(enhancement): Frequency for updated findings for GuardDuty (#1057)

rjjaegeraws · web-flow · commit b8de5774aafe · 2022-10-03T19:59:01.000-04:00
* add frequency for GuardDuty

* update sample config files with new config option
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.example.json b/reference-artifacts/SAMPLE_CONFIGS/config.example.json
@@ -61,6 +61,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-CTNFW-example.json
@@ -74,6 +74,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-GWLB-example.json
@@ -61,6 +61,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-NFW-example.json
@@ -56,6 +56,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.lite-VPN-example.json
@@ -61,6 +61,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.multi-region-example.json
@@ -61,6 +61,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [],
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.test-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.test-example.json
@@ -73,6 +73,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "access-analyzer": true,
       "config-excl-regions": [
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-CT-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-CT-example.json
@@ -37,6 +37,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "cwl-access-level": "full",
       "access-analyzer": true,
diff --git a/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json b/reference-artifacts/SAMPLE_CONFIGS/config.ultralite-example.json
@@ -35,6 +35,7 @@
       "guardduty-excl-regions": [],
       "guardduty-s3": true,
       "guardduty-s3-excl-regions": [],
+      "guardduty-frequency": "FIFTEEN_MINUTES",
       "cwl": true,
       "cwl-access-level": "full",
       "access-analyzer": true,
diff --git a/src/deployments/cdk/src/deployments/guardduty/guardduty.ts b/src/deployments/cdk/src/deployments/guardduty/guardduty.ts
@@ -23,6 +23,12 @@ import { GuardDutyAdminSetup } from '@aws-accelerator/custom-resource-guardduty-
 import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 
+export enum GuardDutyFrequency {
+  FIFTEEN_MINUTES = 'FIFTEEN_MINUTES',
+  ONE_HOUR = 'ONE_HOUR',
+  SIX_HOURS = 'SIX_HOURS',
+}
+
 export interface GuardDutyStepProps {
   accountStacks: AccountStacks;
   config: AcceleratorConfig;
@@ -110,12 +116,14 @@ export async function step2(props: GuardDutyStepProps) {
   }));
   const centralServiceConfig = props.config['global-options']['central-security-services'];
   const s3ProtectionExclRegions = centralServiceConfig['guardduty-s3-excl-regions'] || [];
+  const frequency = await getFrequency(props.config);
   regions?.map(region => {
     const masterAccountStack = props.accountStacks.getOrCreateAccountStack(masterAccountKey, region);
     new GuardDutyAdminSetup(masterAccountStack, 'GuardDutyAdminSetup', {
       memberAccounts: accountDetails,
       roleArn: adminSetupRoleOutput.roleArn,
       s3Protection: centralServiceConfig['guardduty-s3'] && !s3ProtectionExclRegions.includes(region),
+      frequency,
     });
   });
 }
@@ -197,3 +205,16 @@ export async function getValidRegions(config: AcceleratorConfig) {
   const validRegions = regions.filter(x => !excl?.includes(x));
   return validRegions;
 }
+
+export async function getFrequency(config: AcceleratorConfig) {
+  const frequency = config['global-options']['central-security-services']['guardduty-frequency'];
+  if (frequency === GuardDutyFrequency.SIX_HOURS) {
+    return GuardDutyFrequency.SIX_HOURS;
+  } else if (frequency === GuardDutyFrequency.ONE_HOUR) {
+    return GuardDutyFrequency.ONE_HOUR;
+  } else if (frequency === GuardDutyFrequency.FIFTEEN_MINUTES) {
+    return GuardDutyFrequency.FIFTEEN_MINUTES;
+  } else {
+    return GuardDutyFrequency.SIX_HOURS;
+  }
+}
diff --git a/src/lib/config-i18n/src/en.ts b/src/lib/config-i18n/src/en.ts
@@ -2807,6 +2807,11 @@ translate(c.CentralServicesConfigType, {
       title: 'GuardDuty S3 Protection Exclusion Regions',
       description: 'List of excluded regions from Guardduty S3 protection. [SECURITY]',
     },
+    'guardduty-frequency': {
+      title: 'Update Frequency for Policy Findings',
+      description:
+        'The schedule GuardDuty uses to publish updates to policy findings. Supported values are: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. [SECURITY]',
+    },
     'access-analyzer': {
       title: '',
       description:
diff --git a/src/lib/config-i18n/src/fr.ts b/src/lib/config-i18n/src/fr.ts
@@ -2609,6 +2609,10 @@ translate(c.CentralServicesConfigType, {
       title: '',
       description: '',
     },
+    'guardduty-frequency': {
+      title: '',
+      description: '',
+    },
     'access-analyzer': {
       title: '',
       description: '',
diff --git a/src/lib/config/src/config.v2.ts b/src/lib/config/src/config.v2.ts
@@ -907,6 +907,7 @@ export const CentralServicesConfigType = t.interface({
   'guardduty-excl-regions': t.optional(t.array(t.nonEmptyString)),
   'guardduty-s3': t.defaulted(t.boolean, false),
   'guardduty-s3-excl-regions': t.optional(t.array(t.nonEmptyString)),
+  'guardduty-frequency': t.optional(t.nonEmptyString),
   'access-analyzer': t.defaulted(t.boolean, false),
   cwl: t.defaulted(t.boolean, false),
   'cwl-access-level': t.optional(t.nonEmptyString),
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/cdk/index.ts b/src/lib/custom-resources/cdk-guardduty-admin-setup/cdk/index.ts
@@ -15,6 +15,7 @@ import * as path from 'path';
 import * as cdk from '@aws-cdk/core';
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
+import { GuardDutyFrequency } from '@aws-accelerator/custom-resource-guardduty-admin-setup-runtime';
 
 const resourceType = 'Custom::GuardDutyAdminSetup';
 
@@ -27,6 +28,7 @@ export interface GuardDutyAdminSetupProps {
   memberAccounts: AccountDetail[];
   roleArn: string;
   s3Protection: boolean;
+  frequency: GuardDutyFrequency;
 }
 
 /**
@@ -43,6 +45,7 @@ export class GuardDutyAdminSetup extends cdk.Construct {
     const handlerProperties = {
       memberAccounts: props.memberAccounts,
       s3Protection: props.s3Protection,
+      frequency: props.frequency,
     };
 
     const adminSetup = this.lambdaFunction(props.roleArn);
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts
@@ -28,6 +28,12 @@ const guardduty = new AWS.GuardDuty();
 // Guardduty CreateMembers, UpdateMembers and DeleteMembers apis only supports max 50 accounts per request
 const pageSize = 50;
 
+export enum GuardDutyFrequency {
+  FIFTEEN_MINUTES = 'FIFTEEN_MINUTES',
+  ONE_HOUR = 'ONE_HOUR',
+  SIX_HOURS = 'SIX_HOURS',
+}
+
 export interface AccountDetail {
   AccountId: string;
   Email: string;
@@ -37,6 +43,7 @@ export interface HandlerProperties {
   deligatedAdminAccountId: string;
   memberAccounts: AccountDetail[];
   s3Protection: boolean;
+  frequency: GuardDutyFrequency;
 }
 
 export const handler = errorHandler(onEvent);
@@ -69,8 +76,8 @@ async function onCreateOrUpdate(
     };
   }
 
-  const { memberAccounts, s3Protection } = properties;
-  await updateS3Protection(detectorId, s3Protection);
+  const { memberAccounts, s3Protection, frequency } = properties;
+  await updateS3ProtectionAndFrequency(detectorId, s3Protection, frequency);
 
   const isAutoEnabled = await isConfigurationAutoEnabled(detectorId, s3Protection);
   if (!isAutoEnabled) {
@@ -209,7 +216,11 @@ async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorI
   }
 }
 
-async function updateS3Protection(detectorId: string, s3Protection: boolean) {
+async function updateS3ProtectionAndFrequency(
+  detectorId: string,
+  s3Protection: boolean,
+  frequency?: GuardDutyFrequency,
+) {
   try {
     await throttlingBackOff(() =>
       guardduty
@@ -220,6 +231,7 @@ async function updateS3Protection(detectorId: string, s3Protection: boolean) {
               Enable: s3Protection,
             },
           },
+          FindingPublishingFrequency: frequency,
         })
         .promise(),
     );
@@ -288,7 +300,7 @@ async function onDelete(event: CloudFormationCustomResourceDeleteEvent) {
   const { memberAccounts } = properties;
   try {
     const detectorId = await getDetectorId();
-    await updateS3Protection(detectorId!, false);
+    await updateS3ProtectionAndFrequency(detectorId!, false, undefined);
     await updateConfig(detectorId!, false, false);
     await updateMemberDataSource(memberAccounts, detectorId!, false);
     await deleteMembers(memberAccounts, detectorId!);
