From 7c51f5736a971d3a1cb9f194edfbfe951b83ff90 Mon Sep 17 00:00:00 2001
From: Khai Do <3697686+zaro0508@users.noreply.github.com>
Date: Tue, 3 Dec 2024 14:19:13 -0800
Subject: [PATCH] [IT-3951] Fix guardduty container (#6)

We enable guardduty security monitoring for ECS in every account. For that to work we need to give Fragate tasks access to do ECS stuff with the service-role/AmazonECSTaskExecutionRolePolicy[1]. [1] https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
---
 src/service_stack.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/service_stack.py b/src/service_stack.py
index 26775a3..19319b7 100644
--- a/src/service_stack.py
+++ b/src/service_stack.py
@@ -58,6 +58,28 @@ def __init__(
 )
 )
 
+ # default ECS execution policy plus Guardduty access
+ execution_role = iam.Role(
+ self,
+ "ExecutionRole",
+ assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+ managed_policies=[
+ iam.ManagedPolicy.from_aws_managed_policy_name(
+ "service-role/AmazonECSTaskExecutionRolePolicy"
+ ),
+ ],
+ )
+ execution_role.add_to_policy(
+ iam.PolicyStatement(
+ actions=[
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ],
+ resources=["*"],
+ effect=iam.Effect.ALLOW,
+ )
+ )
+
 # ECS task with fargate
 self.task_definition = ecs.FargateTaskDefinition(
 self,
@@ -65,6 +87,7 @@ def __init__(
 cpu=1024,
 memory_limit_mib=4096,
 task_role=task_role,
+ execution_role=execution_role,
 )
 
 image = ecs.ContainerImage.from_registry(props.container_location)
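Review bot: The inline statement added via `execution_role.add_to_policy(...)` grants `logs:CreateLogStream` and `logs:PutLogEvents` on `resources=["*"]`, which `service-role/AmazonECSTaskExecutionRolePolicy` attached a few lines above already grants on every resource, so the statement adds nothing but a second wildcard grant for audits and policy scanners to flag. Either drop the `add_to_policy` call, or, if the intent is to be explicit about where this task may write, scope `resources` to the ARN of the task's log group (not visible in this hunk) rather than `"*"`. The comment `# default ECS execution policy plus Guardduty access` also overstates what the role contains: nothing in the hunk names GuardDuty, and the prerequisite doc linked in the commit message presumably requires the managed policy only so the Fargate task can pull the GuardDuty agent, so a more accurate comment would be `# Execution role: the managed ECS execution policy also satisfies the GuardDuty ECS runtime-monitoring prerequisite (IT-3951)`. The enclosing `__init__` starts before the first hunk and continues after the second.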