######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations GuardDuty in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'guardduty_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: Version: 1.2 Entry: Parameters for deploying solution resolving SSM parameters Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pSRAAlarmEmail - pAuditAccountId - pLogArchiveAccountId - pRootOrganizationalUnitId - Label: default: GuardDuty Delivery Properties Parameters: - pGuardDutyOrgDeliveryBucketPrefix - pGuardDutyOrgDeliveryKeyAlias - Label: default: GuardDuty Configuration Properties Parameters: - pDisableGuardDuty - pAutoEnableS3Logs - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring - pEnableEksAddonManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pEnabledRegions - pFindingPublishingFrequency - pOrganizationId - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAuditAccountId: default: Audit Account ID pAutoEnableS3Logs: default: Auto Enable S3 Logs pAutoEnableKubernetesAuditLogs: default: Auto Enable Kubernetes Audit Logs pAutoEnableMalwareProtection: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events pEnableEksRuntimeMonitoring: default: Auto enable EKS Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: default: Control Tower Regions Only pCreateLambdaLogGroup: default: Create Lambda Log Group pDisableGuardDuty: default: Disable GuardDuty in All Accounts pEnabledRegions: default: (Optional) Enabled Regions pFindingPublishingFrequency: default: Finding Publishing Frequency pGuardDutyOrgDeliveryBucketPrefix: default: GuardDuty Delivery Bucket Prefix pGuardDutyOrgDeliveryKeyAlias: default: GuardDuty Delivery KMS Key Alias pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pLogArchiveAccountId: default: Log Archive Account ID pOrganizationId: default: Organization ID pRootOrganizationalUnitId: default: Root Organizational Unit ID pSRAAlarmEmail: default: (Optional) SRA Alarm Email pSRASolutionName: default: SRA Solution Name pSRASolutionVersion: default: SRA Solution Version pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name Parameters: pAuditAccountId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/audit-account-id Description: SSM Parameter for AWS Account ID of the Control Tower account to delegate administration. Type: AWS::SSM::Parameter::Value pAutoEnableS3Logs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable S3 logs Type: String pAutoEnableKubernetesAuditLogs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Kubernetes Audit Logs Type: String pAutoEnableMalwareProtection: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Malware Protection Type: String pEnableRdsLoginEvents: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable RDS Login Events Type: String pEnableEksRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Lambda Network Logs Type: String pControlTowerRegionsOnly: Type: String Description: Only enable in the Control Tower governed regions Default: 'true' AllowedValues: ['true', 'false'] pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pDisableGuardDuty: AllowedValues: ['true', 'false'] Default: 'false' Description: Update to 'true' to disable GuardDuty in all accounts and regions before deleting the stack. Type: String pEnabledRegions: AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS] Default: FIFTEEN_MINUTES Description: Finding publishing frequency Type: String pGuardDutyOrgDeliveryBucketPrefix: AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-guardduty-org-delivery Description: GuardDuty Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-guardduty-delivery-123456789012-us-east-1 Type: String pGuardDutyOrgDeliveryKeyAlias: Default: sra-guardduty-org-delivery-key Description: GuardDuty Delivery KMS Key Alias Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pLogArchiveAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/log-archive-account-id Description: SSM Parameter for AWS Account ID of the Control Tower Log Archive account. Type: AWS::SSM::Parameter::Value pOrganizationId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/organization-id Description: SSM Parameter for AWS Organizations ID Type: AWS::SSM::Parameter::Value pRootOrganizationalUnitId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/control-tower/root-organizational-unit-id Description: SSM Parameter for Root Organizational Unit ID Type: AWS::SSM::Parameter::Value pSRAAlarmEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Must be a valid email address. Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: AllowedValues: [sra-guardduty-org] Default: sra-guardduty-org Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRAStagingS3BucketName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Default: /sra/staging-s3-bucket-name Description: SSM Parameter for SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: AWS::SSM::Parameter::Value pSRASolutionVersion: AllowedValues: [v1.2] Default: v1.2 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String Resources: rGuardDutyDeleteDetectorIAMRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-delete-detector-role AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for deleting GuardDuty detectors. ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 100 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SERVICE_MANAGED StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: - !Ref pRootOrganizationalUnitId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delete-detector-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeleteDetectorIAMRoleStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delete-detector-role.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pManagementAccountId: !Ref AWS::AccountId rGuardDutyConfigurationIAMRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-configuration-role AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring GuardDuty ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-configuration-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeliveryKMSKeyStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-delivery-kms-key AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting GuardDuty findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delivery-kms-key.yaml Parameters: - ParameterKey: pGuardDutyOrgDeliveryKeyAlias ParameterValue: !Ref pGuardDutyOrgDeliveryKeyAlias - ParameterKey: pLogArchiveAccountId ParameterValue: !Ref pLogArchiveAccountId - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId - ParameterKey: pSRASecretsKeyAliasArn ParameterValue: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${pAuditAccountId}:alias/sra-secrets-key Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeliveryS3BucketStackSet: Type: AWS::CloudFormation::StackSet DependsOn: rGuardDutyDeliveryKMSKeyStackSet Properties: StackSetName: sra-guardduty-org-delivery-s3-bucket AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys an S3 bucket via ${pSRASolutionName} for storing GuardDuty findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pLogArchiveAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delivery-s3-bucket.yaml Parameters: - ParameterKey: pGuardDutyOrgDeliveryBucketPrefix ParameterValue: !Ref pGuardDutyOrgDeliveryBucketPrefix - ParameterKey: pGuardDutyOrgDeliveryKMSKeyArn ParameterValue: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/guardduty_org_delivery_key_arn:SecretString:GuardDutyDeliveryKeyArn:AWSCURRENT}}' Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyConfigurationStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete DependsOn: - rGuardDutyDeleteDetectorIAMRoleStackSet - rGuardDutyDeleteDetectorIAMRoleStack - rGuardDutyDeliveryS3BucketStackSet - rGuardDutyConfigurationIAMRoleStackSet UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-configuration.yaml Parameters: pAutoEnableS3Logs: !Ref pAutoEnableS3Logs pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pDelegatedAdminAccountId: !Ref pAuditAccountId pDisableGuardDuty: !Ref pDisableGuardDuty pEnabledRegions: !Ref pEnabledRegions pFindingPublishingFrequency: !Ref pFindingPublishingFrequency pKMSKeyArn: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/guardduty_org_delivery_key_arn:SecretString:GuardDutyDeliveryKeyArn:AWSCURRENT}}' pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pOrganizationId: !Ref pOrganizationId pPublishingDestinationBucketName: !Sub ${pGuardDutyOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region} pSRAAlarmEmail: !Ref pSRAAlarmEmail pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName Tags: - Key: sra-solution Value: !Ref pSRASolutionName