Resource: awsGuarddutyFilter

Provides a resource to manage a GuardDuty filter.

Example Usage

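/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
class MyStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new aws.guarddutyFilter.GuarddutyFilter(this, "MyFilter", {
      // Findings that match the criteria below are archived.
      action: "ARCHIVE",
      // Refers to an aws_guardduty_detector resource named "example" defined elsewhere.
      detectorId: "${aws_guardduty_detector.example.id}",
      findingCriteria: {
        criterion: [
          {
            equalTo: ["eu-west-1"],
            field: "region",
          },
          {
            field: "service.additionalInfo.threatListName",
            notEquals: ["some-threat", "another-threat"],
          },
          {
            // Date bounds use RFC 3339 format.
            field: "updatedAt",
            greaterThan: "2020-01-01T00:00:00Z",
            lessThan: "2020-02-01T00:00:00Z",
          },
          {
            // No upper bound: every severity from 4 upwards is covered.
            field: "severity",
            greaterThanOrEqual: "4",
          },
        ],
      },
      name: "MyFilter",
      rank: 1,
    });
  }
}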

Argument Reference

The following arguments are supported:

  • detectorId - (Required) ID of a GuardDuty detector, attached to your account.
  • name - (Required) The name of your filter.
  • description - (Optional) Description of the filter.
  • rank - (Required) Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
  • action - (Required) Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.
  • tags - (Optional) The tags that you want to add to the Filter resource. A tag consists of a key and a value. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • findingCriteria - (Required) Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks, documented below.

criterion

The criterion block supports the following:

  • field - (Required) The name of the field to be evaluated. The full list of field names can be found in AWS documentation.
  • equals - (Optional) List of string values to be evaluated.
  • notEquals - (Optional) List of string values to be evaluated.
  • greaterThan - (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
  • greaterThanOrEqual - (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
  • lessThan - (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
  • lessThanOrEqual - (Optional) A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
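
Added example (not part of the provider documentation and not AWS code): a local preview of which findings the criteria from Example Usage would match, useful for checking how much an ARCHIVE filter would hide before it is deployed. The helper names, the sample findings and the handling of a missing field are assumptions made for this sketch; the criteria of one filter are combined with AND.

```typescript
// Added example: local preview of findingCriteria matching (helper names are hypothetical).
type Criterion = { field: string; equalTo?: string[]; notEquals?: string[];
  greaterThan?: string; greaterThanOrEqual?: string; lessThan?: string; lessThanOrEqual?: string };

// Resolve a dotted field name such as "service.additionalInfo.threatListName".
const lookup = (finding: unknown, path: string): unknown =>
  path.split(".").reduce<unknown>((node, key) =>
    node !== null && typeof node === "object" ? (node as Record<string, unknown>)[key] : undefined, finding);

// Bounds accept an integer or an RFC 3339 date; map both onto one numeric scale.
const toNumber = (s?: string): number =>
  s === undefined ? NaN : /^-?\d+(\.\d+)?$/.test(s) ? Number(s) : Date.parse(s);

// Assumption: a finding that lacks the field passes notEquals and fails every other operator.
function matchesCriterion(finding: unknown, c: Criterion): boolean {
  const raw = lookup(finding, c.field);
  const text = raw === undefined ? undefined : String(raw);
  const bound = (b: string | undefined, ok: (d: number) => boolean): boolean =>
    b === undefined || ok(toNumber(text) - toNumber(b)); // NaN fails every comparison
  return (
    (c.equalTo === undefined || (text !== undefined && c.equalTo.indexOf(text) >= 0)) &&
    (c.notEquals === undefined || text === undefined || c.notEquals.indexOf(text) < 0) &&
    bound(c.greaterThan, (d) => d > 0) && bound(c.greaterThanOrEqual, (d) => d >= 0) &&
    bound(c.lessThan, (d) => d < 0) && bound(c.lessThanOrEqual, (d) => d <= 0)
  );
}

// A finding matches the filter only if every criterion holds (AND).
function matchedIds(findings: { id: string }[], criteria: Criterion[]): string[] {
  return findings.filter((f) => criteria.every((c) => matchesCriterion(f, c))).map((f) => f.id);
}

// Constructed sample findings, not real GuardDuty output.
const mk = (id: string, region: string, severity: number, updatedAt: string, threatListName: string) =>
  ({ id, region, severity, updatedAt, service: { additionalInfo: { threatListName } } });
const sampleFindings = [
  mk("f-1", "eu-west-1", 5, "2020-01-15T10:00:00Z", "custom-list"), // matches
  mk("f-2", "eu-west-1", 8, "2020-01-20T08:30:00Z", "some-threat"), // excluded by notEquals
  mk("f-3", "us-east-1", 5, "2020-01-15T10:00:00Z", "custom-list"), // wrong region
  mk("f-4", "eu-west-1", 2, "2020-01-15T10:00:00Z", "custom-list"), // severity below 4
  mk("f-5", "eu-west-1", 7, "2020-03-01T00:00:00Z", "custom-list"), // outside the date window
  mk("f-6", "eu-west-1", 8, "2020-01-20T08:30:00Z", "custom-list"), // matches: high severity is archived too
];
// Same criteria as the Example Usage block.
const pageCriteria: Criterion[] = [
  { field: "region", equalTo: ["eu-west-1"] },
  { field: "service.additionalInfo.threatListName", notEquals: ["some-threat", "another-threat"] },
  { field: "updatedAt", greaterThan: "2020-01-01T00:00:00Z", lessThan: "2020-02-01T00:00:00Z" },
  { field: "severity", greaterThanOrEqual: "4" },
];
console.log(matchedIds(sampleFindings, pageCriteria));
```

Because the severity criterion has only a lower bound, the severity 8 sample finding is matched alongside the severity 5 one; adding lessThan or lessThanOrEqual to that criterion narrows what an ARCHIVE filter covers.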

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The ARN of the GuardDuty filter.
  • id - A compound field, consisting of the ID of the GuardDuty detector and the name of the filter.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

GuardDuty filters can be imported using the detector ID and filter's name separated by a colon, e.g.,

$ terraform import aws_guardduty_filter.MyFilter 00b00fd5aecc0ab60a708659477e9617:MyFilter