
AWS GuardDuty

This Terraform Module configures AWS GuardDuty, a service for detecting threats and continuously monitoring your AWS accounts and workloads against malicious activity and unauthorized behavior.

Features

  • Continuously monitor your AWS account for malicious activity and unauthorized behavior

  • Analyze events across multiple AWS data sources (AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs) and use machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats

  • Uses the [guardduty-single-region module](../guardduty-single-region) to enable AWS GuardDuty in every region of your AWS account, which is the recommended practice: activity in a region you never use is otherwise unmonitored

  • Allows publishing findings to an SNS topic through a CloudWatch Events rule

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • codegen: Code generation utilities that help generate modules in this repo.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this module out, check out the following resources:

Production deployment

If you want to deploy this module in production, check out the following resources:

Reference

Optional

[variable name not shown on this page] (string, optional)
Name of the CloudWatch event rule that matches GuardDuty findings.
Default: "guardduty-finding-events"

create_resources (bool, optional)
Enable or disable creation of the resources of this module. This is a workaround for wanting count = 0 on a module, which Terraform does not support for modules as of 0.12.17.
Default: true

detail_type (string, optional)
The CloudWatch event detail-type to match. Setting this to anything other than the default will generate noise; it usually only needs to be changed for automated testing.
Default: "GuardDuty Finding"

enable (bool, optional)
Enable monitoring and finding reporting. Setting this to false is equivalent to suspending GuardDuty.
Default: true

[variable name not shown on this page] (string, optional)
Specifies the frequency of notifications sent for subsequent occurrences of a finding. If the detector belongs to a GuardDuty member account, the value is determined by the GuardDuty administrator account and cannot be modified; otherwise it defaults to SIX_HOURS. For standalone and GuardDuty administrator accounts, set it explicitly in Terraform so that drift is detected. Valid values for standalone and administrator accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.
Default: null

findings_sns_topic_name (string, optional)
Name of the SNS topic this module creates for publishing findings. Only used if publish_findings_to_sns is true.
Default: "guardduty-findings"

publish_findings_to_sns (bool, optional)
Send GuardDuty findings to the SNS topic named by findings_sns_topic_name.
Default: false

sns_kms_master_key_id (string, optional)
The ID of the KMS key (customer master key, CMK) used to encrypt the SNS topic, given as a key ID, ARN, or alias (e.g., alias/example-key). Only used if publish_findings_to_sns is true. Caveat: the AWS managed key aws/sns cannot be used here in practice, because its key policy cannot be changed to grant the CloudWatch Events service principal (events.amazonaws.com) access, so findings would never reach the encrypted topic. Use a customer managed key whose policy allows events.amazonaws.com to call kms:GenerateDataKey* and kms:Decrypt.
Default: null
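The following is an added example of wiring this module to an encrypted findings topic; it is not code from the Gruntwork module or its examples folder. The module source path and version ref are assumed placeholders, and the variable name finding_publishing_frequency is assumed because the reference above does not show it (it mirrors the underlying aws_guardduty_detector argument). The key policy carries the statement that lets CloudWatch Events publish to a KMS-encrypted SNS topic, which is the part most often missed.

```hcl
# Added example, not the project's own code. Assumptions: the module source
# path and ?ref= version are placeholders; the variable name
# finding_publishing_frequency is assumed (not shown on the page).

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Customer managed KMS key for the findings topic. The second statement is
# required: without it, CloudWatch Events (events.amazonaws.com) cannot
# encrypt messages for the topic and findings are silently dropped.
resource "aws_kms_key" "guardduty_findings" {
  description         = "Encrypts the GuardDuty findings SNS topic"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchEventsToPublishToEncryptedTopic"
        Effect    = "Allow"
        Principal = { Service = "events.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "guardduty_findings" {
  name          = "alias/guardduty-findings"
  target_key_id = aws_kms_key.guardduty_findings.key_id
}

module "guardduty" {
  # Assumed source path; pin ref to a released version of the repo.
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/guardduty-multi-region?ref=v0.x.y"

  enable           = true
  create_resources = true

  # Assumed variable name. Set explicitly for standalone and administrator
  # accounts so Terraform detects drift if someone changes it in the console.
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  # Publish findings to an SNS topic encrypted with the customer managed key
  # above; the AWS managed key aws/sns would not work here (see the caveat
  # on sns_kms_master_key_id).
  publish_findings_to_sns = true
  findings_sns_topic_name = "guardduty-findings"
  sns_kms_master_key_id   = aws_kms_alias.guardduty_findings.name
}
```

Gruntwork's multi-region modules are generated by the repo's codegen tooling and usually expect a provider configuration per region; check the examples folder of the version you pin for the exact providers block it requires before applying this.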