ["us-east-1", "us-west-2", "eu-west-1"]

  # Attach to OUs
  target_ous = [
    "ou-xxxx-workloads",
    "ou-xxxx-sandbox"
  ]

  tags = {
    Environment = "org"
    ManagedBy   = "terraform"
  }
}
```
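The guardrails listed under Features and enabled in the usage block above each correspond to one Deny statement in an SCP. The following added example, which is not the module's code, writes those statements out in the AWS-documented patterns and evaluates sample requests against them with a deliberately simplified model of IAM condition semantics, so the behaviour that matters in review (a region deny needs a NotAction exemption for global services; a StringNotEquals deny also fires when the request never sets the key; the root-user deny matches any action) can be checked offline before anything is attached to an OU. The exact policy bodies, the resource ARNs and the list of exempted global services are assumptions; compare them with the module's generated policies (`policy_ids` output) rather than treating them as what the module deploys. Request contexts are constructed for the example.

```python
"""Simplified evaluator for the SCP guardrails described above.

Added example, not the module's code. Policy bodies follow the AWS-documented
patterns; the module's exact statements, resource ARNs and exempted global
services are assumptions.
"""
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

# Global services a region deny must exempt via NotAction. Without this list,
# IAM, STS and Organizations calls (served from endpoints that may not be in an
# allowed region) are denied too. Constructed list; align it with the module.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "route53:*",
                          "cloudfront:*", "support:*", "budgets:*", "health:*"]

SCPS = {
    "deny-leave-org": {"Effect": "Deny", "Resource": "*",
                       "Action": "organizations:LeaveOrganization"},
    "require-imdsv2": {"Effect": "Deny", "Action": "ec2:RunInstances",
                       "Resource": "arn:aws:ec2:*:*:instance/*",
                       "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
    "deny-root-actions": {"Effect": "Deny", "Action": "*", "Resource": "*",
                          "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    "restrict-regions": {"Effect": "Deny", "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
                         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
    "protect-security-services": {"Effect": "Deny", "Resource": "*", "Action": [
        "guardduty:DeleteDetector", "guardduty:DisassociateFromAdministratorAccount",
        "securityhub:DisableSecurityHub", "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder"]},
    "protect-cloudtrail": {"Effect": "Deny", "Resource": "*", "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]},
    "require-s3-encryption": {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
                              "Condition": {"StringNotEquals": {
                                  "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
    "require-ebs-encryption": {"Effect": "Deny", "Resource": "*",
                               "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
                               "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively, with '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(operator, key, expected, ctx):
    """Simplified IAM condition semantics for single-valued keys."""
    expected = [str(v) for v in _as_list(expected)]
    if operator == "Null":  # "true" means the key must be absent from the request
        return (key not in ctx) == (expected[0].lower() == "true")
    if key not in ctx:
        # A missing key fails positive operators but satisfies negated ones, so a
        # StringNotEquals deny also catches requests that never set the key.
        return "Not" in operator
    actual = str(ctx[key])
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, p) for p in expected)
    if operator == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"condition operator not modelled: {operator}")


def statement_denies(stmt, action, ctx):
    """True when a Deny statement matches the action and every condition holds."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        matched = _action_matches(stmt["Action"], action)
    else:  # NotAction: the statement applies to everything except the listed actions
        matched = not _action_matches(stmt["NotAction"], action)
    if not matched:
        return False
    # Resource matching is omitted: every statement above uses "*" or a broad ARN.
    return all(_condition_holds(op, key, expected, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def denying_scps(action, ctx, scps=SCPS):
    """Names of SCPs that deny the request. An empty list is not an allow:
    SCPs only cap what IAM may grant; the identity policy must still allow it."""
    return [name for name, stmt in scps.items() if statement_denies(stmt, action, ctx)]


if __name__ == "__main__":
    # Constructed request context for a role in a member account.
    ctx = {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/dev",
           "aws:RequestedRegion": "us-east-1", "ec2:MetadataHttpTokens": "optional"}
    print(denying_scps("ec2:RunInstances", ctx))  # → ['require-imdsv2']
```

Two results are worth trying before attaching the real policies: `iam:CreateUser` with no region in the context is untouched because the NotAction exemption removes it from the region deny entirely, and `s3:PutObject` with no `s3:x-amz-server-side-encryption` header is denied by the negated operator even though the key is absent. Run the module's generated JSON through the same evaluator (after extending the operators it uses) to confirm the OU you are about to target behaves the same way.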
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| aws | >= 5.0 |
## Providers
Must be run from the **AWS Organizations management account** (or from a member account registered as delegated administrator for Organizations policy management), because SCPs can only be created and attached from there. The AWS provider credentials must therefore belong to that account, not to a workload account.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name_prefix | Prefix for SCP names | `string` | `"scp"` | no |
| enable_deny_leave_org | Prevent accounts from leaving | `bool` | `true` | no |
| enable_require_imdsv2 | Require IMDSv2 for EC2 | `bool` | `true` | no |
| enable_deny_root_actions | Deny root user actions | `bool` | `true` | no |
| allowed_regions | Allowed AWS regions | `list(string)` | `[]` | no |
| protect_security_services | Protect security services | `bool` | `true` | no |
| protect_cloudtrail | Protect CloudTrail | `bool` | `true` | no |
| require_s3_encryption | Require S3 encryption | `bool` | `true` | no |
| require_ebs_encryption | Require EBS encryption | `bool` | `true` | no |
| target_ous | OU IDs to attach SCPs | `list(string)` | `[]` | no |
| target_accounts | Account IDs to attach SCPs | `list(string)` | `[]` | no |
| tags | Resource tags | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| policy_ids | Map of SCP names to policy IDs |
| policy_arns | Map of SCP names to policy ARNs |
| enabled_policies | List of enabled SCP names |
| attachment_count | Count of attachments |
## Security Best Practices
These SCPs support preventive controls recommended by:
- CIS AWS Foundations Benchmark
- AWS Security Reference Architecture
- Well-Architected Framework Security Pillar
SCPs are guardrails, not a complete implementation of these frameworks; pair them with the detective controls (AWS Config rules, CloudTrail, GuardDuty, Security Hub) that the rest of this foundation deploys.
## Notes
- SCPs only affect member accounts, not the management account, and they never grant permissions: a Deny in an SCP cannot be overridden by any IAM policy in the member account, while an action an SCP leaves untouched still needs an IAM allow
- The root user of a member account is subject to SCPs, which is what makes the deny-root guardrail effective; service-linked roles are not
- Test SCPs in the sandbox OU before applying them to production; a mistaken Deny on `iam:*` or `sts:*` locks administrators out of every account under the OU
- Global services (IAM, Route53, etc.) are exempt from region restrictions, because their API endpoints are not tied to an allowed region (IAM, for example, is served from us-east-1) and denying them would block account administration
- SCPs evaluate API calls, so the IMDSv2 and EBS encryption guardrails only affect new instance launches and new volumes; resources that already exist must be remediated separately
- Since January 2023 S3 encrypts all new objects with SSE-S3 by default, so an SCP that denies `s3:PutObject` calls without an explicit server-side-encryption header also rejects uploads that rely on bucket default encryption; check how your clients upload before enabling `require_s3_encryption`