AWS Security Baseline: Terraform Deployment Kit

Deploy comprehensive AWS security baseline using Terraform with automated monitoring, threat detection, and compliance controls so startups meet enterprise security requirements faster.

初心者
Infrastructure-as-Code

プロンプト

Create a comprehensive AWS security baseline using Terraform that includes:

1. Multi-region CloudTrail with encryption, log file validation, and CloudWatch integration
2. GuardDuty with S3 protection and malware scanning enabled
3. Security Hub with AWS Foundational Best Practices standard
4. AWS WAF with OWASP Top 10 rules and rate limiting (2000 req/5min)
5. AWS Inspector for EC2, ECR, and Lambda vulnerability scanning
6. CloudWatch Dashboard with 8 widgets showing security metrics
7. 4 CloudWatch Alarms: root account usage, unauthorized API calls (5+ in 5min), IAM policy changes, S3 bucket policy changes
8. 3 IAM roles with least-privilege access:
- BreakGlassAdmin (requires ExternalId for emergency access)
- SecurityAuditor (read-only security monitoring)
- DeveloperTemplate (least-privilege development access)
9. KMS encryption with auto-rotation for CloudTrail and SNS
10. S3 state management with versioning and DynamoDB locking
11. SNS topic for security alerts with email subscription

Requirements:
- Use modular Terraform structure (root + security_baseline module)
- Include comprehensive documentation: README, QUICKSTART, SECURITY-BASELINE with SOC 2 mapping
- Provide migration script for S3 backend
- Include .gitignore for sensitive files
- Add terraform.tfvars.example template
- Create demo scripts for 5-minute and 10-minute presentations
- Ensure all resources are tagged with Project, Environment, ManagedBy
- Configure proper IAM policies and trust relationships
- Enable versioning and encryption on all S3 buckets
- Set up metric filters for security event detection

Output should be production-ready, well-documented, and deployable in under 10 minutes.

使用方法

ベータ

PREREQUISITES
Required:
AWS Account with administrative access
AWS CLI v2.x configured with credentials
Terraform v1.0+ installed
Email address for security alerts
Basic understanding of AWS services

Recommended:
VS Code or similar IDE
jq for JSON parsing (optional)
30 minutes for initial setup and testing

SETUP INSTRUCTIONS
Step 1: Initial Setup
# Clone or create project directory
mkdir aws-security-baseline && cd aws-security-baseline

# Use Kiro CLI to generate infrastructure
kiro-cli chat
# Paste the primary prompt above

Step 2: Configure Variables
cd terraform
cp terraform.tfvars.example terraform.tfvars

# Edit terraform.tfvars with your values:
# - aws_region (default: us-east-1)
# - environment (default: production)
# - alert_email (REQUIRED: your email)
# - break_glass_external_id (REQUIRED: secure random string)

Step 3: Deploy Infrastructure
# Initialize Terraform
terraform init

# Review planned changes
terraform plan

# Deploy (takes 3-5 minutes)
terraform apply -auto-approve

Step 4: Confirm SNS Subscription
# Check your email and confirm the SNS subscription
# Subject: "AWS Notification - Subscription Confirmation"

Step 5: Migrate to S3 Backend (Optional)
# For team collaboration and state locking
./migrate-to-s3.sh

CONFIGURATION PARAMETERS
Required Variables:
alert_email: Email for security notifications
break_glass_external_id: Secret for emergency admin access (min 32 chars)

Optional Variables:
aws_region: AWS region (default: us-east-1)
environment: Environment tag (default: production)
project_name: Project identifier (default: SecurityBaseline)

Outputs:
dashboard_url: CloudWatch Dashboard URL
guardduty_detector_id: GuardDuty detector ID
security_hub_arn: Security Hub ARN
sns_topic_arn: Security alerts SNS topic
iam_roles: ARNs for 3 IAM roles
cloudtrail_arn: CloudTrail trail ARN
waf_web_acl_arn: WAF Web ACL ARN

これらのプロンプトを使用することにより、この免責事項に同意したものとみなされます。