Adding GuardDuty Malware Protection for S3 to protect Bedrock knowledge base

CHANGELOG.md

@@ -3,6 +3,9 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2025-03-20](#2025-03-20)
+- [2025-03-04](#2025-03-04)
+- [2025-02-13](#2025-02-13)
 - [2025-02-04](#2025-02-04)
 - [2025-01-21](#2025-01-21)
 - [2025-01-08](#2025-01-08)
@@ -61,11 +64,29 @@ All notable changes to this project will be documented in this file.
 
 ---
 
+## 2025-03-20
+
+### Added<!-- omit in toc -->
+
+- Added [SRA Amazon GuardDuty Malware Protection for S3](aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3) solution for GenAI deep-dive Bedrock capability two security controls.
+
+## 2025-03-04
+
+### Updated<!-- omit in toc -->
+
+- Updated [Security Lake Organization](aws_sra_examples/solutions/security_lake/security_lake_org) solution with resource management service-linked role.
+
+## 2025-02-13
+
+### Added<!-- omit in toc -->
+
+- Added [SRA Bedrock Guardrails Solution](aws_sra_examples/solutions/genai/bedrock_guardrails) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls.
+
 ## 2025-02-04
 
 ### Added<!-- omit in toc -->
 
-- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls.  See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n)
+- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls.
 
 ### Updated<!-- omit in toc -->
 

README.md

@@ -151,6 +151,7 @@ Please follow the instructions for SRA Terraform deployments in the [SRA Terrafo
 | [EC2 Default EBS Encryption](aws_sra_examples/solutions/ec2/ec2_default_ebs_encryption)               | Configures the EC2 default EBS encryption to use the default KMS key within all provided regions.                                                                                                                                            |                                                                                                              |                                                                                                                                                                                                                                         |
 | [Firewall Manager](aws_sra_examples/solutions/firewall_manager/firewall_manager_org)                  | Demonstrates configuring a security group policy and WAF policies for all accounts within an organization.                                                                                                                                   |                                                                                                              |                                                                                                                                                                                                                                         |
 | [GuardDuty](aws_sra_examples/solutions/guardduty/guardduty_org)                                       | Configures GuardDuty within a delegated admin account for all accounts within an organization.                                                                                                                                               |                                                                                                              |                                                                                                                                                                                                                                         |
+| [Guardduty Malware Protection S3](aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3)                                    | Creates an Amazon GuardDuty Malware Protection Plan for a new or existing S3 bucket.                                                |                                               |  This solution operates independently and does not require the deployment of the [SRA Prerequisites Solution](aws_sra_examples/solutions/common/common_prerequisites).                                                                                                                                                                                                                                      |
 | [IAM Access Analyzer](aws_sra_examples/solutions/iam/iam_access_analyzer)                             | Configures an organization analyzer within a delegated admin account and account level analyzer within each account.                                                                                                                         |                                                                                                              | <ul><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul>                                                                                                          |
 | [IAM Account Password Policy](aws_sra_examples/solutions/iam/iam_password_policy)                     | Sets the account password policy for users to align with common compliance standards.                                                                                                                                                        |                                                                                                              |                                                                                                                                                                                                                                         |
 | [Inspector](aws_sra_examples/solutions/inspector/inspector_org)                                       | Configure Inspector within a delegated admin account for all accounts and governed regions within the organization.                                                                                                                          |                                                                                                              |                                                                                                                                                                                                                                         |

aws_sra_examples/solutions/genai/README.md

@@ -0,0 +1,26 @@
+# Generative AI Solutions for AWS SRA
+
+## Table of Contents
+- [Introduction](#introduction)
+- [Solutions](#solutions)
+- [References](#references)
+
+---
+
+## Introduction
+
+This directory contains security solutions for implementing generative AI capabilities in alignment with AWS Security Reference Architecture (SRA) recommendations. The solutions focus on securing Amazon Bedrock implementations and related generative AI workloads.
+
+## Solutions
+
+- [SRA Bedrock Organizations Solution](./bedrock_org/)
+This solution provides an automated framework for deploying Bedrock organizational security controls.
+
+- [SRA Bedrock Guardrails Solution](./bedrock_guardrails/)
+This solution provides an automated framework for deploying Bedrock guardrails across multiple AWS accounts and regions in an organization.
+
+- [SRA Amazon GuardDuty Malware Protection for S3](./../../solutions/guardduty/guardduty_malware_protection_for_s3)
+This solution deploys Amazon GuardDuty Malware Protection for S3. A key use case for this solution is in the preparation of knowledge bases for Retrieval Augmented Generation (RAG) with Amazon Bedrock.
+
+## References
+- [AWS SRA Generative AI Deep-Dive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-sra.html)

aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/README.md

@@ -0,0 +1,137 @@
+# SRA Amazon GuardDuty Malware Protection for S3
+
+## Table of Contents
+- [Introduction](#introduction)
+- [Deployed Resource Details](#deployed-resource-details)
+- [Implementation Instructions](#implementation-instructions)
+- [References](#references)
+
+---
+
+## Introduction
+
+This solution deploys Amazon GuardDuty Malware Protection for S3 using AWS CloudFormation. It creates a protection plan to enable automated scanning of new objects in S3 buckets for malware and sends notifications of scan results. GuardDuty Malware Protection for S3 can detect malicious content in files before they are processed or used by other systems, enhancing the security of data stored in S3.
+A key use case for this solution is in the preparation of knowledge bases for Retrieval Augmented Generation (RAG) with Amazon Bedrock. The malware protection capabilities help enhance the security controls for documents and files used in Amazon Bedrock knowledge base construction, contributing to the overall security posture of AI-powered applications.
+
+### Features
+
+- Creates or uses existing S3 bucket for malware protection
+- Creates a new KMS key for encrypting the S3 bucket (when creating a new bucket)
+- Creates a KMS key alias for easy management
+- Provides an option to enable S3 server access logging during bucket creation
+- Configures GuardDuty Malware Protection Plan
+- Sets up EventBridge rules for scan result notifications
+- Implements SNS notifications for alerts
+- Includes DLQ for failed event processing
+- Configures necessary IAM roles and permissions
+
+
+---
+
+## Deployed Resource Details
+
+![Architecture Diagram](./documentation/sra-guardduty-malware-protection-for-s3.png)
+
+This section provides a detailed explanation of the resources shown in the architecture diagram:
+
+### 1.0 Bedrock Account<!-- omit in toc -->
+
+#### 1.1 AWS CloudFormation<!-- omit in toc -->
+- Used to define and deploy resources in the solution.
+
+#### 1.2  Protected S3 Bucket<!-- omit in toc -->
+- GuardDuty scans each uploaded object.
+- Can be newly created or an existing bucket.
+
+#### 1.3 KMS Key<!-- omit in toc -->
+- Encrypts objects in the S3 bucket when creating a new bucket.
+
+#### 1.4 EventBridge Rule Role<!-- omit in toc -->
+- IAM role for EventBridge rule execution.
+
+#### 1.5 EventBridge Rule<!-- omit in toc -->
+- Triggers notifications based on GuardDuty Malware Protection scan results.
+
+#### 1.6 SNS Notification Topic<!-- omit in toc -->
+- Sends alerts about malware scan results.
+
+#### 1.7 Dead-Letter Queue (DLQ)<!-- omit in toc -->
+- Handles failed event processing from EventBridge.
+
+#### 1.8 GuardDuty S3 Malware Protection Role<!-- omit in toc -->
+- IAM role for GuardDuty to perform malware scans on S3 objects.
+
+#### 1.9 Amazon GuardDuty Malware Protection for S3<!-- omit in toc -->
+- Scans new S3 objects for malicious content.
+- Enables tagging for scanned S3 objects.
+
+---
+
+## Implementation Instructions
+
+### Prerequisites<!-- omit in toc -->
+
+- CloudFormation template deployment permissions in the target AWS account
+
+#### Notes:
+- This solution operates independently and does not require the deployment of the [SRA Prerequisites Solution](../../common/common_prerequisites).
+
+### Solution Deployment<!-- omit in toc -->
+
+You can deploy this solution using the AWS Console or AWS CLI.
+
+### Deploying via AWS Management Console<!-- omit in toc -->
+1. In the `target account`, open the [CloudFormation Console](https://console.aws.amazon.com/cloudformation).
+2. Create a new stack by uploading the `sra-guardduty-s3-protection-plan-main.yaml` template located in the `./templates` directory.
+3. Provide the required parameters to configure GuardDuty Malware Protection for S3.
+4. Review and confirm the stack creation.
+
+### Deploying via AWS CLI
+1. Run the following command to deploy the stack:
+#### Notes:
+- Update parameter values with your specific settings. 
+- When deploying with an existing bucket, add the following parameters to your CloudFormation deployment command:
+```bash
+ParameterKey=pExistingBucketName,ParameterValue="bucket-name" \
+ParameterKey=pExistingBucketKmsKey,ParameterValue="kms-key-arn"
+```
+- This example assumes the CloudFormation template file is saved in the templates directory. Adjust the --template-body path if necessary.
+- Ensure the --capabilities CAPABILITY_NAMED_IAM flag is included to allow CloudFormation to create the necessary IAM resources.
+
+```bash
+aws cloudformation create-stack \
+    --stack-name SraGuardDutyMalwareProtectionForS3 \
+    --template-body file://aws_sra_examples/solutions/guardduty/guardduty_malware_protection_for_s3/templates/sra-guardduty-malware-protection-for-s3-main.yaml \
+    --region us-east-2 \
+    --parameters \
+        ParameterKey=pCreateNewBucket,ParameterValue="true" \
+        ParameterKey=pUseExistingBucket,ParameterValue="false" \
+        ParameterKey=pSRASolutionName,ParameterValue=sra-guardduty-malware-protection-for-s3 \
+        ParameterKey=pKmsKeyAlias,ParameterValue=sra-guardduty-malware-protection-for-s3-key \
+        ParameterKey=pS3MalwareProtectedBucketNamePrefix,ParameterValue=sra-protected-bucket \
+        ParameterKey=pEventRuleRoleName,ParameterValue=sra-guardduty-malware-protection-for-s3-events \
+        ParameterKey=pSRAAlarmEmail,ParameterValue=your-email@example.com \
+    --capabilities CAPABILITY_NAMED_IAM
+```
+
+2. Monitor the stack creation progress in the AWS CloudFormation Console or via CLI commands.
+
+### Post-Deployment
+Once the stack is deployed successfully:
+- Verify Resource Creation
+```bash
+aws guardduty list-malware-protection-plans
+```
+
+- An email will be sent to confirm the SNS topic subscription. Click the confirmation link to receive malware detection alerts.
+- To verify the alerting functionality of GuardDuty Malware Protection for S3 solution, the European Institute for Computer Anti-Virus Research (EICAR) test file can be used. This standardized test file triggers antivirus detection without being actual malware. The EICAR test file should be uploaded to the protected S3 bucket. After upload, verify that the object has been tagged with the scan results, and confirm that an email alert about the detected threat was received. This process provides a safe way to validate that the malware protection setup is functioning as expected.
+
+---
+
+## References
+- [AWS SRA Generative AI Deep-Dive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-sra.html)
+- [Capability 2. Providing secure access, usage, and implementation to generative AI RAG techniques](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-rag.html)
+- [GuardDuty Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html)
+- [AWS CloudFormation Documentation](https://docs.aws.amazon.com/cloudformation/index.html)
+- [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)
+