adding updated guardduty features to easy setup and quick setup deployments (#154)

Co-authored-by: ievgeniia ieromenko <ieviero@amazon.com>

Author: IevIe

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2023-06-21](#2023-06-21)
 - [2023-06-20](#2023-06-20)
 - [2023-06-01](#2023-06-01)
 - [2023-05-12](#2023-05-12)
@@ -39,6 +40,11 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2023-06-21
+
+- Added [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org) EKS, Malware, RDS, and Lambda protections to [Easy Setup](aws_sra_examples/easy_setup) and [Quick Setup](aws_sra_examples/quick_setup/) deployment options
+- Added [Inspector Organization](aws_sra_examples/solutions/inspector/inspector_org) solution to [Quick Setup](aws_sra_examples/quick_setup/) deployment option
+
 ## 2023-06-20
 
 ### Changed<!-- omit in toc -->

README.md

@@ -97,7 +97,7 @@ Follow the instructions within the [Quick Setup](aws_sra_examples/quick_setup) t
 | [Macie](aws_sra_examples/solutions/macie/macie_org)                                                   | Configures Macie within a delegated admin account for all accounts within the organization.                                                                                                 |                                                                                                              |                                                                                                                                                                                                                                         |
 | [S3 Block Account Public Access](aws_sra_examples/solutions/s3/s3_block_account_public_access)        | Configures the account-level S3 BPA settings for all accounts within the organization.                                                                                                      | Configures S3 BPA settings on buckets created by Control Tower only.                                         |                                                                                                                                                                                                                                         |
 | [Security Hub](aws_sra_examples/solutions/securityhub/securityhub_org)                                | Configures Security Hub within a delegated admin account for all accounts and governed regions within the organization.                                                                     |                                                                                                              | <ul><li>[Config Management Account](aws_sra_examples/solutions/config/config_management_account)</li></ul>                                                                                                                              |
-| [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                  | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.  **Note:** As of 01/19/2023, this solution is not included in the quick setup (it will be in a future code release)                                                                                  |                                                                                                              |                                                                                                                                                                                                                                      |
+| [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                  | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.                                                                                    |                                                                                                              |                                                                                                                                                                                                                                      |
 | [Detective](aws_sra_examples/solutions/detective/detective)                  | The Detective Organization solution will automate enabling Amazon Detective by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Detective for all the existing and future AWS Organization accounts.  **Note:** As of 06/07/2023, this solution is not included in the quick setup (it will be in a future code release)                                                                                  |                                                                                                              |          <ul><li>[GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)</li></ul>                                                                                                                                                                                                                               |
 ## Utils
 

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -137,6 +137,18 @@ resources:
         parameter_value: 'No'
       - parameter_key: pAutoEnableS3Logs
         parameter_value: 'true'
+      - parameter_key: pAutoEnableKubernetesAuditLogs
+        parameter_value: 'true'
+      - parameter_key: pAutoEnableMalwareProtection
+        parameter_value: 'true'
+      - parameter_key: pEnableRdsLoginEvents
+        parameter_value: 'true'
+      - parameter_key: pEnableEksRuntimeMonitoring
+        parameter_value: 'true'
+      - parameter_key: pEnableEksAddonManagement
+        parameter_value: 'true'
+      - parameter_key: pEnableLambdaNetworkLogs
+        parameter_value: 'true'
       - parameter_key: pGuardDutyFindingPublishingFrequency
         parameter_value: 'FIFTEEN_MINUTES'
       - parameter_key: pGuardDutyOrgDeliveryBucketPrefix

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -110,6 +110,12 @@ Metadata:
         Parameters:
           - pDisableGuardDuty
           - pAutoEnableS3Logs
+          - pAutoEnableKubernetesAuditLogs
+          - pAutoEnableMalwareProtection
+          - pEnableRdsLoginEvents
+          - pEnableEksRuntimeMonitoring
+          - pEnableEksAddonManagement
+          - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
           - pGuardDutyOrgDeliveryBucketPrefix
           - pGuardDutyOrgDeliveryKeyAlias
@@ -207,6 +213,18 @@ Metadata:
         default: All Supported
       pAutoEnableS3Logs:
         default: Auto Enable S3 Logs
+      pAutoEnableKubernetesAuditLogs:
+        default: Auto Enable Kubernetes Audit Logs
+      pAutoEnableMalwareProtection:
+        default: Auto Enable Malware Protection
+      pEnableRdsLoginEvents:
+        default: Auto enable RDS Login Events
+      pEnableEksRuntimeMonitoring:
+        default: Auto enable EKS Runtime Monitoring
+      pEnableEksAddonManagement:
+        default: Auto enable EKS Add-on Management
+      pEnableLambdaNetworkLogs:
+        default: Auto enable Lambda Network Logs
       pBillingContactAction:
         default: Billing Alternate Contact Action
       pBillingEmail:
@@ -469,6 +487,36 @@ Parameters:
     Default: 'true'
     Description: Auto enable S3 logs
     Type: String
+  pAutoEnableKubernetesAuditLogs:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Kubernetes Audit Logs
+    Type: String
+  pAutoEnableMalwareProtection:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Malware Protection
+    Type: String
+  pEnableRdsLoginEvents:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable RDS Login Events
+    Type: String   
+  pEnableEksRuntimeMonitoring:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EKS Runtime Monitoring
+    Type: String   
+  pEnableEksAddonManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EKS Add-on Management
+    Type: String
+  pEnableLambdaNetworkLogs:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Lambda Network Logs
+    Type: String
   pBillingContactAction:
     AllowedValues: ['add', 'delete', 'ignore']
     Default: add
@@ -1736,6 +1784,12 @@ Resources:
       Parameters:
         # pAuditAccountId: !Ref pAuditAccountId
         pAutoEnableS3Logs: !Ref pAutoEnableS3Logs
+        pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
+        pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
+        pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
+        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
         pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
         pDisableGuardDuty: !If [cDisableGuardDuty, true, false]

aws_sra_examples/quick_setup/customizations_for_aws_control_tower/manifest-v2.yaml

@@ -134,7 +134,6 @@ resources:
         parameter_value: 'true'
       - parameter_key: pEnableLambdaNetworkLogs
         parameter_value: 'true'
-      - parameter_key: pControlTowerRegionsOnly
       - parameter_key: pGuardDutyFindingPublishingFrequency
         parameter_value: 'FIFTEEN_MINUTES'
       - parameter_key: pGuardDutyOrgDeliveryBucketPrefix
@@ -174,6 +173,14 @@ resources:
       - parameter_key: pRequireUppercaseCharacters
         parameter_value: 'true'
 
+      # Inspector Solution
+      - parameter_key: pDeployInspectorSolution
+        parameter_value: 'Yes'
+      - parameter_key: pScanComponents
+        parameter_value: 'EC2, ECR, LAMBDA'
+      - parameter_key: pEcrRescanDuration
+        parameter_value: 'LIFETIME'
+
       # Macie Solution
       - parameter_key: pDeployMacieSolution
         parameter_value: 'Yes'

aws_sra_examples/quick_setup/templates/sra-quick-setup-ssm.yaml

@@ -84,6 +84,12 @@ Metadata:
           - pDeployGuardDutySolution
           - pDisableGuardDuty
           - pAutoEnableS3Logs
+          - pAutoEnableKubernetesAuditLogs
+          - pAutoEnableMalwareProtection
+          - pEnableRdsLoginEvents
+          - pEnableEksRuntimeMonitoring
+          - pEnableEksAddonManagement
+          - pEnableLambdaNetworkLogs
           - pGuardDutyFindingPublishingFrequency
           - pGuardDutyOrgDeliveryBucketPrefix
           - pGuardDutyOrgDeliveryKeyAlias
@@ -107,6 +113,12 @@ Metadata:
           - pRequireNumbers
           - pRequireSymbols
           - pRequireUppercaseCharacters
+      - Label:
+          default: Inspector Solution
+        Parameters:
+          - pDeployInspectorSolution
+          - pScanComponents
+          - pEcrRescanDuration
       - Label:
           default: Macie Solution
         Parameters:
@@ -159,6 +171,18 @@ Metadata:
         default: All Supported
       pAutoEnableS3Logs:
         default: Auto Enable S3 Logs
+      pAutoEnableKubernetesAuditLogs:
+        default: Auto Enable Kubernetes Audit Logs
+      pAutoEnableMalwareProtection:
+        default: Auto Enable Malware Protection
+      pEnableRdsLoginEvents:
+        default: Auto enable RDS Login Events
+      pEnableEksRuntimeMonitoring:
+        default: Auto enable EKS Runtime Monitoring
+      pEnableEksAddonManagement:
+        default: Auto enable EKS Add-on Management
+      pEnableLambdaNetworkLogs:
+        default: Auto enable Lambda Network Logs
       pBillingContactAction:
         default: Billing Alternate Contact Action
       pBillingEmail:
@@ -213,6 +237,8 @@ Metadata:
         default: Deploy the IAM Access Analyzer Solution
       pDeployIAMPasswordPolicySolution:
         default: Deploy the IAM Password Policy Solution
+      pDeployInspectorSolution:
+        default: Deploy the Inspector Solution
       pDeployMacieSolution:
         default: Deploy the Macie Solution
       pDeployS3BlockAccountPublicAccessSolution:
@@ -225,6 +251,8 @@ Metadata:
         default: Disable Macie
       pDisableSecurityHub:
         default: Disable Security Hub
+      pEcrRescanDuration:
+        default: ECR Rescan Duration
       pEnableBlockPublicAcls:
         default: S3 Enable Block Public ACLs
       pEnableBlockPublicPolicy:
@@ -317,6 +345,8 @@ Metadata:
         default: (Optional) SRA Alarm Email
       pSRAStagingS3BucketName:
         default: SRA Staging S3 Bucket Name
+      pScanComponents:
+        default: Comma separated list of scan components (EC2, ECR, LAMBDA)
       pSecurityContactAction:
         default: Security Alternate Contact Action
       pSecurityEmail:
@@ -357,6 +387,36 @@ Parameters:
     Default: 'true'
     Description: Auto enable S3 logs
     Type: String
+  pAutoEnableKubernetesAuditLogs:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Kubernetes Audit Logs
+    Type: String
+  pAutoEnableMalwareProtection:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Malware Protection
+    Type: String
+  pEnableRdsLoginEvents:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable RDS Login Events
+    Type: String   
+  pEnableEksRuntimeMonitoring:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EKS Runtime Monitoring
+    Type: String   
+  pEnableEksAddonManagement:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable EKS Add-on Management
+    Type: String
+  pEnableLambdaNetworkLogs:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Auto enable Lambda Network Logs
+    Type: String
   pBillingContactAction:
     AllowedValues: ['add', 'delete', 'ignore']
     Default: add
@@ -526,6 +586,11 @@ Parameters:
     Default: 'Yes'
     Description: Deploy the IAM Password Policy solution
     Type: String
+  pDeployInspectorSolution:
+    AllowedValues: ['Yes', 'No']
+    Default: 'No'
+    Description: Deploy the Inspector solution
+    Type: String
   pDeployMacieSolution:
     AllowedValues: ['Yes', 'No']
     Default: 'Yes'
@@ -556,6 +621,11 @@ Parameters:
     Default: 'No'
     Description: Disable the Security Hub solution in all accounts and regions before deleting the stack.
     Type: String
+  pEcrRescanDuration:
+    AllowedValues: [LIFETIME, DAYS_30, DAYS_180]
+    Default: LIFETIME
+    Description: ECR Rescan Duration
+    Type: String
   pEnableBlockPublicAcls:
     AllowedValues: ['true', 'false']
     Default: 'true'
@@ -831,6 +901,11 @@ Parameters:
       SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket
       name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
     Type: AWS::SSM::Parameter::Value<String>
+  pScanComponents:
+    AllowedValues: [EC2, ECR, LAMBDA]
+    Default: EC2, ECR, LAMBDA
+    Description: Lambda Function Logging Level
+    Type: CommaDelimitedList
   pSecurityContactAction:
     AllowedValues: ['add', 'delete', 'ignore']
     Default: add
@@ -956,6 +1031,7 @@ Conditions:
   cDeployGuardDutySolution: !Equals [!Ref pDeployGuardDutySolution, 'Yes']
   cDeployIAMAccessAnalyzerSolution: !Equals [!Ref pDeployIAMAccessAnalyzerSolution, 'Yes']
   cDeployIAMPasswordPolicySolution: !Equals [!Ref pDeployIAMPasswordPolicySolution, 'Yes']
+  cDeployInspectorSolution: !Equals [!Ref pDeployInspectorSolution, 'Yes']
   cDeployMacieSolution: !Equals [!Ref pDeployMacieSolution, 'Yes']
   cDeployS3BlockAccountPublicAccessSolution: !Equals [!Ref pDeployS3BlockAccountPublicAccessSolution, 'Yes']
   cDeploySecurityHubSolution: !And
@@ -1124,6 +1200,12 @@ Resources:
       Parameters:
         # pAuditAccountId: !Ref pAuditAccountId
         pAutoEnableS3Logs: !Ref pAutoEnableS3Logs
+        pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs
+        pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection
+        pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents
+        pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring
+        pEnableEksAddonManagement: !Ref pEnableEksAddonManagement
+        pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs
         # pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly
         pCreateLambdaLogGroup: !If [cCreateLambdaLogGroup, true, false]
         pDisableGuardDuty: !If [cDisableGuardDuty, true, false]
@@ -1180,6 +1262,24 @@ Resources:
         # pRootOrganizationalUnitId: !Ref pRootOrganizationalUnitId
         # pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
 
+  rInspectorSolutionStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: cDeployInspectorSolution
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/sra-inspector-org/templates/sra-inspector-org-main-ssm.yaml
+      Parameters:
+        pScanComponents: !Join 
+          - ','
+          - !Ref pScanComponents
+        pEcrRescanDuration: !Ref pEcrRescanDuration
+        pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
+        pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
+        pLambdaLogLevel: !Ref pLambdaLogLevel
+        pSRAAlarmEmail: !Ref pSRAAlarmEmail
+        pComplianceFrequency: !Ref pComplianceFrequency
+
   rMacieSolutionStack:
     Type: AWS::CloudFormation::Stack
     Condition: cDeployMacieSolution

aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-configuration.yaml

@@ -112,7 +112,7 @@ Metadata:
 Parameters:
   pAutoEnableS3Logs:
     AllowedValues: ['true', 'false']
-    Default: 'false'
+    Default: 'true'
     Description: Auto enable S3 logs
     Type: String
   pAutoEnableKubernetesAuditLogs: