adding guardduty-notification module

4 years ago · f2b87eb44d
parent 06506e5b9c
commit f2b87eb44d
3 changed files with 80 additions and 0 deletions
--- a/security/guardduty-notifications/README.md
+++ b/security/guardduty-notifications/README.md
@ -0,0 +1,29 @@
+# guardduty-notifications
+
+This module sets up Cloudwatch Event rules which both logs to Cloudwatch and notifies a given SNS topic to inform administrators of any Guard Duty findings.
+
+https://aws.amazon.com/guardduty/
+
+## Usage
+
+```
+module "guardduty-notifications" {
+  source = "github.com/lalanza808/tf-modules.git/security/guardduty-notifications"
+}
+```
+
+## Inputs
+
+You should provide the following input, which is the SNS Topic ARN you wish to publish messages to:
+
+* `sns_topic_arn`
+
+If you don't provide it, the results will still be emitted to a Cloudwatch Logs group.
+
+You can override the following inputs:
+
+* `prefix`
+* `tags`
+* `log_retention`
+
+See all inputs here: [variables.tf](./variables.tf)
--- a/security/guardduty-notifications/main.tf
+++ b/security/guardduty-notifications/main.tf
@ -0,0 +1,35 @@
+resource "aws_cloudwatch_event_rule" "guardduty" {
+  name        = "${var.prefix}-guardduty"
+  description = "Capture AWS Guard Duty findings and notify operations"
+
+  event_pattern = <<PATTERN
+{
+  "source": [
+    "aws.guardduty"
+  ],
+  "detail-type": [
+    "GuardDuty Finding"
+  ]
+}
+PATTERN
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_log_group" "guardduty" {
+  name              = "/aws/events/${var.prefix}-guardduty"
+  retention_in_days = var.log_retention
+}
+
+resource "aws_cloudwatch_event_target" "guardduty-sns" {
+  count     = length(var.sns_topic_arn) > 0 ? 1 : 0
+  rule      = aws_cloudwatch_event_rule.guardduty.name
+  target_id = "send_to_sns"
+  arn       = var.sns_topic_arn
+}
+
+resource "aws_cloudwatch_event_target" "guardduty-cwlogs" {
+  rule      = aws_cloudwatch_event_rule.guardduty.name
+  target_id = "send_to_cloudwatch_logs"
+  arn       = aws_cloudwatch_log_group.guardduty.arn
+}
--- a/security/guardduty-notifications/variables.tf
+++ b/security/guardduty-notifications/variables.tf
@ -0,0 +1,16 @@
+variable "sns_topic_arn" {
+  description = "ARN of the SNS topic to recieve notifications"
+  default     = ""
+}
+variable "tags" {
+  default     = {}
+  type        = map
+  description = "Optional set of tags to apply to the infrastructure"
+}
+variable "prefix" {
+  default     = "security"
+  description = "String to prefix to all resources"
+}
+variable "log_retention" {
+  default = 90
+}