Terraform-based secure baseline for a single AWS account: logging, IAM, and guardrails. Aimed at startups and teams new to the cloud who want an auditable, cost-conscious foundation.
Domains: Logging (CloudTrail, CloudWatch, KMS, SNS, security alarms) · IAM (password policy, break-glass admin, operator, read-only roles) · Guardrails (Security Hub with CIS/FSBP/NIST standards, GuardDuty, IAM Access Analyzer, account hardening, optional Config, Budgets)
- Terraform >= 1.6.0
- AWS provider ~> 6.33.0
- AWS CLI configured (for bootstrap and apply)
- Bash (Makefile)
- Clone the repo and configure the environment file: `cp .env.example .env`, then set `AWS_REGION`, `AWS_ACCOUNT_ID` and `PREFIX` in `.env`.
- Configure variables: `cp envs/foundation/foundation.tfvars.example envs/foundation/foundation.tfvars`, then set `project_name`, `aws_region`, `owner`, `admin_email` (and any optional vars).
- Bootstrap the state backend (creates the S3 state bucket if missing, writes `envs/foundation/backend.hcl` if missing): `make bootstrap`
- Init and plan: `make init`, then `make plan`
- Apply: `make apply`
- SNS email subscription (manual, one-time): after the first apply, subscribe `admin_email` to the security alerts SNS topic in the AWS Console (SNS → Topics → `scb-security-alerts` → Create subscription) and click the confirmation link in the email. Terraform cannot create confirmed email subscriptions; until the recipient confirms, the alarms publish to a topic with no delivery.
| Target | Purpose |
|---|---|
| `bootstrap` | Create S3 state bucket (if missing), generate `backend.hcl` (if missing); requires `.env` |
| `init` | `terraform init` with backend config (requires `backend.hcl`) |
| `plan` | `terraform plan` with tfvars, writes `plan-$(ENV).tfplan` |
| `apply` | Apply `plan-$(ENV).tfplan` |
| `destroy` | Destroy resources for the selected `ENV` |
| `validate` | Validate Terraform configuration |
| `test` | Run Terraform test suite in `tests/` (mock provider; no AWS or backend) |
| `clean` | Remove `.terraform` and plan files |
Set `ENV` (default `foundation`) to use a different env dir under `envs/`. The guards `_guard_tfvars` and `_guard_backend` run automatically where needed.
Tests: `make test` runs the Terraform test suite with a mocked AWS provider (no credentials or S3 backend). See Testing for what each test file covers, which modules are exercised, and why. After running tests, run `make init` again if you need the remote backend for `plan`/`apply`.
- Break-glass admin — Assume with MFA; 1h session; full admin. For emergencies only.
- Operator — Assume with MFA; 8h session; PowerUserAccess with explicit denies on tampering with CloudTrail and the S3 audit bucket.
- Read-only — Assume without MFA (for automation); ReadOnlyAccess.
Use IAM Identity Center (formerly AWS SSO) and grant its permission sets `sts:AssumeRole` on these roles, or assume the roles directly (with an MFA-backed session where the trust policy requires it).
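The MFA requirement on the break-glass and operator roles lives in each role's trust policy as an `aws:MultiFactorAuthPresent` condition. The check below is an added example, not the project's code: it reads a trust policy and confirms that every statement granting `sts:AssumeRole` carries a strict `Bool` MFA condition, and it flags the common `BoolIfExists` mistake (the key is absent from requests signed with long-term access keys, and `...IfExists` matches when the key is absent, so such a role is assumable without MFA from a plain IAM user key). The sample policies, the `123456789012` account id and the role names are constructed to mirror the three roles above; the project's actual policies may differ in details such as the principal.

```python
"""Check IAM role trust policies for a strict MFA condition.

Added example, not the project's code. SAMPLE_ACCOUNT and SAMPLE_ROLES are
constructed to mirror the break-glass, operator and read-only roles.
"""
from __future__ import annotations

MFA_KEY = "aws:MultiFactorAuthPresent"
SAMPLE_ACCOUNT = "123456789012"  # placeholder account id for the samples


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _cond_true(cond: dict, op: str) -> bool:
    """True if cond[op][MFA_KEY] is (or contains) the string 'true'."""
    values = _as_list(cond.get(op, {}).get(MFA_KEY, []))
    return any(str(v).lower() == "true" for v in values)


def mfa_enforced(trust_policy: dict) -> tuple[bool, list[str]]:
    """Return (ok, problems) for a role trust policy.

    ok is True only when every Allow statement that grants sts:AssumeRole has
    a strict Bool aws:MultiFactorAuthPresent=true condition. A BoolIfExists
    condition is reported as a problem, not accepted.
    """
    problems: list[str] = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        if _cond_true(cond, "Bool"):
            continue
        if _cond_true(cond, "BoolIfExists"):
            problems.append(f"statement {i}: BoolIfExists lets access-key callers skip MFA")
        else:
            problems.append(f"statement {i}: no {MFA_KEY} condition")
    return (not problems, problems)


def sample_trust_policy(require_mfa: bool, strict: bool = True) -> dict:
    """Constructed trust policy: account root as principal, optional MFA condition."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool" if strict else "BoolIfExists": {MFA_KEY: "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# role name -> (trust policy, MFA expected?). "weak-operator" shows the IfExists trap.
SAMPLE_ROLES = {
    "break-glass-admin": (sample_trust_policy(True), True),
    "operator": (sample_trust_policy(True), True),
    "read-only": (sample_trust_policy(False), False),  # automation role, no MFA by design
    "weak-operator": (sample_trust_policy(True, strict=False), True),
}


def audit_roles(roles: dict = SAMPLE_ROLES) -> dict[str, list[str]]:
    """Map role name -> problems; roles not expected to require MFA always pass."""
    report: dict[str, list[str]] = {}
    for name, (policy, expect_mfa) in roles.items():
        _ok, problems = mfa_enforced(policy)
        report[name] = problems if expect_mfa else []
    return report


if __name__ == "__main__":
    for name, problems in audit_roles().items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Session length is not part of the trust policy: the 1h and 8h limits above are the role's `max_session_duration`, so check that attribute separately (for example with `aws iam get-role`).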
These free account-level settings are applied automatically to prevent common mistakes:
- S3 account-level public access block — prevents any bucket from being made public
- EBS default encryption — all new EBS volumes are encrypted automatically
- IMDSv2 required — prevents SSRF-based credential theft on EC2 instances
- SSM document sharing blocked — prevents accidental public sharing
- IAM Access Analyzer — identifies resources shared outside the account
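Terraform state says what was applied, not what the account looks like now; a console click or a drifted apply can undo any of these settings. The script below is an added example, not the project's code: `evaluate()` is a pure function over the shapes the AWS APIs return for each of the five settings, and `collect()` fetches those responses with boto3 when pointed at a real account. The `HARDENED` and `FRESH_ACCOUNT` dictionaries are constructed samples (a fully hardened account and an untouched new one), not captured output. Note that EBS default encryption, the IMDS account defaults, the SSM sharing setting and the Access Analyzer are per-region, so run `collect()` once per region you use; only the S3 public access block is account-global.

```python
"""Verify the account-level hardening settings independently of Terraform state.

Added example, not the project's code. evaluate() runs offline on response
dicts; collect() needs boto3 and read credentials for a real account.
"""
from __future__ import annotations

try:
    import boto3  # only used by collect()
except ImportError:  # evaluate() still works without it
    boto3 = None

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SSM_SHARING_SETTING = "/ssm/documents/console/public-sharing-permission"


def evaluate(responses: dict) -> dict[str, bool]:
    """Return control name -> passed. Missing or empty responses count as failures
    (e.g. get_public_access_block raises when no block is configured)."""
    pab = responses.get("public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    ebs = responses.get("ebs_encryption", {})
    imds = responses.get("imds_defaults", {}).get("AccountLevel", {})
    ssm = responses.get("ssm_sharing", {}).get("ServiceSetting", {})
    analyzers = responses.get("access_analyzers", {}).get("analyzers", [])
    return {
        "s3_account_public_access_block": all(pab.get(f) is True for f in PAB_FLAGS),
        "ebs_default_encryption": ebs.get("EbsEncryptionByDefault") is True,
        "imdsv2_required": imds.get("HttpTokens") == "required",
        "ssm_public_sharing_blocked": ssm.get("SettingValue") == "Disable",
        "access_analyzer_active": any(
            a.get("type") == "ACCOUNT" and a.get("status") == "ACTIVE" for a in analyzers
        ),
    }


def failing_controls(responses: dict) -> list[str]:
    """Sorted names of controls that did not pass."""
    return sorted(name for name, ok in evaluate(responses).items() if not ok)


def collect(account_id: str, region: str) -> dict:
    """Fetch the live settings for one region (several of them are regional)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to query a real account")
    session = boto3.session.Session(region_name=region)
    s3control = session.client("s3control")
    ec2 = session.client("ec2")
    out: dict = {}
    try:
        out["public_access_block"] = s3control.get_public_access_block(AccountId=account_id)
    except s3control.exceptions.NoSuchPublicAccessBlockConfiguration:
        out["public_access_block"] = {}  # evaluate() treats this as a failure
    out["ebs_encryption"] = ec2.get_ebs_encryption_by_default()
    out["imds_defaults"] = ec2.get_instance_metadata_defaults()
    out["ssm_sharing"] = session.client("ssm").get_service_setting(SettingId=SSM_SHARING_SETTING)
    out["access_analyzers"] = session.client("accessanalyzer").list_analyzers(type="ACCOUNT")
    return out


# Constructed sample responses shaped like the boto3 return values.
HARDENED = {
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "ebs_encryption": {"EbsEncryptionByDefault": True},
    "imds_defaults": {"AccountLevel": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    "ssm_sharing": {"ServiceSetting": {"SettingId": SSM_SHARING_SETTING, "SettingValue": "Disable"}},
    "access_analyzers": {"analyzers": [{"name": "account", "type": "ACCOUNT", "status": "ACTIVE"}]},
}
FRESH_ACCOUNT = {  # a new account: no block, IMDSv1 allowed, sharing enabled, no analyzer
    "public_access_block": {},
    "ebs_encryption": {"EbsEncryptionByDefault": False},
    "imds_defaults": {"AccountLevel": {}},
    "ssm_sharing": {"ServiceSetting": {"SettingId": SSM_SHARING_SETTING, "SettingValue": "Enable"}},
    "access_analyzers": {"analyzers": []},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python check.py <account_id> <region>
        print(failing_controls(collect(sys.argv[1], sys.argv[2])) or "all controls pass")
    else:
        print("fresh account fails:", failing_controls(FRESH_ACCOUNT))
```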
| Feature | Default | Estimated cost |
|---|---|---|
| CloudTrail + S3 + CloudWatch | Always on | ~$5-10/month |
| KMS key | Always on | ~$1/month |
| GuardDuty | On | ~$3-5/month |
| Security Hub (3 standards) | On | Free 30-day trial, then ~$5-10/month |
| AWS Config | Off | ~$2-5/month if enabled |
| Budgets, account hardening, IAM | Always on | Free |
Default baseline (Config off): ~$15-25/month. With Config enabled: ~$20-30/month. Costs scale with API activity and number of resources. See envs/foundation/foundation.tfvars.example for all optional features.
- Architecture — What’s built, why, and benefits
- Security — Controls, rationale, and security impact
- Testing — Test suite, what’s tested per module, and how to run it
Apache 2.0. See LICENSE.