This Terraform module can be used to implement AWS GuardDuty in a multi-account setup. That is designating a GuardDuty delegated admin account and then configuring the rest of GuardDuty in such account.
This must be done from the master account of your Organization.
You must first enable GuardDuty in the master account and designate a delegated admin account.
This is so you can later on manage GuardDuty from said delegated admin.
IMPORTANT: designating a GuardDuty delegate admin account will automatically enable GuardDuty in that account.
#
# We must first enable GuardDuty in the root account so it can be enabled
# later from GuardDuty's delegated admin.
#
# Also designate Security account as GuardDuty's delegated admin
#
module "guardduty" {
source = "github.com/binbashar/terraform-aws-guardduty-multiaccount.git//guardduty-delegated-admin"
guarduty_enabled = true
guarduty_s3_protection_enabled = true
guarduty_kubernetes_protection_enabled = true
guarduty_malware_protection_enabled = true
guardduty_delegated_admin_account_id = 111111111111
}Configure GuardDuty: this is intended to be done from an account that has been designated to be a GuardDuty delegated admin.
Important: since designating a GuardDuty delegated admin account automatically enables GuardDuty in that account, you will need to import "module.guardduty.aws_guardduty_detector.this" before you can properly use this example.
In order to enable Malware Protection from the delegated Admin account, make sure you have activated at the organizational level the Service Principal: malware-protection.guardduty.amazonaws.com
- Reference document: malware-protection
- Leverage Reference Architecture: Terraform Code Reference
#
# GuardDuty is enabled in this account as a delegated admin
#
module "guardduty" {
source = "github.com/binbashar/terraform-aws-guardduty-multiaccount.git//multiaccount-setup"
# Activating Guardduty & S3 protection in this account (security-account).
guarduty_enabled = true
guarduty_s3_protection_enabled = true
guarduty_kubernetes_protection_enabled = true
guarduty_malware_protection_enabled = true
# New Org Accounts will have Guardduty & S3 Protection automatically enabled
guardduty_organization_members_auto_enable = true
guardduty_organization_members_s3_protection_auto_enable = true
guardduty_organization_members_kubernetes_protection_enable = true
guardduty_organization_members_malware_protection_auto_enable = true
guardduty_member_accounts = {
shared = {
account_id = 222222222222
email = "shared@example.com"
},
appsdevstg = {
account_id = 333333333333
email = "appsdevstg@example.com"
},
appsprd = {
account_id = 444444444444
email = "appsprd@example.com"
},
root = {
account_id = 000000000000
email = "root@example.com"
}
}
}
Important: It is correct that the account delegated as GuardDuty Admin (commonly Security) is not added in the guardduty_member_accounts list.
To import the above module, you need to know the AWS GuardDuty Detector ID was enabled in the delegation process on the selected admin account. You can use aws-cli to quickly get these attributes
-
Install aws-cli
## 1: Get AWS GuardDuty Detector ID
aws guardduty list-detectors --profile [AWS_PROFILE]
## 2: You should see a an output like this
{
"DetectorIds": [
"XXXXXXX"
]
}
## 3: Replace DETECTOR_ID and run Terraform import
terraform import module.guardduty.aws_guardduty_detector.this [DETECTOR_ID]
## Optional All-in-one Import Command
terraform import module.guardduty.aws_guardduty_detector.this $(aws guardduty list-detectors --profile [AWS_PROFILE] --query 'DetectorIds[0]')
## 1: Configure your AWS config & credentials files for your current project
export AWS_CONFIG_FILE=~/.aws/[PROJECT]/config
export AWS_SHARED_CREDENTIALS_FILE=~/.aws/[PROJECT]/credentials
## 2: Get AWS GuardDuty Detector ID
aws guardduty list-detectors --profile [AWS_PROFILE]
## 3: You should see a an output like this
{
"DetectorIds": [
"XXXXXXX"
]
}
## 4: Replace DETECTOR_ID and run Leverage Terraform import
leverage terraform import module.guardduty.aws_guardduty_detector.this [DETECTOR_ID]
## Optional All-in-one Import Command
leverage terraform import module.guardduty.aws_guardduty_detector.this $(aws guardduty list-detectors --profile [AWS_PROFILE] --query 'DetectorIds[0]')
In order to get the full automated potential of the
Binbash Leverage DevOps Automation Code Library
you should initialize all the necessary helper Makefiles.
You must execute the make init-makefiles command at the root context
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- init-makefiles initialize makefiles
You'll get all the necessary commands to automatically operate this module via a dockerized approach, example shown below
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- circleci-validate-config ## Validate A CircleCI Config (https
- format-check ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- format ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- tf-dir-chmod ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions
- version ## Show terraform version
- init-makefiles ## initialize makefiles╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make format-check
docker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:"/go/src/project/":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w "/go/src/project/" -it binbash/terraform-awscli-slim:0.12.28 fmt -check
- pipeline-job (NOTE: Will only run after merged PR)
- releases
- changelog