Skip to main content
View SourceRelease Notes

AWS GuardDuty Multi Region Module

This module wraps the guardduty core module to configure AWS GuardDuty in all enabled regions for the AWS Account.

Features

  • Uses the guardduty module to enable AWS GuardDuty across all regions (recommended best practice) on your AWS account

  • Continuously monitor your AWS account for malicious activity and unauthorized behavior

  • Analyze events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs and use machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats

  • Allows publishing threat findings to SNS topics through CloudWatch Events

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • codegen: Code generation utilities that help generate modules in this repo.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Note

This module depends on Python being available on your system. Python 2.7, 3.5+ are supported.

Reference

Required

aws_account_idstringrequired

The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables.

Optional

Name of the Cloudwatch event rules.

"guardduty-finding-events"

The ID of the default customer master key (CMK) to use to encrypt the SNS topic for any region that isn't defined in sns_kms_master_key_ids. This could be an AWS managed CMK (e.g., aws/sns) or customer managed CMK (e.g., alias/example-key). For example, you might set this variable to 'aws/sns' to use the AWS managed CMK for encryption in all regions. Only used if publish_findings_to_sns is true.

null
detail_typestringoptional

The type of GuardDuty event to match. Setting this to anything other than the default will generate noise. This usually only needs to be adjusted for automated testing purposes.

"GuardDuty Finding"
enablebooloptional

If set to false, suspends GuardDuty (does not destroy data).

true

Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty administrator account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty administrator accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and administrator accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS.

null

Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true.

"guardduty-findings"

Send GuardDuty findings to SNS topics specified by findings_sns_topic_name.

false
sns_kms_master_key_idsmap(string)optional

A map from AWS region to the ID of a customer master key (CMK) to use to encrypt the SNS topic in that region. This could be an AWS managed CMK (e.g., aws/sns) or customer managed CMK (e.g., alias/example-key). If there's no CMK set for a region, the value in default_sns_kms_master_key_id will be used instead. Only used if publish_findings_to_sns is true.

{}