From 5fc32fd9de92e5823657cc11890f95f6c8447173 Mon Sep 17 00:00:00 2001
From: skeudy
Date: Mon, 26 Jun 2023 02:57:27 +0200
Subject: [PATCH] GuardDuty with cloudwatch event and sns topic.

---
 main.tf | 7 +++++++
 modules/GuardDuty/main.tf | 5 +++++
 modules/cloudwatch/main.tf | 33 +++++++++++++++++++++++++++++++++
 modules/cloudwatch/variables.tf | 6 +++++-
 modules/sns/main.tf | 17 +++++++++++++++++
 modules/sns/output.tf | 5 +++++
 modules/sns/variables.tf | 8 ++++++++
 variables.tf | 8 ++++++++
 8 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 modules/GuardDuty/main.tf

diff --git a/main.tf b/main.tf
index d395999..d04dd13 100644
--- a/main.tf
+++ b/main.tf
@@ -81,6 +81,8 @@ module "sns" {
 source = "./modules/sns"
 sns_phone_number = var.sns_phone_number
 sns_email_address = var.sns_email_address
+ sns_phone_number_guard = var.sns_phone_number_guard
+ sns_email_address_guard = var.sns_email_address_guard
 }

 # Cloudwatch monitoring
@@ -92,6 +94,7 @@ module "cloudwatch_alarm" {
 source = "./modules/cloudwatch"
 instance-id = each.value
 sns_topic-arn = module.sns.sns_topic-arn
+ sns_topic-arn-guardduty = module.sns.sns_topic-arn-guardduty
 instance-name = each.key
 }

@@ -108,3 +111,7 @@ module "eks" {
 vpc_cidr_eks = var.vpc_cidr_eks
 subnet_cidr_bits_eks = var.subnet_cidr_bits_eks
 }
+
+module "GuardDuty" {
+ source = "./modules/GuardDuty"
+}
diff --git a/modules/GuardDuty/main.tf b/modules/GuardDuty/main.tf
new file mode 100644
index 0000000..97eb9b0
--- /dev/null
+++ b/modules/GuardDuty/main.tf
@@ -0,0 +1,5 @@
+# Enable GuardDuty option is 'ONE_HOUR' or 'SIX_HOURS' or 'FIFTEEN_MINUTES'
+resource "aws_guardduty_detector" "primary" {
+ enable = true
+ finding_publishing_frequency = "SIX_HOURS"
+}
\ No newline at end of file
diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf
index 440657a..95b8f6c 100644
--- a/modules/cloudwatch/main.tf
+++ b/modules/cloudwatch/main.tf
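Review bot: The new `sns_topic-arn-guardduty` input is passed into `module "cloudwatch_alarm"`, which the surrounding context shows is instantiated once per EC2 instance (`instance-id = each.value`, `instance-name = each.key`; the `for_each` itself is above this hunk), so the `aws_cloudwatch_event_rule "guardduty_finding"` that modules/cloudwatch/main.tf now declares with the fixed `name = "guardduty-finding"` is created once per instance. GuardDuty findings are account/region-wide, not per instance, so with two or more instances the same rule name is either rejected at apply time or, since PutRule is an upsert, silently shared by several state entries, and destroying one instance's alarm module would remove the rule for all of them. Move the rule and its target out of the per-instance module — for example into modules/GuardDuty with the topic ARN passed in as a variable, or a single root-level resource — and drop `sns_topic-arn-guardduty` from the cloudwatch module.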
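Review bot: `finding_publishing_frequency = "SIX_HOURS"` in modules/GuardDuty/main.tf only sets how often updates to an already-reported finding are re-published to EventBridge; a new finding is published regardless of this value, so the comment `# Enable GuardDuty option is 'ONE_HOUR' or ...` describes the wrong thing, and the six-hour choice means repeat activity on an active finding reaches the SNS topic up to six hours late. Suggest `# GuardDuty detector for this account/region. finding_publishing_frequency (FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS) only governs re-publication of updates to existing findings; new findings reach EventBridge immediately.` and exposing the value as a module variable with this default. The detector also takes the provider defaults for its data sources; given the `module "eks"` in main.tf, confirm whether EKS audit-log protection is covered by those defaults or needs to be set explicitly on the detector. The file is also missing its trailing newline.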
@@ -28,4 +28,37 @@ resource "aws_cloudwatch_metric_alarm" "status_check_failed" {
 }
 statistic = "SampleCount"
 threshold = "0.99"
+}
+
+#Create CloudWatch Event Rule triggered by GuardDuty finding
+resource "aws_cloudwatch_event_rule" "guardduty_finding" {
+ name = "guardduty-finding"
+ description = "GuardDuty finding"
+
+ event_pattern = <, State: \"" + } }
\ No newline at end of file
diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf
index ae62f0a..ecc329a 100644
--- a/modules/cloudwatch/variables.tf
+++ b/modules/cloudwatch/variables.tf
@@ -8,4 +8,8 @@ variable "instance-name" {

 variable "sns_topic-arn" {
 description = "ARN of the SNS topic"
-}
\ No newline at end of file
+}
+
+variable "sns_topic-arn-guardduty" {
+ description = "ARN of the SNS topic for GuardDuty alerts"
+}
diff --git a/modules/sns/main.tf b/modules/sns/main.tf
index 8b6f525..56b32c6 100644
--- a/modules/sns/main.tf
+++ b/modules/sns/main.tf
@@ -2,6 +2,11 @@ resource "aws_sns_topic" "topic_ec2" {
 name = "ec2-down-topic"
 }

+#create a SNS topic for GuardDuty alerts
+resource "aws_sns_topic" "guardduty_alerts" {
+ name = "guardduty-alerts"
+}
+
 resource "aws_sns_topic_subscription" "sms_subscription" {
 topic_arn = aws_sns_topic.topic_ec2.arn
 protocol = "sms"
@@ -12,4 +17,16 @@ resource "aws_sns_topic_subscription" "email_subscription" {
 topic_arn = aws_sns_topic.topic_ec2.arn
 protocol = "email"
 endpoint = var.sns_email_address
+}
+
+resource "aws_sns_topic_subscription" "email_subscription_guardduty" {
+ topic_arn = aws_sns_topic.guardduty_alerts.arn
+ protocol = "email"
+ endpoint = var.sns_email_address_guard
+}
+
+resource "aws_sns_topic_subscription" "sms_subscription_guardduty" {
+ topic_arn = aws_sns_topic.guardduty_alerts.arn
+ protocol = "sms"
+ endpoint = var.sns_phone_number_guard
 }
\ No newline at end of file
diff --git a/modules/sns/output.tf b/modules/sns/output.tf
index 6f067b3..c31bef9 100644
--- a/modules/sns/output.tf
+++ b/modules/sns/output.tf
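Review bot: The `event_pattern` heredoc and the target body of the new `guardduty_finding` rule are not legible in this rendering (everything after `event_pattern = <` is swallowed up to `, State: \""`), so the filter itself could not be reviewed; what survives suggests the target formats the message through an `input_transformer`. If the pattern matches every `GuardDuty Finding` with no severity constraint, each low-severity finding is pushed to the SMS subscription on the guardduty topic; state the intended filter in the comment above the rule, e.g. `# Matches all GuardDuty findings (no severity filter); add a detail.severity range if SMS noise becomes a problem.`, or put a severity range in the pattern. The `status_check_failed` alarm whose closing lines open this hunk starts outside it.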
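Review bot: `aws_sns_topic.guardduty_alerts` is created with the default topic policy, which does not grant `sns:Publish` to the EventBridge service principal, so the rule target added in modules/cloudwatch/main.tf cannot deliver to it — EventBridge records a failed invocation and nothing reaches the subscribers, while `terraform apply` succeeds. Add an `aws_sns_topic_policy` on the topic allowing `events.amazonaws.com` to publish, scoped to this topic ARN; an `aws:SourceAccount` condition (or `aws:SourceArn` of the rule, once the rule lives where its ARN is known) keeps rules in other accounts from using the topic.
```hcl
resource "aws_sns_topic" "guardduty_alerts" {
  name = "guardduty-alerts"
}

# EventBridge needs an explicit resource policy to publish GuardDuty findings here.
data "aws_iam_policy_document" "guardduty_alerts_publish" {
  statement {
    sid       = "AllowEventBridgePublish"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.guardduty_alerts.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "guardduty_alerts" {
  arn    = aws_sns_topic.guardduty_alerts.arn
  policy = data.aws_iam_policy_document.guardduty_alerts_publish.json
}

# … unchanged: sms_subscription / email_subscription resources …
```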
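Review bot: The `email` subscription on the guardduty topic stays pending until the recipient clicks the confirmation link SNS mails out, and the `sms` one delivers only if the account has left the SNS SMS sandbox, so a clean `terraform apply` is not evidence that GuardDuty alerts reach anyone. Suggest a comment above `email_subscription_guardduty`: `# Delivers nothing until the recipient confirms the subscription; SMS additionally requires the account to be out of the SNS SMS sandbox.` Generating GuardDuty sample findings once after apply is the cheap way to verify the whole rule-to-subscriber chain end to end.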
@@ -1,4 +1,9 @@
 output "sns_topic-arn" {
 description = "ARN of the SNS topic"
 value = aws_sns_topic.topic_ec2.arn
+}
+
+output "sns_topic-arn-guardduty" {
+ description = "ARN of the SNS topic for GuardDuty alerts"
+ value = aws_sns_topic.guardduty_alerts.arn
 }
\ No newline at end of file
diff --git a/modules/sns/variables.tf b/modules/sns/variables.tf
index 028acd8..569c6c9 100644
--- a/modules/sns/variables.tf
+++ b/modules/sns/variables.tf
@@ -4,4 +4,12 @@ variable "sns_phone_number" {

 variable "sns_email_address" {
 description = "Email address for Email Alerts"
+}
+
+variable "sns_phone_number_guard" {
+ description = "Phone number for SMS Alerts"
+}
+
+variable "sns_email_address_guard" {
+ description = "Email address for Email Alerts"
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 74fb69d..db9d600 100644
--- a/variables.tf
+++ b/variables.tf
@@ -247,6 +247,14 @@ variable "sns_email_address" {
 description = "Email address for Email Alerts"
 }

+variable "sns_phone_number_guard" {
+ description = "Phone number for SMS Alerts"
+}
+
+variable "sns_email_address_guard" {
+ description = "Email address for Email Alerts"
+}
+
 variable "mysql_host" {
 description = "MySQL Host"
 type = string
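Review bot: `sns_phone_number_guard` and `sns_email_address_guard` in modules/sns/variables.tf reuse the existing descriptions word for word ("Phone number for SMS Alerts", "Email address for Email Alerts"), so nothing in `terraform plan` or generated module docs tells the operator which input feeds the GuardDuty topic rather than the EC2 one; the same copied descriptions appear in the root variables.tf hunk, where the neighbouring `mysql_host` declares `type = string` and the new variables do not. Suggest `description = "Phone number for SMS alerts from the GuardDuty topic"` and `description = "Email address for GuardDuty finding alerts"`, plus `type = string` on both, in both files.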