Resource: awsGuarddutyOrganizationConfiguration
Manages the GuardDuty Organization Configuration in the current AWS Region. The AWS account using this resource must have been assigned as a delegated Organization administrator account, e.g., via the awsGuarddutyOrganizationAdminAccount resource. More information about Organizations support in GuardDuty can be found in the GuardDuty User Guide.
~> NOTE: This is an advanced Terraform resource. Terraform will automatically assume management of the GuardDuty Organization Configuration without import and perform no actions on removal from the Terraform configuration. In particular, destroying or removing this resource does not switch auto-enable off in the account: to stop new accounts from being enrolled, set autoEnable to false and apply that change before removing the resource.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// The detector in the delegated administrator account. This snippet runs inside
// the constructor of a TerraformStack, where `this` is the construct scope.
const awsGuarddutyDetectorExample = new aws.guarddutyDetector.GuarddutyDetector(
  this,
  "example",
  {
    enable: true,
  }
);

// Organization-wide settings applied to accounts that join the organization.
// Every protection is switched on here so that new member accounts receive
// GuardDuty, S3 Protection, Kubernetes audit-log monitoring and EBS malware
// scanning without a manual step.
const awsGuarddutyOrganizationConfigurationExample =
  new aws.guarddutyOrganizationConfiguration.GuarddutyOrganizationConfiguration(
    this,
    "example_1",
    {
      autoEnable: true,
      datasources: {
        kubernetes: {
          auditLogs: {
            enable: true,
          },
        },
        malwareProtection: {
          scanEc2InstanceWithFindings: {
            ebsVolumes: {
              autoEnable: true,
            },
          },
        },
        s3Logs: {
          autoEnable: true,
        },
      },
      detectorId: awsGuarddutyDetectorExample.id,
    }
  );

/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsGuarddutyOrganizationConfigurationExample.overrideLogicalId("example");
```
Argument Reference
The following arguments are supported:
* `autoEnable` - (Required) When this setting is enabled, all new accounts that are created in, or added to, the organization are added as member accounts of the organization's GuardDuty delegated administrator and GuardDuty is enabled for them in that AWS Region.
* `detectorId` - (Required) The detector ID of the GuardDuty delegated administrator account.
* `datasources` - (Optional) Configuration for the collected datasources.
The `datasources` block supports the following:
* `s3Logs` - (Optional) Enable S3 Protection automatically for new member accounts. See S3 Logs below for more details.
* `kubernetes` - (Optional) Enable Kubernetes Audit Logs Monitoring automatically for new member accounts. See Kubernetes below for more details.
* `malwareProtection` - (Optional) Enable Malware Protection automatically for new member accounts. See Malware Protection below for more details.
S3 Logs
The `s3Logs` block supports the following:
* `autoEnable` - (Optional) Set to true if you want S3 data event logs to be automatically enabled for new members of the organization. Default: false. Note that this is the only datasource whose documented default is off, so omitting it leaves new accounts without S3 Protection.
Kubernetes
The `kubernetes` block supports the following:
* `auditLogs` - (Required) Configure whether Kubernetes Audit Logs Monitoring (Kubernetes protection) should be auto-enabled for new member accounts. See Kubernetes Audit Logs below for more details.
Kubernetes Audit Logs
The `auditLogs` block supports the following:
* `enable` - (Required) If true, enables Kubernetes audit logs as a data source for Kubernetes protection. Defaults to true.
Malware Protection
The `malwareProtection` block supports the following:
* `scanEc2InstanceWithFindings` - (Required) Configure whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization. See Scan EC2 instance with findings below for more details.
Scan EC2 instance with findings
The `scanEc2InstanceWithFindings` block supports the following:
* `ebsVolumes` - (Required) Configure whether scanning EBS volumes should be auto-enabled for new members joining the organization. See EBS volumes below for more details.
EBS volumes
The `ebsVolumes` block supports the following:
* `autoEnable` - (Required) If true, enables Malware Protection (EBS volume scanning) for all new accounts joining the organization. Defaults to true.
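The defaults above are not uniform: S3 Protection is off unless you say otherwise, while Kubernetes audit logs and EBS malware scanning default to on, and none of the datasource flags matter for an account that is never enrolled because the top-level autoEnable is false. As an added example (not code from the provider, the AWS documentation or this page), the following TypeScript resolves what a new member account would actually receive under a proposed configuration and lists the gaps, so the check can run as a unit test before synth. The input shape mirrors the resource's config object; the type and function names, the constructed sample configs and the placeholder detector ID are this example's own.

```typescript
// Added example: pre-synth coverage check for a GuardDuty organization
// configuration. Applies the defaults documented for each nested block
// (s3Logs.autoEnable -> false, auditLogs.enable -> true,
// ebsVolumes.autoEnable -> true). Names below are this example's own, not
// part of the CDKTF provider bindings.

interface OrgConfigInput {
  autoEnable: boolean;
  detectorId: string;
  datasources?: {
    s3Logs?: { autoEnable?: boolean };
    kubernetes?: { auditLogs?: { enable?: boolean } };
    malwareProtection?: {
      scanEc2InstanceWithFindings?: { ebsVolumes?: { autoEnable?: boolean } };
    };
  };
}

type Protection = "guardduty" | "s3Logs" | "kubernetesAuditLogs" | "ebsMalwareScan";

// What a *new* account joining the organization ends up with.
function effectiveNewMemberCoverage(cfg: OrgConfigInput): Record<Protection, boolean> {
  // A new account is only enrolled as a member when the top-level flag is set;
  // without that, none of the per-datasource flags ever reach it.
  const guardduty = cfg.autoEnable === true;
  const ds: NonNullable<OrgConfigInput["datasources"]> = cfg.datasources ?? {};
  const s3 = ds.s3Logs?.autoEnable ?? false; // documented default: false
  const k8s = ds.kubernetes?.auditLogs?.enable ?? true; // documented default: true
  const ebs =
    ds.malwareProtection?.scanEc2InstanceWithFindings?.ebsVolumes?.autoEnable ?? true; // documented default: true
  return {
    guardduty,
    s3Logs: guardduty && s3,
    kubernetesAuditLogs: guardduty && k8s,
    ebsMalwareScan: guardduty && ebs,
  };
}

// Names of the protections a new member would be missing. An empty array is
// full coverage and is what a CI gate should require.
function coverageGaps(cfg: OrgConfigInput): Protection[] {
  const cov = effectiveNewMemberCoverage(cfg);
  return (Object.keys(cov) as Protection[]).filter((p) => !cov[p]);
}

// Constructed sample inputs for a stand-alone run (placeholder detector ID).
const fullConfig: OrgConfigInput = {
  autoEnable: true,
  detectorId: "0123456789abcdef0123456789abcdef",
  datasources: {
    s3Logs: { autoEnable: true },
    kubernetes: { auditLogs: { enable: true } },
    malwareProtection: { scanEc2InstanceWithFindings: { ebsVolumes: { autoEnable: true } } },
  },
};
// Only the top-level flag set: new accounts join, but S3 Protection stays off.
const bareConfig: OrgConfigInput = {
  autoEnable: true,
  detectorId: "0123456789abcdef0123456789abcdef",
};
// Datasources fully specified but enrollment off: nothing reaches new accounts.
const disabledConfig: OrgConfigInput = { ...fullConfig, autoEnable: false };

console.log(coverageGaps(fullConfig)); // -> []
console.log(coverageGaps(bareConfig)); // -> ["s3Logs"]
console.log(coverageGaps(disabledConfig)); // -> all four protections
```

The second case is the one that bites in practice: a configuration that only sets autoEnable and omits the datasources block looks complete, yet every account created after it is applied gets GuardDuty without S3 data-event monitoring.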
Attributes Reference
In addition to all arguments above, the following attributes are exported:
* `id` - Identifier of the GuardDuty Detector.
Import
GuardDuty Organization Configurations can be imported using the GuardDuty Detector ID, e.g.,