breaking: update GuardDuty to support runtime monitoring (#210)

breaking: update GuardDuty to support runtime monitoring
schubergphilis · Oct 28, 2024 · 265f3bf · 265f3bf
1 parent 51c78b9
commit 265f3bf
Show file tree

Hide file tree

Showing 6 changed files with 238 additions and 46 deletions.
diff --git a/README.md b/README.md
@@ -422,18 +422,18 @@ module "landing_zone" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.26.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.54.0 |
 | <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | > 3.0.0 |
 | <a name="requirement_mcaf"></a> [mcaf](#requirement\_mcaf) | >= 0.4.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.26.0 |
-| <a name="provider_aws.audit"></a> [aws.audit](#provider\_aws.audit) | >= 5.26.0 |
-| <a name="provider_aws.logging"></a> [aws.logging](#provider\_aws.logging) | >= 5.26.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.54.0 |
+| <a name="provider_aws.audit"></a> [aws.audit](#provider\_aws.audit) | >= 5.54.0 |
+| <a name="provider_aws.logging"></a> [aws.logging](#provider\_aws.logging) | >= 5.54.0 |
 | <a name="provider_mcaf"></a> [mcaf](#provider\_mcaf) | >= 0.4.2 |
 
 ## Modules
@@ -480,9 +480,9 @@ module "landing_zone" {
 | [aws_guardduty_organization_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration) | resource |
 | [aws_guardduty_organization_configuration_feature.ebs_malware_protection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
 | [aws_guardduty_organization_configuration_feature.eks_audit_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
-| [aws_guardduty_organization_configuration_feature.eks_runtime_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
 | [aws_guardduty_organization_configuration_feature.lambda_network_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
 | [aws_guardduty_organization_configuration_feature.rds_login_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
+| [aws_guardduty_organization_configuration_feature.runtime_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
 | [aws_guardduty_organization_configuration_feature.s3_data_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration_feature) | resource |
 | [aws_iam_account_password_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
 | [aws_iam_account_password_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
@@ -546,7 +546,7 @@ module "landing_zone" {
 | <a name="input_aws_config"></a> [aws\_config](#input\_aws\_config) | AWS Config settings | <pre>object({<br>    aggregator_account_ids          = optional(list(string), [])<br>    aggregator_regions              = optional(list(string), [])<br>    delivery_channel_s3_bucket_name = optional(string, null)<br>    delivery_channel_s3_key_prefix  = optional(string, null)<br>    delivery_frequency              = optional(string, "TwentyFour_Hours")<br>    rule_identifiers                = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "aggregator_account_ids": [],<br>  "aggregator_regions": [],<br>  "delivery_channel_s3_bucket_name": null,<br>  "delivery_channel_s3_key_prefix": null,<br>  "delivery_frequency": "TwentyFour_Hours",<br>  "rule_identifiers": []<br>}</pre> | no |
 | <a name="input_aws_config_sns_subscription"></a> [aws\_config\_sns\_subscription](#input\_aws\_config\_sns\_subscription) | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic | <pre>map(object({<br>    endpoint = string<br>    protocol = string<br>  }))</pre> | `{}` | no |
 | <a name="input_aws_ebs_encryption_by_default"></a> [aws\_ebs\_encryption\_by\_default](#input\_aws\_ebs\_encryption\_by\_default) | Set to true to enable AWS Elastic Block Store encryption by default | `bool` | `true` | no |
-| <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br>    enabled                       = optional(bool, true)<br>    finding_publishing_frequency  = optional(string, "FIFTEEN_MINUTES")<br>    ebs_malware_protection_status = optional(bool, true)<br>    eks_addon_management_status   = optional(bool, true)<br>    eks_audit_logs_status         = optional(bool, true)<br>    eks_runtime_monitoring_status = optional(bool, true)<br>    lambda_network_logs_status    = optional(bool, true)<br>    rds_login_events_status       = optional(bool, true)<br>    s3_data_events_status         = optional(bool, true)<br>  })</pre> | <pre>{<br>  "ebs_malware_protection_status": true,<br>  "eks_addon_management_status": true,<br>  "eks_audit_logs_status": true,<br>  "eks_runtime_monitoring_status": true,<br>  "enabled": true,<br>  "finding_publishing_frequency": "FIFTEEN_MINUTES",<br>  "lambda_network_logs_status": true,<br>  "rds_login_events_status": true,<br>  "s3_data_events_status": true<br>}</pre> | no |
+| <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br>    enabled                       = optional(bool, true)<br>    finding_publishing_frequency  = optional(string, "FIFTEEN_MINUTES")<br>    ebs_malware_protection_status = optional(bool, true)<br>    eks_audit_logs_status         = optional(bool, true)<br>    lambda_network_logs_status    = optional(bool, true)<br>    rds_login_events_status       = optional(bool, true)<br>    s3_data_events_status         = optional(bool, true)<br>    runtime_monitoring_status = optional(object({<br>      enabled                             = optional(bool, true)<br>      eks_addon_management_status         = optional(bool, true)<br>      ecs_fargate_agent_management_status = optional(bool, true)<br>      ec2_agent_management_status         = optional(bool, true)<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_aws_inspector"></a> [aws\_inspector](#input\_aws\_inspector) | AWS Inspector settings, at least one of the scan options must be enabled | <pre>object({<br>    enabled                 = optional(bool, false)<br>    enable_scan_ec2         = optional(bool, true)<br>    enable_scan_ecr         = optional(bool, true)<br>    enable_scan_lambda      = optional(bool, true)<br>    enable_scan_lambda_code = optional(bool, true)<br>    resource_create_timeout = optional(string, "15m")<br>  })</pre> | <pre>{<br>  "enable_scan_ec2": true,<br>  "enable_scan_ecr": true,<br>  "enable_scan_lambda": true,<br>  "enable_scan_lambda_code": true,<br>  "enabled": false,<br>  "resource_create_timeout": "15m"<br>}</pre> | no |
 | <a name="input_aws_required_tags"></a> [aws\_required\_tags](#input\_aws\_required\_tags) | AWS Required tags settings | <pre>map(list(object({<br>    name         = string<br>    values       = optional(list(string))<br>    enforced_for = optional(list(string))<br>  })))</pre> | `null` | no |
 | <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br>    enabled                       = optional(bool, true)<br>    auto_enable_controls          = optional(bool, true)<br>    auto_enable_default_standards = optional(bool, false)<br>    control_finding_generator     = optional(string, "SECURITY_CONTROL")<br>    create_cis_metric_filters     = optional(bool, true)<br>    product_arns                  = optional(list(string), [])<br>    standards_arns                = optional(list(string), null)<br>  })</pre> | <pre>{<br>  "auto_enable_controls": true,<br>  "auto_enable_default_standards": false,<br>  "control_finding_generator": "SECURITY_CONTROL",<br>  "create_cis_metric_filters": true,<br>  "enabled": true,<br>  "product_arns": [],<br>  "standards_arns": null<br>}</pre> | no |

diff --git a/UPGRADING.md b/UPGRADING.md
@@ -2,6 +2,181 @@
 
 This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
 
+## Upgrading to v4.0.0
+
+> [!WARNING]
+> **Read the diagram in [PR 210](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/210) and the guide below! If you currently have EKS Runtime Monitoring enabled, you need to perform MANUAL steps after you have migrated to this version.** 
+
+### Behaviour
+
+Using the default `aws_guardduty` values:
+* `EKS_RUNTIME_MONITORING` gets removed from the state (but not disabled)
+* `RUNTIME_MONITORING` is enabled including `ECS_FARGATE_AGENT_MANAGEMENT`, `EC2_AGENT_MANAGEMENT`, and `EKS_ADDON_MANAGEMENT`.
+* Minimum required AWS provider has been set to `v5.54.0`, and minimum required Terraform version has been set to `v1.6`.
+
+### Variables
+
+The following variables have been replaced:
+* `aws_guardduty.eks_runtime_monitoring_status` -> `aws_guardduty.runtime_monitoring_status.enabled`
+* `aws_guardduty.eks_addon_management_status` -> `aws_guardduty.runtime_monitoring_status.eks_addon_management_status`
+
+The following variables have been introduced:
+* `aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status`
+* `aws_guardduty.runtime_monitoring_status.ec2_agent_management_status`
+
+### EKS Runtime Monitoring to Runtime Monitoring migration
+
+#### The issue
+After you upgraded to this version. **RUNTIME_MONITORING is enabled. But  EKS_RUNTIME_MONITORING is not disabled** as is written in the [guardduty_detector_feature documentation](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/guardduty_detector_feature): _Deleting this resource does not disable the detector feature, the resource in simply removed from state instead._
+
+To prevent duplicated costs please **disable** EKS_RUNTIME_MONITORING manually after upgrading.
+
+> [!IMPORTANT]
+> Run all the commands with valid credentials in the AWS account where guardduty is delegated administrator. By default this is the **control tower audit** account. 
+> It's not possible to execute these steps from the AWS Console as the EKS Runtime Monitoring protection plan has already been removed from the GUI. The only way to control this feature is via the CLI.
+
+#### Step 1: get the GuardDuty detector id
+
+```
+aws guardduty list-detectors
+```
+
+Should display:
+
+```
+{
+    "DetectorIds": [
+        "12abc34d567e8fa901bc2d34e56789f0"
+    ]
+}
+```
+
+> [!IMPORTANT]
+> Ensure you run this command in the right region! If GuardDuty is enabled in multiple regions then execute all steps for all enabled regions. 
+
+#### Step 2: update the GuardDuty detector 
+
+_Replace 12abc34d567e8fa901bc2d34e56789f0 with your own regional detector-id. Execute these commands in the audit account:_
+
+```
+aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
+```
+
+#### Step 3: update the GuardDuty organization settings
+
+Replace the `<<EXISTING_VALUE>>` with your current configuration for auto-enabling GuardDuty. By default this should be set to `ALL`.
+
+```
+aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable-organization-members <<EXISTING_VALUE>>  --features '[{"Name" : "EKS_RUNTIME_MONITORING", "AutoEnable": "NONE"}]'
+```
+
+
+#### Step 4: update the GuardDuty member accounts
+
+Disable EKS Runtime Monitoring for **all** member accounts in your organization, for example:
+
+```
+aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name" : "EKS_RUNTIME_MONITORING", "Status" : "DISABLED"}]'
+```
+
+#### Troubleshooting
+
+> An error occurred (BadRequestException) when calling the UpdateMemberDetectors operation: The request is rejected because a feature cannot be turned off for a member while organization has the feature flag set to 'All Accounts'.
+
+Change these options on the AWS console by following the steps below: 
+
+1. Go to the GuardDuty Console.
+2. On left navigation bar, under protection plans, select `Runtime Monitoring`.
+3. Under the `Configuration` tab, in `Runtime Monitoring configuration` click `Edit` and here you need to select the option `Configure accounts manually` for `Automated agent configuration - Amazon EKS`.
+
+Once complete, please allow a minute for the changes to update, you should now be able to execute the command from step 3. When you have executed this command for all AWS accounts, set this option back to `Enable for all accounts`.
+
+> Even after following all steps I still see the message `Your organization has auto-enable preferences set for EKS Runtime Monitoring. This feature has been removed from console experience and can now be managed as part of the Runtime Monitoring feature. Learn more`.
+
+We have checked in with AWS and this behaviour is expected, this is a static message that is displayed currently on the AWS Management Console. AWS could not confirm how to hide this message or how long it will be visible.
+
+#### Verification
+
+Review the GuardDuty organization settings:
+
+```
+aws guardduty describe-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0
+```
+
+Should display:
+
+```
+...
+    "Features": [
+...
+        {
+            "Name": "EKS_RUNTIME_MONITORING",
+            "AutoEnable": "NONE",
+            "AdditionalConfiguration": [
+                {
+                    "Name": "EKS_ADDON_MANAGEMENT",
+                    "AutoEnable": "ALL"
+                }
+            ]
+        },
+...
+```
+
+Review the GuardDuty detector settings:
+
+```
+aws guardduty get-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0
+```
+
+Should display:
+
+```
+...
+ "Features": [
+...
+        {
+            "Name": "EKS_RUNTIME_MONITORING",
+            "Status": "DISABLED",
+            "UpdatedAt": "2024-10-16T14:12:31+02:00",
+            "AdditionalConfiguration": [
+                {
+                    "Name": "EKS_ADDON_MANAGEMENT",
+                    "Status": "ENABLED",
+                    "UpdatedAt": "2024-10-16T14:24:43+02:00"
+                }
+            ]
+        },
+...
+```
+
+> [!NOTE]
+> If you want to be really sure all member accounts have the right settings you can run the `aws guardduty get-detector` for member accounts as well. Ensure you have valid credentials for the member account and replace the `detector-id` with the GuardDuty `detector-id` of the member account.
+
+## Upgrading to v3.0.0
+
+### Behaviour
+
+This version add Control Tower 3.x support. Upgrade to Control Tower 3.x before upgrading to this version.
+
+## Upgrading to v2.0.0
+
+### Behaviour
+
+This version sets the minimum required aws provider version from v4 to v5.
+
+### Variables
+
+The following variables have been replaced:
+* `aws_guardduty.datasources.malware_protection` -> `aws_guardduty.ebs_malware_protection_status`
+* `aws_guardduty.datasources.kubernetes` -> `aws_guardduty.eks_audit_logs_status`
+* `aws_guardduty.datasources.s3_logs` -> `aws_guardduty.s3_data_events_status`
+
+The following variables have been introduced:
+* `aws_guardduty.eks_addon_management_status`
+* `aws_guardduty.eks_runtime_monitoring_status`
+* `aws_guardduty.lambda_network_logs_status`
+* `aws_guardduty.rds_login_events_status`
+
 ## Upgrading to v1.0.0
 
 ### Behaviour

diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.40.0"
+      version = ">= 5.54.0"
     }
     datadog = {
       source  = "datadog/datadog"
@@ -13,5 +13,5 @@ terraform {
       version = ">= 0.4.2"
     }
   }
-  required_version = ">= 1.3"
+  required_version = ">= 1.6"
 }
diff --git a/guardduty.tf b/guardduty.tf
@@ -6,6 +6,16 @@ resource "aws_guardduty_organization_admin_account" "audit" {
 }
 
 // AWS GuardDuty - Audit account configuration
+resource "aws_guardduty_detector" "audit" {
+  #checkov:skip=CKV_AWS_238: "Ensure that GuardDuty detector is enabled" - False positive, GuardDuty is enabled by default.
+  #checkov:skip=CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region" - False positive, GuardDuty is enabled by default.
+  provider = aws.audit
+
+  enable                       = var.aws_guardduty.enabled
+  finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
+  tags                         = var.tags
+}
+
 resource "aws_guardduty_organization_configuration" "default" {
   count    = var.aws_guardduty.enabled == true ? 1 : 0
   provider = aws.audit
@@ -16,14 +26,6 @@ resource "aws_guardduty_organization_configuration" "default" {
   depends_on = [aws_guardduty_organization_admin_account.audit]
 }
 
-resource "aws_guardduty_detector" "audit" {
-  provider = aws.audit
-
-  enable                       = var.aws_guardduty.enabled
-  finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
-  tags                         = var.tags
-}
-
 resource "aws_guardduty_organization_configuration_feature" "ebs_malware_protection" {
   provider = aws.audit
 
@@ -40,20 +42,6 @@ resource "aws_guardduty_organization_configuration_feature" "eks_audit_logs" {
   auto_enable = var.aws_guardduty.eks_audit_logs_status == true ? "ALL" : "NONE"
 }
 
-resource "aws_guardduty_organization_configuration_feature" "eks_runtime_monitoring" {
-  provider = aws.audit
-
-  detector_id = aws_guardduty_detector.audit.id
-  name        = "EKS_RUNTIME_MONITORING"
-  auto_enable = var.aws_guardduty.eks_runtime_monitoring_status == true ? "ALL" : "NONE"
-
-
-  additional_configuration {
-    name        = "EKS_ADDON_MANAGEMENT"
-    auto_enable = var.aws_guardduty.eks_addon_management_status == true ? "ALL" : "NONE"
-  }
-}
-
 resource "aws_guardduty_organization_configuration_feature" "lambda_network_logs" {
   provider = aws.audit
 
@@ -77,3 +65,38 @@ resource "aws_guardduty_organization_configuration_feature" "s3_data_events" {
   name        = "S3_DATA_EVENTS"
   auto_enable = var.aws_guardduty.s3_data_events_status == true ? "ALL" : "NONE"
 }
+
+resource "aws_guardduty_organization_configuration_feature" "runtime_monitoring" {
+  provider = aws.audit
+
+  detector_id = aws_guardduty_detector.audit.id
+  name        = "RUNTIME_MONITORING"
+  auto_enable = var.aws_guardduty.runtime_monitoring_status.enabled == true ? "ALL" : "NONE"
+
+  dynamic "additional_configuration" {
+    for_each = var.aws_guardduty.runtime_monitoring_status.ecs_fargate_agent_management_status == true ? ["ECS_FARGATE_AGENT_MANAGEMENT"] : []
+
+    content {
+      name        = additional_configuration.value
+      auto_enable = "ALL"
+    }
+  }
+
+  dynamic "additional_configuration" {
+    for_each = var.aws_guardduty.runtime_monitoring_status.ec2_agent_management_status == true ? ["EC2_AGENT_MANAGEMENT"] : []
+
+    content {
+      name        = additional_configuration.value
+      auto_enable = "ALL"
+    }
+  }
+
+  dynamic "additional_configuration" {
+    for_each = var.aws_guardduty.runtime_monitoring_status.eks_addon_management_status == true ? ["EKS_ADDON_MANAGEMENT"] : []
+
+    content {
+      name        = additional_configuration.value
+      auto_enable = "ALL"
+    }
+  }
+}