AWS SRA GuardDuty Organization Solution with Terraform

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0


⚠️Influence the future of the AWS Security Reference Architecture (AWS SRA) code library by taking a short survey.

Introduction

This Terraform module deploys the GuardDuty Organization AWS SRA solution.

The common prerequisite solution must be installed in the management account before this solution is installed.

The resources deployed, together with the Terraform requirements, providers, modules, resources, inputs and outputs of this module, are documented below.

Please navigate to the installing the AWS SRA Solutions section of the documentation for more information and installation instructions.

For the CloudFormation version of this AWS SRA solution, as well as more information, please navigate to the AWS SRA GuardDuty solution documentation page.


Deployed Resource Details

Architecture

1.0 Organization Management Account
    1.1 AWS Lambda Function
    1.2 Lambda Execution IAM Role
    1.3 Lambda CloudWatch Log Group
    1.4 Configuration SNS Topic
    1.5 Dead Letter Queue (DLQ)
    1.6 Alarm SNS Topic
    1.7 GuardDuty
    1.8 Lambda Layer

2.0 Log Archive Account
    2.1 GuardDuty Delivery S3 Bucket
    2.2 GuardDuty

3.0 Audit (Security Tooling) Account
    3.1 GuardDuty Delivery KMS Key
    3.2 Configuration IAM Role
    3.3 GuardDuty

4.0 All Existing and Future Organization Member Accounts
    4.1 GuardDuty
    4.2 Delete Detector Role

Implementation Instructions

Please navigate to the installing the AWS SRA Solutions section of the documentation for installation instructions.


Requirements

| Name | Version |
|------|---------|
| aws | >= 5.1.0 |

Providers

| Name | Version |
|------|---------|
| aws.main | >= 5.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| guardduty_configuration | ./gd_configuration | n/a |
| guardduty_configuration_role | ./configuration_role | n/a |
| guardduty_delete_role | ./delete_detector | n/a |
| guardduty_delivery_key | ./kms_key | n/a |
| guardduty_s3_bucket | ./s3 | n/a |

Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| account_id | Current account ID | string | n/a | yes |
| audit_account_id | AWS account ID of the Control Tower Audit account | string | n/a | yes |
| disable_guard_duty | Set to 'true' (and apply) to disable GuardDuty in all accounts and regions before running terraform destroy | string | n/a | yes |
| enable_eks_addon_management | Auto-enable EKS Add-on Management | string | n/a | yes |
| enable_eks_runtime_monitoring | Auto-enable EKS Runtime Monitoring | string | n/a | yes |
| enable_kubernetes_audit_logs | Auto-enable Kubernetes Audit Logs | string | n/a | yes |
| enable_lambda_network_logs | Auto-enable Lambda Network Logs | string | n/a | yes |
| enable_malware_protection | Auto-enable Malware Protection | string | n/a | yes |
| enable_rds_login_events | Auto-enable RDS Login Events | string | n/a | yes |
| enable_s3_logs | Auto-enable S3 data event logs | string | n/a | yes |
| finding_publishing_frequency | Finding publishing frequency | string | n/a | yes |
| guardduty_control_tower_regions_only | Only enable GuardDuty in the Control Tower governed regions | string | n/a | yes |
| home_region | Name of the Control Tower home region | string | n/a | yes |
| log_archive_account_id | AWS account ID of the Control Tower Log Archive account | string | n/a | yes |
| management_account_id | Organization Management account ID | string | n/a | yes |
| organization_id | AWS Organization ID | string | n/a | yes |
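A post-deployment check for the layout described in the architecture and inputs above, written as an added example for this README and not code from the AWS SRA code library. It assumes a mapping from the module's enable_* inputs to GuardDuty API feature names (S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, EKS_RUNTIME_MONITORING, LAMBDA_NETWORK_LOGS, plus the EKS_ADDON_MANAGEMENT additional configuration), which the module does not document here, and it uses placeholder account IDs and a constructed stub client so it runs offline; run it with --live and Audit (delegated administrator) account credentials to query the real API through boto3, once per region the module was applied to.

```python
"""Check a region's GuardDuty delegated-admin configuration against the module inputs.

Added example, not part of the AWS SRA code library. Every check takes the
GuardDuty client as a parameter so the same logic runs against the stub below.
"""
from __future__ import annotations

# Assumed mapping from the module's enable_* inputs to GuardDuty API feature names.
FEATURE_FOR_INPUT = {
    "enable_s3_logs": "S3_DATA_EVENTS",
    "enable_kubernetes_audit_logs": "EKS_AUDIT_LOGS",
    "enable_malware_protection": "EBS_MALWARE_PROTECTION",
    "enable_rds_login_events": "RDS_LOGIN_EVENTS",
    "enable_eks_runtime_monitoring": "EKS_RUNTIME_MONITORING",
    "enable_lambda_network_logs": "LAMBDA_NETWORK_LOGS",
}


def _is_true(value) -> bool:
    # The module declares these inputs as strings ('true'/'false'), not booleans.
    return str(value).strip().lower() == "true"


def account_from_arn(arn: str) -> str:
    """Return the account-id field of an ARN ('' if the ARN is malformed)."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account-id:resource
    return parts[4] if len(parts) == 6 else ""


def audit_delegated_admin(gd, inputs: dict, audit_account_id: str) -> list[str]:
    """Return a list of deviations from the expected layout (empty means it matches)."""
    problems: list[str] = []
    detector_ids = gd.list_detectors().get("DetectorIds", [])
    if len(detector_ids) != 1:
        return [f"expected exactly one detector, found {len(detector_ids)}"]
    det = detector_ids[0]

    # 4.1: every existing and future member account must be auto-enrolled.
    org = gd.describe_organization_configuration(DetectorId=det)
    members = org.get("AutoEnableOrganizationMembers")
    if members != "ALL":
        problems.append(f"AutoEnableOrganizationMembers is {members!r}, expected 'ALL'")

    # Every feature the module was told to enable must auto-enable for ALL members.
    features = {f.get("Name"): f for f in org.get("Features", [])}
    for input_name, feature in FEATURE_FOR_INPUT.items():
        if not _is_true(inputs.get(input_name, "false")):
            continue
        auto = features.get(feature, {}).get("AutoEnable")
        if auto != "ALL":
            problems.append(f"{feature} auto-enable is {auto!r}, expected 'ALL' ({input_name})")
    if _is_true(inputs.get("enable_eks_addon_management", "false")):
        extra = features.get("EKS_RUNTIME_MONITORING", {}).get("AdditionalConfiguration", [])
        addon = next((c for c in extra if c.get("Name") == "EKS_ADDON_MANAGEMENT"), {})
        if addon.get("AutoEnable") != "ALL":
            problems.append("EKS_ADDON_MANAGEMENT auto-enable is not 'ALL'")

    # 2.1 / 3.1: findings must publish to S3, encrypted with a key owned by the Audit account.
    dests = gd.list_publishing_destinations(DetectorId=det).get("Destinations", [])
    s3_dests = [d for d in dests if d.get("DestinationType") == "S3"]
    if not s3_dests:
        problems.append("no S3 publishing destination configured")
    for dest in s3_dests:
        detail = gd.describe_publishing_destination(DetectorId=det, DestinationId=dest["DestinationId"])
        if detail.get("Status") != "PUBLISHING":
            problems.append(f"destination {dest['DestinationId']} status is {detail.get('Status')!r}")
        kms_arn = detail.get("DestinationProperties", {}).get("KmsKeyArn", "")
        if account_from_arn(kms_arn) != audit_account_id:
            problems.append(f"destination {dest['DestinationId']} KMS key {kms_arn!r} is not in the Audit account")
    return problems


# Constructed sample inputs and a stub client shaped like the real API responses.
# Account IDs, detector ID and bucket name are placeholders.
SAMPLE_INPUTS = {
    "enable_s3_logs": "true", "enable_malware_protection": "true",
    "enable_eks_runtime_monitoring": "true", "enable_eks_addon_management": "true",
    "enable_kubernetes_audit_logs": "false", "enable_rds_login_events": "false",
    "enable_lambda_network_logs": "false",
}
AUDIT_ACCOUNT = "222222222222"


class StubGuardDuty:
    def __init__(self, auto_enable="ALL", kms_account=AUDIT_ACCOUNT, status="PUBLISHING"):
        self.auto_enable, self.kms_account, self.status = auto_enable, kms_account, status

    def list_detectors(self):
        return {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]}

    def describe_organization_configuration(self, DetectorId):
        feats = [{"Name": n, "AutoEnable": self.auto_enable} for n in FEATURE_FOR_INPUT.values()]
        eks = next(f for f in feats if f["Name"] == "EKS_RUNTIME_MONITORING")
        eks["AdditionalConfiguration"] = [{"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": self.auto_enable}]
        return {"AutoEnableOrganizationMembers": self.auto_enable, "Features": feats}

    def list_publishing_destinations(self, DetectorId):
        return {"Destinations": [{"DestinationId": "dest-1", "DestinationType": "S3", "Status": self.status}]}

    def describe_publishing_destination(self, DetectorId, DestinationId):
        return {"DestinationId": DestinationId, "DestinationType": "S3", "Status": self.status,
                "DestinationProperties": {
                    "DestinationArn": "arn:aws:s3:::example-guardduty-delivery-bucket",
                    "KmsKeyArn": f"arn:aws:kms:us-east-1:{self.kms_account}:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}


if __name__ == "__main__":
    import sys
    client = StubGuardDuty()
    if "--live" in sys.argv:
        import boto3  # only needed for a live run against the Audit account
        client = boto3.client("guardduty")
    for line in audit_delegated_admin(client, SAMPLE_INPUTS, AUDIT_ACCOUNT) or ["OK: layout matches inputs"]:
        print(line)
```

Run it per region because detectors, publishing destinations and the organization configuration are all regional; with guardduty_control_tower_regions_only set, the non-governed regions are expected to report no detector.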

Outputs

| Name | Description |
|------|-------------|
| guard_duty_results | n/a |