From e9dcb5674c695cffaa0233e0ebe6f6aecb60535d Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Sun, 24 Mar 2024 11:12:33 -0400 Subject: [PATCH 1/8] adding runtime monitoring feature --- .../manifest.yaml | 8 +- .../easy_setup/templates/sra-easy-setup.yaml | 52 +++- .../sra-guardduty-org-module-main.yaml | 51 +++- .../templates/sra-guardduty-org-solution.yaml | 42 ++- .../manifest.yaml | 6 +- .../sra-guardduty-org-main-ssm.json | 8 +- .../guardduty/guardduty_org/lambda/src/app.py | 55 ++-- .../guardduty_org/lambda/src/guardduty.py | 266 +++++++----------- .../sra-guardduty-org-configuration.yaml | 19 +- .../templates/sra-guardduty-org-main-ssm.yaml | 35 ++- 10 files changed, 298 insertions(+), 244 deletions(-) diff --git a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml index 528e96dc..bab43108 100644 --- a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml @@ -143,6 +143,10 @@ resources: # GuardDuty Solution - parameter_key: pDisableGuardDuty parameter_value: 'No' + - parameter_key: pGuardDutyCustomerGovernedRegionsOnly + parameter_value: 'false' + - parameter_key: pGuardDutyEnabledRegions + parameter_value: '' - parameter_key: pAutoEnableS3Logs parameter_value: 'true' - parameter_key: pAutoEnableKubernetesAuditLogs @@ -151,10 +155,12 @@ resources: parameter_value: 'true' - parameter_key: pEnableRdsLoginEvents parameter_value: 'true' - - parameter_key: pEnableEksRuntimeMonitoring + - parameter_key: pEnableRuntimeMonitoring parameter_value: 'true' - parameter_key: pEnableEksAddonManagement parameter_value: 'true' + - parameter_key: pEnableEcsFargateAgentManagement + parameter_value: 'true' - parameter_key: pEnableLambdaNetworkLogs parameter_value: 'true' - parameter_key: pGuardDutyFindingPublishingFrequency 
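Review bot: pGuardDutyCustomerGovernedRegionsOnly enters this manifest with the value 'false' and pGuardDutyEnabledRegions with '', and the solution manifest and sra-guardduty-org-main-ssm.json hunks later on this page flip the existing pControlTowerRegionsOnly value from 'true' to 'false'. Presumably that means GuardDuty, and with it the runtime-monitoring agents, is now enabled in every region rather than only the governed ones, which widens cost and operational scope for anyone deploying from these defaults; the commit message does not mention the change. If the wider scope is intended, state it in the commit message and in the parameter descriptions; otherwise keep 'true' and let pGuardDutyEnabledRegions narrow the set.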
diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml index 7e1d4ce7..d42f3630 100644 --- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml +++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml @@ -146,16 +146,20 @@ Metadata: default: GuardDuty Solution Parameters: - pDisableGuardDuty + - pGuardDutyCustomerGovernedRegionsOnly + - pGuardDutyEnabledRegions - pAutoEnableS3Logs - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - - pEnableEksRuntimeMonitoring + - pEnableRuntimeMonitoring - pEnableEksAddonManagement + - pEnableEcsFargateAgentManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency - pGuardDutyOrgDeliveryBucketPrefix - pGuardDutyOrgDeliveryKeyAlias + - Label: default: IAM Access Analyzer Solution Parameters: @@ -316,10 +320,12 @@ Metadata: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events - pEnableEksRuntimeMonitoring: - default: Auto enable EKS Runtime Monitoring + pEnableRuntimeMonitoring: + default: Auto enable Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management + pEnableEcsFargateAgentManagement: + default: Auto enable ECS Fargate Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pBillingContactAction: @@ -422,6 +428,10 @@ Metadata: default: (Optional) Exclude EC2 Default EBS Encryption Tags pExcludeS3BlockAccountPublicAccessTags: default: (Optional) Exclude S3 Block Account Public Access Tags + pGuardDutyCustomerGovernedRegionsOnly: + default: Enable GuardDuty in Customer Governed Regions Only + pGuardDutyEnabledRegions: + default: (Optional) Enabled Regions pFrequency: default: Frequency pGuarddutyEnabledForMoreThan48Hours: 
@@ -753,16 +763,21 @@ Parameters: Default: 'true' Description: Auto enable RDS Login Events Type: String - pEnableEksRuntimeMonitoring: + pEnableRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' - Description: Auto enable EKS Runtime Monitoring + Description: Auto enable Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management Type: String + pEnableEcsFargateAgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable ECS Fargate Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' @@ -1058,6 +1073,21 @@ Parameters: '(Optional) Resource Tags that denote an Account should be excluded from this solution in JSON format: [{"Key": "string", "Value": "string"}, ... ]. For example, [{"Key": "exclude-s3-block-account-public-access", "Value": "true"}].' Type: String + pGuardDutyCustomerGovernedRegionsOnly: + AllowedValues: ['true', 'false'] + Default: 'false' + Description: Indicates whether to enable GuardDuty in the Goverened Regions only + Type: String + pGuardDutyEnabledRegions: + AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' + ConstraintDescription: + Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. + us-east-1,ap-southeast-2) + Default: '' + Description: + (Optional) Enabled regions (AWS regions, separated by commas). + Type: String + pFrequency: AllowedValues: [1hour, 3hours, 6hours, 12hours, 24hours] Default: 1hour 
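Review bot: The description of pGuardDutyCustomerGovernedRegionsOnly misspells "Governed" (`Description: Indicates whether to enable GuardDuty in the Goverened Regions only`). The pGuardDutyEnabledRegions description also omits what an empty value means, unlike the same parameter in the module templates on this page; suggest `Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.` so the easy-setup user sees the same contract. In the AllowedPattern the single-region alternative is already matched by the comma-list alternative, so `^$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$` expresses the same set more plainly.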
@@ -1704,6 +1734,13 @@ Rules: Assertions: - AssertDescription: "'Resource Types' parameter is required if 'All Supported' parameter is set to 'false'." Assert: !Not [!Equals [!Ref pResourceTypes, '']] + CheckGuardDutyRuntimeEnabled: + RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false'] + Assertions: + - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']] + AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] + AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" Conditions: cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] @@ -2401,8 +2438,11 @@ Resources: pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring + pControlTowerRegionsOnly: !Ref pGuardDutyCustomerGovernedRegionsOnly + pEnabledRegions: !Ref pGuardDutyEnabledRegions + pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement + pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pDisableGuardDuty: !If [cDisableGuardDuty, true, false] diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml index b2cf5b3a..10cc0804 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml +++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml 
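Review bot: The AssertDescription strings in CheckGuardDutyRuntimeEnabled name the parameters as 'Enable EKS Addon Management' and 'Enable Ecs Fargate Agent Management', which match neither the labels this template shows ('Auto enable EKS Add-on Management', 'Auto enable ECS Fargate Agent Management') nor the logical ids, so a user who trips the rule has to guess which field to change. Suggest `AssertDescription: "'Auto enable EKS Add-on Management' (pEnableEksAddonManagement) requires 'Auto enable Runtime Monitoring' to be 'true'"` and the same form for the Fargate assertion. The identical rule is added to sra-guardduty-org-module-main.yaml further down this page, so the wording should be fixed in both places.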
@@ -53,11 +53,14 @@ Metadata: default: GuardDuty Parameters: - pDisableGuardDuty + - pControlTowerRegionsOnly + - pEnabledRegions - pAutoEnableS3Logs - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - - pEnableEksRuntimeMonitoring + - pEnableRuntimeMonitoring + - pEnableEcsFargateAgentManagement - pEnableEksAddonManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency @@ -119,10 +122,12 @@ Metadata: default: pAutoEnableMalwareProtection pEnableRdsLoginEvents: default: pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring: - default: pEnableEksRuntimeMonitoring + pEnableRuntimeMonitoring: + default: pEnableRuntimeMonitoring pEnableEksAddonManagement: default: pEnableEksAddonManagement + pEnableEcsFargateAgentManagement: + default: Auto enable ECS Fargate Agent Management pEnableLambdaNetworkLogs: default: pEnableLambdaNetworkLogs pGuardDutyFindingPublishingFrequency: @@ -133,6 +138,10 @@ Metadata: default: pGuardDutyOrgDeliveryKeyAlias pCreateAWSControlTowerExecutionRole: default: Create AWS Control Tower Execution Role + pControlTowerRegionsOnly: + default: Control Tower Regions Only + pEnabledRegions: + default: (Optional) Enabled Regions Parameters: pSRAHelperBucketNamePrefix: 
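Review bot: In this Metadata block every GuardDuty label is the parameter's own name (`default: pEnableRuntimeMonitoring`, `default: pEnableEksAddonManagement`), but the new pEnableEcsFargateAgentManagement label is the prose `Auto enable ECS Fargate Agent Management`. Keep one convention within the template, `default: pEnableEcsFargateAgentManagement`, matching the neighbouring entries.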
@@ -257,6 +266,19 @@ Parameters: Default: "1" Description: Random parameter Type: String + pControlTowerRegionsOnly: + Type: String + Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower) + Default: 'false' + AllowedValues: ['true', 'false'] + pEnabledRegions: + AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' + ConstraintDescription: + Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. + us-east-1,ap-southeast-2) + Default: '' + Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. + Type: String pCreateLambdaLogGroup: @@ -292,16 +314,21 @@ Parameters: Default: 'true' Description: Auto enable RDS Login Events Type: String - pEnableEksRuntimeMonitoring: + pEnableRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' - Description: Auto enable EKS Runtime Monitoring + Description: Auto enable Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management Type: String + pEnableEcsFargateAgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable ECS Fargate Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' 
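Review bot: The pControlTowerRegionsOnly description reads as self-contradictory: it says the flag limits enablement to the Control Tower governed regions and in the same sentence tells users without Control Tower to set it to true. If the intent is that non-Control-Tower environments supply their own governed-region list which this flag then honours, the description should say where that list comes from; otherwise it should say what the flag does when no Control Tower exists. The same text is added to sra-guardduty-org-solution.yaml on this page. pEnabledRegions, by contrast, documents its empty value ('Leave blank to enable all regions.'), which is the clearer model to follow.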
@@ -331,6 +358,15 @@ Parameters: Description: (Optional) Email address for receiving SRA alarms Type: String +Rules: + CheckGuardDutyRuntimeEnabled: + RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false'] + Assertions: + - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']] + AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] + AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" + Conditions: cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] cUseGraviton: !Or @@ -1125,8 +1161,9 @@ Resources: pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring + pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement + pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pDisableGuardDuty: !Ref pDisableGuardDuty @@ -1145,6 +1182,8 @@ Resources: pSecurityAccountId: !Ref pSecurityAccountId pLogArchiveAccountId: !Ref pLogArchiveAccountId pCreateAWSControlTowerExecutionRole: !Ref pCreateAWSControlTowerExecutionRole + pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly + pEnabledRegions: !Ref pEnabledRegions Outputs: oPublishingDestinationBucketName: diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml index 38cf397e..6bef7ec1 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml 
+++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml @@ -48,12 +48,15 @@ Metadata: default: GuardDuty Solution Parameters: - pDisableGuardDuty + - pControlTowerRegionsOnly + - pEnabledRegions - pAutoEnableS3Logs - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - - pEnableEksRuntimeMonitoring + - pEnableRuntimeMonitoring - pEnableEksAddonManagement + - pEnableEcsFargateAgentManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency - pGuardDutyOrgDeliveryBucketPrefix @@ -129,10 +132,12 @@ Metadata: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events - pEnableEksRuntimeMonitoring: - default: Auto enable EKS Runtime Monitoring + pEnableRuntimeMonitoring: + default: Auto enable Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management + pEnableEcsFargateAgentManagement: + default: Auto enable ECS Fargate Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pGuardDutyFindingPublishingFrequency: @@ -141,6 +146,10 @@ Metadata: default: GuardDuty Delivery Bucket Prefix pGuardDutyOrgDeliveryKeyAlias: default: GuardDuty Delivery KMS Key Alias + pControlTowerRegionsOnly: + default: Control Tower Regions Only + pEnabledRegions: + default: (Optional) Enabled Regions Parameters: pRepoURL: 
@@ -302,16 +311,21 @@ Parameters: Default: 'true' Description: Auto enable RDS Login Events Type: String - pEnableEksRuntimeMonitoring: + pEnableRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' - Description: Auto enable EKS Runtime Monitoring + Description: Auto enable Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management Type: String + pEnableEcsFargateAgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable ECS Fargate Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' @@ -334,6 +348,19 @@ Parameters: Default: sra-guardduty-org-delivery-key Description: GuardDuty Delivery KMS Key Alias Type: String + pControlTowerRegionsOnly: + Type: String + Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower) + Default: 'false' + AllowedValues: ['true', 'false'] + pEnabledRegions: + AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' + ConstraintDescription: + Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. + us-east-1,ap-southeast-2) + Default: '' + Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. + Type: String # Rules: 
@@ -846,8 +873,9 @@ Resources: pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring + pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement + pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pDisableGuardDuty: !If [cDisableGuardDuty, true, false] @@ -858,6 +886,8 @@ Resources: pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pSRAAlarmEmail: !Ref pSRAAlarmEmail + pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly + pEnabledRegions: !Ref pEnabledRegions CommonPrerequisitesMainSsmWaitHandle: Condition: cCommonPrerequisitesNotInstalled diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml index fdd0f39a..74cf0b4a 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml 
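Review bot: sra-guardduty-org-solution.yaml passes the new pEnableEcsFargateAgentManagement and the existing pEnableEksAddonManagement values through but, unlike sra-easy-setup.yaml and sra-guardduty-org-module-main.yaml on this page, gets no CheckGuardDutyRuntimeEnabled rule; its Rules block is still commented out (`# Rules:` in the earlier hunk of this file). Through this template an add-on or Fargate agent value of 'true' combined with pEnableRuntimeMonitoring 'false' reaches the Lambda unchecked, where set_features_list emits an ENABLED additional configuration under a DISABLED RUNTIME_MONITORING feature. Add the same Rules block here, or validate the combination once in app.py's get_validated_parameters so all three entry points agree.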
@@ -19,14 +19,16 @@ resources: parameter_value: 'true' - parameter_key: pEnableRdsLoginEvents parameter_value: 'true' - - parameter_key: pEnableEksRuntimeMonitoring + - parameter_key: pEnableRuntimeMonitoring parameter_value: 'true' - parameter_key: pEnableEksAddonManagement parameter_value: 'true' + - parameter_key: pEnableEcsFargateAgentManagement + parameter_value: 'true' - parameter_key: pEnableLambdaNetworkLogs parameter_value: 'true' - parameter_key: pControlTowerRegionsOnly - parameter_value: 'true' + parameter_value: 'false' - parameter_key: pCreateLambdaLogGroup parameter_value: 'false' - parameter_key: pDisableGuardDuty diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json index 37398f11..a08c2c97 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json @@ -16,20 +16,24 @@ "ParameterValue": "true" }, { - "ParameterKey": "pEnableEksRuntimeMonitoring", + "ParameterKey": "pEnableRuntimeMonitoring", "ParameterValue": "true" }, { "ParameterKey": "pEnableEksAddonManagement", "ParameterValue": "true" }, + { + "ParameterKey": "pEnableEcsFargateAgentManagement", + "ParameterValue": "true" + } { "ParameterKey": "pEnableLambdaNetworkLogs", "ParameterValue": "true" }, { "ParameterKey": "pControlTowerRegionsOnly", - "ParameterValue": "true" + "ParameterValue": "false" }, { "ParameterKey": "pCreateLambdaLogGroup", diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py index 9c8bee17..0a081b94 100644 
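Review bot: The object added for pEnableEcsFargateAgentManagement in sra-guardduty-org-main-ssm.json closes with `}` and no comma before the following `{ "ParameterKey": "pEnableLambdaNetworkLogs"`, so the file is no longer valid JSON and the parameter file will fail to parse at deploy time. The added closing line should be `},`. A JSON lint step in CI would catch this class of error for the parameter files.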
--- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py @@ -42,6 +42,7 @@ # Global variables PRINCIPAL_NAME = "malware-protection.guardduty.amazonaws.com" +SERVICE_NAME = "guardduty.amazonaws.com" UNEXPECTED = "Unexpected!" MAX_RUN_COUNT = 30 # 5 minute wait = 30 x 10 seconds SLEEP_SECONDS = 10 @@ -89,9 +90,12 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict: parameter_pattern_validator("ENABLE_EKS_AUDIT_LOGS", params.get("ENABLE_EKS_AUDIT_LOGS", ""), pattern=true_false_pattern) parameter_pattern_validator("AUTO_ENABLE_MALWARE_PROTECTION", params.get("AUTO_ENABLE_MALWARE_PROTECTION", ""), pattern=true_false_pattern) parameter_pattern_validator("ENABLE_RDS_LOGIN_EVENTS", params.get("ENABLE_RDS_LOGIN_EVENTS", ""), pattern=true_false_pattern) - parameter_pattern_validator("ENABLE_EKS_RUNTIME_MONITORING", params.get("ENABLE_EKS_RUNTIME_MONITORING", ""), pattern=true_false_pattern) parameter_pattern_validator("ENABLE_EKS_ADDON_MANAGEMENT", params.get("ENABLE_EKS_ADDON_MANAGEMENT", ""), pattern=true_false_pattern) parameter_pattern_validator("ENABLE_LAMBDA_NETWORK_LOGS", params.get("ENABLE_LAMBDA_NETWORK_LOGS", ""), pattern=true_false_pattern) + parameter_pattern_validator("ENABLE_RUNTIME_MONITORING", params.get("ENABLE_RUNTIME_MONITORING", ""), pattern=true_false_pattern) + parameter_pattern_validator( + "ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", ""), pattern=true_false_pattern + ) parameter_pattern_validator("CONFIGURATION_ROLE_NAME", params.get("CONFIGURATION_ROLE_NAME", ""), pattern=r"^[\w+=,.@-]{1,64}$") parameter_pattern_validator("CONTROL_TOWER_REGIONS_ONLY", params.get("CONTROL_TOWER_REGIONS_ONLY", ""), pattern=true_false_pattern) parameter_pattern_validator("DELEGATED_ADMIN_ACCOUNT_ID", params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), pattern=r"^\d{12}$") 
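Review bot: SERVICE_NAME = "guardduty.amazonaws.com" is added with no comment on what it is for; its only use on this page is the delete path in process_cloudformation_event, where organization trusted access for that principal is disabled. Suggest `SERVICE_NAME = "guardduty.amazonaws.com"  # GuardDuty org trusted-access principal; access is disabled on stack delete` so a reader does not confuse it with PRINCIPAL_NAME on the line above. The validators for the two new flags are placed after the LAMBDA_NETWORK_LOGS one rather than where the removed ENABLE_EKS_RUNTIME_MONITORING line was; keeping the feature flags grouped makes the next rename easier to review.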
@@ -198,7 +202,7 @@ def process_create_update_event(params: dict, regions: list) -> None: while not detectors_exist and run_count < MAX_RUN_COUNT: run_count += 1 detectors_exist = guardduty.check_for_detectors(session, regions) - LOGGER.info(f"All Detectors Exist?: {detectors_exist} Count: {run_count}") + LOGGER.info(f"All Detectors Exist?: {detectors_exist}. Count: {run_count}") if not detectors_exist: sleep(SLEEP_SECONDS) 
@@ -209,18 +213,20 @@ def process_create_update_event(params: dict, regions: list) -> None: enable_eks_audit_logs = (params.get("ENABLE_EKS_AUDIT_LOGS", "false")).lower() in "true" auto_enable_malware_protection = (params.get("AUTO_ENABLE_MALWARE_PROTECTION", "false")).lower() in "true" enable_rds_login_events = (params.get("ENABLE_RDS_LOGIN_EVENTS", "false")).lower() in "true" - enable_eks_runtime_monitoring = (params.get("ENABLE_EKS_RUNTIME_MONITORING", "false")).lower() in "true" enable_eks_addon_management = (params.get("ENABLE_EKS_ADDON_MANAGEMENT", "false")).lower() in "true" enable_lambda_network_logs = (params.get("ENABLE_LAMBDA_NETWORK_LOGS", "false")).lower() in "true" + enable_runtime_monitoring = (params.get("ENABLE_RUNTIME_MONITORING", "false")).lower() in "true" + enable_ecs_fargate_agent_management = (params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", "false")).lower() in "true" gd_features = { - "auto_enable_s3_logs": auto_enable_s3_logs, - "enable_eks_audit_logs": enable_eks_audit_logs, - "auto_enable_malware_protection": auto_enable_malware_protection, - "enable_rds_login_events": enable_rds_login_events, - "enable_eks_runtime_monitoring": enable_eks_runtime_monitoring, - "enable_eks_addon_management": enable_eks_addon_management, - "enable_lambda_network_logs": enable_lambda_network_logs, + "S3_DATA_EVENTS": auto_enable_s3_logs, + "EKS_AUDIT_LOGS": enable_eks_audit_logs, + "EBS_MALWARE_PROTECTION": auto_enable_malware_protection, + "RDS_LOGIN_EVENTS": enable_rds_login_events, + "LAMBDA_NETWORK_LOGS": enable_lambda_network_logs, + "RUNTIME_MONITORING": enable_runtime_monitoring, + "EKS_ADDON_MANAGEMENT": enable_eks_addon_management, + "ECS_FARGATE_AGENT_MANAGEMENT": enable_ecs_fargate_agent_management, } guardduty.configure_guardduty( 
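Review bot: The two new flags copy the existing `(...).lower() in "true"` idiom, which is a substring test: an empty string or "t" also evaluates True, so the value is only as safe as the regex validation upstream. `enable_runtime_monitoring = params.get("ENABLE_RUNTIME_MONITORING", "false").lower() == "true"` (and the same for ENABLE_ECS_FARGATE_AGENT_MANAGEMENT) expresses the intent directly. Separately, set_features_list in guardduty.py attaches EKS_ADDON_MANAGEMENT and ECS_FARGATE_AGENT_MANAGEMENT to the RUNTIME_MONITORING entry created earlier in the same loop, so the key order in gd_features is load-bearing; add `# RUNTIME_MONITORING must precede its add-ons: set_features_list nests them under it` above the dict so a reorder does not silently break it. process_create_update_event continues outside this hunk.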
@@ -273,6 +279,8 @@ def process_cloudformation_event(event: CloudFormationCustomResourceEvent, conte LOGGER.info("...Disable GuardDuty from (process_cloudformation_event)") account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"]) guardduty.process_delete_event(params, regions, account_ids, False) + guardduty.disable_aws_service_access(PRINCIPAL_NAME) + guardduty.disable_aws_service_access(SERVICE_NAME) return f"sra-guardduty-{params['DELEGATED_ADMIN_ACCOUNT_ID']}" @@ -302,30 +310,3 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None: except Exception: LOGGER.exception(UNEXPECTED) raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None - - -def terraform_handler(event: Dict[str, Any], context: Context) -> None: - """Lambda Handler. - - Args: - event: event data - context: runtime information - - Raises: - ValueError: Unexpected error executing Lambda function - """ - LOGGER.info("....Lambda Handler Started....") - event_info = {"Event": event} - LOGGER.info(event_info) - try: - if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"): - raise ValueError( - f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details." - ) from None - elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns": - process_sns_records(event["Records"]) - elif "RequestType" in event: - process_cloudformation_event(event, context) - except Exception: - LOGGER.exception(UNEXPECTED) - raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py index cf6a8f75..4f2555df 100644 
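Review bot: The delete path now calls guardduty.disable_aws_service_access for both PRINCIPAL_NAME and SERVICE_NAME unconditionally after process_delete_event. Disabling organization trusted access for guardduty.amazonaws.com affects the whole organization, not just this stack, and if a delegated administrator is still registered or access was never enabled the call may raise and turn a stack deletion into a failure; the body of disable_aws_service_access is not on this page, so confirm it tolerates both cases or guard the calls. A one-line comment stating why org-level access is revoked on delete would also help the next reader. The second hunk on this line removes terraform_handler entirely; if any Terraform deployment still names that handler it presumably breaks, which the commit message does not mention.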
--- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py @@ -42,15 +42,6 @@ BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"}) CHECK_ACCT_MEMBER_RETRIES = 10 -auto_enable_s3_logs = bool -enable_eks_audit_logs = bool -auto_enable_malware_protection = bool -enable_rds_login_events = bool -enable_eks_runtime_monitoring = bool -enable_eks_addon_management = bool -enable_lambda_network_logs = bool - - try: MANAGEMENT_ACCOUNT_SESSION = boto3.Session() ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations", config=BOTO3_CONFIG) 
@@ -215,10 +206,41 @@ def create_members(guardduty_client: GuardDutyClient, detector_id: str, accounts LOGGER.info(f"Unprocessed Member Accounts: {unprocessed_accounts}") raise ValueError("Unprocessed Member Accounts while Creating Members") - missing_members: list = check_members(guardduty_client, detector_id, accounts) - if len(missing_members) > 0: - LOGGER.info(f"Check members failure: {missing_members}") - raise ValueError("Check members failure") + +def set_features_list(gd_features: dict) -> list: + """Set a list of GuardDuty features with status configurations. + + Args: + gd_features: GuardDuty features + + Returns: + list of GuardDuty features with status configurations + """ + features_config: list = [] + name = "" + status = "" + + for feature_name in gd_features: + feature_to_set = {"Name": name, "Status": status} + if gd_features[feature_name] is True: + status = "ENABLED" + else: + status = "DISABLED" + if feature_name == "RUNTIME_MONITORING": + runtime_monitoring_config = {"Name": feature_name, "Status": status, "AdditionalConfiguration": []} + runtime_monitoring_config["Name"] = feature_name + runtime_monitoring_config["Status"] = status + features_config.append(runtime_monitoring_config) + elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT": + feature_to_set["Name"] = feature_name + feature_to_set["Status"] = status + runtime_monitoring_config["AdditionalConfiguration"].append(feature_to_set) + else: + feature_to_set["Name"] = feature_name + feature_to_set["Status"] = status + features_config.append(feature_to_set) + + return features_config def set_configuration_params( 
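Review bot: set_features_list only binds runtime_monitoring_config inside the RUNTIME_MONITORING branch, so a gd_features dict that lists EKS_ADDON_MANAGEMENT or ECS_FARGATE_AGENT_MANAGEMENT before RUNTIME_MONITORING, or without it, raises UnboundLocalError in the elif branch; the caller in app.py happens to order the keys correctly, but nothing here checks it. The `name = ""` / `status = ""` priming, the feature_to_set dict built from stale values and then overwritten, and the `runtime_monitoring_config["Name"] = feature_name` re-assignment of a value the literal already set are dead work that obscures the shape of the output. set_org_configuration_params further down repeats the same pattern with AutoEnable and carries the same unbound-variable hazard. This hunk also drops the check_members verification from create_members without a replacement, so members the API accepted but did not actually add are no longer detected after creation; if that is intended it deserves a sentence in the commit message. A tighter version:
```python
def set_features_list(gd_features: dict) -> list:
    # … unchanged: docstring …
    features_config: list = []
    runtime_monitoring_config: Dict[str, Any] = {}

    for feature_name, enabled in gd_features.items():
        status = "ENABLED" if enabled is True else "DISABLED"
        if feature_name == "RUNTIME_MONITORING":
            runtime_monitoring_config = {"Name": feature_name, "Status": status, "AdditionalConfiguration": []}
            features_config.append(runtime_monitoring_config)
        elif feature_name in ("ECS_FARGATE_AGENT_MANAGEMENT", "EKS_ADDON_MANAGEMENT"):
            # Add-ons nest under RUNTIME_MONITORING, which must therefore come first in gd_features.
            if not runtime_monitoring_config:
                raise ValueError(f"{feature_name} requires RUNTIME_MONITORING to be listed before it")
            runtime_monitoring_config["AdditionalConfiguration"].append({"Name": feature_name, "Status": status})
        else:
            features_config.append({"Name": feature_name, "Status": status})

    return features_config
```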
@@ -237,52 +259,10 @@ def set_configuration_params( configuration_params: Configuration parameters """ LOGGER.info("Updating Member Detectors") - configuration_params: Dict[str, Any] = {"DetectorId": detector_id, "AccountIds": account_ids, "Features": []} + config = set_features_list(gd_features) + configuration_params: Dict[str, Any] = {"DetectorId": detector_id, "AccountIds": account_ids, "Features": config} LOGGER.info("Setting feature configuration parameters once...") - if gd_features["auto_enable_s3_logs"]: - configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}) - else: - configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}) - if gd_features["enable_eks_audit_logs"]: - configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}) - else: - configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}) - if gd_features["auto_enable_malware_protection"]: - configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}) - else: - configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "Status": "DISABLED"}) - if gd_features["enable_rds_login_events"]: - configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}) - else: - configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"}) - if gd_features["enable_eks_runtime_monitoring"] and gd_features["enable_eks_addon_management"]: - configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "ENABLED", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}], - } - ) - elif gd_features["enable_eks_runtime_monitoring"] and not gd_features["enable_eks_addon_management"]: - configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "ENABLED", - "AdditionalConfiguration": [{"Name": 
"EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}], - } - ) - else: - configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "DISABLED", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}], - } - ) - if gd_features["enable_lambda_network_logs"]: - configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}) - else: - configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"}) + return configuration_params @@ -399,7 +379,6 @@ def update_member_detectors( LOGGER.info("Iterating through api calls for each group of accounts...") for api_call_number in range(0, number_of_create_members_calls): configuration_params["AccountIds"] = account_ids[api_call_number * 50 : (api_call_number * 50) + 50] - LOGGER.info(f"Configuration parameters are: {configuration_params}") LOGGER.info(f"Calling update_member_detectors with params {configuration_params}") update_member_response = guardduty_client.update_member_detectors(**configuration_params) 
@@ -421,51 +400,31 @@ def set_org_configuration_params(detector_id: str, gd_features: dict) -> dict: Returns: dict: GuardDuty organization configuration parameters """ - org_configuration_params: Dict[str, Any] = {"DetectorId": detector_id, "AutoEnable": True, "Features": []} - if gd_features["auto_enable_s3_logs"]: - org_configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "AutoEnable": "NEW"}) - else: - org_configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "AutoEnable": "NONE"}) - if gd_features["enable_eks_audit_logs"]: - org_configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "AutoEnable": "NEW"}) - else: - org_configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "AutoEnable": "NONE"}) - if gd_features["auto_enable_malware_protection"]: - org_configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NEW"}) - else: - org_configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NONE"}) - if gd_features["enable_rds_login_events"]: - org_configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "AutoEnable": "NEW"}) - else: - org_configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "AutoEnable": "NONE"}) - if gd_features["enable_eks_runtime_monitoring"] and gd_features["enable_eks_addon_management"]: - org_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "AutoEnable": "NEW", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "NEW"}], - } - ) - elif gd_features["enable_eks_runtime_monitoring"] and not gd_features["enable_eks_addon_management"]: - org_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "AutoEnable": "NEW", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "NONE"}], - } - ) - else: - org_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "AutoEnable": 
"NONE", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "NONE"}], - } - ) - if gd_features["enable_lambda_network_logs"]: - org_configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "AutoEnable": "NEW"}) - else: - org_configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "AutoEnable": "NONE"}) + features_config: list = [] + org_configuration_params: Dict[str, Any] = {"DetectorId": detector_id, "AutoEnable": True, "Features": features_config} + name = "" + type = "" + + for feature_name in gd_features: + org_feature_to_set = {"Name": name, "AutoEnable": type} + if gd_features[feature_name] is True: + type = "ALL" + else: + type = "NONE" + if feature_name == "RUNTIME_MONITORING": + runtime_monitoring_config = {"Name": feature_name, "AutoEnable": type, "AdditionalConfiguration": []} + runtime_monitoring_config["Name"] = feature_name + runtime_monitoring_config["AutoEnable"] = type + features_config.append(runtime_monitoring_config) + elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT": + org_feature_to_set["Name"] = feature_name + org_feature_to_set["AutoEnable"] = type + runtime_monitoring_config["AdditionalConfiguration"].append(org_feature_to_set) + else: + org_feature_to_set["Name"] = feature_name + org_feature_to_set["AutoEnable"] = type + features_config.append(org_feature_to_set) + return org_configuration_params 
@@ -474,65 +433,22 @@ def set_admin_configuration_params( finding_publishing_frequency: str, gd_features: dict, ) -> dict: - """Admin configuration parameters for GuardDuty. + """Set delegated administrator configuration parameters for GuardDuty. Args: - detector_id (str): The GuardDuty detector ID - finding_publishing_frequency (str): The frequency at which findings are published - gd_features (dict): The GuardDuty features + detector_id: The GuardDuty detector ID + finding_publishing_frequency: The frequency at which findings are published + gd_features: The GuardDuty features Returns: dict: The admin configuration parameters for GuardDuty """ + config = set_features_list(gd_features) admin_configuration_params: Dict[str, Any] = { "DetectorId": detector_id, "FindingPublishingFrequency": finding_publishing_frequency, - "Features": [], + "Features": config, } - if gd_features["auto_enable_s3_logs"]: - admin_configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}) - else: - admin_configuration_params["Features"].append({"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}) - if gd_features["enable_eks_audit_logs"]: - admin_configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"}) - else: - admin_configuration_params["Features"].append({"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"}) - if gd_features["auto_enable_malware_protection"]: - admin_configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}) - else: - admin_configuration_params["Features"].append({"Name": "EBS_MALWARE_PROTECTION", "Status": "DISABLED"}) - if gd_features["enable_rds_login_events"]: - admin_configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}) - else: - admin_configuration_params["Features"].append({"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"}) - if gd_features["enable_eks_runtime_monitoring"] and gd_features["enable_eks_addon_management"]: - 
admin_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "ENABLED", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}], - } - ) - elif gd_features["enable_eks_runtime_monitoring"] and not gd_features["enable_eks_addon_management"]: - admin_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "ENABLED", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}], - } - ) - else: - admin_configuration_params["Features"].append( - { - "Name": "EKS_RUNTIME_MONITORING", - "Status": "DISABLED", - "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}], - } - ) - if gd_features["enable_lambda_network_logs"]: - admin_configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}) - else: - admin_configuration_params["Features"].append({"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"}) return admin_configuration_params 
@@ -541,28 +457,20 @@ def update_guardduty_configuration( gd_features: dict, detector_id: str, finding_publishing_frequency: str, - account_ids: list, ) -> None: - """Update GuardDuty configuration to auto enable new accounts and S3 log protection. + """Update GuardDuty configuration to auto enable GuardDuty and selected features in new accounts. Args: guardduty_client: GuardDuty Client gd_features: GuardDuty protection plans configuration detector_id: GuardDuty detector ID finding_publishing_frequency: Finding publishing frequency - account_ids: List of member account ids """ org_configuration_params = set_org_configuration_params(detector_id, gd_features) admin_configuration_params = set_admin_configuration_params(detector_id, finding_publishing_frequency, gd_features) guardduty_client.update_organization_configuration(**org_configuration_params) guardduty_client.update_detector(**admin_configuration_params) - update_member_detectors( - guardduty_client, - detector_id, - account_ids, - gd_features, - ) def configure_guardduty( # noqa: CFQ002, CFQ001 
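Review bot: The new summary line `Update GuardDuty configuration to auto enable GuardDuty and selected features in new accounts.` no longer matches what `set_org_configuration_params` emits in this patch, where feature `AutoEnable` is `"ALL"` rather than the former `"NEW"` and so, as I understand the API, also applies to existing member accounts. Suggest `Update GuardDuty organization configuration to auto enable GuardDuty for new accounts and the selected features for all member accounts.`; if `"NEW"` was actually intended, the docstring is right and the parameter builder is wrong.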
@@ -622,20 +530,36 @@ def configure_guardduty( # noqa: CFQ002, CFQ001 }, ) - # Create members for existing Organization accounts - LOGGER.info(f"Members created for existing accounts: {accounts} in {region}") - create_members(regional_guardduty, detector_id, accounts) - - LOGGER.info(f"Waiting {SLEEP_SECONDS} seconds before updating the configuration.") - sleep(SLEEP_SECONDS) + # Set GuardDuty Organization configuration to auto-enable selected features update_guardduty_configuration( regional_guardduty, gd_features, detector_id, finding_publishing_frequency, - account_ids, ) + # Create members for existing Organization accounts + create_members(regional_guardduty, detector_id, accounts) + LOGGER.info(f"Creating members for existing accounts: {accounts} in {region}") + + # Verify members created for existing Organization accounts + for region in region_list: + # regional_guardduty: GuardDutyClient = session.client("guardduty", region_name=region, config=BOTO3_CONFIG) + detectors = regional_guardduty.list_detectors() + if detectors["DetectorIds"]: + detector_id = detectors["DetectorIds"][0] + LOGGER.info(f"Checking for missing members. DetectorID: {detector_id} Region: {region}") + missing_members: list = check_members(regional_guardduty, detector_id, accounts) + if len(missing_members) > 0: + LOGGER.info(f"Check members failure: {missing_members}") + raise ValueError("Check members failure") + update_member_detectors( + regional_guardduty, + detector_id, + account_ids, + gd_features, + ) + def check_for_detectors(session: boto3.Session, regions: list) -> bool: # noqa: CCR001 (cognitive complexity) """Check to see if the GuardDuty detectors exist for all regions before configuring. 
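Review bot: The new verification loop `for region in region_list:` re-uses the single `regional_guardduty` client (and rebinds the enclosing scope's `region` and `detector_id`), so every iteration queries the same region while logging a different region name, and `update_member_detectors` runs once per entry of `region_list` against that one client; the commented-out client line suggests this was noticed. If the intent is to verify the region just configured, drop the inner loop and run the check once as below; if it is a cross-region sweep, it needs a per-region client and belongs after the outer region loop. Two smaller points: `create_members` is called before the `Creating members for existing accounts` log line, and the former `sleep(SLEEP_SECONDS)` is gone, so `check_members` now runs immediately after `create_members` — worth confirming the API reports new members synchronously, otherwise the `ValueError` fires spuriously. `configure_guardduty` starts outside the hunk, and PATCH 4's `@@ -544,7 +544,6 @@` hunk only removes the comment, leaving the loop in place.
```python
        # … unchanged: update_guardduty_configuration(...) call above …
        # Create members for existing Organization accounts
        LOGGER.info(f"Creating members for existing accounts: {accounts} in {region}")
        create_members(regional_guardduty, detector_id, accounts)

        # Verify the members exist in this region before configuring their detectors
        LOGGER.info(f"Checking for missing members. DetectorID: {detector_id} Region: {region}")
        missing_members: list = check_members(regional_guardduty, detector_id, accounts)
        if missing_members:
            LOGGER.info(f"Check members failure: {missing_members}")
            raise ValueError("Check members failure")
        update_member_detectors(regional_guardduty, detector_id, account_ids, gd_features)
```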
@@ -699,7 +623,7 @@ def process_delete_event(params: dict, regions: list, account_ids: list, include management_sns_client.publish(TopicArn=params["SNS_TOPIC_ARN"], Message=json.dumps(sns_message)) -def disable_aws_service_access(service_principal: str = PRINCIPAL_NAME) -> None: +def disable_aws_service_access(service_principal: str) -> None: """Disable service access for the provided service principal within AWS Organizations. Args: @@ -742,7 +666,7 @@ def delete_detectors(guardduty_client: GuardDutyClient, region: str, is_delegate region: AWS Region is_delegated_admin: True or False """ - disable_aws_service_access(PRINCIPAL_NAME) + # disable_aws_service_access(PRINCIPAL_NAME) detectors = guardduty_client.list_detectors() if detectors["DetectorIds"]: diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml index 80bd3df7..18c86604 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml @@ -35,8 +35,9 @@ Metadata: - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - - pEnableEksRuntimeMonitoring + - pEnableRuntimeMonitoring - pEnableEksAddonManagement + - pEnableEcsFargateAgentManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pGuardDutyOrgConfigurationRoleName 
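Review bot: Commenting out `disable_aws_service_access(PRINCIPAL_NAME)` in `delete_detectors` means the delete path no longer revokes AWS Organizations trusted access for the GuardDuty service principal, and with the default argument removed in the `disable_aws_service_access` hunk above, the function is left with no caller at all (PATCH 4 deletes the commented line rather than restoring the call). Leaving trusted access enabled may be deliberate — the call is organization-wide while `delete_detectors` runs per region, so invoking it from each region was questionable — but then the delete path's docstring should say so, e.g. `Trusted access for the GuardDuty service principal is intentionally left enabled; revoke it separately once all detectors are removed.` Otherwise call it once from `process_delete_event` after the last regional delete, and in either case do not keep a dead function around.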
@@ -64,10 +65,12 @@ Metadata: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events - pEnableEksRuntimeMonitoring: - default: Auto enable EKS Runtime Monitoring + pEnableRuntimeMonitoring: + default: Auto enable Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management + pEnableEcsFargateAgentManagement: + default: Auto enable ECS Fargate Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: @@ -130,7 +133,7 @@ Parameters: Default: 'true' Description: Auto enable RDS Login Events Type: String - pEnableEksRuntimeMonitoring: + pEnableRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Runtime Monitoring @@ -140,6 +143,11 @@ Parameters: Default: 'true' Description: Auto enable EKS Add-on Management Type: String + pEnableEcsFargateAgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable ECS Fargate Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' @@ -513,8 +521,9 @@ Resources: AUTO_ENABLE_MALWARE_PROTECTION: !Ref pAutoEnableMalwareProtection ENABLE_EKS_AUDIT_LOGS: !Ref pAutoEnableKubernetesAuditLogs ENABLE_RDS_LOGIN_EVENTS: !Ref pEnableRdsLoginEvents - ENABLE_EKS_RUNTIME_MONITORING: !Ref pEnableEksRuntimeMonitoring + ENABLE_RUNTIME_MONITORING: !Ref pEnableRuntimeMonitoring ENABLE_EKS_ADDON_MANAGEMENT: !Ref pEnableEksAddonManagement + ENABLE_ECS_FARGATE_AGENT_MANAGEMENT: !Ref pEnableEcsFargateAgentManagement ENABLE_LAMBDA_NETWORK_LOGS: !Ref pEnableLambdaNetworkLogs CONFIGURATION_ROLE_NAME: !Ref pGuardDutyOrgConfigurationRoleName CONTROL_TOWER_REGIONS_ONLY: !Ref pControlTowerRegionsOnly 
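Review bot: The `@@ -130,7 +133,7 @@` hunk renames `pEnableEksRuntimeMonitoring` to `pEnableRuntimeMonitoring` but keeps `Description: Auto enable EKS Runtime Monitoring`, so this template advertises a narrower scope than the parameter now controls (the `sra-guardduty-org-main-ssm.yaml` hunk in the same patch does update the text). Change it to `Description: Auto enable Runtime Monitoring`. Unlike the main template, this one also gets no `Rules` block tying `pEnableEksAddonManagement`/`pEnableEcsFargateAgentManagement` to `pEnableRuntimeMonitoring`; if this template can be deployed on its own, the same rule is needed here, since the Lambda does not enforce that dependency either.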
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml index 37e57f47..7c283e08 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml @@ -46,8 +46,9 @@ Metadata: - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - - pEnableEksRuntimeMonitoring + - pEnableRuntimeMonitoring - pEnableEksAddonManagement + - pEnableEcsFargateAgentManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pEnabledRegions @@ -77,10 +78,12 @@ Metadata: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events - pEnableEksRuntimeMonitoring: - default: Auto enable EKS Runtime Monitoring + pEnableRuntimeMonitoring: + default: Auto enable Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management + pEnableEcsFargateAgentManagement: + default: Auto enable ECS Fargate Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: @@ -156,16 +159,21 @@ Parameters: Default: 'true' Description: Auto enable RDS Login Events Type: String - pEnableEksRuntimeMonitoring: + pEnableRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' - Description: Auto enable EKS Runtime Monitoring + Description: Auto enable Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management - Type: String + Type: String + pEnableEcsFargateAgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable ECS Fargate Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' 
@@ -174,7 +182,7 @@ Parameters: pControlTowerRegionsOnly: Type: String Description: Only enable in the Control Tower governed regions (set to true for environments without AWS Control Tower) - Default: 'true' + Default: 'false' AllowedValues: ['true', 'false'] pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] @@ -278,6 +286,16 @@ Parameters: Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String +Rules: + CheckGuardDutyRuntimeEnabled: + RuleCondition: !Equals [!Ref pEnableRuntimeMonitoring, 'false'] + Assertions: + - Assert: !Not [!Equals [!Ref pEnableEksAddonManagement, 'true']] + AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] + AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" + + Resources: rGuardDutyDeleteDetectorIAMRoleStackSet: Type: AWS::CloudFormation::StackSet @@ -437,8 +455,9 @@ Resources: pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring + pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement + pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup From 3ae6b0fd062aaa3b900bb6c2c72c36b1479994e1 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 11 Apr 2024 09:51:03 -0400 Subject: [PATCH 2/8] json error fix --- .../parameters/sra-guardduty-org-main-ssm.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
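Review bot: Flipping `pControlTowerRegionsOnly` to `Default: 'false'` widens deployment to every enabled region (the PATCH 6 changelog says as much), but the parameter's Description still reads `(set to true for environments without AWS Control Tower)`, which contradicts both the parameter name and the new default. Suggest `Description: Only enable in the Control Tower governed regions (set to false to deploy in all enabled regions, or when not using AWS Control Tower)`, assuming that is the semantics the Lambda's region selection implements — please confirm. In the `Rules` hunk that follows, the assertions catch the add-on/agent-management-without-runtime-monitoring case at stack level only; the Lambda's parameter builder would still send such a combination to the API, so a value supplied outside CloudFormation reaches it unchecked.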
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json index a08c2c97..ce6b86c5 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json @@ -26,7 +26,7 @@ { "ParameterKey": "pEnableEcsFargateAgentManagement", "ParameterValue": "true" - } + }, { "ParameterKey": "pEnableLambdaNetworkLogs", "ParameterValue": "true" From 58447ec79619876743d3b885878c94aeb0877557 Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 11 Apr 2024 12:43:09 -0400 Subject: [PATCH 3/8] adding ec2 agent management feature --- .../manifest.yaml | 2 ++ .../easy_setup/templates/sra-easy-setup.yaml | 13 ++++++++++++- .../templates/sra-guardduty-org-module-main.yaml | 11 +++++++++++ .../templates/sra-guardduty-org-solution.yaml | 9 +++++++++ .../manifest.yaml | 2 ++ .../guardduty/guardduty_org/lambda/src/app.py | 3 +++ .../guardduty/guardduty_org/lambda/src/guardduty.py | 4 ++-- .../templates/sra-guardduty-org-configuration.yaml | 9 +++++++++ .../templates/sra-guardduty-org-main-ssm.yaml | 11 +++++++++++ 9 files changed, 61 insertions(+), 3 deletions(-) diff --git a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml index bab43108..0c532cea 100644 --- a/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml 
@@ -161,6 +161,8 @@ resources: parameter_value: 'true' - parameter_key: pEnableEcsFargateAgentManagement parameter_value: 'true' + - parameter_key: pEnableEc2AgentManagement + parameter_value: 'true' - parameter_key: pEnableLambdaNetworkLogs parameter_value: 'true' - parameter_key: pGuardDutyFindingPublishingFrequency diff --git a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml index d42f3630..dd8cb417 100644 --- a/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml +++ b/aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml @@ -155,6 +155,7 @@ Metadata: - pEnableRuntimeMonitoring - pEnableEksAddonManagement - pEnableEcsFargateAgentManagement + - pEnableEc2AgentManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency - pGuardDutyOrgDeliveryBucketPrefix @@ -326,6 +327,8 @@ Metadata: default: Auto enable EKS Add-on Management pEnableEcsFargateAgentManagement: default: Auto enable ECS Fargate Agent Management + pEnableEc2AgentManagement: + default: Auto enable EC2 Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pBillingContactAction: @@ -778,6 +781,11 @@ Parameters: Default: 'true' Description: Auto enable ECS Fargate Agent Management Type: String + pEnableEc2AgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable EC2 Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' 
@@ -1076,7 +1084,7 @@ Parameters: pGuardDutyCustomerGovernedRegionsOnly: AllowedValues: ['true', 'false'] Default: 'false' - Description: Indicates whether to enable GuardDuty in the Goverened Regions only + Description: Indicates whether to enable GuardDuty in the customer's Goverened Regions only. Example - Control Tower regions, or Common Prerequisites regions. Type: String pGuardDutyEnabledRegions: AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' @@ -1741,6 +1749,8 @@ Rules: AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']] + AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled" Conditions: cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] @@ -2443,6 +2453,7 @@ Resources: pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement + pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pDisableGuardDuty: !If [cDisableGuardDuty, true, false] diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml index 10cc0804..d2be8cb4 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml +++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-module-main.yaml 
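Review bot: The new `pGuardDutyCustomerGovernedRegionsOnly` Description keeps the typo `Goverened` and its example reads as a fragment. Suggest `Description: Indicates whether to enable GuardDuty only in the customer's governed regions (for example, the Control Tower regions or the Common Prerequisites regions).`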
@@ -61,6 +61,7 @@ Metadata: - pEnableRdsLoginEvents - pEnableRuntimeMonitoring - pEnableEcsFargateAgentManagement + - pEnableEc2AgentManagement - pEnableEksAddonManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency @@ -128,6 +129,8 @@ Metadata: default: pEnableEksAddonManagement pEnableEcsFargateAgentManagement: default: Auto enable ECS Fargate Agent Management + pEnableEc2AgentManagement: + default: Auto enable EC2 Agent Management pEnableLambdaNetworkLogs: default: pEnableLambdaNetworkLogs pGuardDutyFindingPublishingFrequency: @@ -329,6 +332,11 @@ Parameters: Default: 'true' Description: Auto enable ECS Fargate Agent Management Type: String + pEnableEc2AgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable EC2 Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' @@ -366,6 +374,8 @@ Rules: AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']] + AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled" Conditions: cUsingKmsKey: !Not [!Equals [!Ref pLambdaLogGroupKmsKey, '']] @@ -1164,6 +1174,7 @@ Resources: pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement + pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pDisableGuardDuty: !Ref pDisableGuardDuty 
diff --git a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml index 6bef7ec1..5cfebdbe 100644 --- a/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml +++ b/aws_sra_examples/modules/guardduty-org-module/templates/sra-guardduty-org-solution.yaml @@ -57,6 +57,7 @@ Metadata: - pEnableRuntimeMonitoring - pEnableEksAddonManagement - pEnableEcsFargateAgentManagement + - pEnableEc2AgentManagement - pEnableLambdaNetworkLogs - pGuardDutyFindingPublishingFrequency - pGuardDutyOrgDeliveryBucketPrefix @@ -138,6 +139,8 @@ Metadata: default: Auto enable EKS Add-on Management pEnableEcsFargateAgentManagement: default: Auto enable ECS Fargate Agent Management + pEnableEc2AgentManagement: + default: Auto enable EC2 Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pGuardDutyFindingPublishingFrequency: @@ -326,6 +329,11 @@ Parameters: Default: 'true' Description: Auto enable ECS Fargate Agent Management Type: String + pEnableEc2AgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable EC2 Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' @@ -876,6 +884,7 @@ Resources: pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement + pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false] pDisableGuardDuty: !If [cDisableGuardDuty, true, false] 
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml index 74cf0b4a..dd2b0da6 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest.yaml @@ -25,6 +25,8 @@ resources: parameter_value: 'true' - parameter_key: pEnableEcsFargateAgentManagement parameter_value: 'true' + - parameter_key: pEnableEc2AgentManagement + parameter_value: 'true' - parameter_key: pEnableLambdaNetworkLogs parameter_value: 'true' - parameter_key: pControlTowerRegionsOnly diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py index 0a081b94..10d13014 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py @@ -96,6 +96,7 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict: parameter_pattern_validator( "ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", ""), pattern=true_false_pattern ) + parameter_pattern_validator("ENABLE_EC2_AGENT_MANAGEMENT", params.get("ENABLE_EC2_AGENT_MANAGEMENT", ""), pattern=r"^[\w+=,.@-]{1,64}$") parameter_pattern_validator("CONFIGURATION_ROLE_NAME", params.get("CONFIGURATION_ROLE_NAME", ""), pattern=r"^[\w+=,.@-]{1,64}$") parameter_pattern_validator("CONTROL_TOWER_REGIONS_ONLY", params.get("CONTROL_TOWER_REGIONS_ONLY", ""), pattern=true_false_pattern) parameter_pattern_validator("DELEGATED_ADMIN_ACCOUNT_ID", params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), pattern=r"^\d{12}$") 
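Review bot: In the app.py hunk, `ENABLE_EC2_AGENT_MANAGEMENT` is validated with the role-name pattern `r"^[\w+=,.@-]{1,64}$"` instead of the `true_false_pattern` used for the neighbouring `ENABLE_ECS_FARGATE_AGENT_MANAGEMENT`, so any 1–64 character string passes validation. That matters because the value is later interpreted with `.lower() in "true"` (next hunk), a substring test under which `"t"`, `"ru"` or an empty string all count as enabled. Change the line to `parameter_pattern_validator("ENABLE_EC2_AGENT_MANAGEMENT", params.get("ENABLE_EC2_AGENT_MANAGEMENT", ""), pattern=true_false_pattern)`. `get_validated_parameters` starts outside the hunk.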
@@ -217,6 +218,7 @@ def process_create_update_event(params: dict, regions: list) -> None: enable_lambda_network_logs = (params.get("ENABLE_LAMBDA_NETWORK_LOGS", "false")).lower() in "true" enable_runtime_monitoring = (params.get("ENABLE_RUNTIME_MONITORING", "false")).lower() in "true" enable_ecs_fargate_agent_management = (params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", "false")).lower() in "true" + enable_ec2_agent_management = (params.get("ENABLE_EC2_AGENT_MANAGEMENT", "false")).lower() in "true" gd_features = { "S3_DATA_EVENTS": auto_enable_s3_logs, @@ -227,6 +229,7 @@ def process_create_update_event(params: dict, regions: list) -> None: "RUNTIME_MONITORING": enable_runtime_monitoring, "EKS_ADDON_MANAGEMENT": enable_eks_addon_management, "ECS_FARGATE_AGENT_MANAGEMENT": enable_ecs_fargate_agent_management, + "EC2_AGENT_MANAGEMENT": enable_ec2_agent_management, } guardduty.configure_guardduty( diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py index 4f2555df..3dedcd6c 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py @@ -231,7 +231,7 @@ def set_features_list(gd_features: dict) -> list: runtime_monitoring_config["Name"] = feature_name runtime_monitoring_config["Status"] = status features_config.append(runtime_monitoring_config) - elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT": + elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT" or feature_name == "EC2_AGENT_MANAGEMENT": feature_to_set["Name"] = feature_name feature_to_set["Status"] = status runtime_monitoring_config["AdditionalConfiguration"].append(feature_to_set) 
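Review bot: The new line `enable_ec2_agent_management = (params.get("ENABLE_EC2_AGENT_MANAGEMENT", "false")).lower() in "true"` copies a substring test: `"" in "true"` and `"t" in "true"` are both `True`, so an empty or partial value enables the feature, and the validator added in the previous hunk does not currently reject such values. Use an equality test, `enable_ec2_agent_management = params.get("ENABLE_EC2_AGENT_MANAGEMENT", "false").lower() == "true"`; the adjacent pre-existing flags have the same shape and could be corrected in the same pass. `process_create_update_event` starts outside the hunk.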
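Review bot: Style: the extended `elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT" or feature_name == "EC2_AGENT_MANAGEMENT":` chain in `set_features_list` reads better, and stays within the project's line width, as a membership test, `elif feature_name in ("ECS_FARGATE_AGENT_MANAGEMENT", "EKS_ADDON_MANAGEMENT", "EC2_AGENT_MANAGEMENT"):`. The identical line is added to `set_org_configuration_params` in the next hunk; a module-level tuple of the nested feature names would keep the two lists from drifting apart. `set_features_list` starts outside the hunk.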
@@ -416,7 +416,7 @@ def set_org_configuration_params(detector_id: str, gd_features: dict) -> dict: runtime_monitoring_config["Name"] = feature_name runtime_monitoring_config["AutoEnable"] = type features_config.append(runtime_monitoring_config) - elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT": + elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT" or feature_name == "EC2_AGENT_MANAGEMENT": org_feature_to_set["Name"] = feature_name org_feature_to_set["AutoEnable"] = type runtime_monitoring_config["AdditionalConfiguration"].append(org_feature_to_set) diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml index 18c86604..adef876c 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml @@ -38,6 +38,7 @@ Metadata: - pEnableRuntimeMonitoring - pEnableEksAddonManagement - pEnableEcsFargateAgentManagement + - pEnableEc2AgentManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pGuardDutyOrgConfigurationRoleName @@ -71,6 +72,8 @@ Metadata: default: Auto enable EKS Add-on Management pEnableEcsFargateAgentManagement: default: Auto enable ECS Fargate Agent Management + pEnableEc2AgentManagement: + default: Auto enable EC2 Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: @@ -148,6 +151,11 @@ Parameters: Default: 'true' Description: Auto enable ECS Fargate Agent Management Type: String + pEnableEc2AgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable EC2 Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' 
@@ -524,6 +532,7 @@ Resources: ENABLE_RUNTIME_MONITORING: !Ref pEnableRuntimeMonitoring ENABLE_EKS_ADDON_MANAGEMENT: !Ref pEnableEksAddonManagement ENABLE_ECS_FARGATE_AGENT_MANAGEMENT: !Ref pEnableEcsFargateAgentManagement + ENABLE_EC2_AGENT_MANAGEMENT: !Ref pEnableEc2AgentManagement ENABLE_LAMBDA_NETWORK_LOGS: !Ref pEnableLambdaNetworkLogs CONFIGURATION_ROLE_NAME: !Ref pGuardDutyOrgConfigurationRoleName CONTROL_TOWER_REGIONS_ONLY: !Ref pControlTowerRegionsOnly diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml index 7c283e08..8defc858 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-main-ssm.yaml @@ -49,6 +49,7 @@ Metadata: - pEnableRuntimeMonitoring - pEnableEksAddonManagement - pEnableEcsFargateAgentManagement + - pEnableEc2AgentManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pEnabledRegions @@ -84,6 +85,8 @@ Metadata: default: Auto enable EKS Add-on Management pEnableEcsFargateAgentManagement: default: Auto enable ECS Fargate Agent Management + pEnableEc2AgentManagement: + default: Auto enable EC2 Agent Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: @@ -174,6 +177,11 @@ Parameters: Default: 'true' Description: Auto enable ECS Fargate Agent Management Type: String + pEnableEc2AgentManagement: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Auto enable EC2 Agent Management + Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' 
@@ -294,6 +302,8 @@ Rules: AssertDescription: "'Enable EKS Addon Management' requires Guardduty Runtime Monitoring to be enabled" - Assert: !Not [!Equals [!Ref pEnableEcsFargateAgentManagement, 'true']] AssertDescription: "'Enable Ecs Fargate Agent Management' requires Guardduty Runtime Monitoring to be enabled" + - Assert: !Not [!Equals [!Ref pEnableEc2AgentManagement, 'true']] + AssertDescription: "'Enable Ec2 Agent Management' requires Guardduty Runtime Monitoring to be enabled" Resources: @@ -458,6 +468,7 @@ Resources: pEnableRuntimeMonitoring: !Ref pEnableRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableEcsFargateAgentManagement: !Ref pEnableEcsFargateAgentManagement + pEnableEc2AgentManagement: !Ref pEnableEc2AgentManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup From c58684a7d83c570fd4ce4710c3013c1e5e0834bc Mon Sep 17 00:00:00 2001 From: ievgeniia ieromenko Date: Thu, 11 Apr 2024 13:38:08 -0400 Subject: [PATCH 4/8] flake8 fixes --- .../guardduty_org/lambda/src/guardduty.py | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py index 3dedcd6c..b023ac84 100644 --- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py +++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py 
@@ -228,8 +228,6 @@ def set_features_list(gd_features: dict) -> list: status = "DISABLED" if feature_name == "RUNTIME_MONITORING": runtime_monitoring_config = {"Name": feature_name, "Status": status, "AdditionalConfiguration": []} - runtime_monitoring_config["Name"] = feature_name - runtime_monitoring_config["Status"] = status features_config.append(runtime_monitoring_config) elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT" or feature_name == "EC2_AGENT_MANAGEMENT": feature_to_set["Name"] = feature_name 
@@ -403,26 +401,24 @@ def set_org_configuration_params(detector_id: str, gd_features: dict) -> dict: features_config: list = [] org_configuration_params: Dict[str, Any] = {"DetectorId": detector_id, "AutoEnable": True, "Features": features_config} name = "" - type = "" + auto_enable_type = "" for feature_name in gd_features: - org_feature_to_set = {"Name": name, "AutoEnable": type} + org_feature_to_set = {"Name": name, "AutoEnable": auto_enable_type} if gd_features[feature_name] is True: - type = "ALL" + auto_enable_type = "ALL" else: - type = "NONE" + auto_enable_type = "NONE" if feature_name == "RUNTIME_MONITORING": - runtime_monitoring_config = {"Name": feature_name, "AutoEnable": type, "AdditionalConfiguration": []} - runtime_monitoring_config["Name"] = feature_name - runtime_monitoring_config["AutoEnable"] = type + runtime_monitoring_config = {"Name": feature_name, "AutoEnable": auto_enable_type, "AdditionalConfiguration": []} features_config.append(runtime_monitoring_config) elif feature_name == "ECS_FARGATE_AGENT_MANAGEMENT" or feature_name == "EKS_ADDON_MANAGEMENT" or feature_name == "EC2_AGENT_MANAGEMENT": org_feature_to_set["Name"] = feature_name - org_feature_to_set["AutoEnable"] = type + org_feature_to_set["AutoEnable"] = auto_enable_type runtime_monitoring_config["AdditionalConfiguration"].append(org_feature_to_set) else: org_feature_to_set["Name"] = feature_name - org_feature_to_set["AutoEnable"] = type + org_feature_to_set["AutoEnable"] = auto_enable_type features_config.append(org_feature_to_set) return org_configuration_params @@ -492,7 +488,11 @@ def configure_guardduty( # noqa: CFQ002, CFQ001 finding_publishing_frequency: Finding publishing frequency kms_key_arn: KMS Key ARN publishing_destination_arn: Publishing Destination ARN (S3 Bucket) + + Raises: + ValueError: "Check members failure" """ + accounts = common.get_all_organization_accounts([delegated_account_id]) account_ids = common.get_account_ids(accounts) 
@@ -544,7 +544,6 @@ def configure_guardduty( # noqa: CFQ002, CFQ001
 # Verify members created for existing Organization accounts
 for region in region_list:
- # regional_guardduty: GuardDutyClient = session.client("guardduty", region_name=region, config=BOTO3_CONFIG)
 detectors = regional_guardduty.list_detectors()
 if detectors["DetectorIds"]:
 detector_id = detectors["DetectorIds"][0]
@@ -666,7 +665,6 @@ def delete_detectors(guardduty_client: GuardDutyClient, region: str, is_delegate
 region: AWS Region
 is_delegated_admin: True or False
 """
- # disable_aws_service_access(PRINCIPAL_NAME)
 detectors = guardduty_client.list_detectors()
 if detectors["DetectorIds"]:
From 12d4791024f4ff4563d0549117ebc143f5ff982e Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Thu, 11 Apr 2024 13:44:24 -0400
Subject: [PATCH 5/8] more linting fixes
---
 .../solutions/guardduty/guardduty_org/lambda/src/guardduty.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py
index b023ac84..52ade847 100644
--- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py
+++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py
@@ -492,7 +492,6 @@ def configure_guardduty( # noqa: CFQ002, CFQ001
 Raises:
 ValueError: "Check members failure"
 """
-
 accounts = common.get_all_organization_accounts([delegated_account_id])
 account_ids = common.get_account_ids(accounts)
From b3000183ab3a49f0f9e781ff2e24b006b6657f46 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Fri, 3 May 2024 12:13:43 -0400
Subject: [PATCH 6/8] updated changelog
---
 CHANGELOG.md | 11 +++++++++++
 .../parameters/sra-guardduty-org-main-ssm.json | 4 ++++
 2 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 006c4dee..55c32fb1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## Table of Contents
 - [Introduction](#introduction)
+- [2024-05-03](#2024-05-03)
+- [2024-04-15](#2024-04-15)
 - [2024-02-12](#2024-02-12)
 - [2024-02-09](#2024-02-09)
 - [2024-01-29](#2024-01-29)
@@ -51,6 +53,15 @@ All notable changes to this project will be documented in this file.
 ---
+## 2024-05-03
+
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution to add Runtime Monitoring protection.
+- Updated [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) solution default setting to deploy in all enabled regions.
+
+## 2024-04-15
+
+- Updated [Common CFCT Setup](aws_sra_examples/solutions/common/common_cfct_setup) solution to download the latest CfCT template.
+
 ## 2024-02-12
 - Added [AMI Bakery](aws_sra_examples/solutions/ami_bakery/ami_bakery_org) solution for AMI image management.
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json
index ce6b86c5..a82f5889 100644
--- a/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json
+++ b/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json
@@ -27,6 +27,10 @@
 "ParameterKey": "pEnableEcsFargateAgentManagement",
 "ParameterValue": "true"
 },
+ {
+ "ParameterKey": "pEnableEc2AgentManagement",
+ "ParameterValue": "true"
+ },
 {
 "ParameterKey": "pEnableLambdaNetworkLogs",
 "ParameterValue": "true"
From 731036b904da09f9de66417f00bdeaf4ad343b61 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Fri, 3 May 2024 13:14:51 -0400
Subject: [PATCH 7/8] ami bakery linting fixes
---
 .../ami_bakery/ami_bakery_org/lambda/src/codepipeline.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
index 184f52a2..a5794847 100644
--- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
+++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
@@ -21,11 +21,10 @@
 from mypy_boto3_codecommit.type_defs import (
 CreateRepositoryOutputTypeDef,
 DeleteRepositoryOutputTypeDef,
- EmptyResponseMetadataTypeDef,
 PutFileOutputTypeDef,
 )
 from mypy_boto3_codepipeline.client import CodePipelineClient
- from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, PipelineDeclarationTypeDef
+ from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, PipelineDeclarationTypeDef, EmptyResponseMetadataTypeDef
 LOGGER = logging.getLogger("sra")
From b8e923f227884467840aa1431d1866ae50d763bc Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Fri, 3 May 2024 13:21:15 -0400
Subject: [PATCH 8/8] ami bakery isort linting fixes
---
 .../ami_bakery/ami_bakery_org/lambda/src/codepipeline.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
index a5794847..c4ca779b 100644
--- a/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
+++ b/aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py
@@ -18,13 +18,9 @@
 if TYPE_CHECKING:
 from mypy_boto3_codecommit.client import CodeCommitClient
- from mypy_boto3_codecommit.type_defs import (
- CreateRepositoryOutputTypeDef,
- DeleteRepositoryOutputTypeDef,
- PutFileOutputTypeDef,
- )
+ from mypy_boto3_codecommit.type_defs import CreateRepositoryOutputTypeDef, DeleteRepositoryOutputTypeDef, PutFileOutputTypeDef
 from mypy_boto3_codepipeline.client import CodePipelineClient
- from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, PipelineDeclarationTypeDef, EmptyResponseMetadataTypeDef
+ from mypy_boto3_codepipeline.type_defs import CreatePipelineOutputTypeDef, EmptyResponseMetadataTypeDef, PipelineDeclarationTypeDef
 LOGGER = logging.getLogger("sra")