GuardDuty is not enabled at organization level
ID: guard_duty_not_enabled_org_level
Severity: low
Vendor: AWS
Resource: GuardDuty
Tags: reachable
Description
Amazon GuardDuty is a threat detection service that monitors certain events in audit and management logs, and analyzes EBS volume data for malware protection. This is a regional service, and it is recommended to have GuardDuty enabled in all supported AWS regions.
This detector checks that the GuardDuty detector is enabled and that its organization configuration has auto_enable set. It also checks that the organization's data source settings (for example s3_logs auto_enable) match the detector's expected configuration.
For more information, please read Getting started with GuardDuty, as well as the aws_guardduty_detector and aws_guardduty_organization_configuration Terraform resources.
Examples
resource "aws_guardduty_detector" "guard_duty" {
  enable = false # (1)
}

resource "aws_guardduty_organization_configuration" "org_conf" {
  auto_enable = false # (2)
  detector_id = aws_guardduty_detector.guard_duty.id

  datasources {
    s3_logs {
      auto_enable = false # (3)
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}
(1) GuardDuty is "suspended": no monitoring or reporting.
(2) GuardDuty is not enabled in the current AWS Region.
(3) The detector configuration requires this to be true, so S3 data event logs are enabled for new members of the organization.
Mitigation / Fix
Buildtime
Terraform
resource "aws_guardduty_detector" "guard_duty" {
  enable = true // FIXED
}

resource "aws_guardduty_organization_configuration" "org_conf" {
  auto_enable = true // FIXED
  detector_id = aws_guardduty_detector.guard_duty.id

  datasources {
    s3_logs {
      auto_enable = true // FIXED
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}
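The three conditions behind callouts (1) to (3), as an added Python example that is not the detector's own implementation: a small parser for the HCL subset shown on this page (assumption: only nested blocks, key = value lines and # or // comments; not a full HCL parser) plus the check itself, run against constructed "before" and "after" samples modelled on the Terraform above.

```python
import re

TEMPLATE = """
resource "aws_guardduty_detector" "guard_duty" {{
  enable = {enable}
}}
resource "aws_guardduty_organization_configuration" "org_conf" {{
  auto_enable = {auto_enable}  // auto-enrol new member accounts
  detector_id = aws_guardduty_detector.guard_duty.id
  datasources {{
    s3_logs {{
      auto_enable = {s3}
    }}
  }}
}}
"""
BAD_HCL = TEMPLATE.format(enable="false", auto_enable="false", s3="false")  # constructed "before" sample
FIXED_HCL = TEMPLATE.format(enable="true", auto_enable="true", s3="true")  # constructed "after" sample

def parse_hcl(text):
    """Parse the HCL subset used here (nested blocks, key = value, # or // comments) into nested dicts."""
    stack = [{}]  # stack[-1] is the block currently being filled; stack[0] is the root
    for raw in text.splitlines():
        line = re.sub(r"\s*(#|//).*$", "", raw).strip()  # drop trailing comments
        if line.endswith("{"):  # block header: key is its words with quotes removed
            stack.append(stack[-1].setdefault(" ".join(w.strip('"') for w in line[:-1].split()), {}))
        elif line == "}":
            stack.pop()
        elif line:
            k, _, v = (s.strip() for s in line.partition("="))
            stack[-1][k] = {"true": True, "false": False}.get(v, v.strip('"'))
    return stack[0]

def check_guardduty(text):
    """Return the findings this detector would raise on the given HCL (empty list means pass)."""
    cfg, findings = parse_hcl(text), []
    dets = {k: v for k, v in cfg.items() if k.startswith("resource aws_guardduty_detector ")}
    orgs = {k: v for k, v in cfg.items() if k.startswith("resource aws_guardduty_organization_configuration ")}
    if not dets or not orgs:
        findings.append("missing aws_guardduty_detector or aws_guardduty_organization_configuration")
    for name, det in dets.items():
        if det.get("enable", True) is not True:  # callout (1); provider default for enable is true
            findings.append(f"{name}: enable is not true (detector suspended)")
    for name, org in orgs.items():
        if org.get("auto_enable") is not True:  # callout (2)
            findings.append(f"{name}: auto_enable is not true")
        if org.get("datasources", {}).get("s3_logs", {}).get("auto_enable") is not True:  # callout (3)
            findings.append(f"{name}: datasources.s3_logs.auto_enable is not true")
    return findings
```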