(enhancement): Add GuardDuty Kubernetes Protection (#1058)

rjjaegeraws · rycerrat · hickeydh-aws · web-flow · commit 8d9fbc1c45e4 · 2022-10-03T22:52:52.000-04:00
* add frequency for GuardDuty * update sample config files with new config option * add guardduty eks support * fix for issue with ALB forwarder when no HOSTS defined (#1019) * Decreasing max concurrency limit to 10 (#1062) * (Fix): SM jitter (#1050) * exponential backoff fix * exponential backoff fix * Fixed backoff for lambdas * added backoff in other location * fixed lambda timeouts and added timeout aspect * fixed typo * tweak default max jitter delay to 2s from 5s Co-authored-by: hickeydh-aws <hickeydh@amazon.com> Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com> * (docs): Eb faq doc update (#1055) * added Elastic Beanstalk entry to FAQ * Update index.md Co-authored-by: Jahnke <ejahnke@909c4acec9cf.ant.amazon.com> * (addon): OpenSearch SIEM added CW Alarms (#1056) * added CW Alarms * fix typo Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com> * (enhancement): Frequency for updated findings for GuardDuty (#1057) * add frequency for GuardDuty * update sample config files with new config option * add guardduty eks support Co-authored-by: rycerrat <42330513+rycerrat@users.noreply.github.com> Co-authored-by: hickeydh-aws <88673813+hickeydh-aws@users.noreply.github.com> Co-authored-by: hickeydh-aws <hickeydh@amazon.com> Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com> Co-authored-by: Elden Jahnke <94935251+ejahnke@users.noreply.github.com> Co-authored-by: Jahnke <ejahnke@909c4acec9cf.ant.amazon.com>
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.example.json b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -61,6 +61,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json
@@ -74,6 +74,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json
@@ -61,6 +61,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json
@@ -56,6 +56,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json
@@ -61,6 +61,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
@@ -61,6 +61,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.test-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.test-example.json
@@ -73,6 +73,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-CT-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-CT-example.json
@@ -37,6 +37,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "cwl-access-level": "full",
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
@@ -35,6 +35,8 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-eks": true,
+      "guardduty-eks-excl-regions": [],
       "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "cwl-access-level": "full",
diff --git a/src/deployments/cdk/src/deployments/guardduty/guardduty.ts b/src/deployments/cdk/src/deployments/guardduty/guardduty.ts
@@ -116,13 +116,15 @@ export async function step2(props: GuardDutyStepProps) {
   }));
   const centralServiceConfig = props.config['global-options']['central-security-services'];
   const s3ProtectionExclRegions = centralServiceConfig['guardduty-s3-excl-regions'] || [];
+  const eksProtectionExclRegions = centralServiceConfig['guardduty-eks-excl-regions'] || [];
   const frequency = await getFrequency(props.config);
   regions?.map(region => {
     const masterAccountStack = props.accountStacks.getOrCreateAccountStack(masterAccountKey, region);
     new GuardDutyAdminSetup(masterAccountStack, 'GuardDutyAdminSetup', {
       memberAccounts: accountDetails,
       roleArn: adminSetupRoleOutput.roleArn,
       s3Protection: centralServiceConfig['guardduty-s3'] && !s3ProtectionExclRegions.includes(region),
+      eksProtection: centralServiceConfig['guardduty-eks'] && !eksProtectionExclRegions.includes(region),
       frequency,
     });
   });
diff --git a/src/lib/config-i18n/src/en.ts b/src/lib/config-i18n/src/en.ts
@@ -2807,6 +2807,15 @@ translate(c.CentralServicesConfigType, {
       title: 'GuardDuty S3 Protection Exclusion Regions',
       description: 'List of excluded regions from Guardduty S3 protection. [SECURITY]',
     },
+    'guardduty-eks': {
+      title: 'GuardDuty EKS Protection',
+      description:
+        'EKS protection enables Amazon GuardDuty to monitor control plane activity by analyzing Kubernetes audit logs. [SECURITY]',
+    },
+    'guardduty-eks-excl-regions': {
+      title: 'GuardDuty EKS Protection Exclusion Regions',
+      description: 'List of excluded regions from Guardduty EKS protection. [SECURITY]',
+    },
     'guardduty-frequency': {
       title: 'Update Frequency for Policy Findings',
       description:
diff --git a/src/lib/config-i18n/src/fr.ts b/src/lib/config-i18n/src/fr.ts
@@ -2609,6 +2609,14 @@ translate(c.CentralServicesConfigType, {
       title: '',
       description: '',
     },
+    'guardduty-eks': {
+      title: '',
+      description: '',
+    },
+    'guardduty-eks-excl-regions': {
+      title: '',
+      description: '',
+    },
     'guardduty-frequency': {
       title: '',
       description: '',
diff --git a/src/lib/config/src/config.v2.ts b/src/lib/config/src/config.v2.ts
@@ -907,6 +907,8 @@ export const CentralServicesConfigType = t.interface({
   'guardduty-excl-regions': t.optional(t.array(t.nonEmptyString)),
   'guardduty-s3': t.defaulted(t.boolean, false),
   'guardduty-s3-excl-regions': t.optional(t.array(t.nonEmptyString)),
+  'guardduty-eks': t.defaulted(t.boolean, false),
+  'guardduty-eks-excl-regions': t.optional(t.array(t.nonEmptyString)),
   'guardduty-frequency': t.optional(t.nonEmptyString),
   'access-analyzer': t.defaulted(t.boolean, false),
   cwl: t.defaulted(t.boolean, false),
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/cdk/index.ts b/src/lib/custom-resources/cdk-guardduty-admin-setup/cdk/index.ts
@@ -28,6 +28,7 @@ export interface GuardDutyAdminSetupProps {
   memberAccounts: AccountDetail[];
   roleArn: string;
   s3Protection: boolean;
+  eksProtection: boolean;
   frequency: GuardDutyFrequency;
 }
 
@@ -45,6 +46,7 @@ export class GuardDutyAdminSetup extends cdk.Construct {
     const handlerProperties = {
       memberAccounts: props.memberAccounts,
       s3Protection: props.s3Protection,
+      eksProtection: props.eksProtection,
       frequency: props.frequency,
     };
 
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/package.json
@@ -5,15 +5,15 @@
   "main": "dist/index.js",
   "types": "src/index.ts",
   "scripts": {
-    "build": "pnpx esbuild --minify --bundle --platform=node --target=node14 --external:aws-sdk --outfile=./dist/index.js src/index.ts",
+    "build": "pnpx esbuild --minify --bundle --platform=node --target=node14  --outfile=./dist/index.js src/index.ts",
     "lint:typecheck": "pnpx tsc --noEmit",
     "lint:eslint": "pnpx eslint '{cdk,lib,src}/**/*.{js,ts}'"
   },
   "dependencies": {
     "@aws-accelerator/custom-resource-cfn-utils": "workspace:*",
     "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:*",
     "aws-lambda": "1.0.6",
-    "aws-sdk": "2.944.0"
+    "aws-sdk": "2.1217.0"
   },
   "devDependencies": {
     "@types/aws-lambda": "8.10.76",
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts
@@ -12,7 +12,7 @@
  */
 
 import * as AWS from 'aws-sdk';
-AWS.config.logger = console;
+//AWS.config.logger = console;
 import {
   CloudFormationCustomResourceEvent,
   CloudFormationCustomResourceCreateEvent,
@@ -43,6 +43,7 @@ export interface HandlerProperties {
   deligatedAdminAccountId: string;
   memberAccounts: AccountDetail[];
   s3Protection: boolean;
+  eksProtection: boolean;
   frequency: GuardDutyFrequency;
 }
 
@@ -76,13 +77,13 @@ async function onCreateOrUpdate(
     };
   }
 
-  const { memberAccounts, s3Protection, frequency } = properties;
-  await updateS3ProtectionAndFrequency(detectorId, s3Protection, frequency);
+  const { memberAccounts, s3Protection, eksProtection, frequency } = properties;
+  await updateS3ProtectionAndFrequency(detectorId, s3Protection, eksProtection, frequency);
 
-  const isAutoEnabled = await isConfigurationAutoEnabled(detectorId, s3Protection);
+  const isAutoEnabled = await isConfigurationAutoEnabled(detectorId, s3Protection, eksProtection);
   if (!isAutoEnabled) {
     // Update Config to handle new Account created under Organization
-    await updateConfig(detectorId, s3Protection);
+    await updateConfig(detectorId, s3Protection, eksProtection);
   } else {
     console.log(`GuardDuty is already enabled ORG Level`);
   }
@@ -93,9 +94,10 @@ async function onCreateOrUpdate(
   );
   if (requiredMemberAccounts.length > 0) {
     await createMembers(requiredMemberAccounts, detectorId);
-    await updateMemberDataSource(requiredMemberAccounts, detectorId, s3Protection);
   }
 
+  await updateMemberDataSource(existingMembers, detectorId, s3Protection, eksProtection);
+
   return {
     physicalResourceId,
     data: {},
@@ -142,7 +144,7 @@ async function createMembers(memberAccounts: AccountDetail[], detectorId: string
 }
 
 // Step 3 of https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
-async function updateConfig(detectorId: string, s3Protection: boolean, autoEnable = true) {
+async function updateConfig(detectorId: string, s3Protection: boolean, eksProtection: boolean, autoEnable = true) {
   try {
     console.log(`Calling api "guardduty.updateOrganizationConfiguration()", ${detectorId}`);
     await throttlingBackOff(() =>
@@ -154,6 +156,11 @@ async function updateConfig(detectorId: string, s3Protection: boolean, autoEnabl
             S3Logs: {
               AutoEnable: s3Protection,
             },
+            Kubernetes: {
+              AuditLogs: {
+                AutoEnable: eksProtection,
+              },
+            },
           },
         })
         .promise(),
@@ -165,7 +172,11 @@ async function updateConfig(detectorId: string, s3Protection: boolean, autoEnabl
 }
 
 // describe-organization-configuration to check if security hub is already enabled in org level or not
-async function isConfigurationAutoEnabled(detectorId: string, s3Protection: boolean): Promise<boolean> {
+async function isConfigurationAutoEnabled(
+  detectorId: string,
+  s3Protection: boolean,
+  eksProtection: boolean,
+): Promise<boolean> {
   try {
     console.log(`Calling api "guardduty.describeOrganizationConfiguration()", ${detectorId}`);
     const response = await throttlingBackOff(() =>
@@ -175,7 +186,11 @@ async function isConfigurationAutoEnabled(detectorId: string, s3Protection: bool
         })
         .promise(),
     );
-    return response.AutoEnable && response.DataSources?.S3Logs.AutoEnable! === s3Protection;
+    return (
+      response.AutoEnable &&
+      response.DataSources?.S3Logs.AutoEnable! === s3Protection &&
+      response.DataSources?.Kubernetes?.AuditLogs.AutoEnable! === eksProtection
+    );
   } catch (error) {
     console.error(
       `Error Occurred while checking configuration auto enabled of GuardDuty ${error.code}: ${error.message}`,
@@ -184,16 +199,21 @@ async function isConfigurationAutoEnabled(detectorId: string, s3Protection: bool
   }
 }
 
-async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorId: string, s3Protection: boolean) {
-  if (s3Protection) {
-    return;
-  }
+async function updateMemberDataSource(
+  memberAccounts: AccountDetail[],
+  detectorId: string,
+  s3Protection: boolean,
+  eksProtection: boolean,
+) {
+  // if (s3Protection && eksProtection) {
+  //   return;
+  // }
   try {
     let pageNumber = 1;
     let currentAccounts: AccountDetail[] = paginate(memberAccounts, pageNumber, pageSize);
     while (currentAccounts.length > 0) {
       console.log(
-        `Calling api "guardduty.updateMemberDetectors()", ${currentAccounts}, ${detectorId} to disable S3Protection`,
+        `Calling api "guardduty.updateMemberDetectors()", ${currentAccounts}, ${detectorId} to update S3Protection or EKSProtection`,
       );
       await throttlingBackOff(() =>
         guardduty
@@ -202,7 +222,12 @@ async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorI
             DetectorId: detectorId,
             DataSources: {
               S3Logs: {
-                Enable: false,
+                Enable: s3Protection,
+              },
+              Kubernetes: {
+                AuditLogs: {
+                  Enable: eksProtection,
+                },
               },
             },
           })
@@ -219,6 +244,7 @@ async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorI
 async function updateS3ProtectionAndFrequency(
   detectorId: string,
   s3Protection: boolean,
+  eksProtection: boolean,
   frequency?: GuardDutyFrequency,
 ) {
   try {
@@ -230,6 +256,11 @@ async function updateS3ProtectionAndFrequency(
             S3Logs: {
               Enable: s3Protection,
             },
+            Kubernetes: {
+              AuditLogs: {
+                Enable: eksProtection,
+              },
+            },
           },
           FindingPublishingFrequency: frequency,
         })
@@ -288,6 +319,9 @@ function getPropertiesFromEvent(event: CloudFormationCustomResourceEvent) {
   if (typeof properties.s3Protection === 'string') {
     properties.s3Protection = properties.s3Protection === 'true';
   }
+  if (typeof properties.eksProtection === 'string') {
+    properties.eksProtection = properties.eksProtection === 'true';
+  }
   return properties;
 }
 
@@ -300,9 +334,9 @@ async function onDelete(event: CloudFormationCustomResourceDeleteEvent) {
   const { memberAccounts } = properties;
   try {
     const detectorId = await getDetectorId();
-    await updateS3ProtectionAndFrequency(detectorId!, false, undefined);
-    await updateConfig(detectorId!, false, false);
-    await updateMemberDataSource(memberAccounts, detectorId!, false);
+    await updateS3ProtectionAndFrequency(detectorId!, false, false, undefined);
+    await updateConfig(detectorId!, false, false, false);
+    await updateMemberDataSource(memberAccounts, detectorId!, false, false);
     await deleteMembers(memberAccounts, detectorId!);
   } catch (error) {
     console.warn('Exception while performing Delete Action');
