Added GuardDuty EKS, Malware, RDS, and Lambda protections (#149)

* added GuardDuty protection plans

* linting fixes

* more linting fixes

---------

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-05-30](#2023-05-31)
 - [2023-05-12](#2023-05-12)
 - [2023-05-05](#2023-05-05)
 - [2023-04-10](#2023-04-10)
@@ -37,6 +38,12 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2023-06-01
+
+### Changed<!-- omit in toc -->
+
+- Added GuardDuty EKS, Malware, RDS, and Lambda protections [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org)
+
 ## 2023-05-12
 
 ### Changed<!-- omit in toc -->

aws_sra_examples/quick_setup/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -122,6 +122,19 @@ resources:
         parameter_value: 'No'
       - parameter_key: pAutoEnableS3Logs
         parameter_value: 'true'
+      - parameter_key: pAutoEnableKubernetesAuditLogs
+        parameter_value: 'true'
+      - parameter_key: pAutoEnableMalwareProtection
+        parameter_value: 'true'
+      - parameter_key: pEnableRdsLoginEvents
+        parameter_value: 'true'
+      - parameter_key: pEnableEksRuntimeMonitoring
+        parameter_value: 'true'
+      - parameter_key: pEnableEksAddonManagement
+        parameter_value: 'true'
+      - parameter_key: pEnableLambdaNetworkLogs
+        parameter_value: 'true'
+      - parameter_key: pControlTowerRegionsOnly
       - parameter_key: pGuardDutyFindingPublishingFrequency
         parameter_value: 'FIFTEEN_MINUTES'
       - parameter_key: pGuardDutyOrgDeliveryBucketPrefix

aws_sra_examples/solutions/guardduty/guardduty_org/README.md

@@ -61,6 +61,13 @@ future AWS Organization accounts. GuardDuty is also configured to send the findi
 - GuardDuty is enabled for each existing active account and region during the initial setup
 - GuardDuty will automatically enable new member accounts/regions when added to the AWS Organization
 
+#### 1.9 Lambda Layer<!-- omit in toc -->
+
+- The python boto3 SDK lambda layer to enable capability for Lambda to enable protection features of the GuardDuty service.
+- This is downloaded during the deployment process and packaged into a layer that is used by the Lambda function in this solution.
+- The GuardDuty API available in the current Lambda environment (as of 05/24/2023) is boto3-1.20.32, however, enhanced functionality of the GuardDuty API used in this solution requires at least 1.26.117 (see references below).
+- Note: Future revisions to this solution will remove this layer when boto3 is updated within the Lambda environment.
+
 ---
 
 ### 2.0 Log Archive Account<!-- omit in toc -->
@@ -75,7 +82,7 @@ future AWS Organization accounts. GuardDuty is also configured to send the findi
 
 #### 2.3 GuardDuty<!-- omit in toc -->
 
-- See [1.5 GuardDuty](#15-guardduty)
+- See [1.8 GuardDuty](#18-guardduty)
 
 ---
 
@@ -98,15 +105,15 @@ populated from the `SecurityAccountId` parameter within the `AWSControlTowerBP-B
 
 #### 3.4 GuardDuty<!-- omit in toc -->
 
-- See [1.5 GuardDuty](#15-guardduty)
+- See [1.8 GuardDuty](#18-guardduty)
 
 ---
 
 ### 4.0 All Existing and Future Organization Member Accounts<!-- omit in toc -->
 
 #### 4.1 GuardDuty<!-- omit in toc -->
 
-- See [1.5 GuardDuty](#15-guardduty)
+- See [1.8 GuardDuty](#18-guardduty)
 
 #### 4.2 Delete Detector Role<!-- omit in toc -->
 
@@ -159,12 +166,16 @@ In the `management account (home region)`, launch an AWS CloudFormation **Stack*
 
 #### Solution Delete Instructions<!-- omit in toc -->
 
-1. In the `management account (home region)`, delete the AWS CloudFormation **Stack** (`sra-guardduty-org-main-ssm` or `sra-guardduty-org-main`) created above.
-2. In the `management account (home region)`, delete the AWS CloudWatch **Log Group** (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
-3. In the `log archive acccount (home region)`, delete the S3 bucket (e.g. sra-guardduty-delivery-<account_id>-<aws_region>) created by the solution.
+1. In the `management account (home region)`, change the `Disable GuardDuty` parameter to `true` and update the AWS CloudFormation **Stack** (`sra-guardduty-org-main-ssm` or `sra-guardduty-org-main`). This will disable the solutions within each of the member accounts/regions.
+2. In the `management account (home region)`, delete the AWS CloudFormation **Stack** (`sra-guardduty-org-main-ssm` or `sra-guardduty-org-main`).
+3. In the `management account (home region)`, delete the AWS CloudWatch **Log Group** (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
+4. In the `log archive acccount (home region)`, delete the S3 bucket (e.g. sra-guardduty-delivery-<account_id>-<aws_region>) created by the solution.
 
 ---
 
 ## References
 
 - [Managing GuardDuty Accounts with AWS Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html)
+- [Managing AWS SDKs in Lambda Functions](https://docs.aws.amazon.com/lambda/latest/operatorguide/sdks-functions.html)
+- [Lambda runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html)
+- [Python Boto3 SDK changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)

aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -13,6 +13,18 @@ resources:
     parameters:
       - parameter_key: pAutoEnableS3Logs
         parameter_value: 'true'
+      - parameter_key: pAutoEnableKubernetesAuditLogs
+        parameter_value: 'true'
+      - parameter_key: pAutoEnableMalwareProtection
+        parameter_value: 'true'
+      - parameter_key: pEnableRdsLoginEvents
+        parameter_value: 'true'
+      - parameter_key: pEnableEksRuntimeMonitoring
+        parameter_value: 'true'
+      - parameter_key: pEnableEksAddonManagement
+        parameter_value: 'true'
+      - parameter_key: pEnableLambdaNetworkLogs
+        parameter_value: 'true'
       - parameter_key: pControlTowerRegionsOnly
         parameter_value: 'true'
       - parameter_key: pCreateLambdaLogGroup
@@ -47,6 +59,18 @@ resources:
   #       parameter_value: ''
   #     - parameter_key: pAutoEnableS3Logs
   #       parameter_value: 'true'
+  #     - parameter_key: pAutoEnableKubernetesAuditLogs
+  #       parameter_value: 'true'
+  #     - parameter_key: pAutoEnableMalwareProtection
+  #       parameter_value: 'true'
+  #     - parameter_key: pEnableRdsLoginEvents
+  #       parameter_value: 'true'
+  #     - parameter_key: pEnableEksRuntimeMonitoring
+  #       parameter_value: 'true'
+  #     - parameter_key: pEnableEksAddonManagement
+  #       parameter_value: 'true'
+  #     - parameter_key: pEnableLambdaNetworkLogs
+  #       parameter_value: 'true'
   #     - parameter_key: pControlTowerRegionsOnly
   #       parameter_value: 'true'
   #     - parameter_key: pCreateLambdaLogGroup

aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main-ssm.json

@@ -3,6 +3,30 @@
         "ParameterKey": "pAutoEnableS3Logs",
         "ParameterValue": "true"
     },
+    {
+        "ParameterKey": "pAutoEnableKubernetesAuditLogs",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pAutoEnableMalwareProtection",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableRdsLoginEvents",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableEksRuntimeMonitoring",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableEksAddonManagement",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableLambdaNetworkLogs",
+        "ParameterValue": "true"
+    },
     {
         "ParameterKey": "pControlTowerRegionsOnly",
         "ParameterValue": "true"

aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower/parameters/sra-guardduty-org-main.json

@@ -7,6 +7,30 @@
         "ParameterKey": "pAutoEnableS3Logs",
         "ParameterValue": "true"
     },
+    {
+        "ParameterKey": "pAutoEnableKubernetesAuditLogs",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pAutoEnableMalwareProtection",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableRdsLoginEvents",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableEksRuntimeMonitoring",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableEksAddonManagement",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pEnableLambdaNetworkLogs",
+        "ParameterValue": "true"
+    },
     {
         "ParameterKey": "pControlTowerRegionsOnly",
         "ParameterValue": "true"

aws_sra_examples/solutions/guardduty/guardduty_org/documentation/guardduty-org.png

@@ -30,6 +30,7 @@
 if TYPE_CHECKING:
     from aws_lambda_typing.context import Context
     from aws_lambda_typing.events import CloudFormationCustomResourceEvent
+    from mypy_boto3_organizations import OrganizationsClient
 
 # Setup Default Logger
 LOGGER = logging.getLogger("sra")
@@ -40,13 +41,15 @@
 helper = CfnResource(json_logging=True, log_level=log_level, boto_level="CRITICAL", sleep_on_delete=120)
 
 # Global variables
+PRINCIPAL_NAME = "malware-protection.guardduty.amazonaws.com"
 UNEXPECTED = "Unexpected!"
 MAX_RUN_COUNT = 30  # 5 minute wait = 30 x 10 seconds
 SLEEP_SECONDS = 10
 BOTO3_CONFIG = Config(retries={"max_attempts": 10, "mode": "standard"})
 
 try:
     MANAGEMENT_ACCOUNT_SESSION = boto3.Session()
+    ORG_CLIENT: OrganizationsClient = MANAGEMENT_ACCOUNT_SESSION.client("organizations")
 except Exception:
     LOGGER.exception(UNEXPECTED)
     raise ValueError("Unexpected error executing Lambda function. Review CloudWatch logs for details.") from None
@@ -83,6 +86,12 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
     true_false_pattern = r"(?i)^true|false$"
 
     parameter_pattern_validator("AUTO_ENABLE_S3_LOGS", params.get("AUTO_ENABLE_S3_LOGS", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("ENABLE_EKS_AUDIT_LOGS", params.get("ENABLE_EKS_AUDIT_LOGS", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("AUTO_ENABLE_MALWARE_PROTECTION", params.get("AUTO_ENABLE_MALWARE_PROTECTION", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("ENABLE_RDS_LOGIN_EVENTS", params.get("ENABLE_RDS_LOGIN_EVENTS", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("ENABLE_EKS_RUNTIME_MONITORING", params.get("ENABLE_EKS_RUNTIME_MONITORING", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("ENABLE_EKS_ADDON_MANAGEMENT", params.get("ENABLE_EKS_ADDON_MANAGEMENT", ""), pattern=true_false_pattern)
+    parameter_pattern_validator("ENABLE_LAMBDA_NETWORK_LOGS", params.get("ENABLE_LAMBDA_NETWORK_LOGS", ""), pattern=true_false_pattern)
     parameter_pattern_validator("CONFIGURATION_ROLE_NAME", params.get("CONFIGURATION_ROLE_NAME", ""), pattern=r"^[\w+=,.@-]{1,64}$")
     parameter_pattern_validator("CONTROL_TOWER_REGIONS_ONLY", params.get("CONTROL_TOWER_REGIONS_ONLY", ""), pattern=true_false_pattern)
     parameter_pattern_validator("DELEGATED_ADMIN_ACCOUNT_ID", params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), pattern=r"^\d{12}$")
@@ -111,6 +120,50 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
     return params
 
 
+def check_aws_service_access(service_principal: str = PRINCIPAL_NAME) -> bool:
+    """Check service access for the provided service principal within AWS Organizations.
+
+    Args:
+        service_principal: Service Principal. Defaults to SERVICE_NAME.
+
+    Returns:
+        bool: service access enabled true/false
+    """
+    aws_service_access_enabled = False
+    LOGGER.info(f"Checking service access for {service_principal}...")
+    try:
+        org_svc_response = ORG_CLIENT.list_aws_service_access_for_organization()
+        api_call_details = {
+            "API_Call": "organizations:ListAwsServiceAccessForOrganization",
+            "API_Response": org_svc_response,
+        }
+        LOGGER.info(api_call_details)
+
+        for service in org_svc_response["EnabledServicePrincipals"]:
+            if service["ServicePrincipal"] == service_principal:
+                aws_service_access_enabled = True
+                return True
+    except ORG_CLIENT.exceptions.AccessDeniedException as error:
+        LOGGER.info(f"Unable to check service access for {service_principal}: {error}")
+    return aws_service_access_enabled
+
+
+def enable_aws_service_access(service_principal: str = PRINCIPAL_NAME) -> None:
+    """Enable service access for the provided service principal within AWS Organizations.
+
+    Args:
+        service_principal: Service Principal
+    """
+    if check_aws_service_access(service_principal) is False:
+        try:
+            LOGGER.info(f"Enabling service access for {service_principal} in Management Account")
+            ORG_CLIENT.enable_aws_service_access(ServicePrincipal=service_principal)
+        except ORG_CLIENT.exceptions.AccessDeniedException as error:
+            LOGGER.info(f"Failed to enable service access for {service_principal} in organizations: {error}")
+    else:
+        LOGGER.info(f"Organizations service access for {service_principal} is already enabled")
+
+
 def process_create_update_event(params: dict, regions: list) -> None:
     """Process create update events.
 
@@ -125,11 +178,17 @@ def process_create_update_event(params: dict, regions: list) -> None:
         account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"])
         guardduty.process_delete_event(params, regions, account_ids, True)
     else:
+        enable_aws_service_access(PRINCIPAL_NAME)
         common.create_service_linked_role(
             "AWSServiceRoleForAmazonGuardDuty",
             "guardduty.amazonaws.com",
             "A service-linked role required for Amazon GuardDuty to access your resources.",
         )
+        common.create_service_linked_role(
+            "AWSServiceRoleForAmazonGuardDutyMalwareProtection",
+            "malware-protection.guardduty.amazonaws.com",
+            "A service-linked role required for Amazon GuardDuty to access your resources.",
+        )
         guardduty.process_organization_admin_account(params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""), regions)
         sleep(60)
         session = common.assume_role(params.get("CONFIGURATION_ROLE_NAME", ""), "CreateGuardDuty", params.get("DELEGATED_ADMIN_ACCOUNT_ID", ""))
@@ -147,11 +206,23 @@ def process_create_update_event(params: dict, regions: list) -> None:
             raise ValueError("GuardDuty Detectors did not get created in the allowed time. Check the Org Management delegated admin setup.")
         else:
             auto_enable_s3_logs = (params.get("AUTO_ENABLE_S3_LOGS", "false")).lower() in "true"
+            enable_eks_audit_logs = (params.get("ENABLE_EKS_AUDIT_LOGS", "false")).lower() in "true"
+            auto_enable_malware_protection = (params.get("AUTO_ENABLE_MALWARE_PROTECTION", "false")).lower() in "true"
+            enable_rds_login_events = (params.get("ENABLE_RDS_LOGIN_EVENTS", "false")).lower() in "true"
+            enable_eks_runtime_monitoring = (params.get("ENABLE_EKS_RUNTIME_MONITORING", "false")).lower() in "true"
+            enable_eks_addon_management = (params.get("ENABLE_EKS_ADDON_MANAGEMENT", "false")).lower() in "true"
+            enable_lambda_network_logs = (params.get("ENABLE_LAMBDA_NETWORK_LOGS", "false")).lower() in "true"
 
             guardduty.configure_guardduty(
                 session,
                 params["DELEGATED_ADMIN_ACCOUNT_ID"],
                 auto_enable_s3_logs,
+                enable_eks_audit_logs,
+                auto_enable_malware_protection,
+                enable_rds_login_events,
+                enable_eks_runtime_monitoring,
+                enable_eks_addon_management,
+                enable_lambda_network_logs,
                 regions,
                 params.get("FINDING_PUBLISHING_FREQUENCY", "FIFTEEN_MINUTES"),
                 params["KMS_KEY_ARN"],
@@ -194,11 +265,12 @@ def process_cloudformation_event(event: CloudFormationCustomResourceEvent, conte
 
     if params["action"] in "Add, Update":
         process_create_update_event(params, regions)
-    elif params["action"] == "Remove":
+    else:
+        LOGGER.info("...Disable GuardDuty from (process_cloudformation_event)")
         account_ids = common.get_account_ids([], params["DELEGATED_ADMIN_ACCOUNT_ID"])
         guardduty.process_delete_event(params, regions, account_ids, False)
 
-    return f"sra-guardduty-{params['DELEGATED_ADMIN_ACCOUNT_ID']}-{(params.get('AUTO_ENABLE_S3_LOGS', 'false')).lower() in 'true'}"
+    return f"sra-guardduty-{params['DELEGATED_ADMIN_ACCOUNT_ID']}"
 
 
 def lambda_handler(event: Dict[str, Any], context: Context) -> None: