81 changes: 65 additions & 16 deletions README.md
Expand Up @@ -60,6 +60,17 @@ This project implements security configurations based on the [ACSC Hardening Mic
├── scripts/ # Deployment and utility scripts
│ ├── Deploy-ACSCToAzure.ps1
│ └── New-ACSCMachineConfigurationPackage.ps1
├── terraform/ # Terraform deployment modules
│ ├── azure/ # Azure-specific module
│ │ ├── main.tf # Main Terraform configuration
│ │ ├── variables.tf # Input variables
│ │ ├── outputs.tf # Output values
│ │ ├── policy.tf # Policy definitions and assignments
│ │ ├── terraform.tfvars.example # Example configuration
│ │ └── README.md # Azure module documentation
│ ├── aws/ # AWS-specific module (coming soon)
│ │ └── README.md # AWS module documentation
│ └── README.md # Terraform modules overview
├── build-release.ps1 # Automated build script
└── docs/ # Documentation
```
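Review bot: the tree marks `aws/` as "AWS-specific module (coming soon)" with only a README.md beneath it, yet the terraform/README.md added in this same commit reports the AWS module as available and its Quick Start runs `cp terraform.tfvars.example terraform.tfvars` inside `aws/`. Either list the AWS module files here (main.tf, variables.tf, outputs.tf, terraform.tfvars.example, plus the `terraform/aws/.gitignore` this commit adds) and drop "coming soon", or keep the AWS README marked as not yet available so the two documents agree.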
Expand Down Expand Up @@ -183,29 +194,67 @@ flowchart TD

## Quick Start

### Option 1: Automated Build via GitHub Actions (Recommended)
### Option 1: Terraform Deployment (Recommended)

The repository includes a GitHub Actions workflow for automated builds:
The easiest way to deploy is using the Terraform module, which automates the entire process:

**Azure Deployment:**
```bash
# Tag a release version
git tag v1.0.0
git push origin v1.0.0

# GitHub Actions will automatically:
# - Compile DSC configurations
# - Create Machine Configuration packages
# - Generate SHA256 hashes
# - Create a GitHub Release with all artifacts
cd terraform/azure
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your Azure subscription details

terraform init
terraform plan
terraform apply
```

Download the release artifacts and deploy to Azure using the provided scripts.
**AWS Deployment:**
```bash
cd terraform/aws
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your AWS configuration

terraform init
terraform plan
terraform apply

# Tag EC2 instances to receive hardening
aws ec2 create-tags --resources i-INSTANCE-ID --tags Key=ACSC-Hardening,Value=Enabled
```

See [terraform/README.md](terraform/README.md) for detailed documentation on both modules.

The Terraform modules automatically:
- Download packages from GitHub releases
- Create storage (Azure Storage Account / S3 Bucket) and upload packages
- Generate secure access tokens/permissions
- Create and configure policies/associations
- Set up managed identities and roles

### Option 2: Local Build
See [terraform/README.md](terraform/README.md) for detailed documentation.

### Option 2: PowerShell Deployment with GitHub Release

Deploy using the PowerShell script with automatic GitHub release download:

```powershell
.\scripts\Deploy-ACSCToAzure.ps1 `
-SubscriptionId "your-subscription-id" `
-ResourceGroupName "your-resource-group" `
-StorageAccountName "yourstorageaccount" `
-UseGitHubRelease
```

### Option 3: Local Build and Deploy

1. **Build packages locally**
```powershell
# Creates packages in ./release directory
```bash
# Tag a release version
git tag v1.0.0
git push origin v1.0.0

# Or build locally
.\build-release.ps1 -Version "1.0.0"
```
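Review bot: the Option 3 block under "Build packages locally" is now fenced as ```bash but ends with `.\build-release.ps1 -Version "1.0.0"`, a PowerShell invocation (the block it replaces was fenced ```powershell); in a POSIX shell the backslash is consumed and the command does not run, and the `git tag` / `git push` lines above it trigger the GitHub Actions build rather than a local one. Split this into a PowerShell-fenced local build step and move the tag-and-push instructions under the GitHub release path of Option 2. Also, "See [terraform/README.md](terraform/README.md) for detailed documentation" now appears twice in Option 1 (once before the bullet list and once after it); keep one. The `aws ec2 create-tags ... Key=ACSC-Hardening,Value=Enabled` line should state that this exact key/value pair is what the AWS module's State Manager association targets, so an operator who uses a different tag is not left with instances that never receive the configuration.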

Expand All @@ -219,7 +268,7 @@ Download the release artifacts and deploy to Azure using the provided scripts.

3. **Monitor compliance** in Azure Policy dashboard (20-30 minutes for initial evaluation)

### Option 3: Manual Setup
### Option 4: Manual Setup

1. **Install required modules**
```powershell
109 changes: 109 additions & 0 deletions terraform/README.md
@@ -0,0 +1,109 @@
# ACSC Windows Hardening - Terraform Modules

This directory contains Terraform modules for deploying ACSC (Australian Cyber Security Centre) Windows hardening configurations to cloud environments.

## Available Modules

### Azure Module

The Azure module deploys ACSC hardening policies using Azure Machine Configuration (formerly Azure Policy Guest Configuration).

**Location:** [`azure/`](azure/)

**Features:**
- Azure Storage Account for DSC MOF packages
- Automatic GitHub release integration
- Azure Policy definitions and assignments
- Managed identities and RBAC configuration
- Support for both High and Medium priority configurations

**Quick Start:**
```bash
cd azure
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your Azure subscription details
terraform init
terraform plan
terraform apply
```

See [azure/README.md](azure/README.md) for detailed documentation.

### AWS Module

The AWS module deploys ACSC hardening policies using AWS Systems Manager and related services.

**Location:** [`aws/`](aws/)

**Status:** ✅ Available

**Features:**
- S3 bucket for DSC MOF packages with encryption and versioning
- Automatic GitHub release integration
- SSM Documents for DSC configuration application
- State Manager associations for automated remediation
- IAM roles and instance profiles for EC2 instances
- Support for both High and Medium priority configurations

**Quick Start:**
```bash
cd aws
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your AWS configuration
terraform init
terraform plan
terraform apply
```

See [aws/README.md](aws/README.md) for detailed documentation.

## Module Comparison

| Feature | Azure Module | AWS Module |
|---------|-------------|------------|
| Storage | Azure Storage Account | S3 Bucket |
| Configuration Management | Azure Machine Configuration | Systems Manager State Manager |
| Compliance/Policy | Azure Policy | Systems Manager Compliance |
| Authentication | Managed Identity | IAM Instance Profile |
| Package Distribution | SAS Token URLs | S3 Direct Access |
| Auto-remediation | ApplyAndAutoCorrect mode | State Manager associations |
| Extension Auto-install | Yes | No (SSM Agent required) |

## Prerequisites

### Azure Module
- Terraform >= 1.0
- Azure CLI or Service Principal authentication
- Azure subscription with Policy Contributor permissions

### AWS Module
- Terraform >= 1.0
- AWS CLI or IAM credentials
- AWS account with appropriate permissions
- Windows EC2 instances with SSM Agent installed
- EC2 instances with SSM Agent installed

## Contributing

Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Submit a pull request with detailed description
4. Ensure all configurations are tested

## License

This project is licensed under the MIT License - see the [LICENSE](../LICENSE) file for details.

## Support

For issues related to:
- **Azure implementation:** See [azure/README.md](azure/README.md)
- **AWS implementation:** See [aws/README.md](aws/README.md) (when available)
- **General questions:** Open an issue in the GitHub repository

## References

- [ACSC Windows Hardening Guidelines](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/hardening-microsoft-windows-10-and-windows-11-workstations)
- [Azure Machine Configuration Documentation](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/overview)
- [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/)
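Review bot: "**Status:** ✅ Available" for the AWS module conflicts with the root README in this commit ("coming soon") and with the Support section further down this file, which still says "(when available)"; settle on one. Under the AWS prerequisites, "Windows EC2 instances with SSM Agent installed" and "EC2 instances with SSM Agent installed" are duplicates; drop the second. "AWS account with appropriate permissions" is vaguer than the Azure entry's "Policy Contributor permissions"; list the IAM actions the module needs (S3 bucket creation, SSM document and State Manager association management, IAM role and instance profile creation) so operators can scope a least-privilege deployer role rather than running as an administrator. In the comparison table, "SAS Token URLs" and "S3 Direct Access" are where the trust in package download sits: document the SAS token lifetime the Azure module issues, and state that the S3 bucket is reachable only through the instance profile and not through a public bucket policy, since a reader of this table cannot otherwise tell how the packages are protected in transit to the instance.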
22 changes: 22 additions & 0 deletions terraform/aws/.gitignore
@@ -0,0 +1,22 @@
# Terraform files
.terraform/
.terraform.lock.hcl
*.tfstate
*.tfstate.*
*.tfplan
*.tfvars
!terraform.tfvars.example

# Crash log files
crash.log
crash.*.log

# Override files
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# CLI configuration files
.terraformrc
terraform.rc
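Review bot: `.terraform.lock.hcl` should not be ignored. Terraform's dependency lock file records the selected provider versions together with their checksums, and HashiCorp recommends committing it so that every `terraform init` resolves to the same verified provider builds instead of silently picking up a newer release; remove that line (the `.terraform/` directory entry above it is the right thing to keep ignoring). The `*.tfvars` / `!terraform.tfvars.example` pair is correct, since real tfvars files carry subscription and account identifiers that do not belong in the repository.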