-
Notifications
You must be signed in to change notification settings - Fork 22
/
Copy pathguardduty.tf
102 lines (78 loc) · 3.55 KB
/
guardduty.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
// AWS GuardDuty - Management account configuration
resource "aws_guardduty_organization_admin_account" "audit" {
count = var.aws_guardduty.enabled == true ? 1 : 0
admin_account_id = var.control_tower_account_ids.audit
}
// AWS GuardDuty - Audit account configuration
resource "aws_guardduty_detector" "audit" {
#checkov:skip=CKV_AWS_238: "Ensure that GuardDuty detector is enabled" - False positive, GuardDuty is enabled by default.
#checkov:skip=CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region" - False positive, GuardDuty is enabled by default.
provider = aws.audit
enable = var.aws_guardduty.enabled
finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
tags = var.tags
}
resource "aws_guardduty_organization_configuration" "default" {
count = var.aws_guardduty.enabled == true ? 1 : 0
provider = aws.audit
auto_enable_organization_members = var.aws_guardduty.enabled ? "ALL" : "NONE"
detector_id = aws_guardduty_detector.audit.id
depends_on = [aws_guardduty_organization_admin_account.audit]
}
resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "EBS_MALWARE_PROTECTION"
auto_enable = var.aws_guardduty.ebs_malware_protection_status == true ? "ALL" : "NONE"
}
resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "EKS_AUDIT_LOGS"
auto_enable = var.aws_guardduty.eks_audit_logs_status == true ? "ALL" : "NONE"
}
resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "LAMBDA_NETWORK_LOGS"
auto_enable = var.aws_guardduty.lambda_network_logs_status == true ? "ALL" : "NONE"
}
resource "aws_guardduty_organization_configuration_feature" "rds_login_events" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "RDS_LOGIN_EVENTS"
auto_enable = var.aws_guardduty.rds_login_events_status == true ? "ALL" : "NONE"
}
resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "S3_DATA_EVENTS"
auto_enable = var.aws_guardduty.s3_data_events_status == true ? "ALL" : "NONE"
}
resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
provider = aws.audit
detector_id = aws_guardduty_detector.audit.id
name = "RUNTIME_MONITORING"
auto_enable = var.aws_guardduty.runtime_monitoring_status.enabled == true ? "ALL" : "NONE"
dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status == true ? ["ECS_FARGATE_AGENT_MANAGEMENT"] : []
content {
name = additional_configuration.value
auto_enable = "ALL"
}
}
dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.ec2_agent_management_status == true ? ["EC2_AGENT_MANAGEMENT"] : []
content {
name = additional_configuration.value
auto_enable = "ALL"
}
}
dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.eks_addon_management_status == true ? ["EKS_ADDON_MANAGEMENT"] : []
content {
name = additional_configuration.value
auto_enable = "ALL"
}
}
}