hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Support for delegated administrator permissions on GuardDuty Malware Protection #30475

Open stimmerman opened 1 year ago

stimmerman commented 1 year ago

Description

We're using both the aws_guardduty_organization_admin_account resource and the aws_guardduty_organization_configuration resource in a configuration like this:

// AWS GuardDuty - Management account configuration
resource "aws_guardduty_organization_admin_account" "audit" {
  count = var.aws_guardduty.enabled == true ? 1 : 0

  admin_account_id = var.control_tower_account_ids.audit
}

// AWS GuardDuty - Audit account configuration
resource "aws_guardduty_organization_configuration" "default" {
  count    = var.aws_guardduty.enabled == true ? 1 : 0
  provider = aws.audit

  auto_enable = var.aws_guardduty.enabled
  detector_id = aws_guardduty_detector.audit.id

  datasources {
    kubernetes {
      audit_logs {
        enable = var.aws_guardduty.datasources.kubernetes
      }
    }

    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = var.aws_guardduty.datasources.malware_protection
        }
      }
    }

    s3_logs {
      auto_enable = var.aws_guardduty.datasources.s3_logs
    }
  }

  depends_on = [aws_guardduty_organization_admin_account.audit]
}

resource "aws_guardduty_detector" "audit" {
  provider = aws.audit

  enable                       = var.aws_guardduty.enabled
  finding_publishing_frequency = var.aws_guardduty.finding_publishing_frequency
  tags                         = var.tags

  datasources {
    s3_logs {
      enable = true
    }
  }
}

This will result in the following error:

Error: error updating GuardDuty Organization Configuration (eac3a8461df949916b3df56d9d921c76): BadRequestException: The request failed because you do not have required AWS Organization master permission. { RespMetadata: { StatusCode: 400, RequestID: "7494a43d-1a10-461f-9496-fd51f8e42fe8" }, Message_: "The request failed because you do not have required AWS Organization master permission.", Type: "InvalidInputException" }

To resolve that error you need to switch on the "Allow delegated administrator to attach relevant permissions to enable Malware Protection for member accounts." option, as shown in the screenshot (image not reproduced here).

The "Learn more" links to: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html#configure-malware-protection-multi-account

AWS CLI command for enabling this toggle is:

aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com

It would be great if the aws_guardduty_organization_admin_account resource could get support for managing this.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_guardduty_organization_admin_account" "example" {
  depends_on = [aws_organizations_organization.example]

  admin_account_id             = "123456789012"
  delegate_malware_permissions = true
}

References

Would you like to implement a fix?

No

roberth-k commented 1 year ago

@stimmerman The aws_guardduty_organizations_organization resource itself isn't responsible for enabling or disabling services at the organization level; this should be configured at the aws_organizations_organization level. For example, see the following acceptance test:

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/guardduty/organization_configuration_test.go#L291

// Needed for the dns_suffix reference below (aws / aws-cn / aws-us-gov partitions).
data "aws_partition" "current" {}

resource "aws_organizations_organization" "test" {
  // Trusting both principals is what lets the delegated administrator
  // enable Malware Protection for member accounts.
  aws_service_access_principals = [
    "guardduty.${data.aws_partition.current.dns_suffix}",
    "malware-protection.guardduty.${data.aws_partition.current.dns_suffix}",
  ]

  feature_set = "ALL"
}

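
The full wiring that the two comments above describe, as an added example that is not code from the issue or from the provider's test suite: the management account trusts the GuardDuty and Malware Protection service principals (the Terraform equivalent of the `enable-aws-service-access` CLI call in the issue), delegates GuardDuty administration, and the delegated administrator then turns on malware protection organization-wide. The account ID `111111111111`, the `aws.audit` provider alias, the region and the `OrganizationAccountAccessRole` role name are placeholders.

```hcl
# Added example (not from the issue or the provider). Account ID, role name,
# region and provider alias are placeholders; replace them for your organization.

data "aws_partition" "current" {}

# Management account: the organization must trust both service principals
# before a delegated administrator can enable Malware Protection for members.
# Without malware-protection.guardduty.* the organization-configuration update
# fails with "you do not have required AWS Organization master permission".
resource "aws_organizations_organization" "this" {
  aws_service_access_principals = [
    "guardduty.${data.aws_partition.current.dns_suffix}",
    "malware-protection.guardduty.${data.aws_partition.current.dns_suffix}",
  ]

  feature_set = "ALL"
}

# Management account: delegate GuardDuty administration to the audit account.
# depends_on makes sure the service access above exists first.
resource "aws_guardduty_organization_admin_account" "audit" {
  depends_on = [aws_organizations_organization.this]

  admin_account_id = "111111111111" # placeholder: audit / delegated admin account
}

# Delegated administrator (audit) account, reached via an assumed role.
provider "aws" {
  alias  = "audit"
  region = "eu-west-1" # placeholder

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole" # placeholder
  }
}

resource "aws_guardduty_detector" "audit" {
  provider = aws.audit

  enable = true
}

# Delegated administrator: auto-enable GuardDuty and EBS malware scanning for
# every member account. This is the call that needed the extra service principal.
resource "aws_guardduty_organization_configuration" "audit" {
  provider   = aws.audit
  depends_on = [aws_guardduty_organization_admin_account.audit]

  auto_enable = true
  detector_id = aws_guardduty_detector.audit.id

  datasources {
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}
```

If the organization already exists (it almost always does), run `terraform import aws_organizations_organization.this <organization-id>` before the first apply, otherwise Terraform will try to create a second organization and fail. Enabling a service principal is an organization-wide trust grant, so review the list with `aws organizations list-aws-service-access-for-organization` from the management account after the apply and confirm only the principals you intend are present.
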
schniber commented 6 months ago

@stimmerman: Hello, did you try adding this resource in the management account of your Organization:

resource "aws_organizations_resource_policy" "example" {
  content = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}