terraform-aws-guardduty's Introduction

Terraform Module for AWS GuardDuty

Terraform module that creates AWS GuardDuty resources.

Usage

Standalone

module "guardduty" {
  source = "aws-ia/terraform-aws-guardduty/aws"

  replica_region               = "us-east-1"
  enable_guardduty             = true
  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  filter_config = [{
    name        = "guardduty_filter"
    description = "AWS GuardDuty example filter."
    rank        = 1
    action      = "ARCHIVE"
    criterion = [
      {
        field  = "region"
        equals = ["us-west-2"]
      },
      {
        field      = "service.additionalInfo.threatListName"
        not_equals = ["some-threat", "another-threat"]
      },
      {
        field        = "updatedAt"
        greater_than = "2023-01-01T00:00:00Z"
        less_than    = "2023-12-31T23:59:59Z"
      },
      {
        field                 = "severity"
        greater_than_or_equal = "4"
      }
    ]
  }]

  ipset_config = [{
    activate = false
    name     = "DefaultGuardDutyIPSet"
    format   = "TXT"
    content  = "10.0.0.0/8\n"
    key      = "DefaultGuardDutyIPSet"
  }]

  threatintelset_config = [{
    activate   = false
    name       = "DefaultGuardThreatIntelSet"
    format     = "TXT"
    content    = "1.10.16.0/20\n1.19.0.0/16\n"
    key        = "DefaultGuardThreatIntelSet"
    object_acl = "public-read"
  }]
  publish_to_s3        = true
  guardduty_bucket_acl = "private"
  tags                 = {}
}
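To see what the filter_config above actually archives, here is an added Python evaluator (example code, not part of the aws-ia module) that applies the same four criterion blocks to a few constructed findings. It assumes the GuardDuty filter model in which every criterion block must match and `equals` matches any listed value, and it treats a finding that lacks the field as a non-match.

```python
from datetime import datetime
# Mirrors the filter_config criterion list of the Standalone usage example above.
FILTER = {"name": "guardduty_filter", "action": "ARCHIVE", "criterion": [
    {"field": "region", "equals": ["us-west-2"]},
    {"field": "service.additionalInfo.threatListName", "not_equals": ["some-threat", "another-threat"]},
    {"field": "updatedAt", "greater_than": "2023-01-01T00:00:00Z", "less_than": "2023-12-31T23:59:59Z"},
    {"field": "severity", "greater_than_or_equal": "4"},
]}

# Constructed findings (not real GuardDuty output), trimmed to the fields the filter reads.
def finding(fid, region, severity, updated_at, threat_list):
    return {"id": fid, "region": region, "severity": severity, "updatedAt": updated_at,
            "service": {"additionalInfo": {"threatListName": threat_list}}}

FINDINGS = [
    finding("f1", "us-west-2", 5, "2023-06-01T12:00:00Z", "DefaultGuardThreatIntelSet"),  # archived
    finding("f2", "us-west-2", 8, "2023-06-01T12:00:00Z", "some-threat"),  # kept: hits not_equals
    finding("f4", "us-west-2", 4, "2023-06-01T12:00:00Z", "x"),            # archived: severity >= 4
    finding("f5", "us-west-2", 7, "2024-02-01T00:00:00Z", "x"),            # kept: updatedAt too late
]

def lookup(doc, dotted):
    """Resolve a dotted field path such as service.additionalInfo.threatListName."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def as_comparable(value):
    """Numbers compare numerically; RFC 3339 timestamps compare as datetimes."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
RANGE_OPS = {"greater_than": lambda a, b: a > b, "greater_than_or_equal": lambda a, b: a >= b,
             "less_than": lambda a, b: a < b, "less_than_or_equal": lambda a, b: a <= b}

def criterion_matches(doc, crit):
    """equals matches any listed value, not_equals rejects any listed value, range operators must all hold."""
    actual = lookup(doc, crit["field"])
    if actual is None:
        return False  # assumption: a finding without the field does not satisfy the criterion
    if "equals" in crit and str(actual) not in crit["equals"]:
        return False
    if "not_equals" in crit and str(actual) in crit["not_equals"]:
        return False
    return all(op(as_comparable(actual), as_comparable(crit[k])) for k, op in RANGE_OPS.items() if k in crit)

def filter_action(doc, flt=FILTER):
    """The filter's action (ARCHIVE or NOOP) when every criterion block matches, else None."""
    return flt["action"] if all(criterion_matches(doc, c) for c in flt["criterion"]) else None
```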

Organizations

module "delegated_admin" {
  source = "aws-ia/terraform-aws-guardduty/aws//modules/organizations_admin"

  admin_account_id                 = data.aws_caller_identity.current.account_id
  auto_enable_organization_members = "ALL"
  guardduty_detector_id            = module.guardduty_detector.guardduty_detector.id

  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
}

module "guardduty_detector" {
  source = "aws-ia/terraform-aws-guardduty/aws"

  enable_guardduty = true

  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  tags                         = {}
}

Overview Diagrams

Standalone

standalone-diagram

Organizations

organizations-diagram

Terraform Module

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.47 |
| random | >= 3.4 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.47 |
| aws.replica | >= 4.47 |
| random | >= 3.4 |

Modules

| Name | Source | Version |
|------|--------|---------|
| log_bucket | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
| replica_bucket | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
| s3_bucket | terraform-aws-modules/s3-bucket/aws | 3.14.0 |

Resources

| Name | Type |
|------|------|
| aws_guardduty_detector.primary | resource |
| aws_guardduty_filter.this | resource |
| aws_guardduty_ipset.this | resource |
| aws_guardduty_publishing_destination.this | resource |
| aws_guardduty_threatintelset.this | resource |
| aws_iam_policy.bucket_replication | resource |
| aws_iam_role.bucket_replication | resource |
| aws_iam_role_policy_attachment.replication | resource |
| aws_kms_key.guardduty_key | resource |
| aws_kms_key.replica_key | resource |
| aws_s3_object.ipset_object | resource |
| aws_s3_object.threatintelset_object | resource |
| random_string.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.bucket_replication | data source |
| aws_iam_policy_document.bucket_replication_assume_role | data source |
| aws_iam_policy_document.guardduty_bucket_policy | data source |
| aws_iam_policy_document.guardduty_kms_policy | data source |
| aws_iam_policy_document.guardduty_replica_bucket_policy | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enable_guardduty | Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending' GuardDuty. Defaults to true. | bool | true | no |
| enable_kubernetes_protection | Configure and enable Kubernetes audit logs as a data source for Kubernetes protection. Defaults to true. | bool | true | no |
| enable_malware_protection | Configure and enable Malware Protection as a data source for EC2 instances with findings for the detector. Defaults to true. | bool | true | no |
| enable_s3_protection | Configure and enable S3 protection. Defaults to true. | bool | true | no |
| enable_snapshot_retention | Enable EBS snapshot retention for 30 days if any findings exist. Defaults to false. | bool | false | no |
| filter_config | Specifies the AWS GuardDuty filter configuration. `name` - the name of the filter. `rank` - the position of the filter in the list of current filters, which is also the order in which this filter is applied to the findings. `action` - the action applied to the findings that match the filter; one of ARCHIVE or NOOP. `criterion` - configuration block for finding_criteria, composed of a `field` and one or more of the operators equals, not_equals, greater_than, greater_than_or_equal, less_than, less_than_or_equal. | list(object({ name = string, description = optional(string), rank = number, action = string, criterion = list(object({ field = string, equals = optional(list(string)), not_equals = optional(list(string)), greater_than = optional(string), greater_than_or_equal = optional(string), less_than = optional(string), less_than_or_equal = optional(string) })) })) | null | no |
| finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. Defaults to SIX_HOURS. | string | "FIFTEEN_MINUTES" | no |
| guardduty_bucket_acl | Canned ACL to apply to the bucket. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control. Defaults to null. | string | null | no |
| guardduty_s3_bucket | Name of the S3 bucket for GuardDuty. Defaults to null. | string | null | no |
| ipset_config | Specifies the AWS GuardDuty IPSet configuration. `activate` - whether GuardDuty is to start using the uploaded IPSet. `name` - the friendly name to identify the IPSet. `format` - the format of the file that contains the IPSet; valid values: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. `content` - literal string value to use as the object content, uploaded as UTF-8-encoded text; example: `10.0.0.0/8\n`. `key` - name of the object once it is in the bucket. | list(object({ activate = bool, name = string, format = string, content = string, key = string })) | null | no |
| publish_to_s3 | Specifies whether the Amazon GuardDuty findings should be exported to S3. Defaults to false. | bool | false | no |
| publishing_config | Defines the findings publishing configuration. | list(object({ destination_arn = string, kms_key_arn = string, destination_type = optional(string) })) | `[{ "destination_arn": null, "destination_type": "S3", "kms_key_arn": null }]` | no |
| replica_region | Region where S3 bucket data from Amazon GuardDuty will be replicated. Defaults to null. | string | null | no |
| tags | Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. Defaults to {}. | map(any) | {} | no |
| threatintelset_config | Specifies the AWS GuardDuty ThreatIntelSet configuration. `activate` - whether GuardDuty is to start using the uploaded ThreatIntelSet. `name` - the friendly name to identify the ThreatIntelSet. `format` - the format of the file that contains the ThreatIntelSet; valid values: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. `content` - literal string value to use as the object content, uploaded as UTF-8-encoded text; example: `10.0.0.0/8\n`. `key` - name of the object once it is in the bucket. `object_acl` - canned ACL to apply to the object; valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control. | list(object({ activate = bool, name = string, format = string, content = string, key = string, object_acl = string })) | null | no |
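Because ipset_config and threatintelset_config take the list body as a literal `content` string, checking that string before `terraform apply` is cheap. The following is an added Python example (not the module's own code) that parses TXT-format content, rejects malformed lines, and flags any trusted IPSet entry that overlaps a ThreatIntelSet entry; GuardDuty does not generate findings for addresses on a trusted IP list, so such an overlap quietly masks the threat list. The sample content strings are constructed from the usage example above.

```python
import ipaddress

# Constructed content strings with the shape of the ipset_config / threatintelset_config
# `content` inputs: one IPv4 address or CIDR per line, newline-terminated (TXT format).
IPSET_CONTENT = "10.0.0.0/8\n"
THREATINTELSET_CONTENT = "1.10.16.0/20\n1.19.0.0/16\n"

def parse_txt_list(content):
    """Parse TXT-format list content into networks, raising ValueError on a malformed line.
    strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/8); a bare address becomes a /32."""
    networks = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: a trailing or stray blank line is harmless
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not a valid address or CIDR ({exc})") from exc
    return networks

def overlapping(trusted, threats):
    """(trusted, threat) pairs that overlap. GuardDuty does not generate findings for addresses
    on a trusted IP list, so an overlap silently masks traffic the threat list was meant to catch."""
    return [(t, x) for t in trusted for x in threats if t.overlaps(x)]

def validate_sets(ipset_content, threatintelset_content):
    """Report on both list bodies as the module would upload them to the GuardDuty bucket."""
    trusted = parse_txt_list(ipset_content)
    threats = parse_txt_list(threatintelset_content)
    return {
        "trusted": [str(n) for n in trusted],
        "threats": [str(n) for n in threats],
        "overlaps": [(str(a), str(b)) for a, b in overlapping(trusted, threats)],
        # the usage example ends each body with "\n"; keep that so the last entry is a full line
        "newline_terminated": ipset_content.endswith("\n") and threatintelset_content.endswith("\n"),
    }
```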

Outputs

| Name | Description |
|------|-------------|
| guardduty_detector | AWS GuardDuty Detector. |
| guardduty_filter | AWS GuardDuty Findings Filters definition. |
| guardduty_ipset | AWS GuardDuty trusted IPSet configuration. |
| guardduty_kms_key | Amazon KMS Key created to encrypt AWS GuardDuty's S3 Bucket. |
| guardduty_kms_replica_key | Amazon KMS Key created to encrypt AWS GuardDuty's S3 Replica Bucket. |
| guardduty_log_bucket | Amazon S3 Log Bucket created for AWS GuardDuty. |
| guardduty_publishing | AWS GuardDuty Publishing destination to export findings. |
| guardduty_replica_bucket | Amazon S3 Replica Bucket created for AWS GuardDuty. |
| guardduty_s3_bucket | Amazon S3 Bucket created for AWS GuardDuty. |
| guardduty_threatintelset | AWS GuardDuty known ThreatIntelSet configuration. |

terraform-aws-guardduty's People

Contributors

rodrigobersa, tbulding

terraform-aws-guardduty's Issues

The request is rejected because an invalid or out-of-range value is specified as an input parameter

I am experiencing an issue where the organizations_admin module fails with a weird and misleading error at the resource 'aws_guardduty_organization_configuration'.

I believe that the resource 'aws_guardduty_organization_configuration' fails to apply due to missing depends_on for resource 'aws_guardduty_organization_admin_account'.

│ Error: updating GuardDuty Organization Configuration (8c7c91f6dfe7464da1a2aa1c408013d7): BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "0c26485a-b1eb-490e-9615-9fe57806550c"
│   },
│   Message_: "The request is rejected because an invalid or out-of-range value is specified as an input parameter.",
│   Type: "InvalidInputException"
│ }

After investigating and adding the depends_on for the aws_guardduty_organization_configuration resource locally, the issue is resolved.

I will be happy to contribute and open a PR if needed. Cheers.

Issue delegating admin account

I am attempting to import manually created settings and manage them using this module. I am running into an issue where I am unable to import the guardduty admin account.

Here is the config.

  ...
  admin_account_id = data.aws_caller_identity.current.account_id

  auto_enable_organization_members = "NEW"

  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_s3_protection         = true

  guardduty_detector_id = module.guardduty_detector.guardduty_detector.id
  ...

Here is the error.

terragrunt import 'aws_guardduty_organization_admin_account.this[0]' '1234567890'
aws_guardduty_organization_admin_account.this[0]: Importing from ID "1234567890"...
aws_guardduty_organization_admin_account.this[0]: Import prepared!
  Prepared aws_guardduty_organization_admin_account for import
aws_guardduty_organization_admin_account.this[0]: Refreshing state... [id=1234567890]
╷
│ Error: reading GuardDuty Organization Admin Account (1234567890): BadRequestException: The request failed because you are not the master account for your AWS Organization.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "e2db002a-e1d1-49af-93b9-cc4bde0b146f"
│   },
│   Message_: "The request failed because you are not the master account for your AWS Organization.",
│   Type: "InvalidInputException"
│ }

I am not seeing a way in this module to skip the admin account resource creation and only import the org configuration, which I was able to import successfully. The account was delegated via the root account originally but I would like to manage all the config in the delegated account. Hopefully I am missing something?
