Merge pull request #311 from binbashar/feature/aws-config-aggregator

Add AWS Config aggregator into the Security account
binbashar · Oct 1, 2021 · b37aded · b37aded
2 parents fba849c + 9b0eac6
commit b37aded
Show file tree

Hide file tree

Showing 8 changed files with 10 additions and 102 deletions.
diff --git a/root/organizations/policies_scp.tf b/root/organizations/policies_scp.tf
@@ -136,7 +136,7 @@ resource "aws_organizations_policy" "delete_protection" {
       ],
       "Condition": {
         "ForAnyValue:StringEquals": {
-          "aws:ResourceTag/ProtectFromDeletion": [
+          "aws:ResourceTag/protectFromDeletion": [
             "true"
           ]
         }
@@ -183,7 +183,7 @@ resource "aws_organizations_policy" "tag_protection" {
         },
         "ForAnyValue:StringEquals": {
           "aws:TagKeys": [
-            "ProtectFromDeletion"
+            "protectFromDeletion"
           ]
         }
       }

diff --git a/root/security-compliance --/awsconfig.tf b/root/security-compliance --/awsconfig.tf
diff --git a/root/security-compliance --/outputs.tf b/root/security-compliance --/outputs.tf
diff --git a/root/security-compliance/awsconfig_delegation.tf b/root/security-compliance/awsconfig_delegation.tf
@@ -0,0 +1,5 @@
+resource "null_resource" "config_delegation" {
+  provisioner "local-exec" {
+    command = "aws organizations register-delegated-administrator --account-id ${var.security_account_id} --service-principal config.amazonaws.com  --profile ${var.profile} --region ${var.region}"
+  }
+}
diff --git a/root/security-compliance --/config.tf → root/security-compliance/config.tf b/root/security-compliance --/config.tf → root/security-compliance/config.tf
diff --git a/root/security-compliance --/variables.tf → root/security-compliance/variables.tf b/root/security-compliance --/variables.tf → root/security-compliance/variables.tf
diff --git a/security/firewall-manager/fms.tf b/security/firewall-manager/fms.tf
@@ -45,7 +45,7 @@ module "fms" {
       remediation_enabled         = true
       resource_type_list          = ["AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ApiGateway::Stage"]
       resource_type               = null
-      resource_tags               = { "fms" = "True" }
+      resource_tags               = { "firewallManager" = "true" }
       include_account_ids         = { accounts = [var.network_account_id, var.security_account_id] }
       exclude_account_ids         = {}
       logging_configuration       = null

diff --git a/security/security-compliance/awsconfig.tf b/security/security-compliance/awsconfig.tf
@@ -27,7 +27,8 @@ module "terraform-aws-config" {
   config_delivery_frequency      = "Six_Hours"
 
   # Aggregate data from all organization accounts on this account
-  aggregate_organization = false
+  config_aggregator_name = "${var.project}-${var.environment}-awsconfig-aggregator"
+  aggregate_organization = true
 
   # IAM Config Rules w/ password policy check
   check_root_account_mfa_enabled   = true