Skip to content

Commit

Permalink
breaking: update GuardDuty to support runtime monitoring (#210)
Browse files Browse the repository at this point in the history
breaking: update GuardDuty to support runtime monitoring
  • Loading branch information
marwinbaumannsbp authored Oct 28, 2024
1 parent 51c78b9 commit 265f3bf
Show file tree
Hide file tree
Showing 6 changed files with 238 additions and 46 deletions.
14 changes: 7 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -422,18 +422,18 @@ module "landing_zone" {

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.26.0 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.54.0 |
| <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | > 3.0.0 |
| <a name="requirement_mcaf"></a> [mcaf](#requirement\_mcaf) | >= 0.4.2 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.26.0 |
| <a name="provider_aws.audit"></a> [aws.audit](#provider\_aws.audit) | >= 5.26.0 |
| <a name="provider_aws.logging"></a> [aws.logging](#provider\_aws.logging) | >= 5.26.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.54.0 |
| <a name="provider_aws.audit"></a> [aws.audit](#provider\_aws.audit) | >= 5.54.0 |
| <a name="provider_aws.logging"></a> [aws.logging](#provider\_aws.logging) | >= 5.54.0 |
| <a name="provider_mcaf"></a> [mcaf](#provider\_mcaf) | >= 0.4.2 |

## Modules
Expand Down Expand Up @@ -480,9 +480,9 @@ module "landing_zone" {
| [aws_guardduty_organization_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration) | resource |
| [aws_guardduty_organization_configuration_feature.ebs_malware_protection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.eks_audit_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.eks_runtime_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.lambda_network_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.rds_login_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.runtime_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_guardduty_organization_configuration_feature.s3_data_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
| [aws_iam_account_password_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
| [aws_iam_account_password_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
Expand Down Expand Up @@ -546,7 +546,7 @@ module "landing_zone" {
| <a name="input_aws_config"></a> [aws\_config](#input\_aws\_config) | AWS Config settings | <pre>object({<br> aggregator_account_ids = optional(list(string), [])<br> aggregator_regions = optional(list(string), [])<br> delivery_channel_s3_bucket_name = optional(string, null)<br> delivery_channel_s3_key_prefix = optional(string, null)<br> delivery_frequency = optional(string, "TwentyFour_Hours")<br> rule_identifiers = optional(list(string), [])<br> })</pre> | <pre>{<br> "aggregator_account_ids": [],<br> "aggregator_regions": [],<br> "delivery_channel_s3_bucket_name": null,<br> "delivery_channel_s3_key_prefix": null,<br> "delivery_frequency": "TwentyFour_Hours",<br> "rule_identifiers": []<br>}</pre> | no |
| <a name="input_aws_config_sns_subscription"></a> [aws\_config\_sns\_subscription](#input\_aws\_config\_sns\_subscription) | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic | <pre>map(object({<br> endpoint = string<br> protocol = string<br> }))</pre> | `{}` | no |
| <a name="input_aws_ebs_encryption_by_default"></a> [aws\_ebs\_encryption\_by\_default](#input\_aws\_ebs\_encryption\_by\_default) | Set to true to enable AWS Elastic Block Store encryption by default | `bool` | `true` | no |
| <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br> enabled = optional(bool, true)<br> finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")<br> ebs_malware_protection_status = optional(bool, true)<br> eks_addon_management_status = optional(bool, true)<br> eks_audit_logs_status = optional(bool, true)<br> eks_runtime_monitoring_status = optional(bool, true)<br> lambda_network_logs_status = optional(bool, true)<br> rds_login_events_status = optional(bool, true)<br> s3_data_events_status = optional(bool, true)<br> })</pre> | <pre>{<br> "ebs_malware_protection_status": true,<br> "eks_addon_management_status": true,<br> "eks_audit_logs_status": true,<br> "eks_runtime_monitoring_status": true,<br> "enabled": true,<br> "finding_publishing_frequency": "FIFTEEN_MINUTES",<br> "lambda_network_logs_status": true,<br> "rds_login_events_status": true,<br> "s3_data_events_status": true<br>}</pre> | no |
| <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br> enabled = optional(bool, true)<br> finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")<br> ebs_malware_protection_status = optional(bool, true)<br> eks_audit_logs_status = optional(bool, true)<br> lambda_network_logs_status = optional(bool, true)<br> rds_login_events_status = optional(bool, true)<br> s3_data_events_status = optional(bool, true)<br> runtime_monitoring_status = optional(object({<br> enabled = optional(bool, true)<br> eks_addon_management_status = optional(bool, true)<br> ecs_fargate_agent_management_status = optional(bool, true)<br> ec2_agent_management_status = optional(bool, true)<br> }), {})<br> })</pre> | `{}` | no |
| <a name="input_aws_inspector"></a> [aws\_inspector](#input\_aws\_inspector) | AWS Inspector settings, at least one of the scan options must be enabled | <pre>object({<br> enabled = optional(bool, false)<br> enable_scan_ec2 = optional(bool, true)<br> enable_scan_ecr = optional(bool, true)<br> enable_scan_lambda = optional(bool, true)<br> enable_scan_lambda_code = optional(bool, true)<br> resource_create_timeout = optional(string, "15m")<br> })</pre> | <pre>{<br> "enable_scan_ec2": true,<br> "enable_scan_ecr": true,<br> "enable_scan_lambda": true,<br> "enable_scan_lambda_code": true,<br> "enabled": false,<br> "resource_create_timeout": "15m"<br>}</pre> | no |
| <a name="input_aws_required_tags"></a> [aws\_required\_tags](#input\_aws\_required\_tags) | AWS Required tags settings | <pre>map(list(object({<br> name = string<br> values = optional(list(string))<br> enforced_for = optional(list(string))<br> })))</pre> | `null` | no |
| <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br> enabled = optional(bool, true)<br> auto_enable_controls = optional(bool, true)<br> auto_enable_default_standards = optional(bool, false)<br> control_finding_generator = optional(string, "SECURITY_CONTROL")<br> create_cis_metric_filters = optional(bool, true)<br> product_arns = optional(list(string), [])<br> standards_arns = optional(list(string), null)<br> })</pre> | <pre>{<br> "auto_enable_controls": true,<br> "auto_enable_default_standards": false,<br> "control_finding_generator": "SECURITY_CONTROL",<br> "create_cis_metric_filters": true,<br> "enabled": true,<br> "product_arns": [],<br> "standards_arns": null<br>}</pre> | no |
Expand Down
175 changes: 175 additions & 0 deletions UPGRADING.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,181 @@

This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.

## Upgrading to v4.0.0

> [!WARNING]
> **Read the diagram in [PR 210](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/210) and the guide below! If you currently have EKS Runtime Monitoring enabled, you need to perform MANUAL steps after you have migrated to this version.**
### Behaviour

Using the default `aws_guardduty` values:
* `EKS_RUNTIME_MONITORING` gets removed from the state (but not disabled)
* `RUNTIME_MONITORING` is enabled including `ECS_FARGATE_AGENT_MANAGEMENT`, `EC2_AGENT_MANAGEMENT`, and `EKS_ADDON_MANAGEMENT`.
* Minimum required AWS provider has been set to `v5.54.0`, and minimum required Terraform version has been set to `v1.6`.

### Variables

The following variables have been replaced:
* `aws_guardduty.eks_runtime_monitoring_status` -> `aws_guardduty.runtime_monitoring_status.enabled`
* `aws_guardduty.eks_addon_management_status` -> `aws_guardduty.runtime_monitoring_status.eks_addon_management_status`

The following variables have been introduced:
* `aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status`
* `aws_guardduty.runtime_monitoring_status.ec2_agent_management_status`

### EKS Runtime Monitoring to Runtime Monitoring migration

#### The issue
After you upgraded to this version. **RUNTIME_MONITORING is enabled. But EKS_RUNTIME_MONITORING is not disabled** as is written in the [guardduty_detector_feature documentation](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/guardduty_detector_feature): _Deleting this resource does not disable the detector feature, the resource in simply removed from state instead._

To prevent duplicated costs please **disable** EKS_RUNTIME_MONITORING manually after upgrading.

> [!IMPORTANT]
> Run all the commands with valid credentials in the AWS account where guardduty is delegated administrator. By default this is the **control tower audit** account.
> It's not possible to execute these steps from the AWS Console as the EKS Runtime Monitoring protection plan has already been removed from the GUI. The only way to control this feature is via the CLI.
#### Step 1: get the GuardDuty detector id

```
aws guardduty list-detectors
```

Should display:

```
{
"DetectorIds": [
"12abc34d567e8fa901bc2d34e56789f0"
]
}
```

> [!IMPORTANT]
> Ensure you run this command in the right region! If GuardDuty is enabled in multiple regions then execute all steps for all enabled regions.
#### Step 2: update the GuardDuty detector

_Replace 12abc34d567e8fa901bc2d34e56789f0 with your own regional detector-id. Execute these commands in the audit account:_

```
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
```

#### Step 3: update the GuardDuty organization settings

Replace the `<<EXISTING_VALUE>>` with your current configuration for auto-enabling GuardDuty. By default this should be set to `ALL`.

```
aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members <<EXISTING_VALUE>> --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NONE"}]'
```


#### Step 4: update the GuardDuty member accounts

Disable EKS Runtime Monitoring for **all** member accounts in your organization, for example:

```
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
```

#### Troubleshooting

> An error occurred (BadRequestException) when calling the UpdateMemberDetectors operation: The request is rejected because a feature cannot be turned off for a member while organization has the feature flag set to 'All Accounts'.
Change these options on the AWS console by following the steps below:

1. Go to the GuardDuty Console.
2. On left navigation bar, under protection plans, select `Runtime Monitoring`.
3. Under the `Configuration` tab, in `Runtime Monitoring configuration` click `Edit` and here you need to select the option `Configure accounts manually` for `Automated agent configuration - Amazon EKS`.

Once complete, please allow a minute for the changes to update, you should now be able to execute the command from step 3. When you have executed this command for all AWS accounts, set this option back to `Enable for all accounts`.

> Even after following all steps I still see the message `Your organization has auto-enable preferences set for EKS Runtime Monitoring. This feature has been removed from console experience and can now be managed as part of the Runtime Monitoring feature. Learn more`.
We have checked in with AWS and this behaviour is expected, this is a static message that is displayed currently on the AWS Management Console. AWS could not confirm how to hide this message or how long it will be visible.

#### Verification

Review the GuardDuty organization settings:

```
aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0
```

Should display:

```
...
"Features": [
...
{
"Name": "EKS_RUNTIME_MONITORING",
"AutoEnable": "NONE",
"AdditionalConfiguration": [
{
"Name": "EKS_ADDON_MANAGEMENT",
"AutoEnable": "ALL"
}
]
},
...
```

Review the GuardDuty detector settings:

```
aws guardduty get-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0
```

Should display:

```
...
"Features": [
...
{
"Name": "EKS_RUNTIME_MONITORING",
"Status": "DISABLED",
"UpdatedAt": "2024-10-16T14:12:31+02:00",
"AdditionalConfiguration": [
{
"Name": "EKS_ADDON_MANAGEMENT",
"Status": "ENABLED",
"UpdatedAt": "2024-10-16T14:24:43+02:00"
}
]
},
...
```

> [!NOTE]
> If you want to be really sure all member accounts have the right settings you can run the `aws guardduty get-detector` for member accounts as well. Ensure you have valid credentials for the member account and replace the `detector-id` with the GuardDuty `detector-id` of the member account.
## Upgrading to v3.0.0

### Behaviour

This version add Control Tower 3.x support. Upgrade to Control Tower 3.x before upgrading to this version.

## Upgrading to v2.0.0

### Behaviour

This version sets the minimum required aws provider version from v4 to v5.

### Variables

The following variables have been replaced:
* `aws_guardduty.datasources.malware_protection` -> `aws_guardduty.ebs_malware_protection_status`
* `aws_guardduty.datasources.kubernetes` -> `aws_guardduty.eks_audit_logs_status`
* `aws_guardduty.datasources.s3_logs` -> `aws_guardduty.s3_data_events_status`

The following variables have been introduced:
* `aws_guardduty.eks_addon_management_status`
* `aws_guardduty.eks_runtime_monitoring_status`
* `aws_guardduty.lambda_network_logs_status`
* `aws_guardduty.rds_login_events_status`

## Upgrading to v1.0.0

### Behaviour
Expand Down
4 changes: 2 additions & 2 deletions examples/basic/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.40.0"
version = ">= 5.54.0"
}
datadog = {
source = "datadog/datadog"
Expand All @@ -13,5 +13,5 @@ terraform {
version = ">= 0.4.2"
}
}
required_version = ">= 1.3"
required_version = ">= 1.6"
}
67 changes: 45 additions & 22 deletions guardduty.tf
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,16 @@ resource "aws_guardduty_organization_admin_account" "audit" {
}

// AWS GuardDuty - Audit account configuration
resource "aws_guardduty_detector" "audit" {
#checkov:skip=CKV_AWS_238: "Ensure that GuardDuty detector is enabled" - False positive, GuardDuty is enabled by default.
#checkov:skip=CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region" - False positive, GuardDuty is enabled by default.
provider = aws.audit

enable = var.aws_guardduty.enabled
finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
tags = var.tags
}

resource "aws_guardduty_organization_configuration" "default" {
count = var.aws_guardduty.enabled == true ? 1 : 0
provider = aws.audit
Expand All @@ -16,14 +26,6 @@ resource "aws_guardduty_organization_configuration" "default" {
depends_on = [aws_guardduty_organization_admin_account.audit]
}

resource "aws_guardduty_detector" "audit" {
provider = aws.audit

enable = var.aws_guardduty.enabled
finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
tags = var.tags
}

resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
provider = aws.audit

Expand All @@ -40,20 +42,6 @@ resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
auto_enable = var.aws_guardduty.eks_audit_logs_status == true ? "ALL" : "NONE"
}

resource "aws_guardduty_organization_configuration_feature" "eks_runtime_monitoring" {
provider = aws.audit

detector_id = aws_guardduty_detector.audit.id
name = "EKS_RUNTIME_MONITORING"
auto_enable = var.aws_guardduty.eks_runtime_monitoring_status == true ? "ALL" : "NONE"


additional_configuration {
name = "EKS_ADDON_MANAGEMENT"
auto_enable = var.aws_guardduty.eks_addon_management_status == true ? "ALL" : "NONE"
}
}

resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
provider = aws.audit

Expand All @@ -77,3 +65,38 @@ resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
name = "S3_DATA_EVENTS"
auto_enable = var.aws_guardduty.s3_data_events_status == true ? "ALL" : "NONE"
}

resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
provider = aws.audit

detector_id = aws_guardduty_detector.audit.id
name = "RUNTIME_MONITORING"
auto_enable = var.aws_guardduty.runtime_monitoring_status.enabled == true ? "ALL" : "NONE"

dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status == true ? ["ECS_FARGATE_AGENT_MANAGEMENT"] : []

content {
name = additional_configuration.value
auto_enable = "ALL"
}
}

dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.ec2_agent_management_status == true ? ["EC2_AGENT_MANAGEMENT"] : []

content {
name = additional_configuration.value
auto_enable = "ALL"
}
}

dynamic "additional_configuration" {
for_each = var.aws_guardduty.runtime_monitoring_status.eks_addon_management_status == true ? ["EKS_ADDON_MANAGEMENT"] : []

content {
name = additional_configuration.value
auto_enable = "ALL"
}
}
}
Loading

0 comments on commit 265f3bf

Please sign in to comment.