schubergphilis/terraform-aws-mcaf-account-baseline

terraform-aws-mcaf-account-baseline

Terraform module to manage baseline configuration for AWS accounts.

How to use

Basic configuration

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"
}

EU Region Enablement

By default, this module enables all non-default EU regions (eu-central-2, eu-south-1, eu-south-2). Enabling a region in the account is not enough to use it: the region must also be included in the allowed-regions SCP of the mcaf-landing-zone module, otherwise the SCP still denies API calls there.

This module ensures that you can use all EU regions out of the box. If you intend to allow a region across your entire organization, the recommended approach is to also configure it as a governed region via AWS Control Tower. This ensures consistent enforcement of security, compliance, and operational guardrails.
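The region controls described above, as an added example (not code from the module's README). The module source and VERSION placeholder are taken from the basic configuration; the chosen region values are constructed for illustration.

```terraform
# Added example: restrict which regions the baseline touches.
module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"

  # Opt out of enabling eu-central-2, eu-south-1 and eu-south-2 in this account.
  # Leave this at its default (true) only when the same regions are also in the
  # landing zone's allowed-regions SCP; an enabled-but-denied region just
  # produces AccessDenied errors for anyone who tries to use it.
  enable_additional_eu_regions = false

  # Regions, besides the provider's current region, that receive the regional
  # baseline (EBS default encryption, snapshot/AMI public-access blocks, SSM
  # settings). us-east-1 is the module default and is worth keeping because
  # several global AWS services are homed there.
  extra_regions_to_baseline = ["us-east-1", "eu-west-1"]
}
```

When you later widen the allowed-regions SCP, flip `enable_additional_eu_regions` back to `true` in the same change so the account and the organisation policy stay consistent.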

AWS Config Rules

If you would like to authorise other accounts to aggregate AWS Config data from this account, pass their account IDs and the regions to var.aws_config via the aggregator_account_ids and aggregator_regions attributes respectively.

Note: Control Tower already authorizes the audit account to aggregate Config data from all other accounts in the organization, so the audit account ID does not need to be listed in aggregator_account_ids.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  aggregator_regions     = ["eu-west-1"]
}

MCAF Service Quotas Manager integration

This module can deploy the IAM role required by the MCAF Service Quotas Manager module. assuming_principal_identifier should be the ARN of the ServiceQuotasManagerExecutionRole, which by default is arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>.

Note: the Service Quotas Manager module must be deployed before this integration, because only existing IAM roles can be referenced as principals in the trust policy.
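Wiring the integration up, as an added example (not the module's own code). The two input variables, the locals name and the 12-digit account ID check are assumptions introduced here; the role name follows the default pattern given above, and the account ID and region values are constructed placeholders.

```terraform
# Added example: build the ServiceQuotasManagerExecutionRole ARN from the
# account and region in which the Service Quotas Manager was deployed.
variable "service_quotas_manager_account_id" {
  description = "Account that hosts the MCAF Service Quotas Manager (placeholder value)"
  type        = string
  default     = "111111111111"

  # Fail at plan time on a malformed ID instead of at apply time with an
  # IAM "Invalid principal" error.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.service_quotas_manager_account_id))
    error_message = "service_quotas_manager_account_id must be a 12-digit AWS account ID."
  }
}

variable "service_quotas_manager_region" {
  description = "Region suffix of the execution role (placeholder value)"
  type        = string
  default     = "eu-west-1"
}

locals {
  # Matches arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>
  sqm_execution_role_arn = "arn:aws:iam::${var.service_quotas_manager_account_id}:role/ServiceQuotasManagerExecutionRole-${var.service_quotas_manager_region}"
}

module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"

  service_quotas_manager_role = {
    # IAM validates role principals when the trust policy is written: if the
    # Service Quotas Manager has not been deployed yet, the apply fails here.
    assuming_principal_identifier = local.sqm_execution_role_arn
    path                          = "/"
    # Optional organisation-wide permissions boundary (placeholder ARN); leave
    # null if your account does not enforce one.
    permissions_boundary = null
  }
}
```

Keeping the execution role ARN in a local rather than a hard-coded string means a region or account move of the Service Quotas Manager is a one-variable change, and the validation block catches the most common copy-paste mistake before any IAM call is made.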

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7.0 |
| aws | >= 6.7.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.7.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| regional_resources_baseline | ./modules/regional-resources-baseline | n/a |
| service_quota_manager_role | schubergphilis/mcaf-role/aws | ~> 0.5.3 |

Resources

| Name | Type |
|------|------|
| aws_account_region.default | resource |
| aws_config_aggregate_authorization.default | resource |
| aws_ec2_image_block_public_access.default | resource |
| aws_iam_account_password_policy.default | resource |
| aws_s3_account_public_access_block.default | resource |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_password_policy | AWS account password policy parameters | `object({ allow_users_to_change = bool, max_age = number, minimum_length = number, require_lowercase_characters = bool, require_numbers = bool, require_symbols = bool, require_uppercase_characters = bool, reuse_prevention_history = number })` | `{ "allow_users_to_change": true, "max_age": 90, "minimum_length": 14, "require_lowercase_characters": true, "require_numbers": true, "require_symbols": true, "require_uppercase_characters": true, "reuse_prevention_history": 24 }` | no |
| aws_config | AWS Config settings | `object({ aggregator_account_ids = list(string), aggregator_regions = list(string) })` | `null` | no |
| aws_ebs_encryption_by_default | Set to true to enable AWS Elastic Block Store encryption by default | `bool` | `true` | no |
| aws_ebs_encryption_custom_key | Set to true and specify aws_kms_key_arns to use those keys in place of the AWS-managed default CMK | `bool` | `false` | no |
| aws_ebs_snapshot_block_public_access_state | Per-region EBS snapshot public sharing policy; alternatives: `block-all-sharing` and `unblocked` | `string` | `"block-new-sharing"` | no |
| aws_ec2_image_block_public_access_state | Block new AMIs from being publicly shared; alternative: `unblocked` | `string` | `"block-new-sharing"` | no |
| aws_kms_key_arns | Map of region name => KMS key ARN to use for EBS default encryption (and optionally other resources). KMS resources are attached/created only in regions that have a key in this map | `map(string)` | `{}` | no |
| aws_s3_public_access_block_config | S3 bucket-level Public Access Block config | `object({ enabled = optional(bool, true), block_public_acls = optional(bool, true), block_public_policy = optional(bool, true), ignore_public_acls = optional(bool, true), restrict_public_buckets = optional(bool, true) })` | `{}` | no |
| aws_ssm_automation_log_group_name | CloudWatch Logs log group name for SSM Automation | `string` | `"/aws/ssm/automation"` | no |
| aws_ssm_automation_logging_enabled | When true, enable SSM Automation customer-script logging to CloudWatch Logs in each baseline region | `bool` | `true` | no |
| aws_ssm_documents_public_sharing_permission | SSM documents public sharing policy; alternative: `Enable` | `string` | `"Disable"` | no |
| enable_additional_eu_regions | Enable all additional EU AWS Regions beyond the default ones | `bool` | `true` | no |
| extra_regions_to_baseline | List of additional regions to apply the baseline to | `list(string)` | `["us-east-1"]` | no |
| service_quotas_manager_role | Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module | `object({ assuming_principal_identifier = string, path = optional(string, "/"), permissions_boundary = optional(string, null) })` | `null` | no |
| tags | Map of tags | `map(string)` | `{}` | no |
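A hardened configuration that exercises the security-relevant inputs from the table, as an added example (not code from the module's README). Input names and allowed values come from the table above; the KMS key ARNs, account ID, password-policy numbers and tag values are constructed placeholders.

```terraform
# Added example: tighten the baseline beyond the module defaults.
module "account_baseline" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-account-baseline?ref=VERSION"

  # IAM user password policy. The module defaults already match the usual
  # CIS Foundations values (14 characters, 24 remembered passwords, 90-day
  # rotation); shorter max_age and longer minimum_length are a policy choice.
  account_password_policy = {
    allow_users_to_change        = true
    max_age                      = 60
    minimum_length               = 16
    require_lowercase_characters = true
    require_numbers              = true
    require_symbols              = true
    require_uppercase_characters = true
    reuse_prevention_history     = 24
  }

  # Encrypt new EBS volumes with customer-managed keys instead of the
  # AWS-managed default key. Supply a key for every region the baseline runs
  # in (the provider region plus extra_regions_to_baseline); a region without
  # an entry simply keeps the AWS-managed key, so a missing entry is a silent
  # downgrade worth reviewing in the plan output.
  aws_ebs_encryption_by_default = true
  aws_ebs_encryption_custom_key = true
  aws_kms_key_arns = {
    "eu-west-1" = "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000001"
    "us-east-1" = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000002"
  }

  # Block all public sharing of EBS snapshots, not just new sharing, and keep
  # the AMI block at its default (the only other value is "unblocked").
  aws_ebs_snapshot_block_public_access_state = "block-all-sharing"
  aws_ec2_image_block_public_access_state    = "block-new-sharing"

  # Public Access Block applied through aws_s3_account_public_access_block:
  # all four flags on, so no bucket in the account can be made public.
  aws_s3_public_access_block_config = {
    enabled                 = true
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }

  # Keep SSM documents private and ship SSM Automation script output to
  # CloudWatch Logs in every baseline region.
  aws_ssm_documents_public_sharing_permission = "Disable"
  aws_ssm_automation_logging_enabled          = true
  aws_ssm_automation_log_group_name           = "/aws/ssm/automation"

  tags = {
    Owner = "security-platform" # placeholder tag value
  }
}
```

After `terraform apply`, a quick way to confirm the settings took effect is to compare the plan's `aws_ebs_snapshot_block_public_access_state` and `aws_kms_key_arns` values against the regions listed in `extra_regions_to_baseline`: every region that should be covered needs both an entry in the key map and a matching resource in the plan.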

Outputs

No outputs.
