It's 100% Open Source and licensed under the APACHE2.
Sets up GuardDuty in the master account with trusted IP and threat lists, and can invite member accounts. Forked from [email protected]:QuiNovas/terraform-aws-guardduty.git
https://aws.amazon.com/guardduty/
No requirements.

Providers:

| Name | Version |
|---|---|
| aws | n/a |

No modules.

Resources:

| Name | Type |
|---|---|
| aws_guardduty_detector.master | resource |
| aws_guardduty_ipset.MyIPSet | resource |
| aws_guardduty_member.members | resource |
| aws_guardduty_organization_configuration.example | resource |
| aws_guardduty_threatintelset.MyThreatIntelSet | resource |
| aws_s3_bucket.guard_duty_lists | resource |
| aws_s3_bucket.logging | resource |
| aws_s3_bucket_logging.guard_duty_lists | resource |
| aws_s3_bucket_policy.guard_duty_lists | resource |
| aws_s3_bucket_public_access_block.guard_duty_lists | resource |
| aws_s3_bucket_public_access_block.logging | resource |
| aws_s3_bucket_server_side_encryption_configuration.guard_duty_lists | resource |
| aws_s3_bucket_server_side_encryption_configuration.logging | resource |
| aws_s3_bucket_versioning.guard_duty_lists | resource |
| aws_s3_object.MyIPSet | resource |
| aws_s3_object.MyThreatIntelSet | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.guard_duty_lists | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_name | The account name. Used as a prefix to name resources. | string | "" | no |
| enable | Enable/disable GuardDuty. Set enable to false to suspend monitoring and feedback reporting while keeping existing data. | bool | true | no |
| ip_set_active | Specifies whether GuardDuty is to start using the uploaded IPSet | string | false | no |
| ip_set_format | The format of the file that contains the IPSet. Valid values: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE | string | "TXT" | no |
| ip_set_list_path | The path of the IP safe list file | string | "" | no |
| kms_key | n/a | any | n/a | yes |
| log_bucket | Account-level log bucket id | string | n/a | yes |
| member_list | The list of member accounts to be added. Each member entry needs an account_id, a member_email and an invite boolean. | list(any) | [] | no |
| member_list_count | The count of members to be added to this master GuardDuty detector | string | 0 | no |
| mfa_delete | n/a | string | "Disabled" | no |
| threat_intel_list_path | The path of the threat intel file | string | "" | no |
| threat_intel_set_active | Specifies whether GuardDuty is to start using the uploaded ThreatIntelSet | string | false | no |
| threat_intel_set_format | The format of the file that contains the ThreatIntelSet. Valid values: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE | string | "TXT" | no |
Outputs:

| Name | Description |
|---|---|
| GuardDuty | The GuardDuty detector |
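A usage example wiring the inputs above together, added here and not taken from the module's own README or code; the module source path, KMS key, log bucket, list files and member accounts are constructed placeholders. Note that ip_set_active and threat_intel_set_active default to false, so an uploaded list is stored but not consulted by GuardDuty until they are set to true.

```hcl
# Added usage example (not the module's own code). All values are constructed.
module "guardduty_master" {
  source = "../terraform-aws-guardduty" # placeholder: path or URL of this module

  account_name = "secops-master"
  enable       = true

  # Account-level resources assumed to already exist outside this module.
  kms_key    = aws_kms_key.logs.arn   # hypothetical key used for bucket encryption
  log_bucket = "secops-master-logs"   # hypothetical bucket receiving S3 access logs
  mfa_delete = "Disabled"

  # Trusted IP list. TXT format is one IP address or CIDR per line.
  # *_active defaults to false: the list is uploaded but ignored until true.
  ip_set_list_path = "${path.module}/lists/trusted-ips.txt"
  ip_set_format    = "TXT"
  ip_set_active    = true

  # Threat intel list, same TXT layout as the IP set.
  threat_intel_list_path  = "${path.module}/lists/threat-intel.txt"
  threat_intel_set_format = "TXT"
  threat_intel_set_active = true

  # Member accounts to register; member_list_count must match the list length.
  # invite = false registers the member without sending an invitation email.
  member_list = [
    { account_id = "111111111111", member_email = "[email protected]", invite = true },
    { account_id = "222222222222", member_email = "[email protected]", invite = false },
  ]
  member_list_count = 2
}

# Expose the detector from the module's single output.
output "guardduty_detector" {
  value = module.guardduty_master.GuardDuty
}
```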
This is the IAM policy required to build this project. The Terraform resource required is:

```hcl
# Autogenerated by Pike from the module's IaC. It lists only the S3 actions
# needed for the list and logging buckets; the aws_guardduty_* resources above
# also need GuardDuty permissions (e.g. guardduty:CreateDetector) that this
# policy does not grant, and Resource "*" is broader than the two buckets the
# module creates.
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "VisualEditor0",
        "Effect" : "Allow",
        "Action" : [
          "s3:CreateBucket",
          "s3:DeleteBucket",
          "s3:DeleteObject",
          "s3:GetAccelerateConfiguration",
          "s3:GetBucketAcl",
          "s3:GetBucketCORS",
          "s3:GetBucketLogging",
          "s3:GetBucketObjectLockConfiguration",
          "s3:GetBucketPolicy",
          "s3:GetBucketPublicAccessBlock",
          "s3:GetBucketRequestPayment",
          "s3:GetBucketTagging",
          "s3:GetBucketVersioning",
          "s3:GetBucketWebsite",
          "s3:GetEncryptionConfiguration",
          "s3:GetLifecycleConfiguration",
          "s3:GetObject",
          "s3:GetObjectAcl",
          "s3:GetObjectTagging",
          "s3:GetReplicationConfiguration",
          "s3:ListBucket",
          "s3:PutBucketLogging",
          "s3:PutBucketPolicy",
          "s3:PutBucketPublicAccessBlock",
          "s3:PutBucketVersioning",
          "s3:PutEncryptionConfiguration",
          "s3:PutObject"
        ],
        "Resource" : "*"
      }
    ]
  })
}
```
Check out these related projects.
- terraform-aws-statebucket - Terraform S3 state buckets
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.