final updates for opt-in regions to work

cyphronix · cyphronix · commit 06c7a41e91d0 · 2024-06-18T10:00:31.000-06:00
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py
@@ -201,40 +201,6 @@ def process_create_update_event(params: dict, regions: list) -> None:
         detectors_exist = False
         run_count = 0
 
-        # temp move while loop around to configure GD first 061324
-        # else:
-        auto_enable_s3_logs = (params.get("AUTO_ENABLE_S3_LOGS", "false")).lower() in "true"
-        enable_eks_audit_logs = (params.get("ENABLE_EKS_AUDIT_LOGS", "false")).lower() in "true"
-        auto_enable_malware_protection = (params.get("AUTO_ENABLE_MALWARE_PROTECTION", "false")).lower() in "true"
-        enable_rds_login_events = (params.get("ENABLE_RDS_LOGIN_EVENTS", "false")).lower() in "true"
-        enable_eks_addon_management = (params.get("ENABLE_EKS_ADDON_MANAGEMENT", "false")).lower() in "true"
-        enable_lambda_network_logs = (params.get("ENABLE_LAMBDA_NETWORK_LOGS", "false")).lower() in "true"
-        enable_runtime_monitoring = (params.get("ENABLE_RUNTIME_MONITORING", "false")).lower() in "true"
-        enable_ecs_fargate_agent_management = (params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", "false")).lower() in "true"
-        enable_ec2_agent_management = (params.get("ENABLE_EC2_AGENT_MANAGEMENT", "false")).lower() in "true"
-
-        gd_features = {
-            "S3_DATA_EVENTS": auto_enable_s3_logs,
-            "EKS_AUDIT_LOGS": enable_eks_audit_logs,
-            "EBS_MALWARE_PROTECTION": auto_enable_malware_protection,
-            "RDS_LOGIN_EVENTS": enable_rds_login_events,
-            "LAMBDA_NETWORK_LOGS": enable_lambda_network_logs,
-            "RUNTIME_MONITORING": enable_runtime_monitoring,
-            "EKS_ADDON_MANAGEMENT": enable_eks_addon_management,
-            "ECS_FARGATE_AGENT_MANAGEMENT": enable_ecs_fargate_agent_management,
-            "EC2_AGENT_MANAGEMENT": enable_ec2_agent_management,
-        }
-
-        guardduty.configure_guardduty(
-            session,
-            params["DELEGATED_ADMIN_ACCOUNT_ID"],
-            gd_features,
-            regions,
-            params.get("FINDING_PUBLISHING_FREQUENCY", "FIFTEEN_MINUTES"),
-            params["KMS_KEY_ARN"],
-            params["PUBLISHING_DESTINATION_BUCKET_ARN"],
-        )
-
         while not detectors_exist and run_count < MAX_RUN_COUNT:
             run_count += 1
             detectors_exist = guardduty.check_for_detectors(session, regions)
@@ -244,6 +210,38 @@ def process_create_update_event(params: dict, regions: list) -> None:
 
         if not detectors_exist:
             raise ValueError("GuardDuty Detectors did not get created in the allowed time. Check the Org Management delegated admin setup.")
+        else:
+            auto_enable_s3_logs = (params.get("AUTO_ENABLE_S3_LOGS", "false")).lower() in "true"
+            enable_eks_audit_logs = (params.get("ENABLE_EKS_AUDIT_LOGS", "false")).lower() in "true"
+            auto_enable_malware_protection = (params.get("AUTO_ENABLE_MALWARE_PROTECTION", "false")).lower() in "true"
+            enable_rds_login_events = (params.get("ENABLE_RDS_LOGIN_EVENTS", "false")).lower() in "true"
+            enable_eks_addon_management = (params.get("ENABLE_EKS_ADDON_MANAGEMENT", "false")).lower() in "true"
+            enable_lambda_network_logs = (params.get("ENABLE_LAMBDA_NETWORK_LOGS", "false")).lower() in "true"
+            enable_runtime_monitoring = (params.get("ENABLE_RUNTIME_MONITORING", "false")).lower() in "true"
+            enable_ecs_fargate_agent_management = (params.get("ENABLE_ECS_FARGATE_AGENT_MANAGEMENT", "false")).lower() in "true"
+            enable_ec2_agent_management = (params.get("ENABLE_EC2_AGENT_MANAGEMENT", "false")).lower() in "true"
+
+            gd_features = {
+                "S3_DATA_EVENTS": auto_enable_s3_logs,
+                "EKS_AUDIT_LOGS": enable_eks_audit_logs,
+                "EBS_MALWARE_PROTECTION": auto_enable_malware_protection,
+                "RDS_LOGIN_EVENTS": enable_rds_login_events,
+                "LAMBDA_NETWORK_LOGS": enable_lambda_network_logs,
+                "RUNTIME_MONITORING": enable_runtime_monitoring,
+                "EKS_ADDON_MANAGEMENT": enable_eks_addon_management,
+                "ECS_FARGATE_AGENT_MANAGEMENT": enable_ecs_fargate_agent_management,
+                "EC2_AGENT_MANAGEMENT": enable_ec2_agent_management,
+            }
+
+            guardduty.configure_guardduty(
+                session,
+                params["DELEGATED_ADMIN_ACCOUNT_ID"],
+                gd_features,
+                regions,
+                params.get("FINDING_PUBLISHING_FREQUENCY", "FIFTEEN_MINUTES"),
+                params["KMS_KEY_ARN"],
+                params["PUBLISHING_DESTINATION_BUCKET_ARN"],
+            )
 
 
 def process_sns_records(records: list) -> None:
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/common.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/common.py
@@ -53,7 +53,7 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
     Returns:
         Session object for the specified AWS account
     """
-    # TODO(liamschn): move this to correct place
+    # set regional endpoint environment variable to account for potential opt-in regions
     os.environ["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"
 
     if not session:
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py b/aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/guardduty.py
@@ -405,7 +405,6 @@ def set_org_configuration_params(detector_id: str, gd_features: dict) -> dict:
         "DetectorId": detector_id,
         "AutoEnable": True,
         "Features": features_config,
-        # "AutoEnableOrganizationMembers": "ALL",
     }
     name = ""
     auto_enable_type = ""
@@ -504,9 +503,6 @@ def configure_guardduty(  # noqa: CFQ002, CFQ001
 
     # Loop through the regions and enable GuardDuty
     for region in region_list:
-        # if region == "ap-southeast-4":
-        #     LOGGER.info(f"skipping ap-southeast-4")
-        # else:
         LOGGER.info(f"Configuring GuardDuty in {region}")
         regional_guardduty: GuardDutyClient = session.client("guardduty", region_name=region, config=BOTO3_CONFIG)
         detectors = regional_guardduty.list_detectors()
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml
@@ -70,6 +70,12 @@ Conditions:
 
 Resources:
   rGuardDutyDeliveryKey:
+    # checkov:skip=CKV_AWS_33:Ensure KMS key policy does not contain wildcard (*) principal
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F76
+            reason: "Opt-in regions may be used and so conditional policy is required"
     Type: AWS::KMS::Key
     Properties:
       Description: SRA GuardDuty Delivery Key
@@ -92,8 +98,8 @@ Resources:
             Principal:
               Service: guardduty.amazonaws.com
 
-            # TODO(liamschn): temp fix for key permissions for opt-in region
-          - Sid: Allow ap-southeast-4 GuardDuty to encrypt logs
+            # key permissions for potential opt-in regions (conditional)
+          - Sid: Allow opt-in region GuardDuty to encrypt logs
             Effect: Allow
             Action: kms:GenerateDataKey
             Resource: '*'
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml b/aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-s3-bucket.yaml
@@ -128,7 +128,7 @@ Resources:
               Service:
                 - guardduty.amazonaws.com
 
-          # TODO(liamschn): bucket perm/location check allow for opt-in region (ap-southeast-4)
+          # Bucket perm/location check allow for potential opt-in regions
           - Sid: AWSBucketPermissionsCheck
             Effect: Allow
             Action:
@@ -152,18 +152,18 @@ Resources:
               Service:
                 - guardduty.amazonaws.com
 
-          # TODO(liamschn): bucket delivery allow for opt-in region (ap-southeast-4)
-          - Sid: AWSBucketDeliveryApSoutheast4
+          # Bucket delivery allow for potential opt-in regions
+          - Sid: AWSBucketDeliveryOptinRegions
             Effect: Allow
             Action: s3:PutObject
-            # Condition:
-            #   StringEquals:
-            #     s3:x-amz-acl: bucket-owner-full-control
+            Condition:
             Resource: !Sub arn:aws:s3:::${rGuardDutyDeliveryS3Bucket}/*
             Principal: '*'
             Condition:
               StringLike:
                 aws:PrincipalServiceName: guardduty.*.amazonaws.com
+              StringEquals:
+                s3:x-amz-acl: bucket-owner-full-control
 
           - Sid: DenyUnencryptedObjectUploads
             Effect: Deny
@@ -176,8 +176,8 @@ Resources:
               Service:
                 - guardduty.amazonaws.com
 
-          # TODO(liamschn): unencryption object upload deny for opt-in region (ap-southeast-4)
-          - Sid: DenyUnencryptedObjectUploadsApSoutheast4
+          # Unencryption object upload deny for potential opt-in regions
+          - Sid: DenyUnencryptedObjectUploadsOptinRegions
             Effect: Deny
             Action: s3:PutObject
             Condition:
@@ -200,8 +200,8 @@ Resources:
               Service:
                 - guardduty.amazonaws.com
 
-          # TODO(liamschn): incorrect encryption header deny for opt-in region (ap-southeast-4)
-          - Sid: DenyIncorrectEncryptionHeaderApSoutheast4
+          # Incorrect encryption header deny for potential opt-in regions
+          - Sid: DenyIncorrectEncryptionHeaderOptinRegions
             Effect: Deny
             Action: s3:PutObject
             Condition:
