Script47 · Script47 · Jan 10, 2026 · Feb 20, 2025 · Jan 10, 2026 · Jan 10, 2026
diff --git a/github-oidc-iam-role/README.md b/github-oidc-iam-role/README.md
@@ -1,7 +1,5 @@
 # GitHub OIDC IAM Role
 
-## About
-
 This module allows you to setup an IAM role for GitHub OIDC.
 
 - IAM role with trust policy with `sub` pattern restrictions

diff --git a/github-oidc-provider/README.md b/github-oidc-provider/README.md
@@ -1,7 +1,5 @@
 # GitHub OIDC Provider
 
-## About
-
 This module allows you to setup the provider for GitHub OIDC.
 
 ## Usage

diff --git a/guardrails/README.md b/guardrails/README.md
@@ -0,0 +1,47 @@
+# Guardrails
+
+This module allows you to setup default guardrails to harden your AWS account with the following features:
+
+- EBS encryption by default
+- S3 account wide public block access
+- IAM account password policy
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "guardrails" {
+  source      = "github.com/script47/aws-tf-modules/guardrails"
+
+  ebs = {
+    encrypted = true
+  }
+
+  s3 = {
+    public_access_block = {
+        enabled                 = true
+        block_public_acls       = true
+        block_public_policy     = true
+        ignore_public_acls      = true
+        restrict_public_buckets = true
+    }
+  }
+
+  iam = {
+    password_policy = {
+      enabled                        = true
+      allow_users_to_change_password = true
+      password_reuse_prevention      = 0
+      hard_expiry                    = false
+      max_password_age               = null
+      minimum_password_length        = 12
+
+      require_lowercase_characters   = true
+      require_uppercase_characters   = true
+      require_numbers                = true
+      require_symbols                = true
+    }
+  }
+}
+```
diff --git a/guardrails/ebs.tf b/guardrails/ebs.tf
@@ -0,0 +1,3 @@
+resource "aws_ebs_encryption_by_default" "this" {
+  enabled = var.ebs.encrypted
+}
diff --git a/guardrails/iam.tf b/guardrails/iam.tf
@@ -0,0 +1,14 @@
+resource "aws_iam_account_password_policy" "this" {
+  count = var.iam.password_policy.enabled ? 1 : 0
+
+  allow_users_to_change_password = var.iam.password_policy.allow_users_to_change_password
+  password_reuse_prevention      = var.iam.password_policy.password_reuse_prevention
+  hard_expiry                    = var.iam.password_policy.hard_expiry
+  max_password_age               = var.iam.password_policy.max_password_age
+  minimum_password_length        = var.iam.password_policy.minimum_password_length
+
+  require_lowercase_characters   = var.iam.password_policy.require_lowercase_characters
+  require_uppercase_characters   = var.iam.password_policy.require_uppercase_characters
+  require_numbers                = var.iam.password_policy.require_numbers
+  require_symbols                = var.iam.password_policy.require_symbols
+}
diff --git a/guardrails/providers.tf b/guardrails/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.13"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 6"
+    }
+  }
+}
diff --git a/guardrails/s3.tf b/guardrails/s3.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_account_public_access_block" "this" {
+  count = var.s3.public_access_block.enabled
+
+  block_public_acls       = var.s3.public_access_block.block_public_acls
+  block_public_policy     = var.s3.public_access_block.block_public_policy
+  ignore_public_acls      = var.s3.public_access_block.ignore_public_acls
+  restrict_public_buckets = var.s3.public_access_block.restrict_public_buckets
+}
diff --git a/guardrails/variables.tf b/guardrails/variables.tf
@@ -0,0 +1,41 @@
+variable "ebs" {
+  description = "EBS account-level config"
+  type = object({
+    encrypted = optional(bool, true)
+  })
+  default = {}
+}
+
+variable "s3" {
+  description = "S3 account-level config"
+  type = object({
+    public_access_block = optional(object({
+      enabled                 = optional(bool, true)
+      block_public_acls       = optional(bool, true)
+      block_public_policy     = optional(bool, true)
+      ignore_public_acls      = optional(bool, true)
+      restrict_public_buckets = optional(bool, true)      
+    }), {})
+  })
+  default = {}
+}
+
+variable "iam" {
+  description = "IAM account-level config"
+  type = object({
+    password_policy = optional(object({
+      enabled                        = optional(bool, true)
+      allow_users_to_change_password = optional(bool, true)
+      password_reuse_prevention      = optional(number, 0)
+      hard_expiry                    = optional(bool, false)
+      max_password_age               = optional(number, null)
+      minimum_password_length        = optional(number, 12)
+
+      require_lowercase_characters   = optional(bool, true)
+      require_uppercase_characters   = optional(bool, true)
+      require_numbers                = optional(bool, true)
+      require_symbols                = optional(bool, true)
+    }), {})
+  })
+  default = {}
+}
diff --git a/lambda-function/README.md b/lambda-function/README.md
@@ -1,7 +1,5 @@
 # Lambda Function
 
-## About
-
 This module allows you to setup a Lambda function.
 
 ## Usage

diff --git a/lambda-layer/README.md b/lambda-layer/README.md
@@ -1,7 +1,5 @@
 # Lambda Layer
 
-## About
-
 This module allows you to setup a Lambda layer.
 
 ## Usage

diff --git a/ses-domain-identity/README.md b/ses-domain-identity/README.md
@@ -1,7 +1,5 @@
 # SES Domain Identity
 
-## About
-
 This module allows you to setup domain identification for SES with the following features:
 
 - Domain verification

diff --git a/sqs/README.md b/sqs/README.md
@@ -1,7 +1,5 @@
 # SQS
 
-## About
-
 This module allows you to setup an SQS queue:
 
 - Server-side encryption enabled by default (AWS-SSE)

diff --git a/static-site/README.md b/static-site/README.md
@@ -1,7 +1,5 @@
 # Static Site
 
-## About
-
 This module allows you to setup a static site with the following features:
 
 - S3 bucket for static content (secure, private access only via CloudFront OAC)