Resource: awsGuarddutyDetector
Provides a resource to manage a GuardDuty detector.
~> NOTE: Deleting this resource is equivalent to "disabling" GuardDuty for an AWS region, which removes all existing findings. You can set the `enable` attribute to `false` to instead "suspend" monitoring and feedback reporting while keeping existing data. See the Suspending or Disabling Amazon GuardDuty documentation for more information.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// Wrapping the resource in a stack makes the snippet a complete cdktf program;
// `this` below is the stack, as in the provider's own examples.
class GuarddutyStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new aws.guarddutyDetector.GuarddutyDetector(this, "MyDetector", {
      datasources: {
        // EKS audit log monitoring is left off in this example.
        kubernetes: {
          auditLogs: {
            enable: false,
          },
        },
        // Scan EBS volumes of EC2 instances that already have findings.
        malwareProtection: {
          scanEc2InstanceWithFindings: {
            ebsVolumes: {
              enable: true,
            },
          },
        },
        // S3 protection (data-event monitoring for S3 buckets).
        s3Logs: {
          enable: true,
        },
      },
      // false suspends monitoring but keeps findings; destroying the resource
      // disables GuardDuty for the region and deletes them (see NOTE above).
      enable: true,
    });
  }
}
```
Argument Reference
The following arguments are supported:

- `enable` - (Optional) Enable monitoring and feedback reporting. Setting to `false` is equivalent to "suspending" GuardDuty. Defaults to `true`.
- `findingPublishingFrequency` - (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified; otherwise it defaults to `SIX_HOURS`. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: `FIFTEEN_MINUTES`, `ONE_HOUR`, `SIX_HOURS`. See AWS Documentation for more information.
- `datasources` - (Optional) Describes which data sources will be enabled for the detector. See Data Sources below for more details.
- `tags` - (Optional) Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
Data Sources
The `datasources` block supports the following:

- `s3Logs` - (Optional) Configures S3 protection. See S3 Logs below for more details.
- `kubernetes` - (Optional) Configures Kubernetes protection. See Kubernetes and Kubernetes Audit Logs below for more details.
- `malwareProtection` - (Optional) Configures Malware Protection. See Malware Protection, Scan EC2 instance with findings and EBS volumes below for more details.
S3 Logs
The `s3Logs` block supports the following:

- `enable` - (Required) If true, enables S3 protection. Defaults to `true`.
Kubernetes
The `kubernetes` block supports the following:

- `auditLogs` - (Required) Configures Kubernetes audit logs as a data source for Kubernetes protection. See Kubernetes Audit Logs below for more details.
Kubernetes Audit Logs
The `auditLogs` block supports the following:

- `enable` - (Required) If true, enables Kubernetes audit logs as a data source for Kubernetes protection. Defaults to `true`.
Malware Protection
The `malwareProtection` block supports the following:

- `scanEc2InstanceWithFindings` - (Required) Configure whether Malware Protection is enabled as a data source for EC2 instances with findings for the detector. See Scan EC2 instance with findings below for more details.
Scan EC2 instance with findings
The `scanEc2InstanceWithFindings` block supports the following:

- `ebsVolumes` - (Required) Configure whether scanning EBS volumes is enabled as a data source for the detector for instances with findings. See EBS volumes below for more details.
EBS volumes
The `ebsVolumes` block supports the following:

- `enable` - (Required) If true, enables Malware Protection as a data source for the detector. Defaults to `true`.
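The Argument Reference and Data Sources sections above describe settings that can also be changed outside Terraform (console, API, or the primary account), which is why the docs insist on an explicit `findingPublishingFrequency` for drift detection. The following is an added example, not code from the provider documentation or the AWS provider itself: it encodes those rules as a pre-apply validation and compares a desired configuration with what the GuardDuty `GetDetector` API reports. The `DesiredDetector` and `GetDetectorResponse` types, the `validateDesired` and `detectDrift` functions and both sample objects are assumptions made for this example; the response field names (`Status`, `FindingPublishingFrequency`, `DataSources.S3Logs.Status`, and so on) follow the AWS API, but the sample response is constructed, not captured from an account.

```typescript
// Added example (not from the provider docs): validate a desired GuardDuty
// detector config against the rules on this page and report drift between it
// and a GetDetector API response.

type Status = "ENABLED" | "DISABLED";

// Desired state, mirroring the resource arguments on this page. The frequency is
// typed as string because in practice it arrives from untyped config (JSON, env).
interface DesiredDetector {
  enable: boolean;
  findingPublishingFrequency?: string;
  datasources: {
    s3Logs: { enable: boolean };
    kubernetes: { auditLogs: { enable: boolean } };
    malwareProtection: { scanEc2InstanceWithFindings: { ebsVolumes: { enable: boolean } } };
  };
}

// The subset of the GetDetector response this check reads (AWS API field names).
interface GetDetectorResponse {
  Status: Status;
  FindingPublishingFrequency: string;
  DataSources: {
    S3Logs: { Status: Status };
    Kubernetes: { AuditLogs: { Status: Status } };
    MalwareProtection: { ScanEc2InstanceWithFindings: { EbsVolumes: { Status: Status } } };
  };
}

const VALID_FREQUENCIES: readonly string[] = ["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"];

// Returns rule violations for a desired config; an empty array means it is valid.
function validateDesired(d: DesiredDetector, isMemberAccount: boolean): string[] {
  const problems: string[] = [];
  const freq = d.findingPublishingFrequency;
  if (isMemberAccount && freq !== undefined) {
    problems.push("member account: findingPublishingFrequency is set by the primary account and cannot be modified");
  }
  if (!isMemberAccount && freq === undefined) {
    problems.push("standalone/primary account: set findingPublishingFrequency explicitly so Terraform can detect drift");
  }
  if (freq !== undefined && !VALID_FREQUENCIES.includes(freq)) {
    problems.push(`findingPublishingFrequency must be one of ${VALID_FREQUENCIES.join(", ")}, got ${freq}`);
  }
  return problems;
}

function statusOf(enabled: boolean): Status {
  return enabled ? "ENABLED" : "DISABLED";
}

// Returns one line per setting where the live detector differs from the desired state.
function detectDrift(desired: DesiredDetector, actual: GetDetectorResponse): string[] {
  const drift: string[] = [];
  const check = (setting: string, want: string, got: string): void => {
    if (want !== got) drift.push(`${setting}: want ${want}, got ${got}`);
  };
  check("enable", statusOf(desired.enable), actual.Status);
  if (desired.findingPublishingFrequency !== undefined) {
    check("findingPublishingFrequency", desired.findingPublishingFrequency, actual.FindingPublishingFrequency);
  }
  const ds = desired.datasources;
  const live = actual.DataSources;
  check("datasources.s3Logs", statusOf(ds.s3Logs.enable), live.S3Logs.Status);
  check("datasources.kubernetes.auditLogs", statusOf(ds.kubernetes.auditLogs.enable), live.Kubernetes.AuditLogs.Status);
  check(
    "datasources.malwareProtection.scanEc2InstanceWithFindings.ebsVolumes",
    statusOf(ds.malwareProtection.scanEc2InstanceWithFindings.ebsVolumes.enable),
    live.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status,
  );
  return drift;
}

// Constructed sample: the desired state from this page's example, plus an explicit
// frequency, as the Argument Reference requires for a standalone account.
const desiredDetector: DesiredDetector = {
  enable: true,
  findingPublishingFrequency: "FIFTEEN_MINUTES",
  datasources: {
    s3Logs: { enable: true },
    kubernetes: { auditLogs: { enable: false } },
    malwareProtection: { scanEc2InstanceWithFindings: { ebsVolumes: { enable: true } } },
  },
};

// Constructed sample GetDetector response (not from a real account): someone turned
// on Kubernetes audit logs in the console and left the frequency at its default.
const liveDetector: GetDetectorResponse = {
  Status: "ENABLED",
  FindingPublishingFrequency: "SIX_HOURS",
  DataSources: {
    S3Logs: { Status: "ENABLED" },
    Kubernetes: { AuditLogs: { Status: "ENABLED" } },
    MalwareProtection: { ScanEc2InstanceWithFindings: { EbsVolumes: { Status: "ENABLED" } } },
  },
};

console.log("config problems:", validateDesired(desiredDetector, false));
console.log("drift:", detectDrift(desiredDetector, liveDetector));
```

Run against the constructed sample, `detectDrift` reports two settings, the publishing frequency and the Kubernetes audit-log source, so both can be reverted or codified in the stack. In a real pipeline `liveDetector` would come from `GetDetector` (for example via the AWS SDK `GuardDutyClient`) after `cdktf deploy`; note that drift in `findingPublishingFrequency` is only visible because it is set explicitly in the desired state.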
Attributes Reference
In addition to all arguments above, the following attributes are exported:

- `accountId` - The AWS account ID of the GuardDuty detector.
- `arn` - Amazon Resource Name (ARN) of the GuardDuty detector.
- `id` - The ID of the GuardDuty detector.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
Import
GuardDuty detectors can be imported using the detector ID, e.g.,