aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] GuardDuty cannot be enabled for opt-in regions like ap-southeast-4 #214

Closed julian-price closed 1 month ago

julian-price commented 4 months ago

Describe the bug

Opt-in regions such as ap-southeast-4 cannot have GuardDuty deployed because they have different S3 and KMS endpoints. Attempting to deploy the SRA GuardDuty solution through the CfCT with an opt-in region enabled results in a timeout on the rollout of the StackSet, but no information is given on why it has failed.

To Reproduce

Steps to reproduce the behavior:

  1. Enable an opt-in region (e.g. ap-southeast-4)
  2. Deploy the SRA GuardDuty solution via CfCT. The guardduty Python Lambda will attempt to create detectors in each enabled region in the Control Tower.
  3. After the MAX_RUN_COUNT (5 minutes) has been exceeded, the Lambda will fail with an error saying "GuardDuty Detectors did not get created in the allowed time. Check the Org Management delegated admin setup."

Expected behavior

The guardduty Lambda will create detectors in all enabled regions, whether opt-in or not. If errors do occur, then clear concise log messages will be produced to indicate why the failure occurred.

Deployment Environment (please complete the following information)

Additional context

Once additional logging was added to log ClientErrors in the region_detectors function in the Lambda, it became apparent that specific endpoints were needed for GuardDuty in the rGuardDutyDeliveryS3BucketPolicy and rGuardDutyDeliveryKey policy statements. Adding guardduty.ap-southeast-4.amazonaws.com in addition to guardduty.amazonaws.com allowed the guardduty Lambda to complete successfully and create detectors in each enabled region.
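One way to check a delivery bucket or KMS key policy statement for the regional GuardDuty principals described above, written here as an added example rather than code from the SRA repository: the sample statement, the placeholder bucket ARN and the set of opt-in regions are constructed inputs, and the helper names are mine.

```python
import copy

GLOBAL_PRINCIPAL = "guardduty.amazonaws.com"

# Constructed sample resembling a GuardDuty delivery bucket policy statement
# before the fix: only the global service principal is allowed.
SAMPLE_STATEMENT = {
    "Sid": "AllowGuardDutyPutObject",
    "Effect": "Allow",
    "Principal": {"Service": [GLOBAL_PRINCIPAL]},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::EXAMPLE-guardduty-delivery-bucket/*",
}


def required_guardduty_principals(enabled_regions, opt_in_regions):
    """Service principals the statement must allow for these regions.

    The global principal is always required; every enabled region that is an
    opt-in region additionally needs guardduty.<region>.amazonaws.com, which is
    the endpoint difference this issue ran into for ap-southeast-4.
    """
    principals = {GLOBAL_PRINCIPAL}
    for region in enabled_regions:
        if region in opt_in_regions:
            principals.add(f"guardduty.{region}.amazonaws.com")
    return principals


def _service_list(statement):
    # Principal.Service may be a single string or a list in IAM policy JSON.
    service = statement.get("Principal", {}).get("Service", [])
    return [service] if isinstance(service, str) else list(service)


def missing_principals(statement, enabled_regions, opt_in_regions):
    """Principals the statement lacks; empty set means the policy is sufficient."""
    required = required_guardduty_principals(enabled_regions, opt_in_regions)
    return required - set(_service_list(statement))


def patch_statement(statement, enabled_regions, opt_in_regions):
    """Return a copy of the statement with every required principal added."""
    patched = copy.deepcopy(statement)
    required = required_guardduty_principals(enabled_regions, opt_in_regions)
    merged = set(_service_list(patched)) | required
    patched.setdefault("Principal", {})["Service"] = sorted(merged)
    return patched
```

The same check applies unchanged to the KMS key policy statement, since both use the same Principal.Service shape.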

liamschn commented 1 month ago

Resolved with merge #224