Introducing Amazon GuardDuty Detector Checker: Verify Enablement and Finding Publishing Configurations
Dustin Whited
Posted on October 22, 2024
I am excited to release my latest open-source project: Amazon GuardDuty Detector Checker. This Python-based tool addresses the challenge of validating the configuration of Amazon GuardDuty across multiple regions in your AWS environment. It can also aid in gathering information to import GuardDuty resources to Terraform.
The Problem
Manually checking each region for GuardDuty status, detector IDs, and publishing destinations is time-consuming and prone to oversight. Importing this all to Terraform helps wrangle GuardDuty as well as allow organizations to quickly roll out new features, such as the recently released malware protection for S3 https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-malware-protection-for-amazon-s3/
How Amazon GuardDuty Detector Checker Helps
Our tool simplifies this process by automatically:
- Listing all enabled regions in your AWS account
- Checking GuardDuty status in each enabled region
- Retrieving GuardDuty detector IDs where available
- Fetching publishing destinations and IDs for enabled detectors
This overview allows security teams to quickly identify gaps in GuardDuty coverage and ensure proper configuration across all regions.
Using the Tool
The Amazon GuardDuty Detector Checker is easy to use and requires minimal setup:
- Install via PyPi with pip
pip install guardduty-detector-checker
- Run the script with an optional AWS profile name
guardduty-detector-checker [-p PROFILE]
The tool outputs a JSON-formatted list of GuardDuty status across all enabled regions in the AWS account.
[
{
"us-east-1": {
"abc123ABC123abc123ABC123abc123AB": [
{
"DestinationId": "abcABCdefDEFghiGHIjklJKLmnoMNO12",
"DestinationType": "S3",
"Status": "PUBLISHING"
}
]
}
},
{
"us-west-2": {}
}
]
These IDs can then be used in Terraform import blocks:
resource "aws_guardduty_detector" "this" {
enable = true
finding_publishing_frequency = "FIFTEEN MINUTES"
datasources {
kubernetes {
audit_logs {
enable = var.enable_kubernetes_audit_logs
}
}
malware_protection {
scan_ec2_instance_with_findings {
ebs_volumes {
enable = var.enable_malware_protection
}
}
}
s3_logs {
enable = var.enable_s3_logs
}
}
}
import {
to = aws_guardduty_detector.this
id = "abc123ABC123abc123ABC123abc123AB"
}
resource "aws_guardduty_publishing_destination" "this" {
detector_id = aws_guardduty_detector.this.id
destination_arn = var.my_bucket
kms_key_arn = var.my_kms_key
}
import {
to = aws_guardduty_publishing_destination.this
id = "abc123ABC123abc123ABC123abc123AB:abcABCdefDEFghiGHIjklJKLmnoMNO12"
}
The Amazon GuardDuty Detector Checker is available on my Github, where you can find documentation, contribute to the project, or adapt it to your specific needs.
Posted on October 22, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.