From ec59785b37180d224a60082e0d4639b92d56acf8 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Mon, 2 Dec 2024 16:37:12 -0800
Subject: [PATCH] [IT-3951] Fix guardduty container

We enable guardduty security monitoring for ECS in every account. For that to work we need to give the Fragate task execution role access to do ECS stuff with the service-role/AmazonECSTaskExecutionRolePolicy[1].
[1] https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
---
 src/service_stack.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/service_stack.py b/src/service_stack.py
index 26775a3..19319b7 100644
--- a/src/service_stack.py
+++ b/src/service_stack.py
@@ -58,6 +58,28 @@ def __init__(
             )
         )
 
+        # default ECS execution policy plus Guardduty access
+        execution_role = iam.Role(
+            self,
+            "ExecutionRole",
+            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name(
+                    "service-role/AmazonECSTaskExecutionRolePolicy"
+                ),
+            ],
+        )
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=[
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                ],
+                resources=["*"],
+                effect=iam.Effect.ALLOW,
+            )
+        )
+
         # ECS task with fargate
         self.task_definition = ecs.FargateTaskDefinition(
             self,
@@ -65,6 +87,7 @@ def __init__(
             cpu=1024,
             memory_limit_mib=4096,
             task_role=task_role,
+            execution_role=execution_role,
         )
 
         image = ecs.ContainerImage.from_registry(props.container_location)
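Review bot: The inline statement added through `execution_role.add_to_policy(...)` grants `logs:CreateLogStream` and `logs:PutLogEvents` on `resources=["*"]`, which as far as I recall is already contained in the `AmazonECSTaskExecutionRolePolicy` attached a few lines above, so it adds no capability and only leaves a second, unscoped wildcard grant for a reviewer to reason about. If a separate log grant is really wanted, scope it to the task's log group (for example `resources=[log_group.log_group_arn + ":*"]`, assuming a log group is created elsewhere in this stack — it is not visible in the hunk); otherwise drop the statement and let the managed policy carry it, which also makes the explicit `effect=iam.Effect.ALLOW` (the default) unnecessary. The comment `# default ECS execution policy plus Guardduty access` is misleading because nothing in the statement is GuardDuty-specific; I would reword it to `# Execution role with the AWS-managed ECS task execution policy (ECR pull + CloudWatch Logs), which the GuardDuty ECS runtime-monitoring prerequisites require`. The enclosing `__init__` starts and ends outside this hunk.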