
Update Terraform implementation with security best practices #299


Draft: wants to merge 8 commits into base branch main

Conversation

nictom-aws
Contributor

Fixes #

Security and Infrastructure Improvements

This PR includes significant security enhancements and infrastructure improvements:

Infrastructure Updates

  • Updated AWS provider to version 5.31.0+ (from 5.1.0)
  • Added explicit Terraform version requirement (>= 1.0.0)
  • Applied consistent tagging strategy across all resources
  • Formatted all Terraform files with terraform fmt
  • Added AmazonQ.md with documentation of changes and recommendations

Security Enhancements

  • Enhanced S3 bucket security:
    • Implemented access logging for audit trails
    • Added lifecycle policies for proper data retention
    • Enforced SSL/TLS for all S3 operations
    • Changed object ownership to BucketOwnerEnforced (disabling ACLs)
    • Enabled bucket key for server-side encryption
    • Added bucket policies to enforce secure access
  • Improved KMS configurations:
    • Implemented key rotation
    • Set proper deletion windows
    • Restricted key policies following least privilege
  • Strengthened Secrets Manager:
    • Added rotation with Lambda functions
    • Set appropriate recovery windows
  • IAM improvements:
    • Implemented least privilege policies throughout
    • Fixed security findings from Checkov and Trivy scans

By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license].
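As an added illustration, not code from this PR or from the project, the following standalone Terraform configuration shows what the S3, KMS and Secrets Manager settings listed above look like when written out: provider pinning, a rotated CMK with a deletion window, a bucket with BucketOwnerEnforced ownership, bucket-key SSE-KMS, access logging, a lifecycle retention rule, a policy that denies any request not made over TLS, and a secret with a recovery window and Lambda-based rotation. The bucket names, tag values, secret name, retention periods and the `rotation_lambda_arn` variable are placeholders that a real deployment would replace.

```hcl
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.31.0"
    }
  }
}

# Placeholder tag set; the values are examples, not the project's own.
locals {
  common_tags = {
    Project     = "example-project"
    Environment = "dev"
    ManagedBy   = "terraform"
  }
}

# Placeholder: ARN of an existing rotation Lambda is assumed to be supplied.
variable "rotation_lambda_arn" {
  type = string
}

# Customer-managed key with automatic rotation and a non-zero deletion window,
# so an accidental destroy can still be cancelled before the key material is gone.
resource "aws_kms_key" "data" {
  description             = "CMK for the example data bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = local.common_tags
}

# Separate bucket that receives the server access logs (name is a placeholder).
resource "aws_s3_bucket" "logs" {
  bucket = "example-access-logs-bucket"
  tags   = local.common_tags
}

resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket"
  tags   = local.common_tags
}

# BucketOwnerEnforced disables ACLs entirely; access is governed by policy only.
resource "aws_s3_bucket_ownership_controls" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# SSE-KMS with the bucket key enabled to cut per-object KMS request volume.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

# Server access logging for an audit trail of requests against the data bucket.
resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "data-bucket/"
}

# Retention: expire objects after a placeholder period of 365 days.
resource "aws_s3_bucket_lifecycle_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    id     = "retention"
    status = "Enabled"
    filter {}
    expiration {
      days = 365
    }
  }
}

# Deny every S3 action on the bucket and its objects when the request is not over TLS.
data "aws_iam_policy_document" "deny_insecure_transport" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = data.aws_iam_policy_document.deny_insecure_transport.json
}

# Secret encrypted with the same CMK, with a recovery window and scheduled rotation.
resource "aws_secretsmanager_secret" "db" {
  name                    = "example/db-credentials"
  kms_key_id              = aws_kms_key.data.arn
  recovery_window_in_days = 30
  tags                    = local.common_tags
}

resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = var.rotation_lambda_arn
  rotation_rules {
    automatically_after_days = 30
  }
}
```

The `aws:SecureTransport` condition is what turns "enforce SSL/TLS" from a recommendation into a hard control: with it in place, plaintext HTTP requests are rejected regardless of the caller's IAM permissions. Two details matter in practice: the logging target bucket needs its own policy allowing the S3 logging service principal to write to it, and the rotation Lambda must be granted permission to read and update the secret, which is where the least-privilege IAM work in this PR applies. Running `checkov` or `trivy config` against the directory is the quickest way to confirm the configuration clears the same findings the PR description refers to.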


tnicholson-aws and others added 8 commits April 11, 2025 14:50
This commit includes the following improvements:
- Updated AWS provider to version 5.31.0+ (from 5.1.0)
- Added explicit Terraform version requirement (>= 1.0.0)
- Enhanced S3 bucket security with access logging, lifecycle policies, and SSL enforcement
- Improved KMS key configurations with proper deletion windows and rotation
- Added Secrets Manager rotation with Lambda functions
- Implemented least privilege IAM policies
- Fixed Checkov and Trivy findings
- Applied consistent tagging strategy across all resources
- Added AmazonQ.md with documentation of changes and recommendations
- Formatted all Terraform files with terraform fmt