# Security Hub CIS Benchmark

## Overview
This Terraform module enables AWS Security Hub and subscribes the account to the CIS AWS Foundations Benchmark v1.4.0 standard.
It provides a turnkey security compliance baseline for AWS environments, ideal for audit-readiness and best-practice alignment.
## Key Features
- Enables AWS Security Hub in a specific region
- Automatically subscribes to the CIS AWS Foundations Benchmark v1.4.0
- Tags the deployment environment for tracking
- Outputs status and subscription reference
๐ผ Use Casesโ
- Establishing a CIS-compliant AWS environment
- Jumpstarting cloud security posture management
- Meeting audit or industry security framework requirements
- Adding continuous monitoring to AWS accounts
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region where Security Hub will be enabled |
| environment | string | Deployment environment tag (e.g., dev, staging, prod) |
## Outputs
| Name | Description |
|---|---|
| security_hub_status | Indicates whether Security Hub was successfully enabled |
| cis_standard_subscription_arn | ARN of the CIS AWS Foundations Benchmark subscription |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires IAM permissions for `securityhub:*`
## Example Usage

```hcl
module "security_hub_standard" {
  source      = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//security/security-hub-standard?ref=v1.0.0"
  region      = "us-east-1"
  environment = "prod"
}
```

Apply with Terraform:

```sh
terraform init
terraform plan
terraform apply
```

or with OpenTofu:

```sh
tofu init
tofu plan
tofu apply
```
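The module's source ships only with the paid package, so the following is an added illustration, not Archiphire's code, of how the behaviour described above (enable Security Hub, subscribe to CIS v1.4.0, expose the two outputs) can be implemented in Terraform. The resource names `this` and `cis_1_4`, the `enable_default_standards = false` choice, and the use of the account's partition to build the regional standards ARN are assumptions of this example; the `environment` tag is expected to be applied through the root module's provider `default_tags`, since Security Hub resources do not accept tags directly.

```hcl
# Hypothetical implementation of the module described in this README (not the project's code).

variable "region" {
  type        = string
  description = "AWS region where Security Hub will be enabled"
}

variable "environment" {
  type        = string
  description = "Deployment environment tag (e.g., dev, staging, prod); apply via provider default_tags"
}

# Partition (aws, aws-us-gov, aws-cn) so the standards ARN is valid outside commercial regions.
data "aws_partition" "current" {}

# Enable Security Hub for this account in the configured region.
# Default standards are left off so only the explicitly subscribed CIS v1.4.0 standard is enabled.
resource "aws_securityhub_account" "this" {
  enable_default_standards = false
}

# CIS v1.4.0 standards ARNs are regional, so the ARN is built from the chosen region.
# Subscribing before Security Hub is enabled fails, hence the explicit dependency.
resource "aws_securityhub_standards_subscription" "cis_1_4" {
  standards_arn = "arn:${data.aws_partition.current.partition}:securityhub:${var.region}::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.this]
}

output "security_hub_status" {
  description = "Indicates whether Security Hub was successfully enabled"
  value       = aws_securityhub_account.this.id != "" ? "enabled" : "not enabled"
}

output "cis_standard_subscription_arn" {
  description = "ARN of the CIS AWS Foundations Benchmark subscription"
  # The subscription resource's id is the standards subscription ARN.
  value       = aws_securityhub_standards_subscription.cis_1_4.id
}
```

After `apply`, `aws securityhub get-enabled-standards --region <region>` should list the subscription ARN in state `READY`; any other state indicates the subscription did not complete.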
## Cleanup Options

Terraform Destroy (for isolated test environments):

```sh
terraform destroy
```

or

```sh
tofu destroy
```
Manual Deletion (for production environments):
If integrated with monitoring workflows or central compliance accounts, disable Security Hub manually via the AWS Console or CLI.
## Notes
This is a Level 1 security module meant to provide out-of-the-box CIS Benchmark alignment.
For broader enterprise deployments or organization-wide aggregation, extend with AWS Organizations integrations, delegated admin settings, or alert routing to SIEM/SOAR platforms.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.