
Commit 558516d

Merge branch 'main' into terraform-stack
2 parents f816ab8 + 9e9e14e commit 558516d


9 files changed

+94
-8
lines changed


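--- a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
@@ -314,3 +314,30 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None:
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+            raise ValueError(
+                f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details."
+            ) from None
+        elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns":
+            process_sns_records(event["Records"])
+        elif "RequestType" in event:
+            process_cloudformation_event(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None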
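Review bot: The Control Tower guard on the `if` at new line 333 is inverted: `("source" not in event and event["source"] != "aws.controltower")` only evaluates `event["source"]` when the key is absent, so an event with none of Records/RequestType/source dies with a KeyError that the outer `except Exception` rewrites into the generic message, while an event whose `source` is anything at all falls through every branch and returns silently. The intended check is presumably `if "Records" not in event and "RequestType" not in event and event.get("source") != "aws.controltower":`. Even with that fix, no branch processes an `aws.controltower` event once it passes the guard, so it is accepted and dropped without a log line; if that is deliberate, a comment such as `# Control Tower lifecycle events are accepted but need no processing here` would say so, otherwise an `elif` is missing. `lambda_handler`'s body starts above the hunk, so I cannot compare how it handles the same shape of event.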

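--- a/aws_sra_examples/terraform/common/main.tf
+++ b/aws_sra_examples/terraform/common/main.tf
@@ -132,7 +132,9 @@ resource "local_file" "config_file_creation" {
   enable_kubernetes_audit_logs = true
   enable_malware_protection = true
   enable_rds_login_events = true
-  enable_eks_runtime_monitoring = true
+  enable_runtime_monitoring = true
+  enable_ecs_fargate_agent_management = true
+  enable_ec2_agent_management = true
   enable_eks_addon_management = true
   enable_lambda_network_logs = true
   guardduty_control_tower_regions_only = true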
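Review bot: Both new agent-management switches are written into the generated config as `true`, which is a much larger operational change than the flag rename next to them suggests: if these map to GuardDuty's automated agent management, enabling them org-wide installs the runtime agent on every EC2 instance and ECS Fargate task in member accounts and creates the supporting VPC endpoints. For an example stack that seems better as an explicit opt-in, e.g. `enable_ecs_fargate_agent_management = false` and `enable_ec2_agent_management = false` with a comment pointing at the SSM/VPC prerequisites, or at minimum a README callout that the default now rolls agents out. The enclosing `local_file` resource starts outside the hunk, so I cannot see whether a comment there already covers this.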

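--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/invoke.tf
@@ -26,7 +26,9 @@ resource "aws_lambda_invocation" "lambda_invoke" {
     "ENABLE_EKS_AUDIT_LOGS" : "${var.enable_kubernetes_audit_logs}",
     "AUTO_ENABLE_MALWARE_PROTECTION" : "${var.enable_malware_protection}",
     "ENABLE_RDS_LOGIN_EVENTS" : "${var.enable_rds_login_events}",
-    "ENABLE_EKS_RUNTIME_MONITORING" : "${var.enable_eks_runtime_monitoring}",
+    "ENABLE_RUNTIME_MONITORING" : "${var.enable_runtime_monitoring}",
+    "ENABLE_ECS_FARGATE_AGENT_MANAGEMENT": "${var.enable_ecs_fargate_agent_management}",
+    "ENABLE_EC2_AGENT_MANAGEMENT": "${var.enable_ec2_agent_management}",
     "ENABLE_EKS_ADDON_MANAGEMENT" : "${var.enable_eks_addon_management}",
     "ENABLE_LAMBDA_NETWORK_LOGS" : "${var.enable_lambda_network_logs}",
   }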
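Review bot: The three new payload keys (`ENABLE_RUNTIME_MONITORING`, `ENABLE_ECS_FARGATE_AGENT_MANAGEMENT`, `ENABLE_EC2_AGENT_MANAGEMENT`) are only one half of a contract: the Lambda code that reads them is not in this diff, and the app.py hunk in this commit does not touch parameter parsing, so a misspelled key, or the Lambda still reading the removed `ENABLE_EKS_RUNTIME_MONITORING`, would not fail the plan but would silently leave the feature at whatever default the Lambda applies. Please confirm the exact key names against the Lambda's parameter-loading code and that nothing still reads the old key. Minor style: the two added entries use `"KEY": ` while every neighbour uses `"KEY" : `; align them so the map reads consistently.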

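--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf
@@ -58,6 +58,16 @@ data "aws_iam_policy_document" "sra_guardduty_org_policy_cloudformation" {
   }
 }
 
+data "aws_iam_policy_document" "sra_guardduty_org_policy_acct" {
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+  statement {
+    sid = "AcctListRegions"
+    effect = "Allow"
+    actions = ["account:ListRegions"]
+    resources = ["*"]
+  }
+}
+
 data "aws_iam_policy_document" "sra_guardduty_org_policy_ssm_access" {
   statement {
     sid = "SSMAccess"
@@ -233,6 +243,11 @@ resource "aws_iam_policy" "sra_guardduty_org_policy_cloudformation" {
   policy = data.aws_iam_policy_document.sra_guardduty_org_policy_cloudformation.json
 }
 
+resource "aws_iam_policy" "sra_guardduty_org_policy_acct" {
+  name = "sra-guardduty-org-policy-acct"
+  policy = data.aws_iam_policy_document.sra_guardduty_org_policy_acct.json
+}
+
 resource "aws_iam_policy" "sra_guardduty_org_policy_ssm_access" {
   name = "ssm-access"
   policy = data.aws_iam_policy_document.sra_guardduty_org_policy_ssm_access.json
@@ -283,6 +298,12 @@ resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_cloudf
   policy_arn = aws_iam_policy.sra_guardduty_org_policy_cloudformation.arn
 }
 
+resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_acct" {
+  name = "sra-guardduty-org-policy-attachment-acct"
+  roles = [aws_iam_role.guardduty_lambda_role.name]
+  policy_arn = aws_iam_policy.sra_guardduty_org_policy_acct.arn
+}
+
 resource "aws_iam_policy_attachment" "sra_guardduty_org_policy_attachment_ssm_access" {
   name = "sra-guardduty-org-policy-attachment-ssm-access"
   roles = [aws_iam_role.guardduty_lambda_role.name]
@@ -465,4 +486,4 @@ resource "aws_sns_topic_subscription" "guardduty_dlq_alarm_subscription" {
   topic_arn = aws_sns_topic.guardduty_dlq_alarm_topic[0].arn
   protocol = "email"
   endpoint = var.sra_alarm_email
-}
+}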
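Review bot: The `#checkov:skip` on the new `sra_guardduty_org_policy_acct` document repeats checkov's rule title instead of a justification, which is the one thing a skip comment should carry; if the Lambda only lists regions for the account it runs in, say so, e.g. `#checkov:skip=CKV_AWS_356: account:ListRegions is only called for the function's own account, which has no resource ARN to scope to`. If the intent is instead to enumerate member-account regions from the management account, the Account Management API exposes an account-scoped resource ARN for that case and `"*"` may not be needed at all; worth confirming against the Lambda's call site. The attachment copies the file's existing `aws_iam_policy_attachment` pattern, which is exclusive: Terraform detaches the policy from any role, user or group not listed in `roles`. For a new single-role policy `aws_iam_role_policy_attachment` avoids that footgun: `resource "aws_iam_role_policy_attachment" "sra_guardduty_org_policy_attachment_acct" { role = aws_iam_role.guardduty_lambda_role.name` / `policy_arn = aws_iam_policy.sra_guardduty_org_policy_acct.arn }`.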

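--- a/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/variables.tf
@@ -125,11 +125,21 @@ variable "enable_rds_login_events" {
   type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type = string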
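Review bot: `enable_runtime_monitoring` keeps its pre-rename description `"Auto enable EKS Runtime Monitoring"`, and `enable_ec2_agent_management` reads `"Auto EC2 Agent Management"` with the verb missing; change them to `description = "Auto enable Runtime Monitoring (EC2, ECS Fargate, EKS)"` and `description = "Auto enable EC2 Agent Management"`. All three variables are `type = string` for what invoke.tf forwards as a presumably boolean switch, so `"True"`, `"yes"` or a typo is accepted at plan time and only fails, or is silently ignored, inside the Lambda. If the string type must stay for the Lambda's sake, a `validation { condition = contains(["true", "false"], var.enable_ec2_agent_management)` / `error_message = "Must be \"true\" or \"false\"." }` block on each new variable pins it at plan time.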

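--- a/aws_sra_examples/terraform/solutions/guard_duty/main.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/main.tf
@@ -77,7 +77,9 @@ module "guardduty_configuration" {
   enable_kubernetes_audit_logs = var.enable_kubernetes_audit_logs
   enable_malware_protection = var.enable_malware_protection
   enable_rds_login_events = var.enable_rds_login_events
-  enable_eks_runtime_monitoring = var.enable_eks_runtime_monitoring
+  enable_runtime_monitoring = var.enable_runtime_monitoring
+  enable_ecs_fargate_agent_management = var.enable_ecs_fargate_agent_management
+  enable_ec2_agent_management = var.enable_ec2_agent_management
   enable_eks_addon_management = var.enable_eks_addon_management
   enable_lambda_network_logs = var.enable_lambda_network_logs
   finding_publishing_frequency = var.finding_publishing_frequency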

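--- a/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
+++ b/aws_sra_examples/terraform/solutions/guard_duty/variables.tf
@@ -57,11 +57,21 @@ variable "enable_rds_login_events" {
   type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type = string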
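Review bot: The description of `enable_runtime_monitoring` was not updated with the rename and still says `"Auto enable EKS Runtime Monitoring"`, and `enable_ec2_agent_management` is described as `"Auto EC2 Agent Management"` without the verb the sibling variables use; suggest `description = "Auto enable Runtime Monitoring (EC2, ECS Fargate, EKS)"` and `description = "Auto enable EC2 Agent Management"`. These module-level copies must stay in step with the `gd_configuration` variables they are passed to, so whatever wording is chosen should be applied in both places.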

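--- a/aws_sra_examples/terraform/solutions/main.tf
+++ b/aws_sra_examples/terraform/solutions/main.tf
@@ -42,7 +42,9 @@ module "guard_duty" {
   enable_kubernetes_audit_logs = var.enable_kubernetes_audit_logs
   enable_malware_protection = var.enable_malware_protection
   enable_rds_login_events = var.enable_rds_login_events
-  enable_eks_runtime_monitoring = var.enable_eks_runtime_monitoring
+  enable_runtime_monitoring = var.enable_runtime_monitoring
+  enable_ecs_fargate_agent_management = var.enable_ecs_fargate_agent_management
+  enable_ec2_agent_management = var.enable_ec2_agent_management
   enable_eks_addon_management = var.enable_eks_addon_management
   enable_lambda_network_logs = var.enable_lambda_network_logs
   finding_publishing_frequency = var.finding_publishing_frequency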

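--- a/aws_sra_examples/terraform/solutions/variables.tf
+++ b/aws_sra_examples/terraform/solutions/variables.tf
@@ -152,11 +152,21 @@ variable "enable_rds_login_events" {
   type = string
 }
 
-variable "enable_eks_runtime_monitoring" {
+variable "enable_runtime_monitoring" {
   description = "Auto enable EKS Runtime Monitoring"
   type = string
 }
 
+variable "enable_ecs_fargate_agent_management" {
+  description = "Auto enable ECS Fargate Agent Management"
+  type = string
+}
+
+variable "enable_ec2_agent_management" {
+  description = "Auto EC2 Agent Management"
+  type = string
+}
+
 variable "enable_eks_addon_management" {
   description = "Auto enable EKS Add-on Management"
   type = string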
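Review bot: This is the root-module declaration, the one an operator actually reads, and it carries the stale `"Auto enable EKS Runtime Monitoring"` description on the renamed `enable_runtime_monitoring` plus the verb-less `"Auto EC2 Agent Management"`; suggest `description = "Auto enable Runtime Monitoring (EC2, ECS Fargate, EKS)"` and `description = "Auto enable EC2 Agent Management"`. Neither new variable has a `default`, so every root-module caller must now supply both or the plan fails; if that is intended as a forcing function for the agent rollout decision, a sentence in the description saying so would spare the next user a surprise.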
