diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
index 9ba901e4..56ad168b 100644
--- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
@@ -314,3 +314,30 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None:
 except Exception:
 LOGGER.exception(UNEXPECTED)
 raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+ """Lambda Handler.
+
+ Args:
+ event: event data
+ context: runtime information
+
+ Raises:
+ ValueError: Unexpected error executing Lambda function
+ """
+ LOGGER.info("....Lambda Handler Started....")
+ event_info = {"Event": event}
+ LOGGER.info(event_info)
+ try:
+ if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+ raise ValueError(
+ f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details."
+ ) from None
+ elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns":
+ process_sns_records(event["Records"])
+ elif "RequestType" in event:
+ process_cloudformation_event(event, context)
+ except Exception:
+ LOGGER.exception(UNEXPECTED)
+ raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf
index f6988e0f..3fc18857 100644
--- a/aws_sra_examples/terraform/common/main.tf
+++ b/aws_sra_examples/terraform/common/main.tf
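Review bot: The guard in terraform_handler's `if` is inverted: `("source" not in event and event["source"] != "aws.controltower")` only reaches `event["source"]` when the key is absent, so the surrounding `try` turns the KeyError into the UNEXPECTED ValueError, while an event that does carry `source` makes the whole condition false and then matches no `elif`, so it is silently dropped. `if "Records" not in event and "RequestType" not in event and event.get("source") != "aws.controltower":` expresses the intent, and a branch that actually handles the Control Tower event (or a comment stating it is deliberately a no-op) is still missing. The `from None` on the raise inside the `if` is not in an `except` and has no effect. The body otherwise repeats lambda_handler, whose tail is the context above, and `LOGGER.info(event_info)` writes the whole inbound event to CloudWatch; the docstring should at least say why a second handler exists, e.g. `"""Lambda handler for the Terraform invocation path; accepts SNS, CloudFormation and Control Tower events."""`, with the invoking side presumably being the aws_lambda_invocation resource changed in this commit.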
@@ -132,7 +132,9 @@ resource "local_file" "config_file_creation" {
 enable_kubernetes_audit_logs = true
 enable_malware_protection = true
 enable_rds_login_events = true
- enable_eks_runtime_monitoring = true
+ enable_runtime_monitoring = true
+ enable_ecs_fargate_agent_management = true
+ enable_ec2_agent_management = true
 enable_eks_addon_management = true
 enable_lambda_network_logs = true
 guardduty_control_tower_regions_only = true
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
index b10152f2..c16f74ca 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
@@ -26,7 +26,9 @@ resource "aws_lambda_invocation" "lambda_invoke" {
 "ENABLE_EKS_AUDIT_LOGS" : "${var.enable_kubernetes_audit_logs}",
 "AUTO_ENABLE_MALWARE_PROTECTION" : "${var.enable_malware_protection}",
 "ENABLE_RDS_LOGIN_EVENTS" : "${var.enable_rds_login_events}",
- "ENABLE_EKS_RUNTIME_MONITORING" : "${var.enable_eks_runtime_monitoring}",
+ "ENABLE_RUNTIME_MONITORING" : "${var.enable_runtime_monitoring}",
+ "ENABLE_ECS_FARGATE_AGENT_MANAGEMENT": "${var.enable_ecs_fargate_agent_management}",
+ "ENABLE_EC2_AGENT_MANAGEMENT": "${var.enable_ec2_agent_management}",
 "ENABLE_EKS_ADDON_MANAGEMENT" : "${var.enable_eks_addon_management}",
 "ENABLE_LAMBDA_NETWORK_LOGS" : "${var.enable_lambda_network_logs}",
 }
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
index ec55c2f0..0ed15881 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
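Review bot: The two new keys in the invoke.tf payload drop the space before the colon that every other key in this map uses; `"ENABLE_ECS_FARGATE_AGENT_MANAGEMENT" : "${var.enable_ecs_fargate_agent_management}",` and `"ENABLE_EC2_AGENT_MANAGEMENT" : "${var.enable_ec2_agent_management}",` keep the block uniform, since this is inside a string payload that formatters do not normalize. The enclosing `aws_lambda_invocation` resource starts before the hunk. The renamed key `ENABLE_RUNTIME_MONITORING` and the two new ones are only useful if the Lambda in app.py reads exactly these names; that lookup is not part of this change, so it should be confirmed that the Python side was renamed to match.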
@@ -58,6 +58,16 @@ data "aws_iam_policy_document" "sra_guardduty_org_policy_cloudformation" {
 }
 }
 
+data "aws_iam_policy_document" "sra_guardduty_org_policy_acct" {
+ #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+ statement {
+ sid = "AcctListRegions"
+ effect = "Allow"
+ actions = ["account:ListRegions"]
+ resources = ["*"]
+ }
+}
+
 data "aws_iam_policy_document" "sra_guardduty_org_policy_ssm_access" {
 statement {
 sid = "SSMAccess"
@@ -233,6 +243,11 @@ resource "aws_iam_policy" "sra_guardduty_org_policy_cloudformation" {
 policy = data.aws_iam_policy_document.sra_guardduty_org_policy_cloudformation.json
 }
 
+resource "aws_iam_policy" "sra_guardduty_org_policy_acct" {
+ name = "sra-guardduty-org-policy-acct"
+ policy = data.aws_iam_policy_document.sra_guardduty_org_policy_acct.json
+}
+
 resource "aws_iam_policy" "sra_guardduty_org_policy_ssm_access" {
 name = "ssm-access"
 policy = data.aws_iam_policy_document.sra_guardduty_org_policy_ssm_access.json
@@ -283,6 +298,12 @@ resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_cloudf
 policy_arn = aws_iam_policy.sra_guardduty_org_policy_cloudformation.arn
 }
 
+resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_acct" {
+ name = "sra-guardduty-org-policy-attachment-acct"
+ roles = [aws_iam_role.guardduty_lambda_role.name]
+ policy_arn = aws_iam_policy.sra_guardduty_org_policy_acct.arn
+}
+
 resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_ssm_access" {
 name = "sra-guardduty-org-policy-attachment-ssm-access"
 roles = [aws_iam_role.guardduty_lambda_role.name]
@@ -465,4 +486,4 @@ resource "aws_sns_topic_subscription" "guardduty_dlq_alarm_subscription" {
 topic_arn = aws_sns_topic.guardduty_dlq_alarm_topic[0].arn
 protocol = "email"
 endpoint = var.sra_alarm_email
-}
\ No newline at end of file
+}
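Review bot: The new `sra_guardduty_org_policy_acct` statement grants `account:ListRegions` on `resources = ["*"]` and suppresses CKV_AWS_356 by repeating the checker's generic description instead of giving a reason. If the Lambda only lists regions for the account it runs in, check whether the action's account-level resource type allows scoping the statement to that account; if `*` really is required, the skip comment should state that, e.g. `#checkov:skip=CKV_AWS_356: ListRegions is called only for the executing account and cannot be scoped below "*"` (wording to be confirmed against the service authorization reference). Note also that `aws_iam_policy_attachment` is exclusive: it detaches the policy from any principal not listed in `roles`, which is why `aws_iam_role_policy_attachment` is the usual choice for attaching one policy to one role; the existing attachments in this file follow the same pattern, so this is a file-wide point rather than one introduced here.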
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
index dae5c2e2..25220185 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
@@ -125,11 +125,21 @@ variable "enable_rds_login_events" {
 type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
 description = "Auto enable EKS Runtime Monitoring"
 type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+ description = "Auto enable ECS Fargate Agent Management"
+ type = string
+}
+
+variable "enable_ec2_agent_management" {
+ description = "Auto EC2 Agent Management"
+ type = string
+}
+
 variable "enable_eks_addon_management" {
 description = "Auto enable EKS Add-on Management"
 type = string
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/main.tf
index 38811947..98edf42a 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/main.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/main.tf
@@ -77,7 +77,9 @@ module "guardduty_configuration" {
 enable_kubernetes_audit_logs = var.enable_kubernetes_audit_logs
 enable_malware_protection = var.enable_malware_protection
 enable_rds_login_events = var.enable_rds_login_events
- enable_eks_runtime_monitoring = var.enable_eks_runtime_monitoring
+ enable_runtime_monitoring = var.enable_runtime_monitoring
+ enable_ecs_fargate_agent_management = var.enable_ecs_fargate_agent_management
+ enable_ec2_agent_management = var.enable_ec2_agent_management
 enable_eks_addon_management = var.enable_eks_addon_management
 enable_lambda_network_logs = var.enable_lambda_network_logs
 finding_publishing_frequency = var.finding_publishing_frequency
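Review bot: The description of the renamed variable is stale: `enable_eks_runtime_monitoring` became `enable_runtime_monitoring` (with the environment key `ENABLE_RUNTIME_MONITORING` in invoke.tf), which signals the setting is no longer EKS-specific, yet the context line still reads `description = "Auto enable EKS Runtime Monitoring"`; suggest `description = "Auto enable GuardDuty Runtime Monitoring"`. The new `enable_ec2_agent_management` block says `description = "Auto EC2 Agent Management"`, missing the word "enable" that its siblings use; `description = "Auto enable EC2 Agent Management"` matches them. The same two descriptions recur verbatim in the `guard_duty/variables.tf` and `solutions/variables.tf` hunks below and should be corrected in all three places together. These flags are declared `type = string` while the config file feeds them `true`; that matches the surrounding variables, so a switch to `bool` belongs in a separate change.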
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/variables.tf b/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
index d07600a0..591502df 100644
--- a/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
@@ -57,11 +57,21 @@ variable "enable_rds_login_events" {
 type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
 description = "Auto enable EKS Runtime Monitoring"
 type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+ description = "Auto enable ECS Fargate Agent Management"
+ type = string
+}
+
+variable "enable_ec2_agent_management" {
+ description = "Auto EC2 Agent Management"
+ type = string
+}
+
 variable "enable_eks_addon_management" {
 description = "Auto enable EKS Add-on Management"
 type = string
diff --git a/aws_sra_examples/terraform/solutions/main.tf b/aws_sra_examples/terraform/solutions/main.tf
index 91624bce..637ae028 100644
--- a/aws_sra_examples/terraform/solutions/main.tf
+++ b/aws_sra_examples/terraform/solutions/main.tf
@@ -42,7 +42,9 @@ module "guard_duty" {
 enable_kubernetes_audit_logs = var.enable_kubernetes_audit_logs
 enable_malware_protection = var.enable_malware_protection
 enable_rds_login_events = var.enable_rds_login_events
- enable_eks_runtime_monitoring = var.enable_eks_runtime_monitoring
+ enable_runtime_monitoring = var.enable_runtime_monitoring
+ enable_ecs_fargate_agent_management = var.enable_ecs_fargate_agent_management
+ enable_ec2_agent_management = var.enable_ec2_agent_management
 enable_eks_addon_management = var.enable_eks_addon_management
 enable_lambda_network_logs = var.enable_lambda_network_logs
 finding_publishing_frequency = var.finding_publishing_frequency
diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf
index c52aa830..cbbd67e3 100644
--- a/aws_sra_examples/terraform/solutions/variables.tf
+++ b/aws_sra_examples/terraform/solutions/variables.tf
@@ -152,11 +152,21 @@ variable "enable_rds_login_events" {
 type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
 description = "Auto enable EKS Runtime Monitoring"
 type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+ description = "Auto enable ECS Fargate Agent Management"
+ type = string
+}
+
+variable "enable_ec2_agent_management" {
+ description = "Auto EC2 Agent Management"
+ type = string
+}
+
 variable "enable_eks_addon_management" {
 description = "Auto enable EKS Add-on Management"
 type = string