Adding GuardDuty RunTime Monitoring feature (#213)

* adding runtime monitoring feature

* json error fix

* adding ec2 agent management feature

* flake8 fixes

* more linting fixes

* updated changelog

* ami bakery linting fixes

* ami bakery isort linting fixes

---------

Co-authored-by: ievgeniia ieromenko <[email protected]>

CHANGELOG.md

@@ -3,6 +3,8 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2024-05-03](#2024-05-03)
+- [2024-04-15](#2024-04-15)
 - [2024-02-12](#2024-02-12)
 - [2024-02-09](#2024-02-09)
 - [2024-01-29](#2024-01-29)
@@ -51,6 +53,15 @@
 All notable changes to this project will be documented in this file.
 
 ---
+## 2024-05-03
+
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution to add Runtime Monitoring protection.
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution default setting to deploy in all enabled regions.
+
+## 2024-04-15
+
+- Updated [Common CFCT Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution to download the latest CfCT template.
+
 ## 2024-02-12
 
 - Added [AMI Bakery](aws_sra_examples/solutions/ami_bakery/ami_bakery_org) solution for AMI image management.

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -143,6 +143,10 @@ resources:
       # GuardDuty Solution
       - parameter_key: pDisableGuardDuty
         parameter_value: 'No'
+      - parameter_key: pGuardDutyCustomerGovernedRegionsOnly
+        parameter_value: 'false'
+      - parameter_key: pGuardDutyEnabledRegions
+        parameter_value: ''
       - parameter_key: pAutoEnableS3Logs
         parameter_value: 'true'
       - parameter_key: pAutoEnableKubernetesAuditLogs
@@ -151,10 +155,14 @@ resources:
         parameter_value: 'true'
       - parameter_key: pEnableRdsLoginEvents
         parameter_value: 'true'
-      - parameter_key: pEnableEksRuntimeMonitoring
+      - parameter_key: pEnableRuntimeMonitoring
         parameter_value: 'true'
       - parameter_key: pEnableEksAddonManagement
         parameter_value: 'true'
+      - parameter_key: pEnableEcsFargateAgentManagement
+        parameter_value: 'true'
+      - parameter_key: pEnableEc2AgentManagement
+        parameter_value: 'true'
       - parameter_key: pEnableLambdaNetworkLogs
         parameter_value: 'true'
       - parameter_key: pGuardDutyFindingPublishingFrequency

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -146,16 +146,21 @@ Metadata:
           default: GuardDuty Solution
         Parameters:
           - pDisableGuardDuty
+          - pGuardDutyCustomerGovernedRegionsOnly
+          - pGuardDutyEnabledRegions
           - pAutoEnableS3Logs
           - pAutoEnableKubernetesAuditLogs
           - pAutoEnableMalwareProtection
           - pEnableRdsLoginEvents
-          - pEnableEksRuntimeMonitoring
+          - pEnableRuntimeMonitoring
           - pEnableEksAddonManagement
+          - pEnableEcsFargateAgentManagement
+          - pEnableEc2AgentManagement
           - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
           - pGuardDutyOrgDeliveryBucketPrefix
           - pGuardDutyOrgDeliveryKeyAlias
+
       - Label:
           default: IAM Access Analyzer Solution
         Parameters:
@@ -316,10 +321,14 @@ Metadata:
         default: Auto Enable Malware Protection
       pEnableRdsLoginEvents:
         default: Auto enable RDS Login Events
-      pEnableEksRuntimeMonitoring:
-        default: Auto enable EKS Runtime Monitoring
+      pEnableRuntimeMonitoring:
+        default: Auto enable Runtime Monitoring
       pEnableEksAddonManagement:
         default: Auto enable EKS Add-on Management
+      pEnableEcsFargateAgentManagement:
+        default: Auto enable ECS Fargate Agent Management
+      pEnableEc2AgentManagement:
+        default: Auto enable EC2 Agent Management
       pEnableLambdaNetworkLogs:
         default: Auto enable Lambda Network Logs
       pBillingContactAction:
@@ -422,6 +431,10 @@ Metadata:
         default: (Optional) Exclude EC2 Default EBS Encryption Tags
       pExcludeS3BlockAccountPublicAccessTags:
         default: (Optional) Exclude S3 Block Account Public Access Tags
+      pGuardDutyCustomerGovernedRegionsOnly:
+        default: Enable GuardDuty in Customer Governed Regions Only
+      pGuardDutyEnabledRegions:
+        default: (Optional) Enabled Regions
       pFrequency:
         default: Frequency
       pGuarddutyEnabledForMoreThan48Hours:
@@ -753,16 +766,26 @@ Parameters:
     Default: 'true'
     Description: Auto enable RDS Login Events
     Type: String
-  pEnableEksRuntimeMonitoring:
+  pEnableRuntimeMonitoring:
     AllowedValues: ['true', 'false']
     Default: 'true'
-    Description: Auto enable EKS Runtime Monitoring
+    Description: Auto enable Runtime Monitoring
     Type: String
   pEnableEksAddonManagement:
     AllowedValues: ['true', 'false']
     Default: 'true'
     Description: Auto enable EKS Add-on Management
     Type: String
+  pEnableEcsFargateAgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable ECS Fargate Agent Management
+    Type: String
+  pEnableEc2AgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EC2 Agent Management
+    Type: String
   pEnableLambdaNetworkLogs:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -1058,6 +1081,21 @@ Parameters:
       '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"},
       ... ]. For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].'
     Type: String
+  pGuardDutyCustomerGovernedRegionsOnly:
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Indicates whether to enable GuardDuty in the customer's Goverened Regions only. Example - Control Tower regions, or Common Prerequisites regions.
+    Type: String
+  pGuardDutyEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Default: ''
+    Description:
+      (Optional) Enabled regions (AWS regions, separated by commas).
+    Type: String
+
   pFrequency:
     AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours]
     Default: 1hour
@@ -1704,6 +1742,15 @@ Rules:
     Assertions:
       - AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'."
         Assert: !Not [!Equals [!Ref pResourceTypes, '']]
+  CheckGuardDutyRuntimeEnabled:
+    RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false']
+    Assertions:
+      - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']]
+        AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']]
+        AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']]
+        AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled"
 
 Conditions:
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
@@ -2401,8 +2448,12 @@ Resources:
         pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
         pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
         pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
-        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pControlTowerRegionsOnly: !Ref pGuardDutyCustomerGovernedRegionsOnly
+        pEnabledRegions: !Ref pGuardDutyEnabledRegions
+        pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement
+        pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
         pDisableGuardDuty: !If [cDisableGuardDuty, true, false]

aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml

@@ -53,11 +53,15 @@ Metadata:
           default: GuardDuty
         Parameters:
           - pDisableGuardDuty
+          - pControlTowerRegionsOnly
+          - pEnabledRegions
           - pAutoEnableS3Logs
           - pAutoEnableKubernetesAuditLogs
           - pAutoEnableMalwareProtection
           - pEnableRdsLoginEvents
-          - pEnableEksRuntimeMonitoring
+          - pEnableRuntimeMonitoring
+          - pEnableEcsFargateAgentManagement
+          - pEnableEc2AgentManagement
           - pEnableEksAddonManagement
           - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
@@ -119,10 +123,14 @@ Metadata:
         default: pAutoEnableMalwareProtection
       pEnableRdsLoginEvents:
         default: pEnableRdsLoginEvents
-      pEnableEksRuntimeMonitoring:
-        default: pEnableEksRuntimeMonitoring
+      pEnableRuntimeMonitoring:
+        default: pEnableRuntimeMonitoring
       pEnableEksAddonManagement:
         default: pEnableEksAddonManagement
+      pEnableEcsFargateAgentManagement:
+        default: Auto enable ECS Fargate Agent Management
+      pEnableEc2AgentManagement:
+        default: Auto enable EC2 Agent Management
       pEnableLambdaNetworkLogs:
         default: pEnableLambdaNetworkLogs
       pGuardDutyFindingPublishingFrequency:
@@ -133,6 +141,10 @@ Metadata:
         default: pGuardDutyOrgDeliveryKeyAlias
       pCreateAWSControlTowerExecutionRole:
         default: Create AWS Control Tower Execution Role
+      pControlTowerRegionsOnly:
+        default: Control Tower Regions Only
+      pEnabledRegions:
+        default: (Optional) Enabled Regions
 
 Parameters:
   pSRAHelperBucketNamePrefix:
@@ -257,6 +269,19 @@ Parameters:
     Default: "1"
     Description: Random parameter
     Type: String
+  pControlTowerRegionsOnly:
+    Type: String
+    Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower)
+    Default: 'false'
+    AllowedValues: ['true', 'false']
+  pEnabledRegions:
+    AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$'
+    ConstraintDescription:
+      Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g.
+      us-east-1,ap-southeast-2)
+    Default: ''
+    Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
+    Type: String
 
 
   pCreateLambdaLogGroup:
@@ -292,16 +317,26 @@ Parameters:
     Default: 'true'
     Description: Auto enable RDS Login Events
     Type: String   
-  pEnableEksRuntimeMonitoring:
+  pEnableRuntimeMonitoring:
     AllowedValues: ['true', 'false']
     Default: 'true'
-    Description: Auto enable EKS Runtime Monitoring
+    Description: Auto enable Runtime Monitoring
     Type: String   
   pEnableEksAddonManagement:
     AllowedValues: ['true', 'false']
     Default: 'true'
     Description: Auto enable EKS Add-on Management
     Type: String
+  pEnableEcsFargateAgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable ECS Fargate Agent Management
+    Type: String
+  pEnableEc2AgentManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EC2 Agent Management
+    Type: String
   pEnableLambdaNetworkLogs:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -331,6 +366,17 @@ Parameters:
     Description: (Optional) Email address for receiving SRA alarms
     Type: String
 
+Rules:
+  CheckGuardDutyRuntimeEnabled:
+    RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false']
+    Assertions:
+      - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']]
+        AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']]
+        AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled"
+      - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']]
+        AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled"
+
 Conditions:
   cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']]
   cUseGraviton: !Or
@@ -1125,8 +1171,10 @@ Resources:
         pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
         pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
         pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
-        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring
         pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement
+        pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement
         pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup
         pDisableGuardDuty: !Ref pDisableGuardDuty
@@ -1145,6 +1193,8 @@ Resources:
         pSecurityAccountId: !Ref pSecurityAccountId
         pLogArchiveAccountId: !Ref pLogArchiveAccountId
         pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole
+        pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
+        pEnabledRegions: !Ref pEnabledRegions
 
 Outputs:
   oPublishingDestinationBucketName: