diff --git a/src/deployments/cdk/src/deployments/guardduty/guardduty.ts b/src/deployments/cdk/src/deployments/guardduty/guardduty.ts
index 06240effb..32d49f667 100644
--- a/src/deployments/cdk/src/deployments/guardduty/guardduty.ts
+++ b/src/deployments/cdk/src/deployments/guardduty/guardduty.ts
@@ -182,11 +182,34 @@ export async function step3(props: GuardDutyStep3Props) {
 export async function enableGuardDutyPolicy(props: GuardDutyStep3Props) {
 const { logBucket } = props;
+ const servicePrincipals = [new iam.ServicePrincipal('guardduty.amazonaws.com')];
+ const optinRegions = [
+ 'af-south-1',
+ 'ap-east-1',
+ 'ap-south-2',
+ 'ap-southeast-3',
+ 'ap-southeast-4',
+ 'ca-west-1',
+ 'eu-central-2',
+ 'eu-south-1',
+ 'eu-south-2',
+ 'il-central-1',
+ 'me-central-1',
+ 'me-south-1',
+ ];
+
+ optinRegions.map(optinRegion => {
+ if (props.config['global-options']['supported-regions'].includes(optinRegion)) {
+ // Ideally want to query aws account list-regions --region-opt-status-contains ENABLED, and intersect with what is configured
+ servicePrincipals.push(new iam.ServicePrincipal(`guardduty.${optinRegion}.amazonaws.com`));
+ }
+ });
+
 // Grant GuardDuty permission to logBucket: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
 logBucket.addToResourcePolicy(
 new iam.PolicyStatement({
 actions: ['s3:GetBucketLocation', 's3:PutObject'],
- principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
+ principals: servicePrincipals,
 resources: [logBucket.bucketArn, logBucket.arnForObjects('*')],
 }),
 );
@@ -194,7 +217,7 @@ export async function enableGuardDutyPolicy(props: GuardDutyStep3Props) {
 logBucket.encryptionKey?.addToResourcePolicy(
 new iam.PolicyStatement({
 sid: 'Allow Guardduty to use the key',
- principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
+ principals: servicePrincipals,
 actions: ['kms:GenerateDataKey', 'kms:Encrypt'],
 resources: ['*'],
 }),
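Review bot: `optinRegions.map(optinRegion => {` is used only for its side effect of pushing into `servicePrincipals` and the array it returns is thrown away; change it to `optinRegions.forEach(optinRegion => {` (or derive the list with `filter`/`map` and no mutation) so the intent is explicit and lint rules such as `array-callback-return` do not flag it. The hard-coded `optinRegions` list will drift as AWS adds opt-in regions, and every region that also appears in `supported-regions` receives an `s3:PutObject` grant and, in the second hunk, a `kms:GenerateDataKey`/`kms:Encrypt` grant for its regional GuardDuty principal whether or not GuardDuty is actually enabled there, as the inline comment already concedes; a `// TODO` stating where this list is to be maintained and reviewed would help the next maintainer. Neither resource-policy statement carries a condition such as `aws:SourceAccount` scoping the grant to this organisation's accounts, so the service principal is the only restriction; the pre-existing statement had none either, but the GuardDuty export-findings guidance linked in the comment appears to recommend one, which is worth confirming and tightening in both hunks. `enableGuardDutyPolicy` continues beyond the end of both hunks.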