AWS Secure Foundations

Reference Terraform for using core AWS services the right way — with security and cloud operations baked in from the start, not bolted on later. Each example is small, self-contained, CI-validated (terraform fmt + validate), and explains why as much as how.

These are teaching references, not a turnkey landing zone. Read the README in each example, understand the why, then adapt to your account. Nothing here stores a plaintext secret, uses a long-lived access key, or grants * permissions.

The principles

  1. No long-lived credentials. Use IAM roles and short-lived credentials everywhere — for apps, CI/CD, and cross-service access. Static access keys are the #1 thing that leaks.
  2. Least privilege, always. Scope every policy to specific actions on specific resource ARNs. "Action": "*" and "Resource": "*" are almost never correct.
  3. Secrets live in a secret store, never in code, env files, or Terraform state you can read.
  4. Encrypt with intent. Prefer customer-managed KMS keys with tight key policies for anything sensitive, so access to the key is a second, auditable control.
  5. Turn on the account-level guardrails. GuardDuty, Security Hub, Config, IAM Access Analyzer, and CloudTrail are cheap relative to a breach and give you detection + an audit trail.

Examples

| Example | What it shows | Key services |
|---|---|---|
| secrets-manager | Store a secret and grant one role read-only access to only that secret | Secrets Manager, IAM |
| iam-least-privilege | A role scoped to exactly one bucket's objects, no wildcards | IAM, S3 |
| codeconnections | Connect CI/CD to GitHub with no stored token | CodeConnections (CodeStar Connections), IAM |
| kms-encryption | Customer-managed KMS key with a least-privilege key policy, used to encrypt S3 | KMS, S3 |
| security-baseline | Turn on the account guardrails in one module | GuardDuty, Security Hub, Config, IAM Access Analyzer, CloudTrail |
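As an added illustration of principles 1 and 2 and the iam-least-privilege row above (example code written for this README, not the repository's own module), the shape of a role that can touch exactly one bucket's objects with no wildcards. The Lambda service trust, the bucket variable and the role and policy names are assumptions.

```hcl
variable "bucket_name" {
  description = "The single S3 bucket this role may access (assumed input)"
  type        = string
}

data "aws_s3_bucket" "target" {
  bucket = var.bucket_name
}

# Trust policy: only the Lambda service may assume this role (assumed workload).
# A role plus STS means the workload gets short-lived credentials, never a static key.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Permissions: named actions on explicit ARNs. No "Action": "*", no "Resource": "*".
data "aws_iam_policy_document" "bucket_objects" {
  # ListBucket is a bucket-level action, so it targets the bucket ARN itself ...
  statement {
    sid       = "ListOnlyThisBucket"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.target.arn]
  }
  # ... while object actions target the object ARNs under it. Mixing the two up is
  # the usual reason people fall back to "*" and over-grant.
  statement {
    sid       = "ObjectsInThisBucketOnly"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${data.aws_s3_bucket.target.arn}/*"]
  }
}

resource "aws_iam_role" "single_bucket" {
  name               = "example-single-bucket-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role_policy" "single_bucket" {
  name   = "single-bucket-objects"
  role   = aws_iam_role.single_bucket.id
  policy = data.aws_iam_policy_document.bucket_objects.json
}
```

Run `terraform plan` and read the rendered policy JSON: every `Resource` should be a concrete ARN, and IAM Access Analyzer policy validation will flag anything broader.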

Usage

Each example is an independent Terraform root module. From any example directory:

terraform init
terraform plan      # review before applying
terraform apply

Set the required variables (see each example's variables.tf). Some resources (e.g. a CodeConnections connection) are created in a PENDING state and must be authorized once in the console — the example README calls this out.

Cost note

Most examples are near-free, but the security-baseline enables paid services (GuardDuty, Config, Security Hub). They're inexpensive for a small account but not zero — read that README first.

License

MIT — see LICENSE.


Written by Durrell Gemuh — DevOps & Cloud Infrastructure Engineer, AWS Community Builder (Cloud Operations).
