Support GuardDuty Protection Features

[RoseSecurity]

Why

• Upgrades the GuardDuty component to support processing a stream of events (VPC flow logs, DNS logs, AWS CloudTrail, etc.) before analyzing these events to identify potential security threats and generate findings. Historically, GuardDuty protections were called dataSources in the APIs. However, after March 2023, new GuardDuty protection types are now configured as features and not dataSources.

What

• This PR directly adds support for RDS login monitoring, but the component can now configure GuardDuty detection features such as S3 data events, EKS audit logs, RDS login events, EKS runtime monitoring, Lambda network, logs, and EC2 runtime monitoring.

• [ ] Bug fix (non-breaking change which fixes an issue)

• [X] New feature (non-breaking change which adds functionality)

• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)

• [ ] This change requires a documentation update

Usage

components:
  terraform:
    guardduty/defaults:
      metadata:
        component: compliance/guardduty
        type: abstract
      vars:
        detector_feature:
          rds_protection:
            feature_name: "RDS_LOGIN_EVENTS"
            status: "ENABLED"

Testing

• Notable comments:

  • Deleting this resource does not disable the detector feature, the resource in simply removed from state instead
  • Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources

• [X] Validated with atmos validate stacks

• [X] Performed successful atmos terraform plan on component

References

• Terraform Docs
• Detector Feature Configuration
• Additional Configuration