diff --git a/security/iam-analyzer/main.tf b/security/iam-analyzer/main.tf
new file mode 100644
index 0000000..9496755
--- /dev/null
+++ b/security/iam-analyzer/main.tf
@@ -0,0 +1,4 @@
+resource "aws_accessanalyzer_analyzer" "example" {
+ analyzer_name = var.name
+ tags = var.tags
+}
diff --git a/security/iam-analyzer/variables.tf b/security/iam-analyzer/variables.tf
new file mode 100644
index 0000000..95939d1
--- /dev/null
+++ b/security/iam-analyzer/variables.tf
@@ -0,0 +1,9 @@
+variable "name" {
+ default = "ctay-iam-analyzer"
+}
+
+variable "tags" {
+ default = {}
+ type = map
+ description = "Optional tag mapping to apply to the infrastructure"
+}
diff --git a/security/securityhub/main.tf b/security/securityhub/main.tf
new file mode 100644
index 0000000..4d8c987
--- /dev/null
+++ b/security/securityhub/main.tf
@@ -0,0 +1,7 @@
+resource "aws_securityhub_account" "main" {}
+
+resource "aws_securityhub_standards_subscription" "cis" {
+ standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+
+ depends_on = [aws_securityhub_account.main]
+}
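Review bot: The `aws_accessanalyzer_analyzer` resource sets no `type`, so the provider's default of an account-scoped analyzer applies and the scope never appears in the module's interface; for a module under `security/` that should be an explicit, documented choice, e.g. `type = var.type` backed by a variable in variables.tf that defaults to `"ACCOUNT"` and notes that `"ORGANIZATION"` is only valid when applied from the delegated administrator account. The resource label `example` reads as copied from the provider documentation; `main` would match the `aws_securityhub_account.main` naming used in the sibling module. Consider a one-line comment above the resource stating what the analyzer reports on, such as `# Reports resources in this account whose policies grant access to external principals.`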
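Review bot: In variables.tf the `tags` variable uses `type = map`, the legacy bare-keyword shorthand for `map(any)` that current Terraform releases flag as deprecated; `type = map(string)` is the supported form and also rejects nested values that the `tags` argument cannot accept. The `name` variable has neither `type` nor `description`, unlike `tags`; adding `type = string` and a description of where the name is used (it becomes `analyzer_name` in main.tf) makes the two blocks consistent. Placing `type` before `default` in both blocks is the usual ordering but cosmetic.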
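Review bot: In securityhub/main.tf the standard ARN is hard-coded to CIS 1.2.0 with no comment recording why that version was chosen, and the CIS controls only produce findings once AWS Config is recording resources in the same account and region, which nothing in this module enables or documents. Lift the ARN into a `standards_arn` variable whose default is the current value, and add a comment above the subscription such as `# CIS controls evaluate via AWS Config; findings stay empty until Config recording is enabled in this region.` Depending on the provider version, `aws_securityhub_account` may also enable Security Hub's default standards on its own, so the explicit `cis` subscription can overlap with them; setting that behaviour explicitly on the account resource would make the effective set of standards deterministic.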