diff --git a/CHANGELOG.md b/CHANGELOG.md index e66182b08..7c63edfc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,9 @@ ## Table of Contents - [Introduction](#introduction) +- [2025-03-20](#2025-03-20) +- [2025-03-04](#2025-03-04) +- [2025-02-13](#2025-02-13) - [2025-02-04](#2025-02-04) - [2025-01-21](#2025-01-21) - [2025-01-08](#2025-01-08) @@ -61,11 +64,29 @@ All notable changes to this project will be documented in this file. --- +## 2025-03-20 + +### Added + +- Added [SRA Amazon GuardDuty Malware Protection for S3](aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3) solution for GenAI deep-dive Bedrock capability two security controls. + +## 2025-03-04 + +### Updated + +- Updated [Security Lake Organization](aws_sra_examples/solutions/security_lake/security_lake_org) solution with resource management service-linked role. + +## 2025-02-13 + +### Added + +- Added [SRA Bedrock Guardrails Solution](aws_sra_examples/solutions/genai/bedrock_guardrails) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls. + ## 2025-02-04 ### Added -- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls. See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n) +- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls. ### Updated diff --git a/README.md b/README.md index 332717d14..aa982c49b 100644 --- a/README.md +++ b/README.md 
@@ -151,6 +151,7 @@ Please follow the instructions for SRA Terraform deployments in the [SRA Terrafo | [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption) | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions. | | | | [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org) | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization. | | | | [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org) | Configures GuardDuty within a delegated admin account for all accounts within an organization. | | | +| [Guardduty Malware Protection S3](aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3) | Creates an Amazon GuardDuty Malware Protection Plan for a new or existing S3 bucket. | | This solution operates independently and does not require the deployment of the [SRA Prerequisites Solution](aws_sra_examples/solutions/common/common_prerequisites). | | [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer) | Configures an organization analyzer within a delegated admin account and account level analyzer within each account. | | | | [IAM Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy) | Sets the account password policy for users to align with common compliance standards. | | | | [Inspector](aws_sra_examples/solutions/inspector/inspector_org) | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization. | | | diff --git a/aws_sra_examples/solutions/genai/README.md b/aws_sra_examples/solutions/genai/README.md new file mode 100644 index 000000000..6d9d5b3c6 --- /dev/null +++ b/aws_sra_examples/solutions/genai/README.md 
@@ -0,0 +1,26 @@ +# Generative AI Solutions for AWS SRA + +## Table of Contents +- [Introduction](#introduction) +- [Solutions](#solutions) +- [References](#references) + +--- + +## Introduction + +This directory contains security solutions for implementing generative AI capabilities in alignment with AWS Security Reference Architecture (SRA) recommendations. The solutions focus on securing Amazon Bedrock implementations and related generative AI workloads. + +## Solutions + +- [SRA Bedrock Organizations Solution](./bedrock_org/) +This solution provides an automated framework for deploying Bedrock organizational security controls. + +- [SRA Bedrock Guardrails Solution](./bedrock_guardrails/) +This solution provides an automated framework for deploying Bedrock guardrails across multiple AWS accounts and regions in an organization. + +- [SRA Amazon GuardDuty Malware Protection for S3](./../../solutions/guardduty/guardduty_malware_protection_for_s3) +This solution deploys Amazon GuardDuty Malware Protection for S3. A key use case for this solution is in the preparation of knowledge bases for Retrieval Augmented Generation (RAG) with Amazon Bedrock. + +## References +- [AWS SRA Generative AI Deep-Dive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-sra.html) \ No newline at end of file diff --git a/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/README.md b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/README.md new file mode 100644 index 000000000..db6121394 --- /dev/null +++ b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/README.md 
@@ -0,0 +1,137 @@ +# SRA Amazon GuardDuty Malware Protection for S3 + +## Table of Contents +- [Introduction](#introduction) +- [Deployed Resource Details](#deployed-resource-details) +- [Implementation Instructions](#implementation-instructions) +- [References](#references) + +--- + +## Introduction + +This solution deploys Amazon GuardDuty Malware Protection for S3 using AWS CloudFormation. It creates a protection plan to enable automated scanning of new objects in S3 buckets for malware and sends notifications of scan results. GuardDuty Malware Protection for S3 can detect malicious content in files before they are processed or used by other systems, enhancing the security of data stored in S3. +A key use case for this solution is in the preparation of knowledge bases for Retrieval Augmented Generation (RAG) with Amazon Bedrock. The malware protection capabilities help enhance the security controls for documents and files used in Amazon Bedrock knowledge base construction, contributing to the overall security posture of AI-powered applications. + +### Features + +- Creates or uses existing S3 bucket for malware protection +- Creates a new KMS key for encrypting the S3 bucket (when creating a new bucket) +- Creates a KMS key alias for easy management +- Provides an option to enable S3 server access logging during bucket creation +- Configures GuardDuty Malware Protection Plan +- Sets up EventBridge rules for scan result notifications +- Implements SNS notifications for alerts +- Includes DLQ for failed event processing +- Configures necessary IAM roles and permissions + + +--- + +## Deployed Resource Details + +![Architecture Diagram](./documentation/sra-guardduty-malware-protection-for-s3.png) + +This section provides a detailed explanation of the resources shown in the architecture diagram: + +### 1.0 Bedrock Account + +#### 1.1 AWS CloudFormation +- Used to define and deploy resources in the solution. 
+ +#### 1.2 Protected S3 Bucket +- GuardDuty scans each uploaded object. +- Can be newly created or an existing bucket. + +#### 1.3 KMS Key +- Encrypts objects in the S3 bucket when creating a new bucket. + +#### 1.4 EventBridge Rule Role +- IAM role for EventBridge rule execution. + +#### 1.5 EventBridge Rule +- Triggers notifications based on GuardDuty Malware Protection scan results. + +#### 1.6 SNS Notification Topic +- Sends alerts about malware scan results. + +#### 1.7 Dead-Letter Queue (DLQ) +- Handles failed event processing from EventBridge. + +#### 1.8 GuardDuty S3 Malware Protection Role +- IAM role for GuardDuty to perform malware scans on S3 objects. + +#### 1.9 Amazon GuardDuty Malware Protection for S3 +- Scans new S3 objects for malicious content. +- Enables tagging for scanned S3 objects. + +--- + +## Implementation Instructions + +### Prerequisites + +- CloudFormation template deployment permissions in the target AWS account + +#### Notes: +- This solution operates independently and does not require the deployment of the [SRA Prerequisites Solution](../../common/common_prerequisites). + +### Solution Deployment + +You can deploy this solution using the AWS Console or AWS CLI. + +### Deploying via AWS Management Console +1. In the `target account`, open the [CloudFormation Console](https://console.aws.amazon.com/cloudformation). +2. Create a new stack by uploading the `sra-guardduty-s3-protection-plan-main.yaml` template located in the `./templates` directory. +3. Provide the required parameters to configure GuardDuty Malware Protection for S3. +4. Review and confirm the stack creation. + +### Deploying via AWS CLI +1. Run the following command to deploy the stack: +#### Notes: +- Update parameter values with your specific settings. 
+- When deploying with an existing bucket, add the following parameters to your CloudFormation deployment command: +```bash +ParameterKey=pExistingBucketName,ParameterValue="bucket-name" \ +ParameterKey=pExistingBucketKmsKey,ParameterValue="kms-key-arn" +``` +- This example assumes the CloudFormation template file is saved in the templates directory. Adjust the --template-body path if necessary. +- Ensure the --capabilities CAPABILITY_NAMED_IAM flag is included to allow CloudFormation to create the necessary IAM resources. + +```bash +aws cloudformation create-stack \ + --stack-name SraGuardDutyMalwareProtectionForS3 \ + --template-body file://aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml \ + --region us-east-2 \ + --parameters \ + ParameterKey=pCreateNewBucket,ParameterValue="true" \ + ParameterKey=pUseExistingBucket,ParameterValue="false" \ + ParameterKey=pSRASolutionName,ParameterValue=sra-guardduty-malware-protection-for-s3 \ + ParameterKey=pKmsKeyAlias,ParameterValue=sra-guardduty-malware-protection-for-s3-key \ + ParameterKey=pS3MalwareProtectedBucketNamePrefix,ParameterValue=sra-protected-bucket \ + ParameterKey=pEventRuleRoleName,ParameterValue=sra-guardduty-malware-protection-for-s3-events \ + ParameterKey=pSRAAlarmEmail,ParameterValue=your-email@example.com \ + --capabilities CAPABILITY_NAMED_IAM +``` + +2. Monitor the stack creation progress in the AWS CloudFormation Console or via CLI commands. + +### Post-Deployment +Once the stack is deployed successfully: +- Verify Resource Creation +```bash +aws guardduty list-malware-protection-plans +``` + +- An email will be sent to confirm the SNS topic subscription. Click the confirmation link to receive malware detection alerts. +- To verify the alerting functionality of GuardDuty Malware Protection for S3 solution, the European Institute for Computer Anti-Virus Research (EICAR) test file can be used. 
This standardized test file triggers antivirus detection without being actual malware. The EICAR test file should be uploaded to the protected S3 bucket. After upload, verify that the object has been tagged with the scan results, and confirm that an email alert about the detected threat was received. This process provides a safe way to validate that the malware protection setup is functioning as expected. + +--- + +## References +- [AWS SRA Generative AI Deep-Dive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-sra.html) +- [Capability 2. Providing secure access, usage, and implementation to generative AI RAG techniques](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-rag.html) +- [GuardDuty Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html) +- [AWS CloudFormation Documentation](https://docs.aws.amazon.com/cloudformation/index.html) +- [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) + diff --git a/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.png b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.png new file mode 100644 index 000000000..9be472e57 Binary files /dev/null and b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.png differ 
diff --git a/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.pptx b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.pptx new file mode 100644 index 000000000..bd8563f31 Binary files /dev/null and b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/sra-guardduty-malware-protection-for-s3.pptx differ diff --git a/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/~$sra-guardduty-malware-protection-for-s3.pptx b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/~$sra-guardduty-malware-protection-for-s3.pptx new file mode 100644 index 000000000..138f1a0b2 Binary files /dev/null and b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/documentation/~$sra-guardduty-malware-protection-for-s3.pptx differ diff --git a/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml new file mode 100644 index 000000000..467f660e7 --- /dev/null +++ b/aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml 
@@ -0,0 +1,482 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates IAM PassRole and Policy for GuardDuty Malware + Protection for S3 - 's3_malware_protection' solution in the repo, + https://github.com/aws-samples/aws-security-reference-architecture-examples + (sra-1u3sd7f8o) +Metadata: + SRA: + Version: 1 + Entry: Parameters for deploying the solution + Order: 1 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Properties + Parameters: + - pSRASolutionName + - Label: + default: Existing S3 Malware Protected Bucket Properties + Parameters: + - pUseExistingBucket + - pExistingBucketName + - pExistingBucketKmsKey + - Label: + default: New S3 Malware Protected Bucket Properties + Parameters: + - pCreateNewBucket + - pS3MalwareProtectedBucketNamePrefix + - pS3AccessLogsBucket + - pKmsKeyAlias + - Label: + default: EventBridge Properties + Parameters: + - pEventRuleRoleName + - Label: + default: Notification Properties + Parameters: + - pSRAAlarmEmail + ParameterLabels: + pEventRuleRoleName: + default: Event Rule Role Name + pExistingBucketKmsKey: + default: Existing S3 KMS Key ARN + pExistingBucketName: + default: Existing S3 Bucket Name + pKmsKeyAlias: + default: KMS Key Alias + pS3AccessLogsBucket: + default: S3 Access Logs Bucket Name + pS3MalwareProtectedBucketNamePrefix: + default: S3 Malware Protected Bucket Name Prefix + pSRAAlarmEmail: + default: (Optional) SRA Alarm Email + pSRASolutionName: + default: SRA Solution Name + pUseExistingBucket: + default: Use Existing S3 Bucket + +Parameters: + pCreateNewBucket: + AllowedValues: ['true', 'false'] + Default: 'true' + Description: Create a new S3 bucket + Type: String + pEventRuleRoleName: + AllowedPattern: ^[\w+=,.@-]{1,64}$ + ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]. 
+ Default: sra-guardduty-malware-protection-for-s3-events + Description: Event rule role name + Type: String + pExistingBucketKmsKey: + AllowedPattern: ^$|^arn:(aws[a-zA-Z-]*){1}:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$ + ConstraintDescription: "Key ARN example: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + Default: '' + Description: (Optional) Existing S3 KMS key ARN for existing S3 bucket + Type: String + pExistingBucketName: + AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ + ConstraintDescription: Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: '' + Description: (Optional) Existing S3 bucket name for malware protection. + Type: String + pKmsKeyAlias: + AllowedPattern: ^[a-zA-Z0-9/_-]+$ + ConstraintDescription: The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). + Default: sra-guardduty-malware-protection-for-s3-key + Description: KMS Key Alias + Type: String + pS3AccessLogsBucket: + AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ + ConstraintDescription: Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). + Default: '' + Description: (Optional) S3 bucket name for the S3 Server Access Logs + Type: String + pS3MalwareProtectedBucketNamePrefix: + AllowedPattern: ^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ + ConstraintDescription: S3 bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 
+ Default: sra-protected-bucket + Description: S3 Malware Protected Bucket Name Prefix + Type: String + pSRAAlarmEmail: + AllowedPattern: ^$|^([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)$ + ConstraintDescription: Must be a valid email address. + Default: '' + Description: Email address for receiving SRA alarms + Type: String + pSRASolutionName: + AllowedValues: + - sra-guardduty-malware-protection-for-s3 + Default: sra-guardduty-malware-protection-for-s3 + Description: The SRA solution name. The default value is the folder name of the solution + Type: String + pUseExistingBucket: + AllowedValues: ['true', 'false'] + Default: 'false' + Description: Use an existing S3 bucket for malware protection + Type: String + +Rules: + MutuallyExclusiveNewBucketSelection: + RuleCondition: !Equals [!Ref pCreateNewBucket, 'true'] + Assertions: + - Assert: !Not [!Equals [!Ref pUseExistingBucket, 'true']] + AssertDescription: Cannot select both new bucket and existing bucket creation options + MutuallyExclusiveExistingBucketSelection: + RuleCondition: !Equals [!Ref pCreateNewBucket, 'false'] + Assertions: + - Assert: !Not [!Equals [!Ref pUseExistingBucket, 'false']] + AssertDescription: Must select either new bucket or existing bucket creation option + ExistingBucketNameValidation: + RuleCondition: !Equals [!Ref pUseExistingBucket, 'true'] + Assertions: + - Assert: !Not [!Equals [!Ref pExistingBucketName, '']] + AssertDescription: Existing bucket name is required when using an existing bucket + EmailAddressValidation: + RuleCondition: !Equals [!Ref pSRAAlarmEmail, ''] + Assertions: + - Assert: !Not [!Equals [!Ref pSRAAlarmEmail, '']] + AssertDescription: Must provide a valid email address + +Conditions: + cCreateNewBucket: !Equals + - !Ref pCreateNewBucket + - 'true' + cExistingBucket: !Not [!Equals [!Ref pExistingBucketName, '']] + cExistingKmsKey: !Not [!Equals [!Ref pExistingBucketKmsKey, '']] + cEnableAccessLogging: !Not [!Equals [!Ref pS3AccessLogsBucket, '']] + +Resources: 
+ rKMSKeyForBucket: + Type: AWS::KMS::Key + Condition: cCreateNewBucket + DeletionPolicy: Delete + UpdateReplacePolicy: Retain + Properties: + EnableKeyRotation: true + KeyPolicy: + Version: '2012-10-17' + Statement: + Effect: Allow + Principal: + AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root + Action: + - kms:* + Resource: '*' + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rKeyAlias: + Type: AWS::KMS::Alias + Condition: cCreateNewBucket + Properties: + AliasName: !Sub alias/${pKmsKeyAlias}-${AWS::AccountId}-${AWS::Region} + TargetKeyId: !Ref rKMSKeyForBucket + + rGuardDutyMalwareProtectedBucket: + Type: AWS::S3::Bucket + Condition: cCreateNewBucket + DeletionPolicy: Retain + UpdateReplacePolicy: Retain + Metadata: + cfn_nag: + rules_to_suppress: + - id: W35 + reason: S3 access logging is not enabled. + checkov: + skip: + - id: CKV_AWS_18 + comment: S3 access logging is not enabled. + Properties: + BucketName: !Sub ${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region} + LoggingConfiguration: + !If + - cEnableAccessLogging + - DestinationBucketName: !Ref pS3AccessLogsBucket + LogFilePrefix: !Sub ${pSRASolutionName}-logs/ + - !Ref AWS::NoValue + VersioningConfiguration: + Status: Enabled + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + KMSMasterKeyID: !GetAtt rKMSKeyForBucket.Arn + SSEAlgorithm: aws:kms + BucketKeyEnabled: true + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + OwnershipControls: + Rules: + - ObjectOwnership: BucketOwnerPreferred + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rEventRuleRole: + Type: AWS::IAM::Role + Metadata: + cfn_nag: + rules_to_suppress: + - id: W28 + reason: Specific role name provided + Properties: + RoleName: !Sub ${pEventRuleRoleName}-${AWS::Region} + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: 
Allow + Action: sts:AssumeRole + Principal: + Service: + - events.amazonaws.com + Condition: + StringEquals: + aws:SourceAccount: !Ref AWS::AccountId + Policies: + - PolicyName: sra-guardduty-malware-protection-for-s3-events + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: sns:Publish + Resource: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.TopicArn + - Effect: Allow + Action: sqs:SendMessage + Resource: !GetAtt rGuardDutyMalwareProtectionForS3RuleDLQ.Arn + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rGuardDutyMalwareProtectionForS3RuleDLQ: + Type: AWS::SQS::Queue + Properties: + KmsMasterKeyId: alias/aws/sqs + QueueName: !Sub ${pSRASolutionName}-dlq + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + MessageRetentionPeriod: 345600 + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + + rGuardDutyMalwareProtectionForS3RuleDLQPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - !Ref rGuardDutyMalwareProtectionForS3RuleDLQ + PolicyDocument: + Statement: + - Action: SQS:SendMessage + Condition: + ArnEquals: + aws:SourceArn: + - !GetAtt rGuardDutyMalwareProtectionForS3EventRule.Arn + Effect: Allow + Principal: + Service: events.amazonaws.com + Resource: + - !GetAtt rGuardDutyMalwareProtectionForS3EventRule.Arn + + rGuardDutyMalwareProtectionForS3EventRule: + Type: AWS::Events::Rule + Properties: + Description: GuardDuty Copy S3 Object Rule for source bucket + EventBusName: default + Name: !Sub ${pSRASolutionName}-${AWS::Region}-event + EventPattern: + source: + - aws.guardduty + detail-type: + - GuardDuty Malware Protection Object Scan Result + detail: + scanStatus: + - COMPLETED + resourceType: + - S3_OBJECT + s3ObjectDetails: + bucketName: + - !If + - cExistingBucket + - !Ref pExistingBucketName + - !Sub ${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region} + scanResultDetails: + scanResultStatus: + - THREATS_FOUND + - FAILED + - ACCESS_DENIED + State: ENABLED + 
Targets: + - Arn: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.TopicArn + Id: !GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.DisplayName + DeadLetterConfig: + Arn: !GetAtt rGuardDutyMalwareProtectionForS3RuleDLQ.Arn + RetryPolicy: + MaximumEventAgeInSeconds: 86400 # 24 hours + MaximumRetryAttempts: 185 + RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pEventRuleRoleName}-${AWS::Region} + + rGuardDutyMalwareProtectionForS3IamPolicy: + Type: AWS::IAM::ManagedPolicy + DeletionPolicy: Delete + Properties: + Description: Policy for allowing GuardDuty S3 malware protection to access the + required services + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: AllowManagedRuleToSendS3EventsToGuardDuty + Effect: Allow + Action: + - events:PutRule + - events:DeleteRule + - events:PutTargets + - events:RemoveTargets + Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3* + Condition: + StringLike: + events:ManagedBy: malware-protection-plan.guardduty.amazonaws.com + - Sid: AllowGuardDutyToMonitorEventBridgeManagedRule + Effect: Allow + Action: + - events:DescribeRule + - events:ListTargetsByRule + Resource: + - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3* + - Sid: AllowPostScanTag + Effect: Allow + Action: + - S3:PutObjectTagging + - S3:GetObjectTagging + - S3:PutObjectVersionTagging + - S3:GetObjectVersionTagging + Resource: !If + - cExistingBucket + - !Sub arn:${AWS::Partition}:s3:::${pExistingBucketName}/* + - !Sub arn:${AWS::Partition}:s3:::${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/* + - Sid: AllowEnableS3EventBridgeEvents + Effect: Allow + Action: + - s3:PutBucketNotification + - s3:GetBucketNotification + Resource: !If + - cExistingBucket + - !Sub arn:${AWS::Partition}:s3:::${pExistingBucketName} + - !Sub 
arn:${AWS::Partition}:s3:::${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region} + - Sid: AllowPutValidationObject + Effect: Allow + Action: + - s3:PutObject + Resource: !If + - cExistingBucket + - !Sub arn:${AWS::Partition}:s3:::${pExistingBucketName}/malware-protection-resource-validation-object + - !Sub arn:${AWS::Partition}:s3:::${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/malware-protection-resource-validation-object + - Sid: AllowCheckBucketOwnership + Effect: Allow + Action: + - s3:ListBucket + Resource: !If + - cExistingBucket + - !Sub arn:${AWS::Partition}:s3:::${pExistingBucketName} + - !Sub arn:${AWS::Partition}:s3:::${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region} + - Sid: AllowMalwareScan + Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectVersion + Resource: !If + - cExistingBucket + - !Sub arn:${AWS::Partition}:s3:::${pExistingBucketName}/* + - !Sub arn:${AWS::Partition}:s3:::${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region}/* + - !If + - cExistingKmsKey + - Sid: AllowDecryptForExistingBucket + Effect: Allow + Action: + - kms:Decrypt + - kms:GenerateDataKey + Resource: !Ref pExistingBucketKmsKey + Condition: + StringLike: + kms:ViaService: s3.*.amazonaws.com + - !Ref AWS::NoValue + - !If + - cCreateNewBucket + - Sid: AllowDecryptForMalwareScan + Effect: Allow + Action: + - kms:GenerateDataKey + - kms:Decrypt + Resource: + - !GetAtt rKMSKeyForBucket.Arn + Condition: + StringLike: + kms:ViaService: s3.*.amazonaws.com + - !Ref AWS::NoValue + + rGuardDutyMalwareProtectionForS3IamRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub ${pSRASolutionName}-${AWS::Region} + AssumeRolePolicyDocument: + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: malware-protection-plan.guardduty.amazonaws.com + Version: '2012-10-17' + ManagedPolicyArns: + - !Sub ${rGuardDutyMalwareProtectionForS3IamPolicy.PolicyArn} + Tags: + - Key: 
sra-solution + Value: !Ref pSRASolutionName + + rGuardDutyMalwareProtectionForS3: + Type: AWS::GuardDuty::MalwareProtectionPlan + Properties: + Actions: + Tagging: + Status: ENABLED + ProtectedResource: + S3Bucket: + BucketName: !If + - cExistingBucket + - !Ref pExistingBucketName + - !Sub ${pS3MalwareProtectedBucketNamePrefix}-${AWS::AccountId}-${AWS::Region} + Role: !GetAtt rGuardDutyMalwareProtectionForS3IamRole.Arn + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + + rGuardDutyMalwareProtectionForS3AlarmTopic: + Type: AWS::SNS::Topic + Properties: + DisplayName: !Sub ${pSRASolutionName}-alarm + KmsMasterKeyId: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/sns + TopicName: !Sub ${pSRASolutionName}-alarm-${AWS::Region} + Subscription: + - Endpoint: !Ref pSRAAlarmEmail + Protocol: email + Tags: + - Key: sra-solution + Value: !Ref pSRASolutionName + +Outputs: + GuardDutyS3MalwareProtectionPlanArn: + Description: Amazon Resource Name (ARN) associated with this Malware Protection plan + Value: !GetAtt rGuardDutyMalwareProtectionForS3.Arn + + GuardDutyS3MalwareProtectionPlanId: + Description: A unique identifier associated with Malware Protection plan + Value: !GetAtt rGuardDutyMalwareProtectionForS3.MalwareProtectionPlanId + + S3MalwareProtectionRole: + Description: IAM role created for S3 Malware Protection + Value: !Ref rGuardDutyMalwareProtectionForS3IamRole + + SourceBucketArn: + Condition: cCreateNewBucket + Description: The bucket arn which has been created and enabled for S3 Malware protection + Value: !GetAtt rGuardDutyMalwareProtectedBucket.Arn \ No newline at end of file
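Review bot: In the CHANGELOG hunk, the new 2025-02-13 entry for the Bedrock Guardrails solution repeats the description of the 2025-02-04 Bedrock entry ("to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls"), which does not describe what the guardrails solution does; reword it to something like "Added [SRA Bedrock Guardrails Solution](...) to deploy Bedrock guardrails across accounts and regions in an organization." Also, the 2025-03-20 entry calls the new solution "SRA Amazon GuardDuty Malware Protection for S3" while the root README row calls it "Guardduty Malware Protection S3"; pick one name and use it in both places.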
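Review bot: In the root README.md hunk, the new table row spells the service "Guardduty" while the adjacent rows use "GuardDuty"; fix the capitalization so the solution name matches the service name and the CHANGELOG entry. The Notes column text ("operates independently and does not require the deployment of the SRA Prerequisites Solution") is useful and should stay, since every other row in this table assumes the prerequisites stack.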
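Review bot: In the new aws_sra_examples/solutions/genai/README.md, the link `./../../solutions/guardduty/guardduty_malware_protection_for_s3` climbs out of `solutions/` only to re-enter it; the direct relative path `../guardduty/guardduty_malware_protection_for_s3` is clearer and less likely to break if the tree is reorganised. The file also ends without a trailing newline ("\ No newline at end of file"); add one for consistency with the other README files in the repository.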
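Review bot: In the new solution README, step 2 of "Deploying via AWS Management Console" tells the reader to upload `sra-guardduty-s3-protection-plan-main.yaml`, but the template added in this PR is `templates/sra-guardduty-malware-protection-for-s3-main.yaml` (the name the CLI example uses); correct the filename. In "Deploying via AWS CLI", the "Notes" block sits between "1. Run the following command" and the command itself, so move the notes after the code block or before step 1. The existing-bucket note says to "add" `pExistingBucketName` and `pExistingBucketKmsKey`, but the template's Rules also require flipping `pCreateNewBucket` to `false` and `pUseExistingBucket` to `true`, otherwise the deployment fails the mutual-exclusion assertion; say so. `pSRAAlarmEmail` is labelled optional in the template but the template's EmailAddressValidation rule and the unconditional SNS subscription make it mandatory, so the README should list it as required. Finally, the post-deployment check `aws guardduty list-malware-protection-plans` should carry the same `--region` as the create-stack command (us-east-2 in the example), or the reader's default region may return an empty list.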
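Review bot: The binary file `documentation/~$sra-guardduty-malware-protection-for-s3.pptx` is a Microsoft Office owner/lock file created while the real `.pptx` was open; it carries no content and should be removed from the commit, with `~$*` added to `.gitignore` so it is not re-added.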
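Review bot: In the template hunk, `rGuardDutyMalwareProtectionForS3RuleDLQPolicy` sets `Resource` to the event rule ARN (`!GetAtt rGuardDutyMalwareProtectionForS3EventRule.Arn`); an SQS queue policy's Resource must be the queue ARN, so this should be `!GetAtt rGuardDutyMalwareProtectionForS3RuleDLQ.Arn` (the rule ARN correctly stays in the `aws:SourceArn` condition). Other points in the same hunk:
- `rGuardDutyMalwareProtectionForS3AlarmTopic` is encrypted with `alias/aws/sns` and there is no `AWS::SNS::TopicPolicy` granting `events.amazonaws.com` `sns:Publish`. The AWS managed key's policy cannot be edited to allow EventBridge, so deliveries will fail and land in the DLQ; use a customer managed key (the template already creates one for the bucket path) with a key policy that allows EventBridge, and add a topic policy. The same concern applies to the DLQ's `alias/aws/sqs` key; confirm EventBridge can write to it or switch it to a customer managed key as well.
- The event target's `Id` is `!GetAtt rGuardDutyMalwareProtectionForS3AlarmTopic.DisplayName`; `DisplayName` is not a documented `Fn::GetAtt` attribute of `AWS::SNS::Topic` (`TopicArn` and `TopicName` are). Use a literal Id string.
- The rule's `RoleArn` is built with `!Sub` from `pEventRuleRoleName` instead of `!GetAtt rEventRuleRole.Arn`, which drops the implicit dependency on the role; the role may not exist when the rule is created. (For an SNS target EventBridge uses the topic's resource policy rather than a role, so the role is only needed for the DLQ path.)
- `EmailAddressValidation` has `RuleCondition: !Equals [!Ref pSRAAlarmEmail, '']` with an assertion that the value is non-empty, so an empty value always fails; the parameter is effectively required, contradicting its "(Optional)" label and `Default: ''`. Either drop the optional label and default, or make the `Subscription` conditional.
- `cExistingBucket` is derived from `pExistingBucketName` rather than `pUseExistingBucket`. Setting `pCreateNewBucket=true` together with a non-empty `pExistingBucketName` passes the mutual-exclusion rules but creates a new bucket while pointing the protection plan, the IAM policy and the event pattern at the existing one. Derive the condition from `pUseExistingBucket`, or add an assertion that `pExistingBucketName` is empty when creating a new bucket.
- `rKMSKeyForBucket` has `DeletionPolicy: Delete` while the bucket it encrypts has `DeletionPolicy: Retain`; deleting the stack schedules the key for deletion and leaves the retained objects unreadable. Set the key to `Retain` as well.
- The event pattern matches `THREATS_FOUND`, `FAILED` and `ACCESS_DENIED` but not `UNSUPPORTED`; for a RAG ingestion bucket, objects GuardDuty cannot scan pass silently, so consider adding `UNSUPPORTED` or documenting the gap in the README.
- Minor: the event rule `Description` ("GuardDuty Copy S3 Object Rule for source bucket") and the template `Description` ("IAM PassRole and Policy ... 's3_malware_protection'") are leftovers from another solution; the KMS `KeyPolicy.Statement` is a mapping where every other policy in the template uses a list; `S3:PutObjectTagging` and `SQS:SendMessage` use an upper-case service prefix (IAM is case-insensitive here, but lower-case is the convention used elsewhere in the file); the cfn_nag W35 reason "S3 access logging is not enabled" is inaccurate now that logging is conditional on `pS3AccessLogsBucket`.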