ghndrx/terraform-foundation
1
0
Fork 0
mirror of https://github.com/ghndrx/terraform-foundation.git synced 2026-02-10 06:45:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7e8ef8339024379552c98a7b49b8ac249be17c80
terraform-foundation/terraform/modules/scps
History
Greg Hendrickson 6136cde9bb feat: Terraform Foundation - AWS Landing Zone 
Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-02 02:57:23 +00:00
..
main.tf
feat: Terraform Foundation - AWS Landing Zone
2026-02-02 02:57:23 +00:00
outputs.tf
feat: Terraform Foundation - AWS Landing Zone
2026-02-02 02:57:23 +00:00
README.md
feat: Terraform Foundation - AWS Landing Zone
2026-02-02 02:57:23 +00:00
variables.tf
feat: Terraform Foundation - AWS Landing Zone
2026-02-02 02:57:23 +00:00

README.md

scps

AWS Organizations Service Control Policies for security guardrails.

Features

  • Deny leaving organization - Prevent accounts from leaving
  • Require IMDSv2 - Block EC2 instances without IMDSv2
  • Deny root actions - Block most root user operations
  • Region restrictions - Limit operations to allowed regions
  • Protect security services - Prevent disabling GuardDuty, Security Hub, Config
  • Protect CloudTrail - Prevent trail modification
  • Require S3 encryption - Block unencrypted S3 objects
  • Require EBS encryption - Block unencrypted volumes

Usage

module "scps" {
  source = "../modules/scps"
  
  name_prefix = "org"
  
  # Enable all security guardrails
  enable_deny_leave_org     = true
  enable_require_imdsv2     = true
  enable_deny_root_actions  = true
  protect_security_services = true
  protect_cloudtrail        = true
  require_s3_encryption     = true
  require_ebs_encryption    = true
  
  # Optional: Region restriction
  allowed_regions = ["us-east-1", "us-west-2", "eu-west-1"]
  
  # Attach to OUs
  target_ous = [
    "ou-xxxx-workloads",
    "ou-xxxx-sandbox"
  ]
  
  tags = {
    Environment = "org"
    ManagedBy   = "terraform"
  }
}

Requirements

Name Version
terraform >= 1.5.0
aws >= 5.0

Providers

Must be run from the AWS Organizations management account.

Inputs

Name Description Type Default Required
name_prefix Prefix for SCP names string "scp" no
enable_deny_leave_org Prevent accounts from leaving bool true no
enable_require_imdsv2 Require IMDSv2 for EC2 bool true no
enable_deny_root_actions Deny root user actions bool true no
allowed_regions Allowed AWS regions list(string) [] no
protect_security_services Protect security services bool true no
protect_cloudtrail Protect CloudTrail bool true no
require_s3_encryption Require S3 encryption bool true no
require_ebs_encryption Require EBS encryption bool true no
target_ous OU IDs to attach SCPs list(string) [] no
target_accounts Account IDs to attach SCPs list(string) [] no
tags Resource tags map(string) {} no

Outputs

Name Description
policy_ids Map of SCP names to policy IDs
policy_arns Map of SCP names to policy ARNs
enabled_policies List of enabled SCP names
attachment_count Count of attachments

Security Best Practices

These SCPs implement:

  • CIS AWS Foundations Benchmark
  • AWS Security Reference Architecture
  • Well-Architected Framework Security Pillar

Notes

  • SCPs only affect member accounts, not the management account
  • Test SCPs in sandbox OU before applying to production
  • Global services (IAM, Route53, etc.) are exempt from region restrictions
Reference in New Issue View Git Blame Copy Permalink