A terraform repository based on the securityautomation-demo-project example repository maintained by Rhythmic. This project maps to the included PowerPoint presentation demonstrating how to use Terraform to drive and manage AWS native security functions.
The demo integrates with PagerDuty, Jira and Slack. Webhooks for PagerDuty and Slack are required. Jira requires a Secrets Manager secret to be created with an API token, along with a series of environment variables. This demo will still work if the integrations are not in place, though obviously its usefulness as a demo will be reduced.
There is a handy setup script at `bin/setup.sh` which will create a Terraform S3 backend with locking via DynamoDB and add its resources to your remote state.
- Have an AWS account that is relatively unconfigured.
- Install the prerequisites:
  - git
  - terraform (we use tfenv to manage terraform versions)
  - pre-commit
  - GNU Make
- Provide authentication for the AWS provider
- Set environment variables (or update `account/default.tfvars`):

```sh
export TF_VAR_alert_webhook="[PAGERDUTY WEBHOOK]"
export TF_VAR_notify_webhook="[SLACK WEBHOOK]"
export TF_VAR_monitoring_jira_api_token_secret_name="[SECRET_NAME]" # use the name of the secret, not the ARN
export TF_VAR_monitoring_jira_issue_type="[JIRA_ISSUE_TYPE]"
export TF_VAR_monitoring_jira_project="[JIRA_PROJECT]"
export TF_VAR_monitoring_jira_url="[JIRA_URL]"
export TF_VAR_monitoring_jira_username="[JIRA_USERNAME]"
export TF_VAR_slack_channel="[SLACK_CHANNEL]" # include the hash in the channel name
```

- Clone the repo:

```sh
git clone https://github.com/cdaniluk/securityautomation-demo-project.git
```

- Update the values for the backend in `account/backend.auto.tfvars`
- Run the setup with `make setup`
- Run `make apply` in the `account`, `demo` and `security` projects.
Once fully applied, the following will be in place:
- CloudTrail logging to an S3 bucket and CloudWatch Log Group
- An IAM password policy
- An S3 bucket for bucket access logging
- An EC2 keypair that can be used if running GuardDuty Tester
- A simple Lambda that logs random strings, along with a CloudWatch Event that triggers it every minute
- GuardDuty with notifications routing to PagerDuty
- CloudWatch Metric Filters/Alerts for all CIS required search strings routing to Slack
- AWS Config with notifications routing to Jira (note that no rules are created, so no notifications will actually occur)
- CloudWatch Metric Filter/Alert that fires when the string `INVALID AUTHENTICATION ATTEMPT` is found
- SecurityHub with notifications routing to Slack (this is quite noisy)
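The metric filter and alarm items above all follow the same shape: a CloudWatch Logs metric filter over the CloudTrail log group, a metric alarm on the resulting metric, and an SNS topic that the notification integration subscribes to. The following is an added illustration of that pattern, not code from this repository: it declares two filters, the literal `INVALID AUTHENTICATION ATTEMPT` string match and one CIS-style pattern for unauthorized API calls. The variable `cloudtrail_log_group_name`, the `SecurityDemo` namespace, the topic name and the resource labels are all assumptions made for the example; the project's own variable and resource names may differ.

```hcl
# Added example of the "metric filter -> alarm -> SNS" pattern the demo uses.
# Names, namespace and the input variable below are assumptions for this example.

variable "cloudtrail_log_group_name" {
  description = "CloudWatch Log Group that CloudTrail delivers to (assumed name)"
  type        = string
}

locals {
  # Each entry becomes one metric filter plus one alarm.
  metric_filters = {
    invalid_authentication_attempt = {
      # Plain-text term match; the quotes are part of the filter pattern syntax
      pattern     = "\"INVALID AUTHENTICATION ATTEMPT\""
      metric_name = "InvalidAuthenticationAttempt"
      description = "INVALID AUTHENTICATION ATTEMPT seen in CloudTrail logs"
    }
    unauthorized_api_calls = {
      # JSON field pattern in the style of the CIS unauthorized-API-calls check
      pattern     = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
      metric_name = "UnauthorizedAPICalls"
      description = "Unauthorized or access-denied API calls seen in CloudTrail logs"
    }
  }
}

# Topic that the Slack/PagerDuty/Jira notifier would subscribe to (assumed name).
resource "aws_sns_topic" "security_notify" {
  name = "security-demo-notify"
}

resource "aws_cloudwatch_log_metric_filter" "this" {
  for_each = local.metric_filters

  name           = each.key
  log_group_name = var.cloudtrail_log_group_name
  pattern        = each.value.pattern

  metric_transformation {
    name          = each.value.metric_name
    namespace     = "SecurityDemo"
    value         = "1"
    # Publish 0 when nothing matches so the alarm does not sit in INSUFFICIENT_DATA
    default_value = "0"
  }
}

resource "aws_cloudwatch_metric_alarm" "this" {
  for_each = local.metric_filters

  alarm_name          = each.key
  alarm_description   = each.value.description
  namespace           = "SecurityDemo"
  metric_name         = aws_cloudwatch_log_metric_filter.this[each.key].metric_transformation[0].name
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_notify.arn]
}
```

Because the filters are keyed in a single map, adding another CIS search string is one more map entry rather than a new pair of resources, which is the property that keeps the `security` project reviewable as the list of monitored strings grows.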