feat: add GuardDuty Malware Protection for S3 module (#691)

Add a new module that enables malware scanning for objects uploaded
to the specified S3 bucket.

Author: patheard

.github/workflows/ci.yml

@@ -63,6 +63,7 @@ jobs:
           - client_vpn
           - codebuild_github_runner
           - ecs
+          - guardduty_malware_s3
           - gh_oidc_role
           - lambda_schedule
           - notify_slack

.modules

@@ -1 +1 @@
-rds S3 S3_log_bucket user_login_alarm vpc lambda gh_oidc_role attach_tf_plan_policy sentinel_forwarder aws_goc_password_policy sns guardduty guardduty_member lambda_response S3_scan_object athena_access_logs resolver_dns sentinel_alert_rule cds_conformance_pack auto_revoke_sg_rules empty_log_group_alarm simple_static_website schedule_shutdown client_vpn rds_activity_stream waf_ip_blocklist lambda_schedule codebuild_github_runner DocumentDB
+rds S3 S3_log_bucket user_login_alarm vpc lambda gh_oidc_role attach_tf_plan_policy sentinel_forwarder aws_goc_password_policy sns guardduty guardduty_member lambda_response S3_scan_object athena_access_logs resolver_dns sentinel_alert_rule cds_conformance_pack auto_revoke_sg_rules empty_log_group_alarm simple_static_website schedule_shutdown client_vpn rds_activity_stream waf_ip_blocklist lambda_schedule codebuild_github_runner DocumentDB guardduty_malware_s3

README.md

@@ -23,6 +23,7 @@
 - [ECS](ecs)
 - [Exposed IAM Credentials disabler](exposed_iam_credentials_disabler)
 - [GuardDuty](guardduty)
+- [GuardDuty Malware Protection for S3](guardduty_malware_s3)
 - [GuardDuty member](guardduty_member)
 - [Github Open ID Connect](gh_oidc_role)
 - [Lambda](lambda)

guardduty_malware_s3/Makefile

@@ -0,0 +1,12 @@
+.PHONY: fmt docs test
+
+fmt:
+	@terraform fmt -recursive
+
+docs:
+	@rm -rf .terraform
+	@rm -f .terraform.lock.hcl
+	@terraform-docs markdown -c ../.terraform-docs.yml . > README.md
+
+test:
+	terraform init &&	terraform test --var-file=./tests/globals.tfvars	

guardduty_malware_s3/README.md

@@ -0,0 +1,48 @@
+# GuardDuty Malware Protection for S3
+
+Sets up a GuardDuty Malware Protection plan for an S3 bucket.  This will asynchronously scan new objects in the specified S3 bucket for malware and tag the objects with a `GuardDutyMalwareScanStatus` scan verdict.
+
+It is expected that GuardDuty is already enabled in the region where this module is deployed.
+
+:warning: You are charged based on the number and size of the objects scanned.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_guardduty_malware_protection_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_malware_protection_plan) | resource |
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_billing_tag_key"></a> [billing\_tag\_key](#input\_billing\_tag\_key) | (Optional, default 'CostCentre') The name of the billing tag | `string` | `"CostCentre"` | no |
+| <a name="input_billing_tag_value"></a> [billing\_tag\_value](#input\_billing\_tag\_value) | (Required) The value of the billing tag | `string` | n/a | yes |
+| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | (Required) The name of the S3 bucket to scan objects in. | `string` | n/a | yes |
+| <a name="input_s3_object_prefixes"></a> [s3\_object\_prefixes](#input\_s3\_object\_prefixes) | (Optional) List of object prefixes to include. If empty, all objects are included. | `list(string)` | `[]` | no |
+| <a name="input_tagging_status"></a> [tagging\_status](#input\_tagging\_status) | (Optional, default 'ENABLED') Whether object tagging is enabled for malware findings. | `string` | `"ENABLED"` | no |
+
+## Outputs
+
+No outputs.

guardduty_malware_s3/examples/simple/provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "ca-central-1"
+}

guardduty_malware_s3/examples/simple/simple.tf

@@ -0,0 +1,17 @@
+
+module "guardduty_malware_s3" {
+  source = "../../"
+
+  s3_bucket_name     = module.scan_bucket.s3_bucket_id
+  s3_object_prefixes = ["only-scan-this-folder/"]
+  tagging_status     = "ENABLED"
+
+  billing_tag_value = "testing"
+}
+
+module "scan_bucket" {
+  source = "../../../S3"
+
+  bucket_name       = "a-bucket-that-will-be-scanned-for-malware"
+  billing_tag_value = "testing"
+}

guardduty_malware_s3/input.tf

@@ -0,0 +1,27 @@
+variable "billing_tag_key" {
+  description = "(Optional, default 'CostCentre') The name of the billing tag"
+  type        = string
+  default     = "CostCentre"
+}
+
+variable "billing_tag_value" {
+  description = "(Required) The value of the billing tag"
+  type        = string
+}
+
+variable "s3_bucket_name" {
+  description = "(Required) The name of the S3 bucket to scan objects in."
+  type        = string
+}
+
+variable "s3_object_prefixes" {
+  description = "(Optional) List of object prefixes to include. If empty, all objects are included."
+  type        = list(string)
+  default     = []
+}
+
+variable "tagging_status" {
+  description = "(Optional, default 'ENABLED') Whether object tagging is enabled for malware findings."
+  type        = string
+  default     = "ENABLED"
+}

guardduty_malware_s3/locals.tf

@@ -0,0 +1,13 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+locals {
+  s3_bucket_arn = "arn:aws:s3:::${var.s3_bucket_name}"
+  region        = data.aws_region.current.name
+  account_id    = data.aws_caller_identity.current.account_id
+  common_tags = {
+    (var.billing_tag_key) = var.billing_tag_value
+    Terraform             = "true"
+  }
+}
+

guardduty_malware_s3/main.tf

@@ -0,0 +1,116 @@
+/* 
+* # GuardDuty Malware Protection for S3
+*
+* Sets up a GuardDuty Malware Protection plan for an S3 bucket.  This will asynchronously scan new objects in the specified S3 bucket for malware and tag the objects with a `GuardDutyMalwareScanStatus` scan verdict.
+*
+* It is expected that GuardDuty is already enabled in the region where this module is deployed.
+*
+* :warning: You are charged based on the number and size of the objects scanned.
+*/
+
+resource "aws_guardduty_malware_protection_plan" "this" {
+  role = aws_iam_role.this.arn
+
+  protected_resource {
+    s3_bucket {
+      bucket_name     = var.s3_bucket_name
+      object_prefixes = length(var.s3_object_prefixes) > 0 ? var.s3_object_prefixes : null
+    }
+  }
+
+  actions {
+    tagging {
+      status = var.tagging_status
+    }
+  }
+
+  tags = local.common_tags
+}
+
+resource "aws_iam_role" "this" {
+  name               = "MalwareS3-${var.s3_bucket_name}"
+  assume_role_policy = data.aws_iam_policy_document.this_assume.json
+
+  tags = local.common_tags
+}
+
+data "aws_iam_policy_document" "this_assume" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["malware-protection-plan.guardduty.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role       = aws_iam_role.this.name
+  policy_arn = aws_iam_policy.this.arn
+}
+
+resource "aws_iam_policy" "this" {
+  name   = "MalwareS3-${var.s3_bucket_name}"
+  path   = "/"
+  policy = data.aws_iam_policy_document.this.json
+
+  tags = local.common_tags
+}
+
+data "aws_iam_policy_document" "this" {
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:GetObjectTagging",
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionTagging",
+      "s3:PutObjectTagging",
+      "s3:PutObjectVersionTagging",
+      "s3:PutBucketNotification",
+      "s3:GetBucketNotification",
+
+    ]
+
+    resources = [
+      local.s3_bucket_arn,
+      "${local.s3_bucket_arn}/*"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "events:PutRule",
+      "events:DeleteRule",
+      "events:PutTargets",
+      "events:RemoveTargets"
+    ]
+    resources = [
+      "arn:aws:events:${local.region}:${local.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "events:ManagedBy"
+      values   = ["malware-protection-plan.guardduty.amazonaws.com"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "events:DescribeRule",
+      "events:ListTargetsByRule"
+    ]
+    resources = [
+      "arn:aws:events:${local.region}:${local.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
+    ]
+  }
+}