
Resource: awsGuarddutyPublishingDestination

Provides a resource to manage a GuardDuty PublishingDestination, which exports a detector's findings to an S3 bucket, encrypted with a KMS key you control. Requires an existing GuardDuty Detector.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class GuardDutyExportStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // The region is an example value; use the region of the detector you export from.
    new aws.provider.AwsProvider(this, "aws", { region: "us-east-1" });

    // Publishing destinations are per detector, so the detector must exist first.
    const awsGuarddutyDetectorTestGd = new aws.guarddutyDetector.GuarddutyDetector(
      this,
      "test_gd",
      {
        enable: true,
      }
    );
    // Export target. forceDestroy is only appropriate for a throw-away test bucket.
    const awsS3BucketGdBucket = new aws.s3Bucket.S3Bucket(this, "gd_bucket", {
      bucket: "example",
      forceDestroy: true,
    });
    new aws.s3BucketAcl.S3BucketAcl(this, "gd_bucket_acl", {
      acl: "private",
      bucket: awsS3BucketGdBucket.id,
    });
    const dataAwsCallerIdentityCurrent =
      new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
    // Bucket policy: GuardDuty needs to write objects and to locate the bucket.
    // This grants the guardduty.amazonaws.com service principal without any
    // aws:SourceAccount / aws:SourceArn condition; see the note below the example.
    const dataAwsIamPolicyDocumentBucketPol =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
        this,
        "bucket_pol",
        {
          statement: [
            {
              actions: ["s3:PutObject"],
              principals: [
                {
                  identifiers: ["guardduty.amazonaws.com"],
                  type: "Service",
                },
              ],
              // Attribute references are tokens, so plain template interpolation is enough.
              resources: [`${awsS3BucketGdBucket.arn}/*`],
              sid: "Allow PutObject",
            },
            {
              actions: ["s3:GetBucketLocation"],
              principals: [
                {
                  identifiers: ["guardduty.amazonaws.com"],
                  type: "Service",
                },
              ],
              resources: [awsS3BucketGdBucket.arn],
              sid: "Allow GetBucketLocation",
            },
          ],
        }
      );
    const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
      this,
      "current_region",
      {}
    );
    const awsS3BucketPolicyGdBucketPolicy = new aws.s3BucketPolicy.S3BucketPolicy(
      this,
      "gd_bucket_policy",
      {
        bucket: awsS3BucketGdBucket.id,
        policy: dataAwsIamPolicyDocumentBucketPol.json,
      }
    );
    // Key policy: GuardDuty only needs kms:GenerateDataKey to encrypt exported findings.
    // The second statement hands kms:* to the account root and exists only so the
    // test can delete the key afterwards.
    const dataAwsIamPolicyDocumentKmsPol =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "kms_pol", {
        statement: [
          {
            actions: ["kms:GenerateDataKey"],
            principals: [
              {
                identifiers: ["guardduty.amazonaws.com"],
                type: "Service",
              },
            ],
            resources: [
              `arn:aws:kms:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:key/*`,
            ],
            sid: "Allow GuardDuty to encrypt findings",
          },
          {
            actions: ["kms:*"],
            principals: [
              {
                identifiers: [
                  `arn:aws:iam::${dataAwsCallerIdentityCurrent.accountId}:root`,
                ],
                type: "AWS",
              },
            ],
            resources: [
              `arn:aws:kms:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:key/*`,
            ],
            sid: "Allow all users to modify/delete key (test only)",
          },
        ],
      });
    const awsKmsKeyGdKey = new aws.kmsKey.KmsKey(this, "gd_key", {
      deletionWindowInDays: 7,
      description: "Temporary key for AccTest of TF",
      policy: dataAwsIamPolicyDocumentKmsPol.json,
    });
    new aws.guarddutyPublishingDestination.GuarddutyPublishingDestination(
      this,
      "test",
      {
        // GuardDuty validates bucket and key permissions when the destination is
        // created, so the bucket policy must be applied first. The key policy is
        // inline on the key, which kmsKeyArn already depends on.
        dependsOn: [awsS3BucketPolicyGdBucketPolicy],
        destinationArn: awsS3BucketGdBucket.arn,
        detectorId: awsGuarddutyDetectorTestGd.id,
        kmsKeyArn: awsKmsKeyGdKey.arn,
      }
    );
  }
}

const app = new App();
new GuardDutyExportStack(app, "guardduty-publishing-destination");
app.synth();

~> Note: Do not use this example's bucket policy and KMS key policy in a production environment; they are far too open. The bucket policy grants `guardduty.amazonaws.com` without an `aws:SourceAccount` / `aws:SourceArn` condition, so GuardDuty acting on behalf of any account could write into the bucket (the confused-deputy problem), and the key policy hands `kms:*` to the account root. Refer to the AWS documentation for the recommended policies: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
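The following is an added example, not code from the page or from the Terraform AWS provider. It models the bucket policy and the key policy as plain JSON (the shape `aws_iam_policy_document` renders and that the `policy` arguments of `aws_s3_bucket_policy` and `aws_kms_key` accept as a string), builds hardened versions with the `aws:SourceAccount` / `aws:SourceArn` conditions and the deny statements that the AWS "Exporting findings" guide describes, and includes a small audit that flags any `Allow` for `guardduty.amazonaws.com` that lacks both source conditions. The sample ARNs, the key-administrator role parameter and the `openBucketPolicy` document (the page's test-only policy rendered to JSON for comparison) are constructed here.

```typescript
// Added example: hardened GuardDuty export policies plus a confused-deputy audit.
// Not the page's or the provider's code. Sample ARNs and the admin-role ARN are
// placeholders; check the deny statements against the AWS "Exporting findings" guide.

type Principal = { Service: string } | { AWS: string };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal | "*";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

const GUARDDUTY_SERVICE = "guardduty.amazonaws.com";

// Pin the service principal to one detector in one account, so a detector in a
// foreign account cannot make GuardDuty write into this bucket or use this key.
function sourceCondition(accountId: string, detectorArn: string) {
  return { StringEquals: { "aws:SourceAccount": accountId, "aws:SourceArn": detectorArn } };
}

function buildBucketPolicy(bucketArn: string, accountId: string, detectorArn: string, kmsKeyArn: string): PolicyDocument {
  const cond = sourceCondition(accountId, detectorArn);
  const objects = `${bucketArn}/*`;
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AllowGuardDutyPutObject", Effect: "Allow", Principal: { Service: GUARDDUTY_SERVICE }, Action: "s3:PutObject", Resource: objects, Condition: cond },
      { Sid: "AllowGuardDutyGetBucketLocation", Effect: "Allow", Principal: { Service: GUARDDUTY_SERVICE }, Action: "s3:GetBucketLocation", Resource: bucketArn, Condition: cond },
      // Findings must arrive SSE-KMS encrypted with the expected key, over TLS only.
      { Sid: "DenyUnencryptedUploads", Effect: "Deny", Principal: "*", Action: "s3:PutObject", Resource: objects, Condition: { StringNotEquals: { "s3:x-amz-server-side-encryption": "aws:kms" } } },
      { Sid: "DenyIncorrectEncryptionKey", Effect: "Deny", Principal: "*", Action: "s3:PutObject", Resource: objects, Condition: { StringNotEquals: { "s3:x-amz-server-side-encryption-aws-kms-key-id": kmsKeyArn } } },
      { Sid: "DenyInsecureTransport", Effect: "Deny", Principal: "*", Action: "s3:*", Resource: [bucketArn, objects], Condition: { Bool: { "aws:SecureTransport": "false" } } },
    ],
  };
}

function buildKeyPolicy(accountId: string, detectorArn: string, keyAdminRoleArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      // GuardDuty only needs to generate data keys; "*" in a key policy means this key.
      { Sid: "AllowGuardDutyToEncryptFindings", Effect: "Allow", Principal: { Service: GUARDDUTY_SERVICE }, Action: "kms:GenerateDataKey", Resource: "*", Condition: sourceCondition(accountId, detectorArn) },
      // Key administration for a named role (placeholder ARN) instead of kms:* for root.
      { Sid: "AllowKeyAdministration", Effect: "Allow", Principal: { AWS: keyAdminRoleArn }, Action: ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"], Resource: "*" },
    ],
  };
}

// Return the Sids of Allow statements that grant the GuardDuty service principal
// without both source conditions. Such grants are usable by GuardDuty acting for
// any AWS account, which is what makes the page's test-only policies too open.
function unconditionedGuardDutyGrants(doc: PolicyDocument): string[] {
  const flagged: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    if (s.Principal === "*" || !("Service" in s.Principal) || s.Principal.Service !== GUARDDUTY_SERVICE) continue;
    const eq: Record<string, string> = s.Condition?.StringEquals ?? {};
    if (!eq["aws:SourceAccount"] || !eq["aws:SourceArn"]) flagged.push(s.Sid ?? "<no Sid>");
  }
  return flagged;
}

// The page's test-only bucket policy as it renders to JSON (constructed for comparison).
const openBucketPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "Allow PutObject", Effect: "Allow", Principal: { Service: GUARDDUTY_SERVICE }, Action: "s3:PutObject", Resource: "arn:aws:s3:::example/*" },
    { Sid: "Allow GetBucketLocation", Effect: "Allow", Principal: { Service: GUARDDUTY_SERVICE }, Action: "s3:GetBucketLocation", Resource: "arn:aws:s3:::example" },
  ],
};

// Sample identifiers (placeholders).
const SAMPLE_ACCOUNT = "123456789012";
const SAMPLE_DETECTOR_ARN = `arn:aws:guardduty:us-east-1:${SAMPLE_ACCOUNT}:detector/a4b86f26fa42e7e7cf0d1c333ea77777`;
const SAMPLE_KEY_ARN = `arn:aws:kms:us-east-1:${SAMPLE_ACCOUNT}:key/11111111-2222-3333-4444-555555555555`;

const hardenedBucketPolicy = buildBucketPolicy("arn:aws:s3:::example", SAMPLE_ACCOUNT, SAMPLE_DETECTOR_ARN, SAMPLE_KEY_ARN);
const hardenedKeyPolicy = buildKeyPolicy(SAMPLE_ACCOUNT, SAMPLE_DETECTOR_ARN, `arn:aws:iam::${SAMPLE_ACCOUNT}:role/KmsKeyAdmin`);

console.log("open policy flagged:", unconditionedGuardDutyGrants(openBucketPolicy));
console.log("hardened bucket policy flagged:", unconditionedGuardDutyGrants(hardenedBucketPolicy));
console.log("hardened key policy flagged:", unconditionedGuardDutyGrants(hardenedKeyPolicy));
```

In the CDKTF stack above you would pass `JSON.stringify(buildBucketPolicy(...))` as the `policy` of `S3BucketPolicy` and `JSON.stringify(buildKeyPolicy(...))` as the `policy` of `KmsKey`; bucket ARN, account ID and key ARN are tokens and survive stringification, and the detector ARN has the form `arn:aws:guardduty:<region>:<account>:detector/<detectorId>`. One caveat on the key policy: if the named administrator role is deleted, nobody can manage the key any more, so either keep a root statement for administration or make sure the role is protected.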

Argument Reference

The following arguments are supported:

  • detectorId - (Required) The ID of the GuardDuty detector whose findings are exported.
  • destinationArn - (Required) The ARN of the destination bucket, optionally followed by a prefix under which the findings are exported. The bucket ARN is required; the prefix is optional and defaults to awsLogs/[accountId]/guardDuty/[region]/ if not provided.
  • kmsKeyArn - (Required) The ARN of the KMS key used to encrypt the exported findings. GuardDuty requires exported findings to be encrypted, and the key policy must allow guardduty.amazonaws.com to call kms:GenerateDataKey.
  • destinationType - (Optional) Currently "S3" is the only available destination type, and it is also the default value.

~> Note: If the S3 bucket policy or the KMS key policy does not grant GuardDuty the required permissions, the resource fails to create. If the permissions are changed after creation, the AWS API reports the effect in the Status field of the "DescribePublishingDestination" call (https://docs.aws.amazon.com/cli/latest/reference/guardduty/describe-publishing-destination.html): PUBLISHING means findings are being exported, while UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY means the bucket or key permissions must be repaired.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The detector ID and the PublishingDestination ID joined by a colon. Format: <detectorId>:<publishingDestinationId>

Import

GuardDuty PublishingDestination can be imported using the GuardDuty detector ID (that of the administrator account in a multi-account setup) and the PublishingDestination ID, joined by a colon, e.g.,

$ terraform import aws_guardduty_publishing_destination.test a4b86f26fa42e7e7cf0d1c333ea77777:a4b86f27a0e464e4a7e0516d242f1234