Introducing Amazon GuardDuty Detector Checker: Verify Enablement and Finding Publishing Configurations

dgwhited

Dustin Whited

Posted on October 22, 2024


I am excited to release my latest open-source project: Amazon GuardDuty Detector Checker. This Python-based tool addresses the challenge of validating the configuration of Amazon GuardDuty across multiple regions in your AWS environment. It can also aid in gathering information to import GuardDuty resources to Terraform.

The Problem

Manually checking each region for GuardDuty status, detector IDs, and publishing destinations is time-consuming and prone to oversight, and an unmonitored region is exactly where an attacker's activity goes unnoticed. Importing it all into Terraform helps wrangle GuardDuty and lets organizations quickly roll out new features, such as the recently released Malware Protection for S3: https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-malware-protection-for-amazon-s3/

How Amazon GuardDuty Detector Checker Helps

The tool simplifies this process by automatically:

  1. Listing all enabled regions in your AWS account
  2. Checking GuardDuty status in each enabled region
  3. Retrieving GuardDuty detector IDs where available
  4. Fetching publishing destinations and IDs for enabled detectors

This overview allows security teams to quickly identify gaps in GuardDuty coverage and ensure proper configuration across all regions.

Using the Tool

The Amazon GuardDuty Detector Checker is easy to use and requires minimal setup:

  1. Install from PyPI with pip
    • pip install guardduty-detector-checker
  2. Run the script with an optional AWS profile name
    • guardduty-detector-checker [-p PROFILE]

The tool outputs a JSON-formatted list with one entry per enabled region. Each region maps detector IDs to their publishing destinations; an empty object (as for us-west-2 below) means no detector exists in that region, i.e. GuardDuty is not enabled there.

[
  {
    "us-east-1": {
      "abc123ABC123abc123ABC123abc123AB": [
        {
          "DestinationId": "abcABCdefDEFghiGHIjklJKLmnoMNO12",
          "DestinationType": "S3",
          "Status": "PUBLISHING"
        }
      ]
    }
  },
  {
    "us-west-2": {}
  }
]

These IDs can then be used in Terraform import blocks. The detector imports by its detector ID alone; the publishing destination imports by `detector_id:destination_id`:

resource "aws_guardduty_detector" "this" {
  enable                       = true
  # Valid values use underscores: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  # Note: newer AWS provider releases deprecate the datasources block in
  # favor of aws_guardduty_detector_feature resources; it still works here.
  datasources {
    kubernetes {
      audit_logs {
        enable = var.enable_kubernetes_audit_logs
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = var.enable_malware_protection
        }
      }
    }
    s3_logs {
      enable = var.enable_s3_logs
    }
  }
}

import {
  to = aws_guardduty_detector.this
  id = "abc123ABC123abc123ABC123abc123AB"
}

resource "aws_guardduty_publishing_destination" "this" {
  detector_id     = aws_guardduty_detector.this.id
  destination_arn = var.my_bucket
  kms_key_arn     = var.my_kms_key
}

import {
  to = aws_guardduty_publishing_destination.this
  id = "abc123ABC123abc123ABC123abc123AB:abcABCdefDEFghiGHIjklJKLmnoMNO12"
}
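The four steps above (enabled regions, per-region status, detector IDs, publishing destinations) and the hand-off to Terraform import blocks fit in a short boto3 script. The following is an added example written for this post, not the GuardDuty Detector Checker's own code. It goes a little beyond the tool's output by also flagging coverage gaps (regions with no detector, detectors whose destination is not in PUBLISHING state) and rendering the import blocks. The boto3 client factory is injected so the logic runs offline against the constructed `StubClient` at the bottom, whose sample data is made up; for a real account pass `boto3.Session(profile_name=...).client`. The Terraform resource names it generates (`aws_guardduty_detector.us_east_1` and so on) are an assumed naming convention.

```python
"""Added example: GuardDuty coverage check with injectable boto3 client factory."""
import json
from typing import Any, Callable, Dict, List

# Anything shaped like boto3.Session().client: make_client(service, region_name=...)
ClientFactory = Callable[..., Any]


def _paged(call: Callable[..., Dict[str, Any]], key: str, **params) -> List[Any]:
    """Drain a NextToken-paginated API call and concatenate `key` from every page."""
    items: List[Any] = []
    token = None
    while True:
        resp = call(**params, **({"NextToken": token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def enabled_regions(make_client: ClientFactory) -> List[str]:
    """Step 1: regions this account can use (default regions plus opted-in ones)."""
    ec2 = make_client("ec2", region_name="us-east-1")
    resp = ec2.describe_regions(
        Filters=[{"Name": "opt-in-status", "Values": ["opt-in-not-required", "opted-in"]}]
    )
    return sorted(r["RegionName"] for r in resp["Regions"])


def region_status(make_client: ClientFactory, region: str) -> Dict[str, List[Dict[str, str]]]:
    """Steps 2-4: {detector_id: [destination, ...]}; empty dict means GuardDuty is off."""
    gd = make_client("guardduty", region_name=region)
    status: Dict[str, List[Dict[str, str]]] = {}
    for detector_id in _paged(gd.list_detectors, "DetectorIds"):
        dests = _paged(gd.list_publishing_destinations, "Destinations", DetectorId=detector_id)
        # Keep only the fields the post's JSON output shows.
        status[detector_id] = [
            {k: d[k] for k in ("DestinationId", "DestinationType", "Status")} for d in dests
        ]
    return status


def check_account(make_client: ClientFactory) -> List[Dict[str, Any]]:
    """One {region: status} entry per enabled region, same shape as the tool's output."""
    return [{r: region_status(make_client, r)} for r in enabled_regions(make_client)]


def coverage_gaps(report: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Regions with no detector, and detectors with no destination in PUBLISHING state."""
    gaps: Dict[str, List[str]] = {"no_detector": [], "not_publishing": []}
    for entry in report:
        for region, detectors in entry.items():
            if not detectors:
                gaps["no_detector"].append(region)
            for detector_id, dests in detectors.items():
                if not any(d["Status"] == "PUBLISHING" for d in dests):
                    gaps["not_publishing"].append(f"{region}/{detector_id}")
    return gaps


def terraform_imports(report: List[Dict[str, Any]]) -> str:
    """Render import blocks; resource names derived from the region are an assumption."""
    blocks: List[str] = []
    for entry in report:
        for region, detectors in entry.items():
            label = region.replace("-", "_")
            for detector_id, dests in detectors.items():
                blocks.append(f'import {{\n  to = aws_guardduty_detector.{label}\n  id = "{detector_id}"\n}}')
                for i, d in enumerate(dests):
                    blocks.append(
                        f"import {{\n  to = aws_guardduty_publishing_destination.{label}_{i}\n"
                        f'  id = "{detector_id}:{d["DestinationId"]}"\n}}'
                    )
    return "\n\n".join(blocks)


class StubClient:
    """Constructed stand-in for boto3 clients; the fixture below is sample data, not a real account."""
    FIXTURE: Dict[str, Dict[str, List[Dict[str, Any]]]] = {
        "us-east-1": {"abc123ABC123abc123ABC123abc123AB": [
            {"DestinationId": "abcABCdefDEFghiGHIjklJKLmnoMNO12", "DestinationType": "S3",
             "Status": "PUBLISHING", "PublishingFailureStartTimestamp": 0}]},
        "us-west-2": {},
    }

    def __init__(self, service: str, region_name: str):
        self.region = region_name

    def describe_regions(self, Filters=None):
        return {"Regions": [{"RegionName": r} for r in self.FIXTURE]}

    def list_detectors(self, **_):
        return {"DetectorIds": list(self.FIXTURE[self.region])}

    def list_publishing_destinations(self, DetectorId: str, **_):
        return {"Destinations": self.FIXTURE[self.region][DetectorId]}


if __name__ == "__main__":
    report = check_account(StubClient)  # real run: boto3.Session(profile_name="x").client
    print(json.dumps(report, indent=2))
    print(json.dumps(coverage_gaps(report), indent=2))
    print(terraform_imports(report))
```

Run against a real account the `describe_regions` call needs `ec2:DescribeRegions` and the per-region calls need `guardduty:ListDetectors` and `guardduty:ListPublishingDestinations`; a region that the account has not opted into is never queried because the opt-in-status filter excludes it. To fill in `destination_arn` and `kms_key_arn` for the Terraform resource, `describe_publishing_destination` returns them under `DestinationProperties`.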

The Amazon GuardDuty Detector Checker is available on my GitHub, where you can find documentation, contribute to the project, or adapt it to your specific needs.
