Overview

A configuration package to enable Amazon GuardDuty in an AWS account as well as email notifications for GuardDuty findings (using a CloudWatch Event Rule), and an AWS Config Rule to verify that GuardDuty is continuously enabled.

Configure & Deploy

Configuration Presets

  • Enables Amazon GuardDuty
  • Configures an SNS Topic and a CloudWatch Event Rule to send a notification on GuardDuty findings
  • Enables an AWS Config Rule to monitor GuardDuty's configuration status. The rule is NON_COMPLIANT if GuardDuty is disabled

Configuration Template

EDIT
EDIT
EDIT
EDIT
Items
5
Size
2.5 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  GuardDuty:
    Type: 'AWS::GuardDuty::Detector'
    Properties:
      Enable: true
  SnsTopic1:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: sns-topic
  CwEvent1:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-guardduty-finding
      Description: >-
        A CloudWatch Event Rule that triggers on Amazon GuardDuty findings. The
        Event Rule can be used to trigger notifications or remediative actions
        using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - GuardDuty Finding
        source:
          - aws.guardduty
  SnsTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
  ConfigRule1:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: guardduty-enabled-centralized
      Description: >-
        A Config rule that checks whether Amazon GuardDuty is enabled in your
        AWS account and region. If you provide an AWS account for
        centralization, the rule evaluates the Amazon GuardDuty results in the
        centralized account. The rule is compliant when Amazo...
      Scope:
        ComplianceResourceTypes: []
      Source:
        Owner: AWS
        SourceIdentifier: GUARDDUTY_ENABLED_CENTRALIZED
      MaximumExecutionFrequency: TwentyFour_Hours
Parameters: {}
Metadata: {}
Conditions: {}