Firebreak idea: Setup GuardDuty in AWS Cloud Platform Account

[jasonBirchall]

GOAL:

• Setup GuardDuty in Cloud Platform AWS account
• All managed via terraform in the infrastructure repo.
• Docs, docs, docs
• GuardDuty > slack integration
• Runbook created for events.

SOURCE: https://aws.amazon.com/guardduty/

IDEA/INSPIRATION: https://github.com/ministryofjustice/laa-aws-infrastructure/tree/master/security

[sid-secops]

Reference - https://github.com/trussworks/terraform-aws-guardduty-notifications https://github.com/LeapBeyond/terraform-aws-guardduty

[pwyborn]

• Guardduty set up in Cloud Platform AWS account
• All managed via terraform in the infrastructure (yet to be merged)
• Guarduty > Pagerduty (in hours alerts) > to Slack (#lower-priority-alarms)

[pwyborn]

To Do:

• Documentation
• Set up sub-aws accounts (moj-cp being the master account)
• Consider - how to alert from guardduty only for higher priority alerts (currently alerting for all low/medium/high)

[pwyborn]

All done - however On suggestion of Jason - a restructure of global-resources so that guardduty state is included. Problem with the existing auth0 terraform which Jason is looking into. Once sorted I will run terraform plan/apply again in new location. Maybe terraform destroy before I re-create Please see https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/117

[pwyborn]

1 master + 8 member accounts set up

[pwyborn]

Done - however there is a bug with the iplist. This will be raised as an aws issue So will need a new ticket for this + the next stage to create lambda functions to take action when findings raised (will need to pai with Sid on this)?

[pwyborn]

Reopened to fix iplist bug: https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/147

[pwyborn]

Fixed (Thank you Sid)