######################################################################## # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ######################################################################## AWSTemplateFormatVersion: 2010-09-09 Description: This template enables an AWS Organizations GuardDuty in the Control Tower Audit or another delegated admin account with a customer managed KMS key created in the Audit account sending the encrypted findings to an S3 bucket created within the Log Archive account. - 'guardduty_org' solution in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1ssgnse4k) Metadata: SRA: Version: 1.2 Entry: Parameters for deploying solution Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Properties Parameters: - pSRASolutionName - pSRASolutionVersion - pSRAStagingS3BucketName - pSRAAlarmEmail - pAuditAccountId - pLogArchiveAccountId - pRootOrganizationalUnitId - Label: default: GuardDuty Delivery Properties Parameters: - pGuardDutyOrgDeliveryBucketPrefix - pGuardDutyOrgDeliveryKeyAlias - Label: default: GuardDuty Configuration Properties Parameters: - pDisableGuardDuty - pAutoEnableS3Logs - pAutoEnableKubernetesAuditLogs - pAutoEnableMalwareProtection - pEnableRdsLoginEvents - pEnableEksRuntimeMonitoring - pEnableEksAddonManagement - pEnableLambdaNetworkLogs - pControlTowerRegionsOnly - pEnabledRegions - pFindingPublishingFrequency - pOrganizationId - Label: default: General Lambda Function Properties Parameters: - pCreateLambdaLogGroup - pLambdaLogGroupRetention - pLambdaLogGroupKmsKey - pLambdaLogLevel ParameterLabels: pAuditAccountId: default: Audit Account ID pAutoEnableS3Logs: default: Auto Enable S3 Logs pAutoEnableKubernetesAuditLogs: Default: Auto enable Kubernetes Audit Logs pAutoEnableMalwareProtection: default: Auto Enable Malware Protection pEnableRdsLoginEvents: default: Auto enable RDS Login Events pEnableEksRuntimeMonitoring: default: Auto enable EKS Runtime Monitoring pEnableEksAddonManagement: default: Auto enable EKS Add-on Management pEnableLambdaNetworkLogs: default: Auto enable Lambda Network Logs pControlTowerRegionsOnly: default: Control Tower Regions Only pCreateLambdaLogGroup: default: Create Lambda Log Group pDisableGuardDuty: default: Disable GuardDuty in All Accounts pEnabledRegions: default: (Optional) Enabled Regions pFindingPublishingFrequency: default: Finding Publishing Frequency pGuardDutyOrgDeliveryBucketPrefix: default: GuardDuty Delivery Bucket Prefix pGuardDutyOrgDeliveryKeyAlias: default: GuardDuty Delivery KMS Key Alias pLambdaLogGroupKmsKey: default: (Optional) Lambda Logs KMS Key pLambdaLogGroupRetention: default: Lambda Log Group Retention pLambdaLogLevel: default: Lambda Log Level pLogArchiveAccountId: default: Log Archive Account ID pOrganizationId: default: Organization ID pRootOrganizationalUnitId: default: Root Organizational Unit ID pSRAAlarmEmail: default: (Optional) SRA Alarm Email pSRASolutionName: default: SRA Solution Name pSRAStagingS3BucketName: default: SRA Staging S3 Bucket Name pSRASolutionVersion: default: SRA Solution Version Parameters: pAuditAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: AWS Account ID of the Control Tower Audit account. Type: String pAutoEnableS3Logs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable S3 logs Type: String pAutoEnableKubernetesAuditLogs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Kubernetes Audit Logs Type: String pAutoEnableMalwareProtection: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Malware Protection Type: String pEnableRdsLoginEvents: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable RDS Login Events Type: String pEnableEksRuntimeMonitoring: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Runtime Monitoring Type: String pEnableEksAddonManagement: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable EKS Add-on Management Type: String pEnableLambdaNetworkLogs: AllowedValues: ['true', 'false'] Default: 'true' Description: Auto enable Lambda Network Logs Type: String pControlTowerRegionsOnly: AllowedValues: ['true', 'false'] Default: 'true' Description: Only enable in the Control Tower governed regions Type: String pCreateLambdaLogGroup: AllowedValues: ['true', 'false'] Default: 'false' Description: Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS Key for encryption. Type: String pDisableGuardDuty: AllowedValues: ['true', 'false'] Default: 'false' Description: Update to 'true' to disable GuardDuty in all accounts and regions before deleting the stack. Type: String pEnabledRegions: AllowedPattern: '^$|^([a-z0-9-]{1,64})$|^(([a-z0-9-]{1,64},)*[a-z0-9-]{1,64})$' ConstraintDescription: Only lowercase letters, numbers, and hyphens ('-') allowed. (e.g. us-east-1) Additional AWS regions can be provided, separated by commas. (e.g. us-east-1,ap-southeast-2) Default: '' Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions. Type: String pFindingPublishingFrequency: AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS] Default: FIFTEEN_MINUTES Description: Finding publishing frequency Type: String pGuardDutyOrgDeliveryBucketPrefix: AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: sra-guardduty-org-delivery Description: GuardDuty Delivery S3 bucket prefix. The account and region will get added to the end. e.g. sra-guardduty-delivery-123456789012-us-east-1 Type: String pGuardDutyOrgDeliveryKeyAlias: Default: sra-guardduty-org-delivery-key Description: GuardDuty Delivery KMS Key Alias Type: String pLambdaLogGroupKmsKey: AllowedPattern: '^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$' ConstraintDescription: 'Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' Default: '' Description: (Optional) KMS Key ARN to use for encrypting the Lambda logs data. If empty, encryption is enabled with CloudWatch Logs managing the server-side encryption keys. Type: String pLambdaLogGroupRetention: AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] Default: 14 Description: Specifies the number of days you want to retain log events Type: String pLambdaLogLevel: AllowedValues: [INFO, ERROR, DEBUG] Default: INFO Description: Lambda Function Logging Level Type: String pLogArchiveAccountId: AllowedPattern: ^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$ ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: AWS Account ID of the Control Tower Log Archive account. Type: String pOrganizationId: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: AWS Organizations ID Type: String pRootOrganizationalUnitId: AllowedPattern: '^r-[0-9a-z]{4,32}$' ConstraintDescription: Must start with 'r-' followed by from 4 to 32 lowercase letters or digits. (e.g. r-abc123) Description: Root Organizational Unit ID Type: String pSRAAlarmEmail: AllowedPattern: '^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$' ConstraintDescription: Must be a valid email address. Default: '' Description: (Optional) Email address for receiving SRA alarms Type: String pSRASolutionName: AllowedValues: [sra-guardduty-org] Default: sra-guardduty-org Description: The SRA solution name. The default value is the folder name of the solution Type: String pSRAStagingS3BucketName: AllowedPattern: '^([\w.-]{1,900})$|^(\/[\w.-]{1,900})*[\w.-]{1,900}$' ConstraintDescription: Must be alphanumeric or special characters [., _, -]. In addition, the slash character ( / ) used to delineate hierarchies in parameter names. Description: SRA Staging S3 bucket name for the artifacts relevant to solution. (e.g., lambda zips, CloudFormation templates) S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String pSRASolutionVersion: AllowedValues: [v1.2] Default: v1.2 Description: The SRA solution version. Used to trigger updates on the nested StackSets. Type: String Resources: rGuardDutyDeleteDetectorIAMRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-delete-detector-role AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for deleting GuardDuty detectors. ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 100 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SERVICE_MANAGED StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: - !Ref pRootOrganizationalUnitId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delete-detector-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeleteDetectorIAMRoleStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delete-detector-role.yaml Tags: - Key: sra-solution Value: !Ref pSRASolutionName Parameters: pManagementAccountId: !Ref AWS::AccountId rGuardDutyConfigurationIAMRoleStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-configuration-role AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Capabilities: - CAPABILITY_NAMED_IAM Description: !Sub ${pSRASolutionVersion} - Deploys an IAM role via ${pSRASolutionName} for configuring GuardDuty ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-configuration-role.yaml Parameters: - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeliveryKMSKeyStackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: sra-guardduty-org-delivery-kms-key AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting GuardDuty findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pAuditAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delivery-kms-key.yaml Parameters: - ParameterKey: pGuardDutyOrgDeliveryKeyAlias ParameterValue: !Ref pGuardDutyOrgDeliveryKeyAlias - ParameterKey: pLogArchiveAccountId ParameterValue: !Ref pLogArchiveAccountId - ParameterKey: pManagementAccountId ParameterValue: !Ref AWS::AccountId - ParameterKey: pSRASecretsKeyAliasArn ParameterValue: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${pAuditAccountId}:alias/sra-secrets-key Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyDeliveryS3BucketStackSet: Type: AWS::CloudFormation::StackSet DependsOn: rGuardDutyDeliveryKMSKeyStackSet Properties: StackSetName: sra-guardduty-org-delivery-s3-bucket AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/AWSControlTowerStackSetRole CallAs: SELF Description: !Sub ${pSRASolutionVersion} - Deploys a KMS Key via ${pSRASolutionName} for encrypting GuardDuty findings ExecutionRoleName: AWSControlTowerExecution ManagedExecution: Active: true OperationPreferences: FailureTolerancePercentage: 0 MaxConcurrentPercentage: 100 RegionConcurrencyType: PARALLEL PermissionModel: SELF_MANAGED StackInstancesGroup: - DeploymentTargets: Accounts: - !Ref pLogArchiveAccountId Regions: - !Ref AWS::Region TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-delivery-s3-bucket.yaml Parameters: - ParameterKey: pGuardDutyOrgDeliveryBucketPrefix ParameterValue: !Ref pGuardDutyOrgDeliveryBucketPrefix - ParameterKey: pGuardDutyOrgDeliveryKMSKeyArn ParameterValue: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/guardduty_org_delivery_key_arn:SecretString:GuardDutyDeliveryKeyArn:AWSCURRENT}}' Tags: - Key: sra-solution Value: !Ref pSRASolutionName rGuardDutyConfigurationStack: Type: AWS::CloudFormation::Stack DeletionPolicy: Delete DependsOn: - rGuardDutyDeleteDetectorIAMRoleStackSet - rGuardDutyDeleteDetectorIAMRoleStack - rGuardDutyDeliveryS3BucketStackSet - rGuardDutyConfigurationIAMRoleStackSet UpdateReplacePolicy: Delete Properties: TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-guardduty-org-configuration.yaml Parameters: pAutoEnableS3Logs: !Ref pAutoEnableS3Logs pAutoEnableKubernetesAuditLogs: !Ref pAutoEnableKubernetesAuditLogs pAutoEnableMalwareProtection: !Ref pAutoEnableMalwareProtection pEnableRdsLoginEvents: !Ref pEnableRdsLoginEvents pEnableEksRuntimeMonitoring: !Ref pEnableEksRuntimeMonitoring pEnableEksAddonManagement: !Ref pEnableEksAddonManagement pEnableLambdaNetworkLogs: !Ref pEnableLambdaNetworkLogs pControlTowerRegionsOnly: !Ref pControlTowerRegionsOnly pCreateLambdaLogGroup: !Ref pCreateLambdaLogGroup pDelegatedAdminAccountId: !Ref pAuditAccountId pDisableGuardDuty: !Ref pDisableGuardDuty pEnabledRegions: !Ref pEnabledRegions pFindingPublishingFrequency: !Ref pFindingPublishingFrequency pKMSKeyArn: !Sub '{{resolve:secretsmanager:arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${pAuditAccountId}:secret:sra/guardduty_org_delivery_key_arn:SecretString:GuardDutyDeliveryKeyArn:AWSCURRENT}}' pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention pLambdaLogLevel: !Ref pLambdaLogLevel pOrganizationId: !Ref pOrganizationId pPublishingDestinationBucketName: !Sub ${pGuardDutyOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region} pSRAAlarmEmail: !Ref pSRAAlarmEmail pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName Tags: - Key: sra-solution Value: !Ref pSRASolutionName