
A production-ready AWS secure baseline built with Terraform. Logging, IAM, GuardDuty, and optional VPC; deployable in under an hour. Built for startups that can't afford to get security wrong.

its-d/secure-cloud-baseline

Secure Cloud Baseline (SCB)

Terraform-based secure baseline for a single AWS account: logging, IAM, optional network, and guardrails. Aimed at startups and teams new to the cloud who want an auditable, cost-conscious foundation.

Domains: Logging (CloudTrail, CloudWatch, KMS, SNS) · IAM (password policy, break-glass admin, operator, read-only roles) · Network (optional VPC, subnets, endpoints, NAT) · Guardrails (GuardDuty, optional Config, Budgets)

Requirements

  • Terraform >= 1.6.0
  • AWS provider ~> 5.0
  • AWS CLI configured (for bootstrap and apply)
  • Bash (Makefile)

Quick start

  1. Clone and configure env

    cp .env.example .env
    # Set AWS_REGION, AWS_ACCOUNT_ID, PREFIX in .env
  2. Configure variables

    cp envs/foundation/foundation.tfvars.example envs/foundation/foundation.tfvars
    # Set project_name, aws_region, owner, admin_email (and any optional vars)
  3. Bootstrap state backend (creates S3 bucket if missing, writes envs/foundation/backend.hcl if missing)

    make bootstrap
  4. Init and plan

    make init
    make plan
  5. Apply

    make apply
  6. SNS email subscription (manual, one-time)

     After the first apply, subscribe admin_email to the security alerts SNS topic in the AWS Console (SNS → Topics → scb-security-alerts → Create subscription). Terraform cannot create confirmed email subscriptions.

Makefile targets

| Target | Purpose |
|--------|---------|
| bootstrap | Create S3 state bucket (if missing), generate backend.hcl (if missing); requires .env |
| init | terraform init with backend config (requires backend.hcl) |
| plan | terraform plan with tfvars, writes plan-$(ENV).tfplan |
| apply | Apply plan-$(ENV).tfplan |
| destroy | Destroy resources for the selected ENV |
| validate | Validate Terraform configuration |
| test | Run Terraform test suite in tests/ (mock provider; no AWS or backend) |
| clean | Remove .terraform and plan files |

Set ENV (default: foundation) to target a different environment directory under envs/. The _guard_tfvars and _guard_backend targets run automatically before any target that needs the tfvars file or backend.hcl.

Tests: make test runs the Terraform test suite with a mocked AWS provider (no credentials or S3 backend). See Testing for what each test file covers, which modules are exercised, and why. After running tests, run make init again if you need the remote backend for plan/apply.

IAM roles (no long-lived user keys)

  • Break-glass admin — Assume with MFA; 1h session; full admin. For emergencies only.
  • Operator — Assume with MFA; 8h session; PowerUser minus the permissions that could tamper with CloudTrail or the S3 audit logs.
  • Read-only — Assume without MFA (for automation); ReadOnlyAccess.

Use AWS SSO or IAM Identity Center and assign these roles to permission sets, or assume directly with MFA where required.
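As an added example (not the repository's own code), here is one way the operator role described above can be expressed in Terraform: an MFA-gated trust policy, an 8h session ceiling, the managed PowerUserAccess policy, and an explicit Deny on CloudTrail and audit-bucket tampering. The role name, the audit_bucket_arn variable and the specific denied actions are assumptions, not values taken from the repo.

```hcl
data "aws_caller_identity" "current" {}
variable "audit_bucket_arn" { type = string } # ARN of the CloudTrail log bucket (assumed input)
# Trust policy: same-account principals may assume the role, but only with MFA present.
data "aws_iam_policy_document" "operator_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "operator" {
  name                 = "scb-operator" # role name is an assumption
  assume_role_policy   = data.aws_iam_policy_document.operator_trust.json
  max_session_duration = 28800 # 8h; the role cannot issue longer-lived credentials
}
resource "aws_iam_role_policy_attachment" "operator_poweruser" {
  role       = aws_iam_role.operator.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

# An explicit Deny overrides the PowerUser Allow, so operators keep broad
# build rights but cannot silence or destroy the audit trail.
data "aws_iam_policy_document" "operator_no_audit_tamper" {
  statement {
    effect    = "Deny"
    actions   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                 "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]
    resources = ["*"]
  }
  statement {
    effect    = "Deny"
    actions   = ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
                 "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"]
    resources = [var.audit_bucket_arn, "${var.audit_bucket_arn}/*"]
  }
}
resource "aws_iam_role_policy" "operator_no_audit_tamper" {
  name   = "deny-audit-tampering"
  role   = aws_iam_role.operator.id
  policy = data.aws_iam_policy_document.operator_no_audit_tamper.json
}
```

Note that aws:MultiFactorAuthPresent is absent (and so evaluates false) for sessions that did not authenticate with MFA, including some chained role sessions, which is what makes the Bool condition a hard gate rather than a preference.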

Cost (defaults)

With default options (GuardDuty on, NAT off, Config off, no VPC): expect under ~$25/month for the baseline. Enabling VPC, NAT, flow logs, or Config adds cost; see docs/architecture.md and variable comments in envs/foundation/foundation.tfvars.example.

Docs

  • Post-deployment checklist — Verify resources, security controls, and log flow after apply
  • Architecture — What’s built, why, and benefits
  • Security — Controls, rationale, and security impact
  • Testing — Test suite, what’s tested per module, and how to run it

License

Apache 2.0. See LICENSE.
