Macie baseline

README.md

@@ -31,6 +31,7 @@ See [Benchmark Compliance](./compliance.md) to check which items in various benc
 - Enable AWS Config in each regions to automatically take configuration snapshots.
 - Enable SecurityHub and subscribe available standards.
 - Enable GuardDuty in each regions.
+- Enable Macie.
 
 ### Networking & Computing
 
@@ -100,6 +101,7 @@ This module is composed of several submodules and each of which can be used inde
 - [ebs-baseline](./modules/ebs-baseline)
 - [guardduty-baseline](./modules/guardduty-baseline)
 - [iam-baseline](./modules/iam-baseline)
+- [macie-baseline](./modules/macie-baseline)
 - [s3-baseline](./modules/s3-baseline)
 - [secure-bucket](./modules/secure-bucket)
 - [securityhub-baseline](./modules/securityhub-baseline)
@@ -195,6 +197,7 @@ This module is composed of several submodules and each of which can be used inde
 | <a name="module_guardduty_baseline_us-west-1"></a> [guardduty\_baseline\_us-west-1](#module\_guardduty\_baseline\_us-west-1) | ./modules/guardduty-baseline | n/a |
 | <a name="module_guardduty_baseline_us-west-2"></a> [guardduty\_baseline\_us-west-2](#module\_guardduty\_baseline\_us-west-2) | ./modules/guardduty-baseline | n/a |
 | <a name="module_iam_baseline"></a> [iam\_baseline](#module\_iam\_baseline) | ./modules/iam-baseline | n/a |
+| <a name="module_macie_baseline"></a> [macie\_baseline](#module\_macie\_baseline) | ./modules/macie-baseline | n/a |
 | <a name="module_s3_baseline"></a> [s3\_baseline](#module\_s3\_baseline) | ./modules/s3-baseline | n/a |
 | <a name="module_securityhub_baseline_ap-northeast-1"></a> [securityhub\_baseline\_ap-northeast-1](#module\_securityhub\_baseline\_ap-northeast-1) | ./modules/securityhub-baseline | n/a |
 | <a name="module_securityhub_baseline_ap-northeast-2"></a> [securityhub\_baseline\_ap-northeast-2](#module\_securityhub\_baseline\_ap-northeast-2) | ./modules/securityhub-baseline | n/a |
@@ -330,6 +333,10 @@ This module is composed of several submodules and each of which can be used inde
 | <a name="input_require_uppercase_characters"></a> [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | `false` | no |
 | <a name="input_root_usage_enabled"></a> [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | <a name="input_route_table_changes_enabled"></a> [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
+| <a name="input_macie_disable_email_notification"></a> [macie\_disable\_email\_notification](#input\_macie\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | `false` | no |
+| <a name="input_macie_enabled"></a> [macie\_enabled](#input\_macie\_enabled) | Boolean whether the macie-baseline module is enabled or disabled | `bool` | `true` | no |
+| <a name="input_macie_finding_publishing_frequency"></a> [macie\_finding\_publishing\_frequency](#input\_macie\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no |
+| <a name="input_macie_invitation_message"></a> [macie\_invitation\_message](#input\_macie\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from macie-baseline module."` | no |
 | <a name="input_s3_block_public_acls"></a> [s3\_block\_public\_acls](#input\_s3\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_s3_block_public_policy"></a> [s3\_block\_public\_policy](#input\_s3\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_s3_bucket_policy_changes_enabled"></a> [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no |

main.tf

@@ -116,6 +116,23 @@ module "alarm_baseline" {
   tags = var.tags
 }
 
+# --------------------------------------------------------------------------------------------------
+# Macie Baseline
+# --------------------------------------------------------------------------------------------------
+
+module "macie_baseline" {
+  source = "./modules/macie-baseline"
+
+  enabled                      = contains(var.target_regions, "ap-northeast-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = var.master_account_id
+  member_accounts              = var.member_accounts
+
+  tags = var.tags
+}
+
 # --------------------------------------------------------------------------------------------------
 # S3 Baseline
 # --------------------------------------------------------------------------------------------------

modules/macie-baseline/README.md

@@ -0,0 +1,48 @@
+# macie-baseline
+
+Enable Macie in all regions.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_macie2_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_account) | resource |
+| [aws_macie2_invitation_accepter.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_invitation_accepter) | resource |
+| [aws_macie2_member.members](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_member) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_disable_email_notification"></a> [disable\_email\_notification](#input\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | `false` | no |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
+| <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no |
+| <a name="input_invitation_message"></a> [invitation\_message](#input\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from guardduty-baseline module."` | no |
+| <a name="input_master_account_id"></a> [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | `""` | no |
+| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. | <pre>list(object({<br>    account_id = string<br>    email      = string<br>  }))</pre> | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` | <pre>{<br>  "Terraform": true<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_macie_account"></a> [macie\_account](#output\_macie\_account) | Macie Account |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/macie-baseline/main.tf

@@ -0,0 +1,28 @@
+# --------------------------------------------------------------------------------------------------
+# Enables GuardDuty.
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_macie2_account" "default" {
+  count = var.enabled ? 1 : 0
+
+  status                       = "ENABLED"
+  finding_publishing_frequency = var.finding_publishing_frequency
+}
+
+resource "aws_macie2_member" "members" {
+  count = var.enabled ? length(var.member_accounts) : 0
+
+  status = "ENABLED"
+  invite = true
+
+  account_id                            = var.member_accounts[count.index].account_id
+  invitation_disable_email_notification = var.disable_email_notification
+  email                                 = var.member_accounts[count.index].email
+  invitation_message                    = var.invitation_message
+}
+
+resource "aws_macie2_invitation_accepter" "master" {
+  count = var.enabled && var.master_account_id != "" ? 1 : 0
+
+  administrator_account_id = var.master_account_id
+}

modules/macie-baseline/outputs.tf

@@ -0,0 +1,4 @@
+output "aws_macie2_account" {
+  description = "Macie Account"
+  value       = var.enabled ? aws_macie2_account.default[0] : null
+}

modules/macie-baseline/variables.tf

@@ -0,0 +1,40 @@
+variable "enabled" {
+  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "disable_email_notification" {
+  description = "Boolean whether an email notification is sent to the accounts."
+  default     = false
+}
+
+variable "finding_publishing_frequency" {
+  description = "Specifies the frequency of notifications sent for subsequent finding occurrences."
+  default     = "SIX_HOURS"
+}
+
+variable "invitation_message" {
+  description = "Message for invitation."
+  default     = "This is an automatic invitation message from guardduty-baseline module."
+}
+
+variable "master_account_id" {
+  description = "AWS account ID for master account."
+  default     = ""
+}
+
+variable "member_accounts" {
+  description = "A list of IDs and emails of AWS accounts which associated as member accounts."
+  type = list(object({
+    account_id = string
+    email      = string
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "Specifies object tags key and value. This applies to all resources created by this module."
+  default = {
+    "Terraform" = true
+  }
+}

modules/macie-baseline/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0.0"
+    }
+  }
+}

variables.tf

@@ -464,6 +464,29 @@ variable "guardduty_invitation_message" {
   default     = "This is an automatic invitation message from guardduty-baseline module."
 }
 
+# --------------------------------------------------------------------------------------------------
+# Variables for macie-baseline module.
+# --------------------------------------------------------------------------------------------------
+variable "macie_enabled" {
+  description = "Boolean whether the macie-baseline module is enabled or disabled"
+  default     = true
+}
+
+variable "macie_disable_email_notification" {
+  description = "Boolean whether an email notification is sent to the accounts."
+  default     = false
+}
+
+variable "macie_finding_publishing_frequency" {
+  description = "Specifies the frequency of notifications sent for subsequent finding occurrences."
+  default     = "SIX_HOURS"
+}
+
+variable "macie_invitation_message" {
+  description = "Message for invitation."
+  default     = "This is an automatic invitation message from macie-baseline module."
+}
+
 # --------------------------------------------------------------------------------------------------
 # Variables for s3-baseline module.
 # --------------------------------------------------------------------------------------------------