Terraform Module for AWS GuardDuty

Terraform module that creates AWS GuardDuty resources.

• Terraform Module for AWS GuardDuty
  • Usage
    • Standalone
    • Organizations
  • Overview Diagrams
    • Standalone
    • Organizations
  • Terraform Module

Usage

Standalone

module "guardduty" {
  source = "aws-ia/terraform-aws-guardduty/aws"

  replica_region               = "us-east-1"
  enable_guardduty             = true
  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  filter_config = [{
    name        = "guardduty_filter"
    description = "AWS GuardDuty example filter."
    rank        = 1
    action      = "ARCHIVE"
    criterion = [

      {
        field  = "region"
        equals = ["us-west-2"]
      },
      {
        field      = "service.additionalInfo.threatListName"
        not_equals = ["some-threat", "another-threat"]
      },
      {
        field        = "updatedAt"
        greater_than = "2023-01-01T00:00:00Z"
        less_than    = "2023-12-31T23:59:59Z"
      },
      {
        field                 = "severity"
        greater_than_or_equal = "4"
      }
  ] }]

  ipset_config = [{
    activate = false
    name     = "DefaultGuardDutyIPSet"
    format   = "TXT"
    content  = "10.0.0.0/8\n"
    key      = "DefaultGuardDutyIPSet"
  }]

  threatintelset_config = [{
    activate   = false
    name       = "DefaultGuardThreatIntelSet"
    format     = "TXT"
    content    = "1.10.16.0/20\n1.19.0.0/16\n"
    key        = "DefaultGuardThreatIntelSet"
    object_acl = "public-read"

  }]
  publish_to_s3        = true
  guardduty_bucket_acl = "private"
  tags                 = {}
}

Organizations

module "delegated_admin" {
  source = "aws-ia/terraform-aws-guardduty/aws//modules/organizations_admin"

  admin_account_id                 = data.aws_caller_identity.current.account_id
  auto_enable_organization_members = "ALL"
  guardduty_detector_id            = module.guardduty_detector.guardduty_detector.id

  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
}

module "guardduty_detector" {
  source = "aws-ia/terraform-aws-guardduty/aws"

  enable_guardduty = true

  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  tags                         = {}
}

Overview Diagrams

Standalone

Organizations

Terraform Module

Requirements

Name	Version
terraform	>= 1.0.0
aws	>= 4.47
random	>= 3.4

Providers

Name	Version
aws	>= 4.47
aws.replica	>= 4.47
random	>= 3.4

Modules

Name	Source	Version
log_bucket	terraform-aws-modules/s3-bucket/aws	3.14.0
replica_bucket	terraform-aws-modules/s3-bucket/aws	3.14.0
s3_bucket	terraform-aws-modules/s3-bucket/aws	3.14.0

Resources

Name	Type
aws_guardduty_detector.primary	resource
aws_guardduty_filter.this	resource
aws_guardduty_ipset.this	resource
aws_guardduty_publishing_destination.this	resource
aws_guardduty_threatintelset.this	resource
aws_iam_policy.bucket_replication	resource
aws_iam_role.bucket_replication	resource
aws_iam_role_policy_attachment.replication	resource
aws_kms_key.guardduty_key	resource
aws_kms_key.replica_key	resource
aws_s3_object.ipset_object	resource
aws_s3_object.threatintelset_object	resource
random_string.this	resource
aws_caller_identity.current	data source
aws_iam_policy_document.bucket_replication	data source
aws_iam_policy_document.bucket_replication_assume_role	data source
aws_iam_policy_document.guardduty_bucket_policy	data source
aws_iam_policy_document.guardduty_kms_policy	data source
aws_iam_policy_document.guardduty_replica_bucket_policy	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
enable_guardduty	Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending' GuardDuty. Defaults to true.	bool	true	no
enable_kubernetes_protection	Configure and enable Kubernetes audit logs as a data source for Kubernetes protection. Defaults to true.	bool	true	no
enable_malware_protection	Configure and enable Malware Protection as data source for EC2 instances with findings for the detector. Defaults to true.	bool	true	no
enable_s3_protection	Configure and enable S3 protection. Defaults to true.	bool	true	no
enable_snapshot_retention	Enable EBS Snaptshot retention for 30 days, if any Findings exists. Defaults to false.	bool	false	no
filter_config	Specifies AWS GuardDuty Filter configuration. name - The name of the filter rank - Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. action - Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP. criterion - Configuration block for finding_criteria. Composed by field and one or more of the following operators: equals | not_equals | greater_than | greater_than_or_equal | less_than | less_than_or_equal.	list(object({ name = string description = optional(string) rank = number action = string criterion = list(object({ field = string equals = optional(list(string)) not_equals = optional(list(string)) greater_than = optional(string) greater_than_or_equal = optional(string) less_than = optional(string) less_than_or_equal = optional(string) })) }))	null	no
finding_publishing_frequency	Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. Defaults to SIX_HOURS.	string	"FIFTEEN_MINUTES"	no
guardduty_bucket_acl	Canned ACL to apply to the bucket. Valid values are private | public-read | public-read-write | aws-exec-read | authenticated-read | bucket-owner-read | bucket-owner-full-control. Defaults to null.	string	null	no
guardduty_s3_bucket	Name of the S3 Bucket for GuardDuty. Defaults to null.	string	null	no
ipset_config	Specifies AWS GuardDuty IPSet configuration. activate - Specifies whether GuardDuty is to start using the uploaded IPSet. name - The friendly name to identify the IPSet. format - The format of the file that contains the IPSet. Valid values: TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE. content- Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text. Example: 10.0.0.0/8\n. key - Name of the object once it is in the bucket.	list(object({ activate = bool name = string format = string content = string key = string }))	null	no
publish_to_s3	Specifies if the Amazon GuardDuty findings should be exported to S3. Defaults to false.	bool	false	no
publishing_config	Defines the findings publishing configuration.	list(object({ destination_arn = string kms_key_arn = string destination_type = optional(string) }))	[ { "destination_arn": null, "destination_type": "S3", "kms_key_arn": null } ]	no
replica_region	Region where S3 bucket data from Amazon GuardDuty will be replicated. Defaults to null.	string	null	no
tags	Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. Defaults to {}.	map(any)	{}	no
threatintelset_config	Specifies AWS GuardDuty ThreatIntelSet configuration. activate - Specifies whether GuardDuty is to start using the uploaded ThreatIntelSet. name - The friendly name to identify the ThreatIntelSet. format - The format of the file that contains the ThreatIntelSet. Valid values: TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE. content- Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text. Example: 10.0.0.0/8\n. key - Name of the object once it is in the bucket. object_acl- Canned ACL to apply to the object. Valid values are private | public-read | public-read-write | aws-exec-read | authenticated-read | bucket-owner-read | bucket-owner-full-control.	list(object({ activate = bool name = string format = string content = string key = string object_acl = string }))	null	no

Outputs

Name	Description
guardduty_detector	AWS GuardDuty Detector.
guardduty_filter	AWS GuardDuty Findings Filters definition.
guardduty_ipset	AWS GuardDuty trusted IPSet configuration.
guardduty_kms_key	Amazon KMS Key created to encrypt AWS GuardDuty's S3 Bucket.
guardduty_kms_replica_key	Amazon KMS Key created to encrypt AWS GuardDuty's S3 Replica Bucket.
guardduty_log_bucket	Amazon S3 Log Bucket created for AWS GuardDuty.
guardduty_publishing	AWS GuardDuty Publishing destination to export findings.
guardduty_replica_bucket	Amazon S3 Replica Bucket created for AWS GuardDuty.
guardduty_s3_bucket	Amazon S3 Bucket created for AWS GuardDuty.
guardduty_threatintelset	AWS GuardDuty known ThreatIntelSet configuration.