// the find
nozaq/terraform-aws-secure-baseline
Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
A Terraform module that wires up CIS AWS Foundations Benchmark v1.4.0 and AWS FSBP controls across all AWS regions in one shot: CloudTrail, GuardDuty, Config, Security Hub, IAM password policy, VPC hardening, and a set of CloudWatch alarms for critical account events (root usage, unauthorized API calls, IAM and CloudTrail config changes). Target audience is platform/infra teams who want a defensible security baseline without assembling it themselves from 15 separate modules.
- Properly handles multi-region deployment by requiring explicit provider aliases — you know exactly which regions are covered, no magic or implicit iteration that could silently miss a region.
- Well-decomposed into independent submodules (alarm-baseline, guardduty-baseline, etc.) so you can pull in only the pieces you need without taking the whole thing.
- Covers the expensive-to-get-right stuff by default: CloudTrail Insights, S3 object-level logging, KMS encryption on trails, Glacier archival, and account-level S3 public access block.
- Has an AWS Organizations path with master/member separation, which is where most teams actually run — not just the single-account happy path.
- Last push was July 2024 and it's still on CIS v1.4: v2.0 shipped in 2023 and v3.0 in early 2024, and controls were added, removed and renumbered along the way, so the gap is non-trivial (root MFA is not it; v1.4 already requires that). You'd be passing a 'CIS compliant' audit against a stale benchmark while Security Hub already ships a v3.0.0 standard.
- The provider-per-region pattern in the usage block is a real maintenance tax: adding a new AWS region means updating the module call in every consuming repo, and there's no mechanism to say 'all regions except these'.
- No remediation: Config rules and Security Hub findings give you drift detection, but the module doesn't wire up auto-remediation (SSM Automation documents via Config remediation configurations, or Lambda remediators). You get visibility, not enforcement.
- The alarm module publishes to an SNS topic but creates no subscriptions, so alarms go nowhere until you add subscribers yourself (and, for email endpoints, confirm them; an unconfirmed subscription delivers nothing). Easy to deploy and think you're covered when you're not.
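That last gap is cheap to verify after deploy. The check below is an added example, not code from the module or its README: it flags every CloudWatch alarm whose ALARM actions reach no confirmed SNS subscriber, including the subtle cases (alarm with no actions, actions disabled, email subscription still pending confirmation). The logic runs offline over constructed sample data shaped like boto3's describe_alarms() and list_subscriptions_by_topic() responses; live_check() is the only part that talks to AWS and assumes boto3 and credentials for the account. Alarm and topic names in the sample are illustrative.

```python
"""Flag CloudWatch alarms whose ALARM actions reach no confirmed SNS subscriber.

Pure-Python checking logic over dicts shaped like boto3's describe_alarms()
and list_subscriptions_by_topic() responses, so it runs offline on the
constructed sample below. live_check() is the only function that calls AWS
(assumption: boto3 is installed and credentials are configured).
"""
from typing import Dict, Iterable, List

SNS_ARN_PREFIX = "arn:aws:sns:"


def sns_topics_in_alarm_actions(alarms: Iterable[dict]) -> List[str]:
    """Distinct SNS topic ARNs referenced by any alarm's AlarmActions."""
    topics: List[str] = []
    for alarm in alarms:
        for arn in alarm.get("AlarmActions", []):
            if arn.startswith(SNS_ARN_PREFIX) and arn not in topics:
                topics.append(arn)
    return topics


def confirmed_subscriptions(subscriptions: Iterable[dict]) -> List[dict]:
    """Drop subscriptions that cannot deliver.

    SNS reports an unconfirmed email/HTTP subscription with SubscriptionArn
    "PendingConfirmation" and a removed one as "Deleted"; only a real ARN
    (arn:aws:sns:...) means the endpoint will actually receive the message.
    """
    return [s for s in subscriptions
            if s.get("SubscriptionArn", "").startswith(SNS_ARN_PREFIX)]


def find_dead_alarms(alarms: Iterable[dict],
                     subscriptions_by_topic: Dict[str, List[dict]]) -> Dict[str, str]:
    """Return {alarm_name: reason} for every alarm whose ALARM state goes nowhere."""
    dead: Dict[str, str] = {}
    for alarm in alarms:
        name = alarm["AlarmName"]
        actions = alarm.get("AlarmActions", [])
        if not actions:
            dead[name] = "no AlarmActions configured"
            continue
        if not alarm.get("ActionsEnabled", True):
            dead[name] = "ActionsEnabled is false, actions are suppressed"
            continue
        reachable = False
        for arn in actions:
            if not arn.startswith(SNS_ARN_PREFIX):
                # Non-SNS actions (Auto Scaling, EC2, SSM Incident Manager) are
                # out of scope here; treat them as a live target.
                reachable = True
            elif confirmed_subscriptions(subscriptions_by_topic.get(arn, [])):
                reachable = True
        if not reachable:
            dead[name] = "every SNS topic in AlarmActions has zero confirmed subscriptions"
    return dead


def live_check(region: str) -> Dict[str, str]:
    """Run the check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline logic above needs no boto3

    cw = boto3.client("cloudwatch", region_name=region)
    alarms: List[dict] = []
    for page in cw.get_paginator("describe_alarms").paginate():
        alarms.extend(page.get("MetricAlarms", []))
        alarms.extend(page.get("CompositeAlarms", []))

    subscriptions_by_topic: Dict[str, List[dict]] = {}
    for topic in sns_topics_in_alarm_actions(alarms):
        topic_region = topic.split(":")[3]  # arn:aws:sns:<region>:<account>:<name>
        sns = boto3.client("sns", region_name=topic_region)
        subs: List[dict] = []
        for page in sns.get_paginator("list_subscriptions_by_topic").paginate(TopicArn=topic):
            subs.extend(page.get("Subscriptions", []))
        subscriptions_by_topic[topic] = subs
    return find_dead_alarms(alarms, subscriptions_by_topic)


# Constructed sample data; alarm and topic names are illustrative, not the module's.
TOPIC_OK = "arn:aws:sns:us-east-1:123456789012:secure-baseline-alarms"
TOPIC_UNCONFIRMED = "arn:aws:sns:us-east-1:123456789012:secure-baseline-alarms-staging"

SAMPLE_ALARMS = [
    {"AlarmName": "RootUsage", "ActionsEnabled": True, "AlarmActions": [TOPIC_OK]},
    {"AlarmName": "UnauthorizedAPICalls", "ActionsEnabled": True, "AlarmActions": [TOPIC_UNCONFIRMED]},
    {"AlarmName": "ConsoleSigninWithoutMFA", "ActionsEnabled": True, "AlarmActions": []},
    {"AlarmName": "IAMChanges", "ActionsEnabled": False, "AlarmActions": [TOPIC_OK]},
]
SAMPLE_SUBSCRIPTIONS = {
    TOPIC_OK: [{"SubscriptionArn": TOPIC_OK + ":6e7fbd0e-2b4c-4c2e-9c7d-0f1a2b3c4d5e",
                "Protocol": "email", "Endpoint": "secops@example.com"}],
    # Someone added an email subscriber but nobody clicked the confirmation link.
    TOPIC_UNCONFIRMED: [{"SubscriptionArn": "PendingConfirmation",
                         "Protocol": "email", "Endpoint": "oncall@example.com"}],
}

if __name__ == "__main__":
    for name, reason in find_dead_alarms(SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS).items():
        print(f"DEAD  {name}: {reason}")
```

On the sample, only RootUsage is actually wired to a human; the other three would sit in ALARM state silently. Run live_check() in the region where the module's alarms and topic were created (the ARN parsing handles a topic in another region) as a post-apply gate, and treat a non-empty result as a deployment failure.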