This is continuation of AWS account settings as code with Terraform and Terragrunt. Be sure to start with part one. Part will I’ll be blocking Amazon S3 bucket public access, enable EBS volume encryption at the AWS account level, and apply the IAM account password policies.
Cost: These exact settings applied on the account have no cost unless you use customer managed keys from KMS.
AWS IAM account password policies
# password policy
resource "aws_iam_account_password_policy" "this" {
minimum_password_length = 10
max_password_age = 365
password_reuse_prevention = 10
require_lowercase_characters = true
require_numbers = true
require_uppercase_characters = true
require_symbols = true
allow_users_to_change_password = true
}
This applies the IAM account password settings as code.
This change requires the IAM permission “UpdateAccountPasswordPolicy” action allowed.
Update your “settings” repository dev branch. Then in the “settings” terragrunt update your code with
terragrunt init --terragrunt-source-update
terragrunt plan
# then
terragrunt apply
Check by going to the IAM service dashboard… now have a green check mark for “Apply an IAM password policy”.

Block Amazon S3 bucket public access
So many horror stories on the news about Amazon Simple Storage Service (S3) buckets being accidentally open to the public. Let’s prevent accidental public access on S3 buckets at the account level just in case if you get to block at the bucket level.
resource "aws_s3_account_public_access_block" "this" {
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
This sets the following settings on S3. As stated on the S3 “Block public access…” in the S3 console.
- Blocks public access to buckets and objects granted through new access control lists (ACLs)
- Blocks public access to buckets and objects granted through any access control lists (ACLs)
- Blocks public access to buckets and objects granted through new public bucket or access point policies
- Blocks public and cross-account access to buckets and objects through any public bucket or access point policies
You’ll need “PutAccountPublicAccessBlock” S3 action for this setting.
Update your “settings” repository dev branch. Then in the “settings” terragrunt update your code with
terragrunt init --terragrunt-source-update
terragrunt plan
# then
terragrunt apply
Verify by going to S3 service -> on the left navigation click “Block public access (account settings)“. You should see all green “On” for every single line.

Default EBS volume encryption
This account level setting will always set EC2 default EBS volume encryption during creation of any EBS volume regardless of what and how it’s provisioned. If you provision an EC2 using the console or use of any of the AWS CLI commands or any of the AWS SDKS and you don’t explicitly apply EBS volume encryption then this will do it for you! It’s quite amazing and simple to apply or remove.
What key will it use? It can use a default Amazon managed key or your a customer (you) managed KMS key. I haven’t setup KMS keys yet, so I’ll use the default Amazon managed key for now.
resource "aws_ebs_encryption_by_default" "this" {
enabled = true
}
You’ll need the following IAM policy statement to apply this setting.
{
"Sid": "AllowsEBSdefaultEncryption",
"Effect": "Allow",
"Action": [
"ec2:GetEbsEncryptionByDefault",
"ec2:EnableEbsEncryptionByDefault",
"ec2:DisableEbsEncryptionByDefault",
"ec2:ResetEbsDefaultKmsKeyId",
"ec2:ModifyEbsDefaultKmsKeyId"
],
"Resource": "*"
}
and again, update your Terraform git repository then update your Terragrunt deployment code and apply.
Navigate to the EC2 service then on the main page on the right panel within the “Account attributes” click on “EBS encryption“.


Bonus
Billing settings
These aren’t automated but it’s only enabled once your consolidated billing account. If you have permissions to enable billing alerts and emails. Within the Billing Preferences select the following settings.


That’s it for now!
As always if you see any errors, mistakes, have suggestions or questions please comment below. Don’t forget to like, share, and subscribe for more!
Image by Денис Марчук from Pixabay
Published by