fix(core): Fixing enabling GuardDuty S3 Protection in Security Account (#512)

* AutoEnable S3 Detection in Admin Account

* Exclude regions for s3 protection

* Exclude region based on config

* Adding delete action for guardDutyAdminSetup and createIamRole Custom resources

* Adding permissions related to clean up

* GuardDuty deployment for all environments

* Prettier

* Enavle S3 Production Security Account based on config

Author: naveenkoppula

src/deployments/cdk/src/deployments/iam/guardduty-roles.ts

@@ -75,6 +75,7 @@ export async function createAdminSetupRole(stack: AccountStack) {
         'guardduty:DescribeOrganizationConfiguration',
         'guardduty:UpdateMemberDetectors',
         'guardduty:DeleteMembers',
+        'guardduty:UpdateDetector',
       ],
       resources: ['*'],
     }),

src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts

@@ -54,6 +54,8 @@ async function onCreateOrUpdate(
   }
 
   const { memberAccounts, s3Protection } = properties;
+  await updateS3Protection(detectorId, s3Protection);
+
   const isAutoEnabled = await isConfigurationAutoEnabled(detectorId, s3Protection);
   if (isAutoEnabled) {
     console.log(`GuardDuty is already enabled ORG Level`);
@@ -68,7 +70,7 @@ async function onCreateOrUpdate(
 
   if (memberAccounts.length > 0) {
     await createMembers(memberAccounts, detectorId);
-    await updateDataSource(memberAccounts, detectorId, s3Protection);
+    await updateMemberDataSource(memberAccounts, detectorId, s3Protection);
   }
 
   return {
@@ -153,7 +155,7 @@ async function isConfigurationAutoEnabled(detectorId: string, s3Protection: bool
   }
 }
 
-async function updateDataSource(memberAccounts: AccountDetail[], detectorId: string, s3Protection: boolean) {
+async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorId: string, s3Protection: boolean) {
   if (s3Protection) {
     return;
   }
@@ -180,6 +182,26 @@ async function updateDataSource(memberAccounts: AccountDetail[], detectorId: str
   }
 }
 
+async function updateS3Protection(detectorId: string, s3Protection: boolean) {
+  try {
+    await throttlingBackOff(() =>
+      guardduty
+        .updateDetector({
+          DetectorId: detectorId,
+          DataSources: {
+            S3Logs: {
+              Enable: s3Protection,
+            },
+          },
+        })
+        .promise(),
+    );
+  } catch (error) {
+    console.warn('Error while calling guardduty.updateDetector');
+    console.warn(error);
+  }
+}
+
 async function deleteMembers(memberAccounts: AccountDetail[], detectorId: string) {
   try {
     console.log(`Calling api "guardduty.createMembers()", ${memberAccounts}, ${detectorId}`);
@@ -216,8 +238,9 @@ async function onDelete(event: CloudFormationCustomResourceDeleteEvent) {
   const { memberAccounts } = properties;
   try {
     const detectorId = await getDetectorId();
+    await updateS3Protection(detectorId!, false);
     await updateConfig(detectorId!, false, false);
-    await updateDataSource(memberAccounts, detectorId!, false);
+    await updateMemberDataSource(memberAccounts, detectorId!, false);
     await deleteMembers(memberAccounts, detectorId!);
   } catch (error) {
     console.warn('Exception while performing Delete Action');