AWS GuardDuty Multi Region Module
This module wraps the guardduty core module to configure AWS GuardDuty in all enabled regions for the AWS Account.
Features
- Uses the guardduty module to enable AWS GuardDuty across all enabled regions of your AWS account (recommended best practice, since an attacker can operate in any region you are not watching)
- Continuously monitors your AWS account for malicious activity and unauthorized behavior
- Analyzes events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs, and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats
- Allows publishing findings to S3 and SNS topics through CloudWatch Events
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
- Learn more about GuardDuty in the guardduty core module.
Repo organization
- modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
- codegen: code generation utilities that help generate modules in this repo.
- examples: working examples of how to use the submodules.
- test: automated tests for the modules and examples.
Deploy
Note
This module depends on Python being available on your system. Python 2.7 and 3.5+ are supported.
- Coming soon. We have not yet added this module to the Acme example Reference Architecture.
Sample Usage
The Terraform variant is shown first, followed by the equivalent Terragrunt variant.
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GUARDDUTY-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
module "guardduty_multi_region" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/guardduty-multi-region?ref=v0.74.5"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Whether to accept an invite from the master account if the detector is not
# created automatically
accept_invite = false
# The AWS account ID of the GuardDuty delegated admin/master account
admin_account_id = null
# Indicates the auto-enablement configuration of GuardDuty for the member
# accounts in the organization. Valid values are ALL, NEW, NONE.
auto_enable_organization_members = null
# Name of the Cloudwatch event rules.
cloudwatch_event_rule_name = "guardduty-finding-events"
# Create the GuardDuty Member Detector resource
create_detector = true
# Set to 'true' to create GuardDuty Organization Admin Account. Only usable in
# Organizations primary account.
create_organization_admin_account = false
# The S3 bucket ARN under which the findings get exported.
default_findings_s3_bucket_arn = null
# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces this to be encrypted. Only used if publish_findings_to_s3 is true.
default_findings_s3_kms_key_arn = null
# The ID of the default customer master key (CMK) to use to encrypt the SNS
# topic for any region that isn't defined in var.sns_kms_master_key_ids. This
# could be an AWS managed CMK (e.g., aws/sns) or customer managed CMK (e.g.,
# alias/example-key). For example, you might set this variable to 'aws/sns' to
# use the AWS managed CMK for encryption in all regions. Only used if
# publish_findings_to_sns is true.
default_sns_kms_master_key_id = null
# The type of GuardDuty event to match. Setting this to anything other than
# the default will generate noise. This usually only needs to be adjusted for
# automated testing purposes.
detail_type = "GuardDuty Finding"
# Map of detector features to enable, where the key is the name of the feature
# the value is the feature configuration. When AWS Organizations delegated
# admin account is used, use var.organization_configuration_features instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
detector_features = {}
# If set to false, suspends GuardDuty (does not destroy data).
enable = true
# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty administrator account and cannot be modified,
# otherwise defaults to SIX_HOURS. For standalone and GuardDuty administrator
# accounts, it must be configured in Terraform to enable drift detection.
# Valid values for standalone and administrator accounts: FIFTEEN_MINUTES,
# ONE_HOUR, SIX_HOURS.
finding_publishing_frequency = null
# A map from AWS region to the ARN of an S3 bucket under which the findings
# get exported. If there's no S3 bucket set for a region, the value in
# var.default_findings_s3_bucket_arn will be used instead. Only used if
# publish_findings_to_s3 is true.
findings_s3_bucket_arns = {}
# A map from AWS region to the ARN of a customer master key (CMK) to use to
# encrypt GuardDuty findings in that region. If there's no ARN set for a
# region, the value in var.default_findings_s3_kms_key_arn will be used
# instead. Only used if publish_findings_to_s3 is true.
findings_s3_kms_key_arns = {}
# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
findings_s3_prefix = null
# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
findings_sns_topic_name = "guardduty-findings"
# The invitation message to send to the member accounts.
invitation_message = "Please accept GuardDuty invitation."
# Map of member accounts to add to GuardDuty where key is the AWS account
# number. Use to add Organization accounts to delegated admin account or
# invite member accounts by invite.
member_accounts = {}
# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}
# Publish GuardDuty findings to an S3 bucket. The bucket ARN and prefix are
# specified by default_findings_s3_bucket_arn (or the per-region
# findings_s3_bucket_arns) and findings_s3_prefix.
publish_findings_to_s3 = false
# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
publish_findings_to_sns = false
# A map from AWS region to the ID of a customer master key (CMK) to use to
# encrypt the SNS topic in that region. This could be an AWS managed CMK
# (e.g., aws/sns) or customer managed CMK (e.g., alias/example-key). If
# there's no CMK set for a region, the value in
# var.default_sns_kms_master_key_id will be used instead. Only used if
# publish_findings_to_sns is true.
sns_kms_master_key_ids = {}
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GUARDDUTY-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/guardduty-multi-region?ref=v0.74.5"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Whether to accept an invite from the master account if the detector is not
# created automatically
accept_invite = false
# The AWS account ID of the GuardDuty delegated admin/master account
admin_account_id = null
# Indicates the auto-enablement configuration of GuardDuty for the member
# accounts in the organization. Valid values are ALL, NEW, NONE.
auto_enable_organization_members = null
# Name of the Cloudwatch event rules.
cloudwatch_event_rule_name = "guardduty-finding-events"
# Create the GuardDuty Member Detector resource
create_detector = true
# Set to 'true' to create GuardDuty Organization Admin Account. Only usable in
# Organizations primary account.
create_organization_admin_account = false
# The S3 bucket ARN under which the findings get exported.
default_findings_s3_bucket_arn = null
# The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty
# enforces this to be encrypted. Only used if publish_findings_to_s3 is true.
default_findings_s3_kms_key_arn = null
# The ID of the default customer master key (CMK) to use to encrypt the SNS
# topic for any region that isn't defined in var.sns_kms_master_key_ids. This
# could be an AWS managed CMK (e.g., aws/sns) or customer managed CMK (e.g.,
# alias/example-key). For example, you might set this variable to 'aws/sns' to
# use the AWS managed CMK for encryption in all regions. Only used if
# publish_findings_to_sns is true.
default_sns_kms_master_key_id = null
# The type of GuardDuty event to match. Setting this to anything other than
# the default will generate noise. This usually only needs to be adjusted for
# automated testing purposes.
detail_type = "GuardDuty Finding"
# Map of detector features to enable, where the key is the name of the feature
# the value is the feature configuration. When AWS Organizations delegated
# admin account is used, use var.organization_configuration_features instead.
# See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
detector_features = {}
# If set to false, suspends GuardDuty (does not destroy data).
enable = true
# Specifies the frequency of notifications sent for subsequent finding
# occurrences. If the detector is a GuardDuty member account, the value is
# determined by the GuardDuty administrator account and cannot be modified,
# otherwise defaults to SIX_HOURS. For standalone and GuardDuty administrator
# accounts, it must be configured in Terraform to enable drift detection.
# Valid values for standalone and administrator accounts: FIFTEEN_MINUTES,
# ONE_HOUR, SIX_HOURS.
finding_publishing_frequency = null
# A map from AWS region to the ARN of an S3 bucket under which the findings
# get exported. If there's no S3 bucket set for a region, the value in
# var.default_findings_s3_bucket_arn will be used instead. Only used if
# publish_findings_to_s3 is true.
findings_s3_bucket_arns = {}
# A map from AWS region to the ARN of a customer master key (CMK) to use to
# encrypt GuardDuty findings in that region. If there's no ARN set for a
# region, the value in var.default_findings_s3_kms_key_arn will be used
# instead. Only used if publish_findings_to_s3 is true.
findings_s3_kms_key_arns = {}
# The bucket prefix without trailing '/' under which the findings get
# exported. The prefix is optional and will be
# AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
findings_s3_prefix = null
# Specifies a name for the created SNS topics where findings are published.
# publish_findings_to_sns must be set to true.
findings_sns_topic_name = "guardduty-findings"
# The invitation message to send to the member accounts.
invitation_message = "Please accept GuardDuty invitation."
# Map of member accounts to add to GuardDuty where key is the AWS account
# number. Use to add Organization accounts to delegated admin account or
# invite member accounts by invite.
member_accounts = {}
# Map of organization configuration features to enable, where key is the
# feature name and value is feature configuration. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
organization_configuration_features = {}
# Publish GuardDuty findings to an S3 bucket. The bucket ARN and prefix are
# specified by default_findings_s3_bucket_arn (or the per-region
# findings_s3_bucket_arns) and findings_s3_prefix.
publish_findings_to_s3 = false
# Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.
publish_findings_to_sns = false
# A map from AWS region to the ID of a customer master key (CMK) to use to
# encrypt the SNS topic in that region. This could be an AWS managed CMK
# (e.g., aws/sns) or customer managed CMK (e.g., alias/example-key). If
# there's no CMK set for a region, the value in
# var.default_sns_kms_master_key_id will be used instead. Only used if
# publish_findings_to_sns is true.
sns_kms_master_key_ids = {}
}
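Once the module has been applied, the thing a practitioner actually wants to know is whether every enabled region really ended up with an ENABLED detector, the intended finding_publishing_frequency, and a working S3 export. The following audit script is an added example, not code from the Gruntwork module or the guardduty core module. It uses the real boto3 operation names for EC2 and GuardDuty (describe_regions, list_detectors, get_detector, list_publishing_destinations); the FakeGuardDuty class, the SAMPLE_REGIONS data and the EXPECTED_FREQUENCY value are constructed assumptions so that it runs offline.

```python
"""Post-apply audit: is GuardDuty enabled, and exporting findings, in every
enabled region of the account?

Added example, not part of the Gruntwork module. The boto3 call names are the
real EC2/GuardDuty API operations; FakeGuardDuty and SAMPLE_REGIONS are
constructed sample data so the script runs without AWS credentials.
"""
from typing import Callable, Dict, Iterable, List

try:
    import boto3  # only needed to audit a real account
except ImportError:
    boto3 = None

# Assumption: the value this account sets for finding_publishing_frequency.
EXPECTED_FREQUENCY = "FIFTEEN_MINUTES"


def list_enabled_regions(ec2_client) -> List[str]:
    """Regions enabled for the account; disabled opt-in regions are excluded,
    which is the same set the multi-region module targets."""
    resp = ec2_client.describe_regions(AllRegions=False)
    return sorted(r["RegionName"] for r in resp["Regions"])


def audit_region(gd_client, expect_s3_export: bool = True) -> List[str]:
    """Return the problems found in one region; an empty list means healthy."""
    problems = []
    detector_ids = gd_client.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        # Region was never enabled, or the detector was destroyed out of band.
        return ["no GuardDuty detector"]
    for detector_id in detector_ids:
        det = gd_client.get_detector(DetectorId=detector_id)
        if det.get("Status") != "ENABLED":  # enable = false suspends the detector
            problems.append("detector %s status %s" % (detector_id, det.get("Status")))
        if det.get("FindingPublishingFrequency") != EXPECTED_FREQUENCY:
            problems.append("detector %s publishes every %s"
                            % (detector_id, det.get("FindingPublishingFrequency")))
        if expect_s3_export:
            dests = gd_client.list_publishing_destinations(
                DetectorId=detector_id).get("Destinations", [])
            s3_dests = [d for d in dests if d.get("DestinationType") == "S3"]
            if not s3_dests:
                problems.append("detector %s has no S3 publishing destination" % detector_id)
            # A destination that exists but is not PUBLISHING usually means the
            # bucket policy or KMS key no longer grants GuardDuty access.
            problems.extend(
                "S3 destination %s status %s" % (d.get("DestinationId"), d.get("Status"))
                for d in s3_dests if d.get("Status") != "PUBLISHING")
    return problems


def audit_account(regions: Iterable[str], client_factory: Callable[[str], object],
                  expect_s3_export: bool = True) -> Dict[str, List[str]]:
    """Map every region to the list of problems found there."""
    return {r: audit_region(client_factory(r), expect_s3_export) for r in regions}


class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client (offline sample only)."""

    def __init__(self, detectors, destinations):
        self._detectors = detectors        # detector id -> get_detector() response
        self._destinations = destinations  # detector id -> list of destinations

    def list_detectors(self):
        return {"DetectorIds": list(self._detectors)}

    def get_detector(self, DetectorId):
        return self._detectors[DetectorId]

    def list_publishing_destinations(self, DetectorId):
        return {"Destinations": self._destinations.get(DetectorId, [])}


# Constructed sample: one healthy region, one suspended region whose export
# stopped, and one region that never had a detector.
SAMPLE_REGIONS = {
    "us-east-1": FakeGuardDuty(
        {"det-a": {"Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"}},
        {"det-a": [{"DestinationId": "dst-a", "DestinationType": "S3", "Status": "PUBLISHING"}]}),
    "eu-west-1": FakeGuardDuty(
        {"det-b": {"Status": "DISABLED", "FindingPublishingFrequency": "SIX_HOURS"}},
        {"det-b": [{"DestinationId": "dst-b", "DestinationType": "S3", "Status": "STOPPED"}]}),
    "ap-south-1": FakeGuardDuty({}, {}),
}


def sample_client_factory(region: str):
    return SAMPLE_REGIONS[region]


def real_client_factory(region: str):
    """Factory for a live audit (requires boto3 and AWS credentials)."""
    return boto3.client("guardduty", region_name=region)


if __name__ == "__main__":
    # Live run: regions = list_enabled_regions(boto3.client("ec2")); factory = real_client_factory
    report = audit_account(sorted(SAMPLE_REGIONS), sample_client_factory)
    for region, problems in report.items():
        print(region, "OK" if not problems else "; ".join(problems))
```

Run it from a CI job after terraform apply and fail the job on any non-empty problem list; that catches a region someone suspended through the console, a newly enabled opt-in region the state file does not yet cover, and an export destination that silently stopped publishing after a bucket policy or KMS key change.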
Reference
Inputs
Required
- aws_account_id (string): The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.
Optional
- accept_invite (bool, default false): Whether to accept an invite from the master account if the detector is not created automatically.
- admin_account_id (string, default null): The AWS account ID of the GuardDuty delegated admin/master account.
- auto_enable_organization_members (string, default null): Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. Valid values are ALL, NEW, NONE.
- cloudwatch_event_rule_name (string, default "guardduty-finding-events"): Name of the CloudWatch event rules.
- create_detector (bool, default true): Create the GuardDuty Member Detector resource.
- create_organization_admin_account (bool, default false): Set to 'true' to create the GuardDuty Organization Admin Account. Only usable in the Organizations primary account.
- default_findings_s3_bucket_arn (string, default null): The S3 bucket ARN under which the findings get exported.
- default_findings_s3_kms_key_arn (string, default null): The ARN of the KMS key used to encrypt GuardDuty findings. GuardDuty requires exported findings to be encrypted. Only used if publish_findings_to_s3 is true.
- default_sns_kms_master_key_id (string, default null): The ID of the default customer master key (CMK) to use to encrypt the SNS topic for any region that isn't defined in sns_kms_master_key_ids. This could be an AWS managed CMK (e.g., aws/sns) or a customer managed CMK (e.g., alias/example-key). For example, set this variable to 'aws/sns' to use the AWS managed CMK for encryption in all regions. Only used if publish_findings_to_sns is true.
- detail_type (string, default "GuardDuty Finding"): The type of GuardDuty event to match. Setting this to anything other than the default will generate noise. This usually only needs to be adjusted for automated testing purposes.
- detector_features (map(object(...)), default {}): Map of detector features to enable, where the key is the name of the feature and the value is the feature configuration. When an AWS Organizations delegated admin account is used, use organization_configuration_features instead. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector_feature
  map(object({
    status = string
    additional_configuration = list(object({
      name = string
      status = string
    }))
  }))
- enable (bool, default true): If set to false, suspends GuardDuty (does not destroy data).
- finding_publishing_frequency (string, default null): Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty administrator account and cannot be modified; otherwise it defaults to SIX_HOURS. For standalone and GuardDuty administrator accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and administrator accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
- findings_s3_bucket_arns (map(string), default {}): A map from AWS region to the ARN of an S3 bucket under which the findings get exported. If there's no S3 bucket set for a region, the value in default_findings_s3_bucket_arn will be used instead. Only used if publish_findings_to_s3 is true.
- findings_s3_kms_key_arns (map(string), default {}): A map from AWS region to the ARN of a customer master key (CMK) to use to encrypt GuardDuty findings in that region. If there's no ARN set for a region, the value in default_findings_s3_kms_key_arn will be used instead. Only used if publish_findings_to_s3 is true.
- findings_s3_prefix (string, default null): The bucket prefix without trailing '/' under which the findings get exported. The prefix is optional and will be AWSLogs/[Account-ID]/GuardDuty/[Region]/ if not provided.
- findings_sns_topic_name (string, default "guardduty-findings"): Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true.
- invitation_message (string, default "Please accept GuardDuty invitation."): The invitation message to send to the member accounts.
- member_accounts (map(object(...)), default {}): Map of member accounts to add to GuardDuty, where the key is the AWS account number. Use it to add Organization accounts to the delegated admin account or to invite member accounts by invitation.
  map(object({
    email = string
  }))
- organization_configuration_features (map(object(...)), default {}): Map of organization configuration features to enable, where the key is the feature name and the value is the feature configuration. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature
  map(object({
    auto_enable = string
    additional_configuration = list(object({
      name = string
      auto_enable = string
    }))
  }))
- publish_findings_to_s3 (bool, default false): Publish GuardDuty findings to an S3 bucket. The bucket ARN and prefix are specified by default_findings_s3_bucket_arn (or the per-region findings_s3_bucket_arns) and findings_s3_prefix.
- publish_findings_to_sns (bool, default false): Send GuardDuty findings to SNS topics named by findings_sns_topic_name.
- sns_kms_master_key_ids (map(string), default {}): A map from AWS region to the ID of a customer master key (CMK) to use to encrypt the SNS topic in that region. This could be an AWS managed CMK (e.g., aws/sns) or a customer managed CMK (e.g., alias/example-key). If there's no CMK set for a region, the value in default_sns_kms_master_key_id will be used instead. Only used if publish_findings_to_sns is true.
Outputs
- The ARNs of the CloudWatch event rules used to publish findings to SNS if publish_findings_to_sns is set to true.
- The ARNs of the CloudWatch event targets used to publish findings to SNS if publish_findings_to_sns is set to true.
- The ARNs of the SNS topics where findings are published if publish_findings_to_sns is set to true.
- The names of the SNS topics where findings are published if publish_findings_to_sns is set to true.
- The IDs of the GuardDuty detectors.