Merge pull request #171 from aliaksei-ivanou/security-patterns-update

Security patterns update

.gitignore

@@ -22,4 +22,7 @@ yarn.lock
 # mkdocs artifact
 site
 # macOS extraneous file
-.DS_STORE
+.DS_STORE
+
+# Python virtual env directory
+*.venv*

docs/patterns/kubeflow.md

@@ -86,6 +86,3 @@ cdk destroy kubeflow-blueprint
 ## Disclaimer 
 This pattern relies on an open source NPM package eks-blueprints-cdk-kubeflow-ext. Please refer to the package npm site for more information.
 https://www.npmjs.com/package/eks-blueprints-cdk-kubeflow-ext
-
-If you have any questions about the npm package or find any defect, please post in the source repo at 
-https://github.com/season1946/eks-blueprints-cdk-kubeflow-extension

docs/patterns/security/guardduty.md

@@ -45,11 +45,7 @@ make list
 
 ### Deploying the `GuardDutySetupStack` stack
 
-The `GuardDutySetupStack` stack enables GuardDuty Detector for the account with all the features of your choice enabled. For the purposes of the Security seciton of this workshop only the GuardDuty EKS Protection features are required.
-
-![Amazon GuardDuty console](../images/2023-guardduty-2-configure.jpg)
-
-**Note:** You can only deploy this stack if you have not already enabled GuardDuty in the target account and region. If GuardDuty has been enabled already, do not attempt to deploy the stack as GuardDuty can only be enabled once per account and region. Instead, check that the [EKS Protection](https://docs.aws.amazon.com/guardduty/latest/ug/kubernetes-protection.html) features have been enabled either in the AWS GuardDuty console as shown in the image above, or using the AWS CLI, then proceed to **Deploying the blueprint workload** step.
+The `GuardDutySetupStack` stack enables GuardDuty Detector for the account with all the features of your choice enabled.
 
 To deploy the stack, run the following command:
 

lib/security/guardduty-construct/guardduty-setup.ts

@@ -5,6 +5,7 @@ import * as sns from "aws-cdk-lib/aws-sns";
 import * as subs from "aws-cdk-lib/aws-sns-subscriptions";
 import * as events from "aws-cdk-lib/aws-events";
 import * as eventTargets from "aws-cdk-lib/aws-events-targets";
+import * as AWS from "aws-sdk";
 
 const account = process.env.CDK_DEFAULT_ACCOUNT;
 const region = process.env.CDK_DEFAULT_REGION;
@@ -21,49 +22,94 @@ export class GuardDutySetupStack extends Stack {
           { name: "EKS_AUDIT_LOGS", status: "ENABLED" },
           { name: "EBS_MALWARE_PROTECTION", status: "ENABLED" },
           { name: "RDS_LOGIN_EVENTS", status: "ENABLED" },
-          {
-              name: "EKS_RUNTIME_MONITORING",
+          { name: "LAMBDA_NETWORK_LOGS", status: "ENABLED" },
+          { 
+              name: "RUNTIME_MONITORING",
               status: "ENABLED",
               additionalConfiguration: [
-                  {
-                      name: "EKS_ADDON_MANAGEMENT",
-                      status: "ENABLED",
-                  },
+                  { name: "EKS_ADDON_MANAGEMENT", status: "ENABLED" },
+                  { name: "ECS_FARGATE_AGENT_MANAGEMENT", status: "ENABLED" },
+                  { name: "EC2_AGENT_MANAGEMENT", status: "ENABLED" },
               ],
           },
       ];
 
-        // Create a GuardDuty detector
-        new aws_guardduty.CfnDetector(this, id + "GuardDutyDetector", {
-            enable: true,
-            features,
-        });
+        // check if GuardDuty is already enabled in the region
+        const guardDuty = new AWS.GuardDuty();
+        guardDuty.listDetectors({}, (err, data) => {
+            if (err) {
+                console.log(err, err.stack);
+            } else {
+                if (data.DetectorIds?.length === 0) {
+                    // Create a GuardDuty detector
+                    new aws_guardduty.CfnDetector(this, id + "GuardDutyDetector", {
+                        enable: true,
+                        features,
+                    });
+
+                    // Configure GuardDuty to email any security findings
+                    const guardDutyTopic = new sns.Topic(
+                        this,
+                        id + "GuardDutyNotificationTopic"
+                    );
+                    guardDutyTopic.addSubscription(new subs.EmailSubscription(email));
+                    const eventRule = new events.Rule(this, id + "GuardDutyEventRule", {
+                        eventPattern: {
+                            source: ["aws.guardduty"],
+                            detailType: ["GuardDuty Finding"],
+                        },
+                    });
+
+                    // Format the GuardDuty findings emails
+                    eventRule.addTarget(
+                        new eventTargets.SnsTopic(guardDutyTopic, {
+                            message: events.RuleTargetInput.fromText(
+                                `WARNING: AWS GuardDuty has discovered a ${events.EventField.fromPath(
+                                    "$.detail.type"
+                                )} security issue for ${environmentName} (${events.EventField.fromPath(
+                                    "$.region"
+                                )}). Please go to https://${events.EventField.fromPath(
+                                    "$.region"
+                                )}.console.aws.amazon.com/guardduty/ to find out more details.`
+                            ),
+                        })
+                    );
+                    return;
+                } else {
+                    console.log("GuardDuty is enabled in this region.");
+                }
 
-        // Configure GuardDuty to email any security findings
-        const guardDutyTopic = new sns.Topic(
-            this,
-            id + "GuardDutyNotificationTopic"
-        );
-        guardDutyTopic.addSubscription(new subs.EmailSubscription(email));
-        const eventRule = new events.Rule(this, id + "GuardDutyEventRule", {
-            eventPattern: {
-                source: ["aws.guardduty"],
-                detailType: ["GuardDuty Finding"],
-            },
+                // Update the existing detector to use the EKS features
+                console.log("Updating the detector to make sure EKS features are enabled.");
+                const detectorId = data.DetectorIds[0];
+                console.log("Detector ID: " + detectorId);
+                const params: AWS.GuardDuty.UpdateDetectorRequest = {
+                    DetectorId: detectorId,
+                    Features: [
+                        {
+                            AdditionalConfiguration: [
+                                {
+                                    Name: "EKS_ADDON_MANAGEMENT",
+                                    Status: "ENABLED",
+                                },
+                            ],
+                            Name: "RUNTIME_MONITORING",
+                            Status: "ENABLED",
+                        },
+                        {
+                            Name: "EKS_AUDIT_LOGS",
+                            Status: "ENABLED",
+                        },
+                    ]
+                };
+                guardDuty.updateDetector(params, (err, data) => {
+                    if (err) {
+                        console.log(err, err.stack);
+                    } else {
+                        console.log("Updated GuardDuty detector with EKS features.");
+                    }
+                });
+            }
         });
-        // Format the GuardDuty findings emails
-        eventRule.addTarget(
-            new eventTargets.SnsTopic(guardDutyTopic, {
-                message: events.RuleTargetInput.fromText(
-                    `WARNING: AWS GuardDuty has discovered a ${events.EventField.fromPath(
-                        "$.detail.type"
-                    )} security issue for ${environmentName} (${events.EventField.fromPath(
-                        "$.region"
-                    )}). Please go to https://${events.EventField.fromPath(
-                        "$.region"
-                    )}.console.aws.amazon.com/guardduty/ to find out more details.`
-                ),
-            })
-        );
     }
 }