# Terraform Module for AWS GuardDuty
Terraform module that creates AWS GuardDuty resources.
- [Terraform Module for AWS GuardDuty](#terraform-module-for-aws-guardduty)
  - [Usage](#usage)
    - [Standalone](#standalone)
    - [Organizations](#organizations)
  - [Overview Diagrams](#overview-diagrams)
    - [Standalone](#standalone-1)
    - [Organizations](#organizations-1)
  - [Terraform Module](#terraform-module)
## Usage
### Standalone
```hcl
module "guardduty" {
  source = "aws-ia/terraform-aws-guardduty/aws"
  replica_region               = "us-east-1"
  enable_guardduty             = true
  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  filter_config = [{
    name        = "guardduty_filter"
    description = "AWS GuardDuty example filter."
    rank        = 1
    action      = "ARCHIVE"
    criterion = [
      {
        field  = "region"
        equals = ["us-west-2"]
      },
      {
        field      = "service.additionalInfo.threatListName"
        not_equals = ["some-threat", "another-threat"]
      },
      {
        field        = "updatedAt"
        greater_than = "2023-01-01T00:00:00Z"
        less_than    = "2023-12-31T23:59:59Z"
      },
      {
        field                 = "severity"
        greater_than_or_equal = "4"
      }
  ] }]
  ipset_config = [{
    activate = false
    name     = "DefaultGuardDutyIPSet"
    format   = "TXT"
    content  = "10.0.0.0/8\n"
    key      = "DefaultGuardDutyIPSet"
  }]
  threatintelset_config = [{
    activate   = false
    name       = "DefaultGuardThreatIntelSet"
    format     = "TXT"
    content    = "1.10.16.0/20\n1.19.0.0/16\n"
    key        = "DefaultGuardThreatIntelSet"
    object_acl = "public-read"
  }]
  publish_to_s3        = true
  guardduty_bucket_acl = "private"
  tags                 = {}
}
```
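Because an `ARCHIVE` filter silently suppresses findings, it is worth dry-running the `filter_config` criteria against sample findings before applying them. The following is an added Python example (not part of the aws-ia module) that evaluates the criterion list from the Standalone example above using the operator semantics listed under `filter_config` in the Inputs table; it assumes comparison values are integers or RFC 3339 timestamps (anything else is compared as a plain string), that criterion entries are ANDed, and that a finding missing the field never matches.

```python
# Added example (not the module's code): dry-run a filter_config criterion list
# against a GuardDuty finding dict to see whether the ARCHIVE action would fire.
import operator
from datetime import datetime
from typing import Any

EXAMPLE_CRITERION = [  # criterion list copied from the Standalone example
    {"field": "region", "equals": ["us-west-2"]},
    {"field": "service.additionalInfo.threatListName",
     "not_equals": ["some-threat", "another-threat"]},
    {"field": "updatedAt", "greater_than": "2023-01-01T00:00:00Z",
     "less_than": "2023-12-31T23:59:59Z"},
    {"field": "severity", "greater_than_or_equal": "4"},
]

_ORDERED = {"greater_than": operator.gt, "greater_than_or_equal": operator.ge,
            "less_than": operator.lt, "less_than_or_equal": operator.le}


def _coerce(value: Any) -> Any:  # number, epoch seconds, or plain string
    text = str(value)
    for parse in (float, lambda t: datetime.fromisoformat(t.replace("Z", "+00:00")).timestamp()):
        try:
            return parse(text)
        except ValueError:
            pass
    return text


def _lookup(finding: dict, path: str) -> Any:  # dotted path, e.g. service.additionalInfo.x
    node: Any = finding
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(finding: dict, criterion: list) -> bool:
    """True when the finding satisfies every criterion entry (assumed AND semantics)."""
    for crit in criterion:
        actual = _lookup(finding, crit["field"])
        if actual is None:
            return False
        if "equals" in crit and str(actual) not in crit["equals"]:
            return False
        if "not_equals" in crit and str(actual) in crit["not_equals"]:
            return False
        for op, test in _ORDERED.items():
            if op in crit and not test(_coerce(actual), _coerce(crit[op])):
                return False
    return True
```

Feed it findings exported from a detector (or constructed ones) to confirm that only the intended findings would be archived.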
### Organizations
```hcl
module "delegated_admin" {
  source = "aws-ia/terraform-aws-guardduty/aws//modules/organizations_admin"
  admin_account_id                 = data.aws_caller_identity.current.account_id
  auto_enable_organization_members = "ALL"
  guardduty_detector_id            = module.guardduty_detector.guardduty_detector.id
  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
}
module "guardduty_detector" {
  source = "aws-ia/terraform-aws-guardduty/aws"
  enable_guardduty = true
  enable_s3_protection         = true
  enable_kubernetes_protection = true
  enable_malware_protection    = true
  enable_snapshot_retention    = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  tags                         = {}
}
```
## Overview Diagrams
### Standalone

### Organizations

## Terraform Module
### Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [aws](#requirement\_aws) | >= 4.47 |
| [random](#requirement\_random) | >= 3.4 |
### Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.47 |
| [aws.replica](#provider\_aws.replica) | >= 4.47 |
| [random](#provider\_random) | >= 3.4 |
### Modules
| Name | Source | Version |
|------|--------|---------|
| [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
| [replica\_bucket](#module\_replica\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
### Resources
| Name | Type |
|------|------|
| [aws_guardduty_detector.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource |
| [aws_guardduty_filter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_filter) | resource |
| [aws_guardduty_ipset.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_ipset) | resource |
| [aws_guardduty_publishing_destination.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_publishing_destination) | resource |
| [aws_guardduty_threatintelset.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_threatintelset) | resource |
| [aws_iam_policy.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kms_key.guardduty_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.replica_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_s3_object.ipset_object](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
| [aws_s3_object.threatintelset_object](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
| [random_string.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.bucket_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.bucket_replication_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.guardduty_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.guardduty_kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.guardduty_replica_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [enable\_guardduty](#input\_enable\_guardduty) | Enable monitoring and feedback reporting. Setting to false is equivalent to 'suspending' GuardDuty. Defaults to `true`. | `bool` | `true` | no |
| [enable\_kubernetes\_protection](#input\_enable\_kubernetes\_protection) | Configure and enable Kubernetes audit logs as a data source for Kubernetes protection. Defaults to `true`. | `bool` | `true` | no |
| [enable\_malware\_protection](#input\_enable\_malware\_protection) | Configure and enable Malware Protection as a data source for EC2 instances with findings for the detector. Defaults to `true`. | `bool` | `true` | no |
| [enable\_s3\_protection](#input\_enable\_s3\_protection) | Configure and enable S3 protection. Defaults to `true`. | `bool` | `true` | no |
| [enable\_snapshot\_retention](#input\_enable\_snapshot\_retention) | Enable EBS snapshot retention for 30 days if any findings exist. Defaults to `false`. | `bool` | `false` | no |
| [filter\_config](#input\_filter\_config) | Specifies AWS GuardDuty Filter configuration.<br>`name` - The name of the filter.<br>`rank` - Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.<br>`action` - Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.<br>`criterion` - Configuration block for `finding_criteria`. Composed of `field` and one or more of the following operators: `equals` \| `not_equals` \| `greater_than` \| `greater_than_or_equal` \| `less_than` \| `less_than_or_equal`. | `list(object({ name = string, description = optional(string), rank = number, action = string, criterion = list(object({ field = string, equals = optional(list(string)), not_equals = optional(list(string)), greater_than = optional(string), greater_than_or_equal = optional(string), less_than = optional(string), less_than_or_equal = optional(string) })) }))` | `null` | no |
| [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: `FIFTEEN_MINUTES`, `ONE_HOUR`, `SIX_HOURS`. Defaults to `SIX_HOURS`. | `string` | `"FIFTEEN_MINUTES"` | no |
| [guardduty\_bucket\_acl](#input\_guardduty\_bucket\_acl) | Canned ACL to apply to the bucket. Valid values are `private` \| `public-read` \| `public-read-write` \| `aws-exec-read` \| `authenticated-read` \| `bucket-owner-read` \| `bucket-owner-full-control`. Defaults to `null`. | `string` | `null` | no |
| [guardduty\_s3\_bucket](#input\_guardduty\_s3\_bucket) | Name of the S3 Bucket for GuardDuty. Defaults to `null`. | `string` | `null` | no |
| [ipset\_config](#input\_ipset\_config) | Specifies AWS GuardDuty IPSet configuration. | `list(object({ activate = bool, name = string, format = string, content = string, key = string }))` | `null` | no |
| [publish\_to\_s3](#input\_publish\_to\_s3) | Specifies if the Amazon GuardDuty findings should be exported to S3. Defaults to `false`. | `bool` | `false` | no |
| [publishing\_config](#input\_publishing\_config) | Defines the findings publishing configuration. | `list(object({ destination_arn = string, kms_key_arn = string, destination_type = optional(string) }))` | `[{ "destination_arn": null, "destination_type": "S3", "kms_key_arn": null }]` | no |
| [replica\_region](#input\_replica\_region) | Region where S3 bucket data from Amazon GuardDuty will be replicated. Defaults to `null`. | `string` | `null` | no |
| [tags](#input\_tags) | Key-value map of resource tags. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. Defaults to `{}`. | `map(any)` | `{}` | no |
| [threatintelset\_config](#input\_threatintelset\_config) | Specifies AWS GuardDuty ThreatIntelSet configuration. | `list(object({ activate = bool, name = string, format = string, content = string, key = string, object_acl = string }))` | `null` | no |
### Outputs
| Name | Description |
|------|-------------|
| [guardduty\_detector](#output\_guardduty\_detector) | AWS GuardDuty Detector. |
| [guardduty\_filter](#output\_guardduty\_filter) | AWS GuardDuty Findings Filters definition. |
| [guardduty\_ipset](#output\_guardduty\_ipset) | AWS GuardDuty trusted IPSet configuration. |
| [guardduty\_kms\_key](#output\_guardduty\_kms\_key) | Amazon KMS Key created to encrypt AWS GuardDuty's S3 Bucket. |
| [guardduty\_kms\_replica\_key](#output\_guardduty\_kms\_replica\_key) | Amazon KMS Key created to encrypt AWS GuardDuty's S3 Replica Bucket. |
| [guardduty\_log\_bucket](#output\_guardduty\_log\_bucket) | Amazon S3 Log Bucket created for AWS GuardDuty. |
| [guardduty\_publishing](#output\_guardduty\_publishing) | AWS GuardDuty Publishing destination to export findings. |
| [guardduty\_replica\_bucket](#output\_guardduty\_replica\_bucket) | Amazon S3 Replica Bucket created for AWS GuardDuty. |
| [guardduty\_s3\_bucket](#output\_guardduty\_s3\_bucket) | Amazon S3 Bucket created for AWS GuardDuty. |
| [guardduty\_threatintelset](#output\_guardduty\_threatintelset) | AWS GuardDuty known ThreatIntelSet configuration. |