add opt-in region for guardduty
rjjaegeraws committed Apr 1, 2024
1 parent b31529a commit f9dc99d
Showing 1 changed file with 25 additions and 2 deletions.
27 changes: 25 additions & 2 deletions src/deployments/cdk/src/deployments/guardduty/guardduty.ts
Expand Up @@ -182,19 +182,42 @@ export async function step3(props: GuardDutyStep3Props) {
export async function enableGuardDutyPolicy(props: GuardDutyStep3Props) {
const { logBucket } = props;

let servicePrincipals = [new iam.ServicePrincipal('guardduty.amazonaws.com')];

GitHub Actions / Linter: check failure on line 185 in src/deployments/cdk/src/deployments/guardduty/guardduty.ts: 'servicePrincipals' is never reassigned. Use 'const' instead
const optin_regions = [

GitHub Actions / Linter: check failure on line 186 in src/deployments/cdk/src/deployments/guardduty/guardduty.ts: Variable name `optin_regions` must match one of the following formats: camelCase, UPPER_CASE, PascalCase
'af-south-1',
'ap-east-1',
'ap-south-2',
'ap-southeast-3',
'ap-southeast-4',
'ca-west-1',
'eu-central-2',
'eu-south-1',
'eu-south-2',
'il-central-1',
'me-central-1',
'me-south-1',
];

optin_regions.map(optin_region => {
if (props.config['global-options']['supported-regions'].includes(optin_region)) {
// Ideally want to query aws account list-regions --region-opt-status-contains ENABLED, and intersect with what is configured
servicePrincipals.push(new iam.ServicePrincipal(`guardduty.${optin_region}.amazonaws.com`));
}
});

// Grant GuardDuty permission to logBucket: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
logBucket.addToResourcePolicy(
new iam.PolicyStatement({
actions: ['s3:GetBucketLocation', 's3:PutObject'],
principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
principals: servicePrincipals,
resources: [logBucket.bucketArn, logBucket.arnForObjects('*')],
}),
);

logBucket.encryptionKey?.addToResourcePolicy(
new iam.PolicyStatement({
sid: 'Allow Guardduty to use the key',
principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
principals: servicePrincipals,
actions: ['kms:GenerateDataKey', 'kms:Encrypt'],
resources: ['*'],
}),
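Review bot: `optin_regions.map(optin_region => { ... })` is used only for its side effect of pushing into `servicePrincipals` and its returned array is discarded; use `forEach`, or better build the whole list in one expression so `servicePrincipals` can be `const` (which also clears the linter failure on line 185), e.g. `const servicePrincipals = ['guardduty.amazonaws.com', ...optInRegions.filter(r => supportedRegions.includes(r)).map(r => \`guardduty.${r}.amazonaws.com\`)].map(p => new iam.ServicePrincipal(p));` with the array renamed to `optInRegions` to clear the naming failure on line 186. The hardcoded opt-in list will also drift as AWS adds regions: a configured supported region that is opt-in but absent from this array silently keeps only the global `guardduty.amazonaws.com` principal, so findings export to `logBucket` fails for that region with no error at deploy time; either document that this array must be maintained alongside `supported-regions`, or derive it as the in-line comment about `aws account list-regions --region-opt-status-contains ENABLED` suggests. Finally, neither the bucket statement nor the KMS key statement carries a condition block when granting the regional principals; the export-findings doc linked above recommends `aws:SourceAccount` (and `aws:SourceArn`) conditions on these statements so that a GuardDuty detector in another account cannot write to this bucket or use this key.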

0 comments on commit f9dc99d

Please sign in to comment.