Question 1

How to use an existing S3 bucket with terraform-aws-secure-baseline?

Accepted Answer

Set the use_external_audit_log_bucket input variable to true and specify the bucket name. The module includes an external-bucket example for integrating with pre-existing log storage.

Question 2

terraform-aws-secure-baseline vs AWS Control Tower for security compliance?

Accepted Answer

This module offers more granular, Terraform-based control aligned with specific benchmarks, while AWS Control Tower provides a managed, opinionated framework for multi-account governance, suitable for different use cases.

Question 3

Does terraform-aws-secure-baseline work in AWS China regions?

Accepted Answer

It should work if AWS services are available, but you need to define providers for those regions (e.g., aws.cn-north-1) and ensure compliance with local regulations, as the module targets standard AWS partitions.

Question 4

How to disable specific services like GuardDuty in the module?

Accepted Answer

Use boolean input variables like guardduty_enabled set to false. The README lists toggles for each submodule, such as alarm_baseline_enabled and config_baseline_enabled.

Question 5

What AWS costs should I expect with terraform-aws-secure-baseline?

Accepted Answer

Costs vary based on usage; enabling CloudTrail, Config, GuardDuty, and SecurityHub incurs additional charges. Consult AWS pricing, as the module doesn't provide estimates, and services like CloudTrail Insights are on by default.

Question 6

How to upgrade from v0.19 to v1.0 of terraform-aws-secure-baseline?

Accepted Answer

Follow the version 1.0 upgrade guide linked in the README, which details steps to migrate after breaking changes, such as requiring AWS provider v4.0 or later.

terraform-aws-secure-baseline

What is terraform-aws-secure-baseline?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions