Module:
sourcefuse/arc-security/aws
Registry: https://registry.terraform.io/modules/sourcefuse/arc-security/aws
Category: Security / Compliance
Source: https://github.com/sourcefuse/terraform-aws-arc-security
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Enables and configures AWS security services — GuardDuty, Security Hub, AWS Config, and Inspector — with SNS notifications.
- GuardDuty threat detection with SNS alerts
- Security Hub with configurable compliance standards
- AWS Config rules and conformance packs
- Amazon Inspector for vulnerability scanning
- SNS topics for security findings notifications
- IAM roles for Config recorder
For more information about this repository and its usage, please see Terraform AWS Cloud Security Module Usage Guide.
module "cloud_security" {
source = "sourcefuse/arc-security/aws"
version = "1.0.2"
region = var.region
environment = var.environment
namespace = var.namespace
enable_inspector = true
enable_aws_config = true
enable_guard_duty = true
enable_security_hub = false
create_config_iam_role = true
aws_config_sns_subscribers = local.aws_config_sns_subscribers
guard_duty_sns_subscribers = local.guard_duty_sns_subscribers
security_hub_sns_subscribers = local.security_hub_sns_subscribers
aws_config_managed_rules = var.aws_config_managed_rules
enabled_security_hub_standards = local.security_hub_standards
create_inspector_iam_role = var.create_inspector_iam_role
inspector_enabled_rules = var.inspector_enabled_rules
inspector_schedule_expression = var.inspector_schedule_expression
inspector_assessment_event_subscription = var.inspector_assessment_event_subscription
tags = module.tags.tags
}| Name | Type | Description |
|---|---|---|
namespace |
string |
Namespace prefix |
environment |
string |
Deployment environment |
region |
string |
AWS region |
| Name | Description |
|---|---|
guardduty_detector_id |
GuardDuty detector ID |
security_hub_arn |
Security Hub ARN |
config_recorder_id |
AWS Config recorder ID |
The complete inputs/outputs reference is auto-generated below.
| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | >= 5.0, < 6.0 |
| Name | Version |
|---|---|
| aws | 5.99.1 |
| Name | Source | Version |
|---|---|---|
| aws_config_storage | cloudposse/config-storage/aws | 1.0.2 |
| config | cloudposse/config/aws | 1.5.2 |
| guard_duty | cloudposse/guardduty/aws | 0.6.0 |
| guard_duty_sns_topic | cloudposse/sns-topic/aws | 0.20.1 |
| inspector | ./modules/inspector | n/a |
| security_hub | cloudposse/security-hub/aws | 0.12.2 |
| securityhub_sns_kms_key | cloudposse/kms-key/aws | 0.12.2 |
| securityhub_sns_topic | cloudposse/sns-topic/aws | 0.21.0 |
| sns_guard_duty | cloudposse/sns-topic/aws | 0.21.0 |
| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.guard_duty_findings | resource |
| aws_cloudwatch_event_rule.imported_findings | resource |
| aws_cloudwatch_event_target.guard_duty_imported_findings | resource |
| aws_cloudwatch_event_target.security_hub_imported_findings | resource |
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_sns_topic_policy.sns_topic_guard_duty | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.guard_duty_sns_topic_policy | data source |
| aws_iam_policy_document.securityhub_sns_kms_key_policy | data source |
| aws_iam_session_context.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_inspector_member_accounts | Whether to associate as a member account with your Amazon Inspector delegated administrator account. | bool |
false |
no |
| aws_config_managed_rules | A list of AWS Managed Rules that should be enabled on the account. See the following for a list of possible rules to enable: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html |
map(object({ |
{} |
no |
| aws_config_sns_subscribers | A map of subscription configurations for SNS topics For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference protocol: The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially supported, see link) (email is an option but is unsupported in terraform, see link). endpoint: The endpoint to send data to, the contents will vary with the protocol. (see link for more information) endpoint_auto_confirms: Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is false raw_message_delivery: Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false |
map(object({ |
n/a | yes |
| create_config_iam_role | Flag to indicate whether an iam role should be created for aws config. | bool |
false |
no |
| enable_aws_config | Whether to enable AWS Config | bool |
true |
no |
| enable_guard_duty | Whether to enable Guard Duty | bool |
true |
no |
| enable_inspector | Whether to enable Inspector | bool |
true |
no |
| enable_inspector_at_orgnanization | Whether to enable Inspecter at Org level, if false account_list should be provided | bool |
false |
no |
| enable_security_hub | Whether to enable Security Hub | bool |
true |
no |
| enabled_security_hub_standards | A list of standards/rulesets to enable See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription#argument-reference The possible values are: - standards/aws-foundational-security-best-practices/v/1.0.0 - ruleset/cis-aws-foundations-benchmark/v/1.2.0 - standards/pci-dss/v/3.2.1 |
list(any) |
n/a | yes |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string |
n/a | yes |
| force_destroy | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | bool |
false |
no |
| guard_duty_s3_protection_enabled | Flag to indicate whether S3 protection will be turned on in GuardDuty. | bool |
false |
no |
| guard_duty_sns_subscribers | A map of subscription configurations for SNS topics For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference protocol: The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially supported, see link) (email is an option but is unsupported in terraform, see link). endpoint: The endpoint to send data to, the contents will vary with the protocol. (see link for more information) endpoint_auto_confirms: Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is false raw_message_delivery: Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false |
map(object({ |
null |
no |
| inspector_account_list | List of Account for which inspector has to be enabled | list(string) |
n/a | yes |
| inspector_resource_types | Type of resources to scan. Valid values are EC2, ECR, LAMBDA and LAMBDA_CODE. At least one item is required. | list(string) |
[ |
no |
| inspector_schedule_expression | AWS Schedule Expression to indicate how often the inspector scheduled event shoud run | string |
"rate(7 days)" |
no |
| inspector_sns_subscribers | A map of subscription configurations for SNS topics For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference protocol: The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially supported, see link) (email is an option but is unsupported in terraform, see link). endpoint: The endpoint to send data to, the contents will vary with the protocol. (see link for more information) endpoint_auto_confirms: Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is false raw_message_delivery: Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false |
map(object({ |
null |
no |
| namespace | Namespace for the resources. | string |
n/a | yes |
| region | AWS region | string |
"us-east-1" |
no |
| security_hub_sns_subscribers | A map of subscription configurations for SNS topics For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference protocol: The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially supported, see link) (email is an option but is unsupported in terraform, see link). endpoint: The endpoint to send data to, the contents will vary with the protocol. (see link for more information) endpoint_auto_confirms: Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is false raw_message_delivery: Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false |
map(object({ |
null |
no |
| tags | Tags for AWS resources | map(string) |
n/a | yes |
| Name | Description |
|---|---|
| aws_config_configuration_recorder_id | The ID of the AWS Config Recorder |
| aws_config_iam_role | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. |
| aws_config_sns_topic | SNS topic |
| aws_config_sns_topic_subscriptions | SNS topic subscriptions |
| guard_duty_detector | GuardDuty detector |
| guard_duty_sns_topic | SNS topic |
| guard_duty_sns_topic_subscriptions | SNS topic subscriptions |
| inspector_aws_cloudwatch_event_rule | The AWS Inspector event rule |
| inspector_aws_cloudwatch_event_target | The AWS Inspector event target |
| security_hub_enabled_subscriptions | A list of subscriptions that have been enabled |
| security_hub_sns_topic | The SNS topic that was created |
| security_hub_sns_topic_subscriptions | The SNS topic that was created |
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
git commit -m "your commit message #major"By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly
- Configure pre-commit hooks
pre-commit install
- Tests are available in
testdirectory - Configure the dependencies
cd test/ go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name> go get github.com/gruntwork-io/terratest/modules/terraform
- Now execute the test
go test -timeout 30m
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcpClaude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"arc-iac": {
"url": "https://arc-iac-mcp.sourcef.us/mcp"
}
}
}Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
See CONTRIBUTING.md for commit conventions and development setup.
This project is authored by:
- SourceFuse

