+
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+---
+
+⚠️**Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_9oFz0p67iCw3obk).**
+
+##
+
+## Table of Contents
+
+- [Introduction](#introduction)
+- [Deployed Resource Details](#deployed-resource-details)
+- [Implementation Instructions](#implementation-instructions)
+- [Requirements](#requirements)
+- [Providers](#providers)
+- [Modules](#modules)
+- [Resources](#resources)
+- [Inputs](#inputs)
+- [Outputs](#outputs)
+
+---
+
+## Introduction
+
+This Terraform module deploys the register delegated administrator AWS SRA solution.
+
+The common pre-requisite solution must be installed, in the management account, prior to installing this solution.
+
+Information on the resources deployed as well as terraform requirements, providers, modules, resources, and inputs of this module are documented below.
+
+Please navigate to the [installing the AWS SRA Solutions](./../../README.md#installing-the-aws-sra-solutions) section of the documentation for more information and installation instructions.
+
+*For the CloudFormation version of this AWS SRA solution as well as more information please navigate to the [AWS SRA register delegated admin solution documentation](./../../../solutions/common/common_register_delegated_administrator/README.md) page.*
+
+---
+
+## Deployed Resource Details
+
+![Architecture](./../../../solutions/common/common_register_delegated_administrator/documentation/sra-common-register-delegated-administrator-terraform.png)
+
+### 1.0 Organization Management Account
+
+#### 1.2 AWS Lambda Function
+
+- See [1.2 AWS Lambda Function](#./../../../solutions/common/common_register_delegated_administrator/README.md12-aws-lambda-function)
+
+#### 1.3 Lambda CloudWatch Log Group
+
+- See [1.3 Lambda CloudWatch Log Group](#./../../../solutions/common/common_register_delegated_administrator/README.md13-lambda-cloudwatch-log-group)
+
+#### 1.4 Lambda Execution IAM Role
+
+- See [1.4 Lambda Execution IAM Role](#./../../../solutions/common/common_register_delegated_administrator/README.md14-lambda-execution-iam-role)
+
+#### 1.5 AWS Organizations
+
+- See [1.5 AWS Organizations](#./../../../solutions/common/common_register_delegated_administrator/README.md15-aws-organizations)
+
+---
+
+### 2.0 Delegated Administrator Account (Audit)
+
+#### 2.1 Services Supported
+
+- See [2.1 Services Supported](#./../../../solutions/common/common_register_delegated_administrator/README.md21-services-supported)
+
+---
+
+## Implementation Instructions
+
+Please navigate to the [installing the AWS SRA Solutions](./../../README.md#installing-the-aws-sra-solutions) section of the documentation for installation instructions.
+
+---
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | >= 5.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.1.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [register\_delegated\_admin](#module\_register\_delegated\_admin) | ./register_admin | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | Delegated Admin Account ID | `string` | n/a | yes |
+| [register\_delegated\_admin\_lambda\_function\_name](#input\_register\_delegated\_admin\_lambda\_function\_name) | Register Delegated Admin - Lambda Function Name | `string` | `"sra-common-register-delegated-admin"` | no |
+| [register\_delegated\_admin\_lambda\_role\_name](#input\_register\_delegated\_admin\_lambda\_role\_name) | Register Delegated Admin - Lambda Role Name | `string` | `"sra-common-register-delegated-admin-lambda"` | no |
+| [service\_principal\_list](#input\_service\_principal\_list) | Comma delimited list of AWS service principals to delegate an administrator account | `list(string)` | [
"access-analyzer.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"config.amazonaws.com"
]
| no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
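Review bot: the five "See ..." cross-reference links in the Deployed Resource Details section are malformed, e.g. `- See [1.2 AWS Lambda Function](#./../../../solutions/common/common_register_delegated_administrator/README.md12-aws-lambda-function)`: the `#` is placed before the relative path and omitted before the section slug, so the links resolve to nothing. Use the form `(./../../../solutions/common/common_register_delegated_administrator/README.md#12-aws-lambda-function)`, as the Security Hub README in this same change does. Two smaller points: the `service_principal_list` default is spread over five physical lines inside the Inputs table, which breaks the Markdown table, so put it on one line such as `` `["access-analyzer.amazonaws.com", "config-multiaccountsetup.amazonaws.com", "config.amazonaws.com"]` ``; and the empty `##` heading above the Table of Contents should be dropped.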
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/data.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/data.tf
new file mode 100644
index 00000000..90baa06f
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/data.tf
@@ -0,0 +1,8 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
\ No newline at end of file
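Review bot: the three data sources in the root `data.tf` (`aws_partition`, `aws_caller_identity`, `aws_region`) are not referenced anywhere in the root module, which only wires variables into the `register_delegated_admin` child module (the child module declares its own copies). Drop them from the root module, or the generated Resources table will keep advertising data sources that do nothing.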
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/main.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/main.tf
new file mode 100644
index 00000000..c9c4d37e
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/main.tf
@@ -0,0 +1,12 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+module "register_delegated_admin" {
+ source = "./register_admin"
+
+ register_delegated_admin_lambda_role_name = var.register_delegated_admin_lambda_role_name
+ register_delegated_admin_lambda_function_name = var.register_delegated_admin_lambda_function_name
+ service_principal_list = var.service_principal_list
+ delegated_admin_account_id = var.delegated_admin_account_id
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/providers.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/providers.tf
new file mode 100644
index 00000000..226f1ca4
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/providers.tf
@@ -0,0 +1,13 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.1.0"
+ }
+ }
+}
\ No newline at end of file
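Review bot: `required_providers` only declares `aws`, but the `register_admin` child module in this change uses `data "archive_file"` and `resource "null_resource"`, which come from the `hashicorp/archive` and `hashicorp/null` providers. Terraform will fall back to the implied `hashicorp/*` sources for undeclared providers, but those are then unpinned and absent from the Requirements table in the README. Declare both alongside `aws` with a version constraint, for example `archive = { source = "hashicorp/archive" }` and `null = { source = "hashicorp/null" }`, so the README's Requirements table reflects what the module actually needs.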
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/data.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/data.tf
new file mode 100644
index 00000000..90baa06f
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/data.tf
@@ -0,0 +1,8 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/invoke.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/invoke.tf
new file mode 100644
index 00000000..39dfc20e
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/invoke.tf
@@ -0,0 +1,20 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+resource "aws_lambda_invocation" "lambda_invoke" {
+ function_name = aws_lambda_function.register_delegated_admin_lambda_function.function_name
+
+ input = jsonencode({
+ "RequestType" : "Create",
+ "ResourceType" : "Custom::LambdaCustomResource",
+ "ResourceProperties" : {
+ "ServiceToken" : "${aws_lambda_function.register_delegated_admin_lambda_function.arn}",
+ "AWS_SERVICE_PRINCIPAL_LIST" : "${var.service_principal_list}",
+ "DELEGATED_ADMIN_ACCOUNT_ID" : "${var.delegated_admin_account_id}",
+ },
+ "StackId" : "dummystackid/dummystack",
+ "RequestId" : ""
+ })
+}
\ No newline at end of file
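Review bot: `"AWS_SERVICE_PRINCIPAL_LIST" : "${var.service_principal_list}"` interpolates a `list(string)` variable into a string template, which Terraform rejects with "Cannot include the given value in a string template: string required", so this invocation will fail at plan time. The README describes the value as a comma delimited list, so the intended input is `join(",", var.service_principal_list)`. The `"${var.delegated_admin_account_id}"` wrapping on the other keys is harmless but redundant for string variables; pass them directly.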
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf
new file mode 100644
index 00000000..cd9b84d9
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf
@@ -0,0 +1,165 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+locals {
+ src_path = "${path.root}/../../solutions/common/common_register_delegated_administrator/lambda/src/"
+}
+
+resource "aws_cloudwatch_log_group" "register_delegated_admin_lambda_log_group" {
+ count = var.create_lambda_log_group == "true" ? 1 : 0
+ name = "/aws/lambda/${var.register_delegated_admin_lambda_function_name}"
+ retention_in_days = var.lambda_log_group_retention
+ kms_key_id = var.lambda_log_group_kms_key != "" ? var.lambda_log_group_kms_key : null
+}
+
+resource "aws_iam_role" "register_delegated_admin_lambda_role" {
+ name = var.register_delegated_admin_lambda_role_name
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ }
+ }
+ ]
+ })
+
+ tags = {
+ "sra-solution" = var.sra_solution_name
+ }
+}
+
+data "aws_iam_policy_document" "register_delegated_admin_policy_logs" {
+ version = "2012-10-17"
+
+ statement {
+ sid = "CreateLogStreamAndEvents"
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = [
+ "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.register_delegated_admin_lambda_function_name}:log-stream:*"
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "register_delegated_admin_policy_organizations" {
+ #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+ #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+
+ version = "2012-10-17"
+
+ statement {
+ sid = "OrganizationsAccess"
+ effect = "Allow"
+
+ actions = [
+ "organizations:DeregisterDelegatedAdministrator",
+ "organizations:DescribeOrganization",
+ "organizations:DisableAWSServiceAccess",
+ "organizations:EnableAWSServiceAccess",
+ "organizations:ListAWSServiceAccessForOrganization",
+ "organizations:ListDelegatedAdministrators",
+ "organizations:RegisterDelegatedAdministrator",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "register_delegated_admin_policy_logs" {
+ name = "sra-register-delegated-admin-policy-logs"
+ policy = data.aws_iam_policy_document.register_delegated_admin_policy_logs.json
+}
+
+resource "aws_iam_policy" "register_delegated_admin_policy_organizations" {
+ name = "sra-register-delegated-admin-policy-organizations"
+ policy = data.aws_iam_policy_document.register_delegated_admin_policy_organizations.json
+}
+
+resource "aws_iam_policy_attachment" "register_delegated_admin_policy_attachment_logs" {
+ name = "sra-register-delegated-admin-policy-logs-attachment"
+ roles = [aws_iam_role.register_delegated_admin_lambda_role.name]
+ policy_arn = aws_iam_policy.register_delegated_admin_policy_logs.arn
+}
+
+resource "aws_iam_policy_attachment" "register_delegated_admin_policy_attachment_organizations" {
+ name = "sra-register-delegated-admin-policy-organizations-attachment"
+ roles = [aws_iam_role.register_delegated_admin_lambda_role.name]
+ policy_arn = aws_iam_policy.register_delegated_admin_policy_organizations.arn
+}
+
+########################################################################
+# Lambda Function
+########################################################################
+
+data "archive_file" "hash_check" {
+ type = "zip"
+ source_dir = local.src_path
+ output_path = "${path.module}/lambda/lambda_function.zip"
+ excludes = ["lambda_function.zip, data.zip"]
+}
+
+resource "null_resource" "package_lambda" {
+ triggers = {
+ src_hash = "${data.archive_file.hash_check.output_sha}"
+ }
+
+ provisioner "local-exec" {
+ command = <
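Review bot: `excludes = ["lambda_function.zip, data.zip"]` is a single list element containing a comma, so neither file name is excluded from the archive; it should be `excludes = ["lambda_function.zip", "data.zip"]`. Separately, `count = var.create_lambda_log_group == "true" ? 1 : 0` compares against the string `"true"`; the sibling Security Hub module declares `create_lambda_log_group` as `bool`, and in Terraform `==` is only true when both operands have the same type and value, so if this module's variable is `bool` too the log group is never created. Use `var.create_lambda_log_group ? 1 : 0` instead. Finally, the `local-exec` provisioner's heredoc `command = <` is cut off here and cannot be reviewed.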
+
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
+
+---
+
+⚠️**Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_9oFz0p67iCw3obk).**
+
+##
+
+
+## Table of Contents
+
+- [Introduction](#introduction)
+- [Deployed Resource Details](#deployed-resource-details)
+- [Implementation Instructions](#implementation-instructions)
+- [Requirements](#requirements)
+- [Providers](#providers)
+- [Modules](#modules)
+- [Resources](#resources)
+- [Inputs](#inputs)
+- [Outputs](#outputs)
+
+---
+
+## Introduction
+
+This Terraform module deploys Security Hub Organization AWS SRA solution.
+
+The common pre-requisite solution must be installed, in the management account, prior to installing this solution.
+
+Information on the resources deployed as well as terraform requirements, providers, modules, resources, and inputs of this module are documented below.
+
+Please navigate to the [installing the AWS SRA Solutions](./../../README.md#installing-the-aws-sra-solutions) section of the documentation for more information and installation instructions.
+
+*For the CloudFormation version of this AWS SRA solution as well as more information please navigate to the [AWS SRA Security Hub solution documentation](./../../../solutions/securityhub/securityhub_org/README.md) page.*
+
+---
+
+## Deployed Resource Details
+
+![Architecture](./../../../solutions/securityhub/securityhub_org/documentation/securityhub-org-terraform.png)
+
+### 1.0 Organization Management Account
+
+#### 1.1 Lambda IAM Role
+
+- See [1.2 Lambda IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#12-lambda-iam-role).
+
+#### 1.2 Regional Event Rule
+
+- See [1.3 Regional Event Rule](./../../../solutions/securityhub/securityhub_org/README.md#13-regional-event-rule)
+
+#### 1.3 Global Event Rules
+
+- See [1.4 Global Event Rules](./../../../solutions/securityhub/securityhub_org/README.md#14-global-event-rules)
+
+#### 1.4 SNS Topic
+
+- See [1.5 SNS Topic](./../../../solutions/securityhub/securityhub_org/README.md#15-sns-topic)
+
+#### 1.5 Dead Letter Queue (DLQ)
+
+- See [1.6 Dead Letter Queue (DLQ)](./../../../solutions/securityhub/securityhub_org/README.md#16-dead-letter-queue-dlq)
+
+#### 1.6 AWS Lambda Function
+
+- See [1.7 AWS Lambda Function](./../../../solutions/securityhub/securityhub_org/README.md#17-aws-lambda-function)
+
+#### 1.7 Lambda CloudWatch Log Group
+
+- See [1.8 Lambda CloudWatch Log Group](./../../../solutions/securityhub/securityhub_org/README.md#18-lambda-cloudwatch-log-group)
+
+#### 1.8 Alarm SNS Topic
+
+- See [1.9 Alarm SNS Topic](./../../../solutions/securityhub/securityhub_org/README.md#19-alarm-sns-topic)
+
+#### 1.9 Security Hub
+
+- See [1.10 Security Hub](./../../../solutions/securityhub/securityhub_org/README.md#110-security-hub)
+
+#### 1.10 Configuration IAM Role
+
+- See [1.11 Configuration IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#111-configuration-iam-role)
+
+#### 1.11 Scheduled Event Rule
+
+- See [1.12 Regional Event Rule](./../../../solutions/securityhub/securityhub_org/README.md#112-regional-event-rule)
+
+#### 1.12 Config Recorder Start Event Rule
+
+- See [1.13 Config Recorder Start Event Rule](./../../../solutions/securityhub/securityhub_org/README.md#113-config-recorder-start-event-rule)
+
+#### 1.13 EventBridge IAM Role
+
+- See [1.14 EventBridge IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#114-eventbridge-iam-role)
+
+---
+
+### 2.0 Audit (Security Tooling) Account
+
+#### 2.1 Configuration IAM Role
+
+- See [2.2 Configuration IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#22-configuration-iam-role)
+
+#### 2.2 Security Hub (Home Region)
+
+- See [2.3 Security Hub (Home Region)](./../../../solutions/securityhub/securityhub_org/README.md#23-security-hub-home-region)
+
+#### 2.3 Security Hub (Regions)
+
+- See [2.4 Security Hub (Regions)](./../../../solutions/securityhub/securityhub_org/README.md#24-security-hub-regions)
+
+#### 2.4 Config Recorder Start Event Rule
+
+- See [2.5 Config Recorder Start Event Rule](./../../../solutions/securityhub/securityhub_org/README.md#25-config-recorder-start-event-rule)
+
+#### 2.5 EventBridge IAM Role
+
+- See [2.6 EventBridge IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#26-eventbridge-iam-role)
+
+---
+
+### 3.0 All Existing and Future Organization Member Accounts
+
+#### 3.1 Configuration IAM Role
+
+- See [3.2 Configuration IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#32-configuration-iam-role)
+
+#### 3.2 Security Hub
+
+- See [3.3 Security Hub](./../../../solutions/securityhub/securityhub_org/README.md#33-security-hub)
+
+#### 3.3 Config Recorder Start Event Rule
+
+- See [3.4 Config Recorder Start Event Rule](./../../../solutions/securityhub/securityhub_org/README.md#34-config-recorder-start-event-rule)
+
+#### 3.4 EventBridge IAM Role
+
+- See [3.5 EventBridge IAM Role](./../../../solutions/securityhub/securityhub_org/README.md#35-eventbridge-iam-role)
+
+---
+
+## Implementation Instructions
+
+Please navigate to the [installing the AWS SRA Solutions](./../../README.md#installing-the-aws-sra-solutions) section of the documentation for installation instructions.
+
+
+---
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | >= 5.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws.main](#provider\_aws.main) | >= 5.1.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [recorder\_start\_event](#module\_recorder\_start\_event) | ./recorder_start_event | n/a |
+| [security\_hub](#module\_security\_hub) | ./configuration | n/a |
+| [securityhub\_configuration\_role](#module\_securityhub\_configuration\_role) | ./configuration_role | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
+| [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
+| [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
+| [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |
+| [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | Delegated administrator account ID | `string` | n/a | yes |
+| [disable\_security\_hub](#input\_disable\_security\_hub) | Update to 'true' to disable Security Hub in all accounts and regions before deleting the stack | `bool` | `false` | no |
+| [enable\_cis\_standard](#input\_enable\_cis\_standard) | Indicates whether to enable the CIS AWS Foundations Benchmark Standard | `bool` | `false` | no |
+| [enable\_nist\_standard](#input\_enable\_nist\_standard) | Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 | `bool` | `false` | no |
+| [enable\_pci\_standard](#input\_enable\_pci\_standard) | Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS) | `bool` | `false` | no |
+| [enable\_security\_best\_practices\_standard](#input\_enable\_security\_best\_practices\_standard) | Indicates whether to enable the AWS Foundational Security Best Practices Standard | `bool` | `true` | no |
+| [enabled\_regions](#input\_enabled\_regions) | (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. | `string` | n/a | yes |
+| [event\_rule\_role\_name](#input\_event\_rule\_role\_name) | Event rule role name for putting events on the home region event bus | `string` | `"sra-security-hub-global-events"` | no |
+| [home\_region](#input\_home\_region) | Name of the Control Tower home region | `string` | n/a | yes |
+| [lambda\_log\_group\_kms\_key](#input\_lambda\_log\_group\_kms\_key) | (Optional) KMS Key ARN to use for encrypting the Lambda logs data | `string` | `""` | no |
+| [lambda\_log\_group\_retention](#input\_lambda\_log\_group\_retention) | Specifies the number of days you want to retain log events | `number` | `14` | no |
+| [lambda\_log\_level](#input\_lambda\_log\_level) | Lambda Function Logging Level | `string` | `"INFO"` | no |
+| [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | AWS Account ID of the Control Tower Log Archive account. | `string` | n/a | yes |
+| [management\_account\_id](#input\_management\_account\_id) | Organization Management Account ID | `string` | n/a | yes |
+| [nist\_standard\_version](#input\_nist\_standard\_version) | NIST Standard Version | `string` | `"5.0.0"` | no |
+| [organization\_id](#input\_organization\_id) | AWS Organizations ID | `string` | n/a | yes |
+| [pci\_standard\_version](#input\_pci\_standard\_version) | PCI Standard Version | `string` | `"3.2.1"` | no |
+| [region\_linking\_mode](#input\_region\_linking\_mode) | Indicates whether to aggregate findings from all of the available Regions in the current partition | `string` | `"SPECIFIED_REGIONS"` | no |
+| [sechub\_rule\_name](#input\_sechub\_rule\_name) | Eventbridge rule name | `string` | `"sra-config-recorder"` | no |
+| [security\_best\_practices\_standard\_version](#input\_security\_best\_practices\_standard\_version) | SBP Standard Version | `string` | `"1.0.0"` | no |
+| [security\_hub\_configuration\_role\_name](#input\_security\_hub\_configuration\_role\_name) | SecurityHub Configuration role to assume in the delegated administrator account | `string` | `"sra-securityhub-configuration"` | no |
+| [security\_hub\_org\_lambda\_function\_name](#input\_security\_hub\_org\_lambda\_function\_name) | Lambda function name | `string` | `"sra-securityhub-org"` | no |
+| [security\_hub\_org\_lambda\_role\_name](#input\_security\_hub\_org\_lambda\_role\_name) | SecurityHub configuration Lambda role name | `string` | `"sra-securityhub-org-lambda"` | no |
+| [securityhub\_control\_tower\_regions\_only](#input\_securityhub\_control\_tower\_regions\_only) | Only enable in the Control Tower governed regions | `bool` | `true` | no |
+| [sra\_alarm\_email](#input\_sra\_alarm\_email) | (Optional) Email address for receiving DLQ alarms | `string` | `""` | no |
+| [sra\_solution\_name](#input\_sra\_solution\_name) | The SRA solution name. The default value is the folder name of the solution. | `string` | `"sra-securityhub-org"` | no |
+
+## Outputs
+
+No outputs.
+
+---
+
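Review bot: the `#### 1.11 Scheduled Event Rule` heading links to `[1.12 Regional Event Rule](...#112-regional-event-rule)`, so the heading and the link text disagree; check which section is intended and make the two match. In the Inputs table, `enabled_regions` is described as "(Optional) ... Leave blank to enable all regions." yet is marked Required `yes` with no default; give it `""` as a default so the documented behaviour is reachable. Two wording points carried over from CloudFormation: the `disable_security_hub` description says "before deleting the stack", which for this Terraform module should read "before running terraform destroy", and the empty `##` heading above the Table of Contents should be removed.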
diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/data.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/data.tf
new file mode 100644
index 00000000..90baa06f
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/data.tf
@@ -0,0 +1,8 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/invoke.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/invoke.tf
new file mode 100644
index 00000000..6b824c69
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/invoke.tf
@@ -0,0 +1,29 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+resource "aws_lambda_invocation" "lambda_invoke" {
+ function_name = aws_lambda_function.security_hub_lambda_function.function_name
+
+ input = jsonencode({
+ "RequestType" : "Update",
+ "ResourceType" : "Custom::LambdaCustomResource",
+ "ResourceProperties" : {
+ "ServiceToken" : "${aws_lambda_function.security_hub_lambda_function.arn}",
+ "LOG_LEVEL" : "${var.lambda_log_level}",
+ "CIS_VERSION" : "${var.cis_standard_version}",
+ "CONFIGURATION_ROLE_NAME" : "${var.security_hub_configuration_role_name}",
+ "DISABLE_SECURITY_HUB" : "${var.disable_security_hub}",
+ "ENABLED_REGIONS" : "${var.enabled_regions}",
+ "ENABLE_CIS_STANDARD" : "${var.enable_cis_standard}",
+ "ENABLE_PCI_STANDARD" : "${var.enable_pci_standard}",
+ "ENABLE_NIST_STANDARD" : "${var.enable_nist_standard}",
+ "ENABLE_SECURITY_BEST_PRACTICES_STANDARD" : "${var.enable_security_best_practices_standard}",
+ "PCI_VERSION" : "${var.pci_standard_version}",
+ "NIST_VERSION" : "${var.nist_standard_version}",
+ "REGION_LINKING_MODE" : "${var.region_linking_mode}",
+ "SECURITY_BEST_PRACTICES_VERSION" : "${var.security_best_practices_standard_version}",
+ }
+ })
+}
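Review bot: this `aws_lambda_invocation` has no `triggers` block and uses the default create-only lifecycle, so the function runs once when the resource is created and again only when `input` changes; it is never invoked on `terraform destroy`, so the Lambda never receives a Delete-style request and Security Hub stays configured after the module is removed. That makes the `disable_security_hub` variable the only teardown path, which should be documented explicitly (apply with `disable_security_hub = true` first, then destroy). Newer 5.x releases of the AWS provider also offer a `lifecycle_scope` argument on this resource that invokes the function on destroy, which would fit the custom-resource style of this handler better; verify the minimum provider version before relying on it. The `"RequestType" : "Update"` value is hard-coded, which is fine for the handler but worth a comment.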
diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
new file mode 100644
index 00000000..9204c589
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
@@ -0,0 +1,644 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+locals {
+ #TODO: Figure out?
+ graviton_regions = [
+ "ap-northeast-1",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "eu-central-1",
+ "eu-west-1",
+ "eu-west-2",
+ "us-east-1",
+ "us-east-2",
+ "us-west-2",
+ ]
+ create_dlq_alarm = var.sra_alarm_email != "" ? true : false
+ src_path = "${path.root}/../../solutions/securityhub/securityhub_org/lambda/src/"
+}
+
+########################################################################
+# Lambda Policies Documents
+########################################################################
+
+data "aws_iam_policy_document" "security_hub_org_assume_role" {
+ statement {
+ actions = ["sts:AssumeRole"]
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "security_hub_org_lambda_role" {
+ name = var.security_hub_org_lambda_role_name
+ description = "Role for '${var.security_hub_org_lambda_role_name}' Lambda function"
+
+ assume_role_policy = data.aws_iam_policy_document.security_hub_org_assume_role.json
+
+ tags = {
+ "sra-solution" = var.sra_solution_name
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_cloudformation" {
+ statement {
+ sid = "CloudFormation"
+ effect = "Allow"
+ actions = ["cloudformation:ListStackInstances"]
+ resources = ["arn:${data.aws_partition.current.partition}:cloudformation:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stackset/AWSControlTowerBP-*"]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_ssm_access" {
+ statement {
+ sid = "SSMAccess"
+ effect = "Allow"
+ actions = [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ ]
+ resources = ["arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/sra*"]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_securityhub" {
+ #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+ #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+
+ statement {
+ sid = "SecurityHubNoResource"
+ effect = "Allow"
+ actions = [
+ "securityhub:DisableOrganizationAdminAccount",
+ "securityhub:EnableOrganizationAdminAccount",
+ "securityhub:ListOrganizationAdminAccounts",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "SecurityHubWithResource"
+ effect = "Allow"
+ actions = [
+ "securityhub:EnableSecurityHub",
+ ]
+ resources = [
+ "arn:${data.aws_partition.current.partition}:securityhub:*:${data.aws_caller_identity.current.account_id}:hub/default",
+ "arn:${data.aws_partition.current.partition}:securityhub:*:${data.aws_caller_identity.current.account_id}:/accounts",
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_iam" {
+ statement {
+ sid = "AllowReadIamActions"
+ effect = "Allow"
+ actions = ["iam:GetRole"]
+ resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/*"]
+ }
+
+ statement {
+ sid = "AllowCreateServiceLinkedRole"
+ effect = "Allow"
+ actions = ["iam:CreateServiceLinkedRole"]
+ condition {
+ test = "StringLike"
+ variable = "iam:AWSServiceName"
+ values = ["securityhub.amazonaws.com"]
+ }
+ resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub"]
+ }
+
+ statement {
+ sid = "AllowPolicyActions"
+ effect = "Allow"
+ actions = ["iam:PutRolePolicy"]
+ resources = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub"]
+ }
+
+ statement {
+ sid = "AssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgId"
+ values = [var.organization_id]
+ }
+ resources = [
+ "arn:${data.aws_partition.current.partition}:iam::*:role/${var.security_hub_configuration_role_name}",
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_logs" {
+ statement {
+ sid = "CreateLogGroupAndEvents"
+ effect = "Allow"
+ actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+ resources = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.security_hub_org_lambda_function_name}:log-stream:*"]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_organizations" {
+ statement {
+ sid = "OrganizationsReadAccess"
+ effect = "Allow"
+ actions = [
+ "organizations:DescribeOrganization",
+ "organizations:ListAWSServiceAccessForOrganization",
+ "organizations:ListAccounts",
+ "organizations:ListDelegatedAdministrators",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AWSServiceAccess"
+ effect = "Allow"
+ actions = [
+ "organizations:DisableAWSServiceAccess",
+ "organizations:EnableAWSServiceAccess",
+ ]
+ condition {
+ test = "StringLikeIfExists"
+ variable = "organizations:ServicePrincipal"
+ values = ["securityhub.amazonaws.com"]
+ }
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "RegisterDeregisterDelegatedAdministrator"
+ effect = "Allow"
+ actions = [
+ "organizations:DeregisterDelegatedAdministrator",
+ "organizations:RegisterDelegatedAdministrator",
+ ]
+ condition {
+ test = "StringLikeIfExists"
+ variable = "organizations:ServicePrincipal"
+ values = ["securityhub.amazonaws.com"]
+ }
+ resources = ["arn:${data.aws_partition.current.partition}:organizations::*:account/o-*/*"]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_sns" {
+ statement {
+ sid = "SNSPublish"
+ effect = "Allow"
+ actions = ["sns:Publish", "sns:PublishBatch"]
+ resources = [aws_sns_topic.securityhub_org_topic.arn]
+ }
+}
+
+data "aws_iam_policy_document" "security_hub_org_policy_sqs" {
+ statement {
+ sid = "SQSSendMessage"
+ effect = "Allow"
+ actions = ["sqs:SendMessage"]
+ resources = [aws_sqs_queue.securityhub_org_dlq.arn]
+ }
+}
+
+########################################################################
+# Lambda Policies
+########################################################################
+
+resource "aws_iam_policy" "security_hub_org_policy_logs" {
+ name = "sra-security-hub-org-policy-logs"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_logs.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_securityhub" {
+ name = "sra-security-hub-org-policy-securityhub"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_securityhub.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_iam" {
+ name = "sra-security-hub-org-policy-iam"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_iam.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_cloudformation" {
+ name = "sra-security-hub-org-policy-cloudformation"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_cloudformation.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_ssm_access" {
+ name = "sra-security-hub-org-policy-ssm-access"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_ssm_access.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_organizations" {
+ name = "sra-security-hub-org-policy-organizations-lambda"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_organizations.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_sns" {
+ name = "sra-security-hub-org-policy-sns"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_sns.json
+}
+
+resource "aws_iam_policy" "security_hub_org_policy_sqs" {
+ name = "sra-security-hub-org-policy-sqs"
+ policy = data.aws_iam_policy_document.security_hub_org_policy_sqs.json
+}
+
+########################################################################
+# Lambda Attachment
+########################################################################
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_logs" {
+ name = "sra-security-hub-org-policy-attachment-logs"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_logs.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_securityhub" {
+ name = "sra-security-hub-org-policy-attachment-securityhub"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_securityhub.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_iam" {
+ name = "sra-security-hub-org-policy-attachment-iam"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_iam.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_cloudformation" {
+ name = "sra-security-hub-org-policy-attachment-cloudformation"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_cloudformation.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_ssm_access" {
+ name = "sra-security-hub-org-policy-attachment-ssm-access"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_ssm_access.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_organizations" {
+ name = "sra-securityhub-org-policy-attachment-organizations"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_organizations.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_sns" {
+ name = "sra-securityhub-org-policy-attachment-sns"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_sns.arn
+}
+
+resource "aws_iam_policy_attachment" "security_hub_org_policy_attachment_sqs" {
+ name = "sra-securityhub-org-policy-attachment-sqs"
+ roles = [aws_iam_role.security_hub_org_lambda_role.name]
+ policy_arn = aws_iam_policy.security_hub_org_policy_sqs.arn
+}
+
+########################################################################
+# Cloud Watch Log Group
+########################################################################
+
+resource "aws_cloudwatch_log_group" "rSecurityHubOrgLambdaLogGroup" {
+ count = var.create_lambda_log_group ? 1 : 0
+ name = "/aws/lambda/${var.security_hub_org_lambda_function_name}"
+ retention_in_days = var.lambda_log_group_retention
+
+ kms_key_id = var.lambda_log_group_kms_key != null ? var.lambda_log_group_kms_key : null
+}
+
+########################################################################
+# Lambda Function
+########################################################################
+
+data "archive_file" "hash_check" {
+ type = "zip"
+ source_dir = local.src_path
+ output_path = "${path.module}/lambda/lambda_function.zip"
+ excludes = ["lambda_function.zip, data.zip"]
+}
+
+resource "null_resource" "package_lambda" {
+ triggers = {
+ src_hash = "${data.archive_file.hash_check.output_sha}"
+ }
+
+ provisioner "local-exec" {
+ command = < None:
+ """Initialize the terraform project."""
+ subprocess.run("terraform init -backend-config=backend.tfvars", check=True, shell=True) # nosec B602 # noqa: S602,S607,DUO116
+
+
+def set_supported_region() -> None:
+ """Set the supported regions from parameter store."""
+ global SUPPORTED_REGIONS
+
+ ssm_client = boto3.client("ssm")
+ customer_regions_parameter_name = "/sra/regions/customer-control-tower-regions"
+ home_region = "/sra/control-tower/home-region"
+
+ response = ssm_client.get_parameter(Name=customer_regions_parameter_name, WithDecryption=True) # Use this if the parameter is encrypted with KMS
+
+ customer_regions = response["Parameter"]["Value"]
+
+ # Split the comma-separated values into a list
+ SUPPORTED_REGIONS = customer_regions.split(",")
+
+ response = ssm_client.get_parameter(Name=home_region, WithDecryption=True) # Use this if the parameter is encrypted with KMS
+
+ home_region = response["Parameter"]["Value"]
+
+ if home_region in SUPPORTED_REGIONS:
+ SUPPORTED_REGIONS.remove(home_region)
+ SUPPORTED_REGIONS.insert(0, home_region)
+
+
+def get_audit_account() -> str:
+ """Get audit account from AWS Organization.
+
+ Returns:
+ str: audit account id
+ """
+ ssm_client = boto3.client("ssm")
+ response = ssm_client.get_parameter(
+ Name="/sra/control-tower/audit-account-id", WithDecryption=True # Use this if the parameter is encrypted with KMS
+ )
+
+ return response["Parameter"]["Value"]
+
+
+def get_accounts() -> list:
+ """Get all accounts from AWS Organization.
+
+ Returns:
+ list: list of accounts in org
+ """
+ organizations = boto3.client("organizations")
+ paginator = organizations.get_paginator("list_accounts")
+
+ accounts = [account["Id"] for page in paginator.paginate() for account in page["Accounts"]]
+ audit_account = get_audit_account()
+
+ # audit account needs to go last
+ if audit_account in accounts:
+ accounts.remove(audit_account)
+ accounts.append(audit_account)
+
+ return accounts
+
+
+def workspace_exists(account: str, region: str) -> bool:
+ """Check to see if workspace already exists for current terraform project.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+
+ Returns:
+ bool: Returns true if workspace already exists, false otherwise.
+ """
+ completed_process = subprocess.run(f"terraform workspace list | grep {account}-{region}", shell=True) # nosec B602 # noqa: S602,DUO116
+ return completed_process.returncode == 0
+
+
+def create_workspace(account: str, region: str) -> None:
+ """Create new workspace for terraform and saves it into state file.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+ """
+ subprocess.run(f"terraform workspace new {account}-{region}", check=True, shell=True) # nosec B602 # noqa: S602,DUO116
+
+
+def switch_to_workspace(account: str, region: str) -> None:
+ """Switch to a created workspace in Terraform.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+ """
+ subprocess.run(f"terraform workspace select {account}-{region}", check=True, shell=True) # nosec B602 # noqa: S602,DUO116
+
+
+def plan(account: str, region: str) -> None:
+ """Perform a terraform plan operation on all stacks.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+ """
+ subprocess.run( # noqa: DUO116
+ f"terraform plan -var-file=config.tfvars -var account_id={account} -var account_region={region}", check=True, shell=True # noqa: S602,DUO116
+ ) # nosec B602 # noqa: S602,DUO116
+
+
+def apply(account: str, region: str) -> None:
+ """Perform a terraform apply operation on all stacks.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+ """
+ subprocess.run( # noqa: DUO116
+ f"terraform apply -var-file=config.tfvars -var account_id={account} -var account_region={region} -auto-approve", # noqa: DUO116
+ check=True,
+ shell=True, # noqa: S602
+ ) # nosec B602 # noqa: S602,DUO116
+
+
+def destroy(account: str, region: str) -> None:
+ """Perform a terraform destroy operation on all stacks.
+
+ Args:
+ account (str): Account ID
+ region (str): Region
+ """
+ subprocess.run( # noqa: DUO116
+ f"terraform destroy -var-file=config.tfvars -var account_id={account} -var account_region={region} -auto-approve", # noqa: DUO116
+ check=True,
+ shell=True, # noqa: S602
+ ) # nosec B602 # noqa: S602,DUO116
+
+
+def main() -> None: # noqa: CCR001
+ """Run the script."""
+ # parse arguments
+ parser = argparse.ArgumentParser(description="Terraform Script to Deploy Stacksets")
+ parser.add_argument("cmd", help="terraform command to run")
+ args = parser.parse_args()
+
+ set_supported_region()
+
+ if args.cmd == "init":
+ init()
+ elif args.cmd == "plan":
+ for account in get_accounts():
+ for region in SUPPORTED_REGIONS:
+ if not workspace_exists(account, region):
+ create_workspace(account, region)
+
+ switch_to_workspace(account, region)
+ plan(account, region)
+ elif args.cmd == "apply":
+ for account in get_accounts():
+ for region in SUPPORTED_REGIONS:
+ if not workspace_exists(account, region):
+ create_workspace(account, region)
+
+ switch_to_workspace(account, region)
+ apply(account, region)
+ elif args.cmd == "destroy":
+ for account in get_accounts():
+ for region in SUPPORTED_REGIONS:
+ if not workspace_exists(account, region):
+ create_workspace(account, region)
+
+ switch_to_workspace(account, region)
+ destroy(account, region)
+
+
+if __name__ == "__main__":
+ main()
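Review bot: the `excludes` list in `data "archive_file" "hash_check"` is a single string, `excludes = ["lambda_function.zip, data.zip"]`, so neither file is excluded; the zip will swallow the previous `lambda_function.zip` (and `data.zip`), and `output_sha` will change on every run and keep re-triggering `null_resource.package_lambda`. It should be two elements: `excludes = ["lambda_function.zip", "data.zip"]`. The `local-exec` `command` body is not visible in this hunk as shown, so the packaging step itself is not reviewed here. The eight `aws_iam_policy_attachment` resources under `# Lambda Attachment` are exclusive attachments: Terraform detaches each policy from every role, user or group not listed in `roles`, so `aws_iam_role_policy_attachment` with `role` and `policy_arn` is the safer resource when a policy is meant for one role. Three of their `name` values (`sra-securityhub-org-policy-attachment-organizations`, `-sns`, `-sqs`) drop the hyphen used by the others (`sra-security-hub-org-policy-attachment-logs`), and the organizations policy is named `sra-security-hub-org-policy-organizations-lambda` while its siblings carry no `-lambda` suffix; worth aligning before these names land in state. `kms_key_id = var.lambda_log_group_kms_key != null ? var.lambda_log_group_kms_key : null` is a no-op conditional and can be `kms_key_id = var.lambda_log_group_kms_key`. In the Python deploy script, `workspace_exists` shells out to `terraform workspace list | grep {account}-{region}`, a substring match that also succeeds on a partial name and hides a `terraform` failure behind grep's exit code; capturing the workspace list with `subprocess.run(..., capture_output=True)` and comparing stripped whole names in Python is more robust, and passing argument lists with `shell=False` instead of f-string commands would remove the need for the `nosec`/`noqa` suppressions on every call. The `plan`, `apply` and `destroy` branches in `main()` repeat the same account/region/workspace loop; one helper taking the operation as a callable removes the duplication. `destroy` also walks the same order as `apply` (home region first, audit account last); if that ordering matters for apply, confirm whether teardown should run it in reverse and record the decision in a comment.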
diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf
new file mode 100644
index 00000000..c52aa830
--- /dev/null
+++ b/aws_sra_examples/terraform/solutions/variables.tf
@@ -0,0 +1,351 @@
+########################################################################
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+########################################################################
+
+variable "account_region" {
+ description = "Account Region used for assuming role"
+ type = string
+}
+
+variable "account_id" {
+ description = "Account ID used for assuming role"
+ type = string
+}
+########################################################################
+# Main Configuration Parameters
+########################################################################
+
+variable "customer_control_tower_regions" {
+ description = "The name for customer control tower regions."
+ type = string
+}
+
+variable "customer_control_tower_regions_without_home_region" {
+ description = "The name for customer control tower regions without home region."
+ type = string
+}
+
+variable "enabled_regions" {
+ description = "The name for enabled regions."
+ type = string
+}
+
+variable "enabled_regions_without_home_region" {
+ description = "The name for enabled regions without home region."
+ type = string
+}
+
+variable "home_region" {
+ description = "The name for the home region."
+ type = string
+}
+
+variable "audit_account_id" {
+ description = "The name for the audit account ID."
+ type = string
+}
+
+variable "log_archive_account_id" {
+ description = "The name for the log archive account ID."
+ type = string
+}
+
+variable "management_account_id" {
+ description = "The name for the management account ID."
+ type = string
+}
+
+variable "organization_id" {
+ description = "The SSM parameter name for the organization ID."
+ type = string
+}
+
+variable "root_organizational_unit_id" {
+ description = "The name for the root organizational unit ID."
+ type = string
+}
+
+variable "sra_alarm_email" {
+ description = "(Optional) Email address for receiving DLQ alarms"
+ type = string
+ default = ""
+}
+
+########################################################################
+# Service Configurations
+########################################################################
+variable "enable_member_account_parameters" {
+ description = "Enable or disable Members Account Paramters module"
+ type = bool
+ default = true
+}
+
+variable "enable_gd" {
+ description = "Enable or disable Guard Duty module"
+ type = bool
+ default = true
+}
+
+variable "enable_sh" {
+ description = "Enable or disable Security Hub module"
+ type = bool
+ default = true
+}
+
+variable "enable_access_analyzer" {
+ description = "Enable or disable IAM Access Analyzer module"
+ type = bool
+ default = true
+}
+
+variable "enable_macie" {
+ description = "Enable or disable Macie module"
+ type = bool
+ default = true
+}
+
+variable "enable_cloudtrail_org" {
+ description = "Enable or disable CloudTrail Organization module"
+ type = bool
+ default = true
+}
+
+variable "enable_inspector" {
+ description = "Enable or disable Inspector module"
+ type = bool
+ default = true
+}
+
+variable "enable_iam_password_policy" {
+ description = "Enable or disable IAM Password Policy Module"
+ type = bool
+ default = true
+}
+
+########################################################################
+# Guard Duty Settings
+########################################################################
+variable "disable_guard_duty" {
+ description = "Update to 'true' to disable GuardDuty in all accounts and regions before deleting the TF."
+ type = string
+ default = "false"
+}
+
+variable "enable_s3_logs" {
+ description = "Auto enable S3 logs"
+ type = string
+}
+
+variable "enable_kubernetes_audit_logs" {
+ description = "Auto enable Kubernetes Audit Logs"
+ type = string
+}
+
+variable "enable_malware_protection" {
+ description = "Auto enable Malware Protection"
+ type = string
+}
+
+variable "enable_rds_login_events" {
+ description = "Auto enable RDS Login Events"
+ type = string
+}
+
+variable "enable_eks_runtime_monitoring" {
+ description = "Auto enable EKS Runtime Monitoring"
+ type = string
+}
+
+variable "enable_eks_addon_management" {
+ description = "Auto enable EKS Add-on Management"
+ type = string
+}
+
+variable "enable_lambda_network_logs" {
+ description = "Auto enable Lambda Network Logs"
+ type = string
+}
+
+variable "finding_publishing_frequency" {
+ description = "Finding publishing frequency"
+ type = string
+ default = "FIFTEEN_MINUTES"
+}
+
+variable "guardduty_control_tower_regions_only" {
+ description = "Only enable in the Control Tower governed regions"
+ type = string
+ default = "true"
+}
+
+########################################################################
+# Security Hub Configurations
+########################################################################
+variable "cis_standard_version" {
+ description = "CIS Standard Version"
+ type = string
+}
+
+variable "compliance_frequency" {
+ description = "Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7)"
+ type = number
+}
+
+variable "securityhub_control_tower_regions_only" {
+ description = "Only enable in the Control Tower governed regions"
+ type = bool
+}
+
+variable "disable_security_hub" {
+ description = "Update to 'true' to disable Security Hub in all accounts and regions before deleting the stack"
+ type = bool
+}
+
+variable "enable_cis_standard" {
+ description = "Indicates whether to enable the CIS AWS Foundations Benchmark Standard"
+ type = bool
+}
+
+variable "enable_pci_standard" {
+ description = "Indicates whether to enable the Payment Card Industry Data Security Standard (PCI DSS)"
+ type = bool
+}
+
+variable "enable_nist_standard" {
+ description = "Indicates whether to enable the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5"
+ type = bool
+}
+
+variable "enable_security_best_practices_standard" {
+ description = "Indicates whether to enable the AWS Foundational Security Best Practices Standard"
+ type = bool
+}
+
+variable "pci_standard_version" {
+ description = "PCI Standard Version"
+ type = string
+}
+
+variable "nist_standard_version" {
+ description = "NIST Standard Version"
+ type = string
+}
+
+variable "security_best_practices_standard_version" {
+ description = "SBP Standard Version"
+ type = string
+}
+
+########################################################################
+# Inspector Configurations
+########################################################################
+variable "ecr_rescan_duration" {
+ description = "ECR Rescan Duration"
+ type = string
+ default = "LIFETIME"
+}
+
+variable "scan_components" {
+ description = "Components to scan (e.g., 'ec2,ecs')"
+ type = string
+ default = "ec2"
+}
+
+variable "inspector_control_tower_regions_only" {
+ description = "Only enable in the Control Tower governed regions"
+ type = string
+ default = "true"
+}
+
+variable "disable_inspector" {
+ description = "Set to true BEFORE removing/destroying the solution to reduce the chance of orphaned resources/configuraitons"
+ type = bool
+ default = false
+}
+
+########################################################################
+# IAM Password Policy
+########################################################################
+variable "iam_password_policy_allow_users_to_change_password" {
+ type = string
+ description = "You can permit all IAM users in your account to use the IAM console to change their own passwords."
+}
+
+variable "iam_password_policy_hard_expiry" {
+ type = string
+ description = "You can prevent IAM users from choosing a new password after their current password has expired."
+}
+
+variable "iam_password_policy_max_password_age" {
+ type = string
+ description = "You can set IAM user passwords to be valid for only the specified number of days."
+}
+
+variable "iam_password_policy_minimum_password_length" {
+ type = string
+ description = "You can specify the minimum number of characters allowed in an IAM user password."
+}
+
+variable "iam_password_policy_password_reuse_prevention" {
+ type = string
+ description = "You can prevent IAM users from reusing a specified number of previous passwords."
+}
+
+variable "iam_password_policy_require_lowercase_characters" {
+ type = string
+ description = "You can require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z)."
+}
+
+variable "iam_password_policy_require_numbers" {
+ type = string
+ description = "You can require that IAM user passwords contain at least one numeric character (0 to 9)."
+}
+
+variable "iam_password_policy_require_symbols" {
+ type = string
+ description = "You can require that IAM user passwords contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] {} | '"
+}
+
+variable "iam_password_policy_require_uppercase_characters" {
+ type = string
+ description = "You can require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z)."
+}
+
+########################################################################
+# Macie Configurations
+########################################################################
+variable "macie_finding_publishing_frequency" {
+ type = string
+ description = "Macie finding publishing frequency"
+}
+
+variable "disable_macie" {
+ type = string
+ description = "Update to 'true' to disable Macie in all accounts and regions before deleting the TF."
+}
+
+########################################################################
+# CloudTrail Configurations
+########################################################################
+
+variable "enable_data_events_only" {
+ description = "Only Enable Cloud Trail Data Events"
+ type = string
+}
+
+variable "enable_lambda_data_events" {
+ description = "Enable Cloud Trail Data Events for all Lambda functions"
+ type = string
+}
+
+variable "enable_s3_data_events" {
+ description = "Enable Cloud Trail S3 Data Events for all buckets"
+ type = string
+}
+
+variable "disable_cloudtrail" {
+ description = "set to TRUE before disabling the entire solution to remove its configuration before destroying resources"
+ type = bool
+ default = false
+}
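Review bot: most descriptions under `# Main Configuration Parameters` are copy-paste boilerplate that misdescribes the value: `customer_control_tower_regions`, `enabled_regions`, `home_region`, `audit_account_id`, `log_archive_account_id`, `management_account_id` and `root_organizational_unit_id` all say "The name for ..." although the variable carries the region list or the ID itself, and `organization_id` alone says "The SSM parameter name for the organization ID"; each description should state the actual value and format the variable expects, since these are the only documentation an operator sees in `terraform plan` prompts. Boolean and numeric settings are typed inconsistently: `disable_guard_duty` is `type = string` with `default = "false"` while `disable_security_hub` and `disable_inspector` are `bool`; `guardduty_control_tower_regions_only` and `inspector_control_tower_regions_only` are `string` but `securityhub_control_tower_regions_only` is `bool`; `enable_s3_logs` and the other GuardDuty feature toggles, `enable_data_events_only` and its CloudTrail siblings, `disable_macie` and every `iam_password_policy_*` input are `string` although they hold booleans or integers (`iam_password_policy_max_password_age`, `iam_password_policy_minimum_password_length`, `iam_password_policy_password_reuse_prevention`). Declaring them `bool` or `number` lets Terraform reject bad input at plan time instead of passing a stray `"True"` or `"ture"` through to the Lambda. `compliance_frequency` documents a range of 1 to 30 days with a default of 7 but has neither `default = 7` nor a `validation` block enforcing the range; `finding_publishing_frequency` and `macie_finding_publishing_frequency` likewise accept only a fixed set of service-defined values and would benefit from `validation` with `contains(...)`. Typos: "Paramters" in `enable_member_account_parameters`, "configuraitons" in `disable_inspector`; "Guard Duty" and "Cloud Trail" should read "GuardDuty" and "CloudTrail" as in the other descriptions. Minor: the `# Main Configuration Parameters` banner directly follows the closing brace of `variable "account_id"` without the blank line that precedes every other section banner in this file.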