CCM-8572: use guardduty event, update condition

Author: harrim91

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_scan_result.tf

@@ -0,0 +1,54 @@
+resource "aws_cloudwatch_event_rule" "quarantine_scan_result" {
+  name        = "${local.csi}-quarantine-tags-added"
+  description = "Forwards quarantine 'GuardDuty Malware Protection Object Scan Result' events for enrichment"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_to_enrichment" {
+  rule     = aws_cloudwatch_event_rule.quarantine_scan_result.name
+  arn      = module.sqs_quarantine_scan_enrichment.sqs_queue_arn
+  role_arn = aws_iam_role.quarantine_scan_to_enrichment.arn
+}
+
+resource "aws_iam_role" "quarantine_scan_to_enrichment" {
+  name               = "${local.csi}-quarantine-scan-to-enrichment"
+  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
+}
+
+resource "aws_iam_role_policy" "quarantine_scan_to_enrichment" {
+  name   = "${local.csi}-quarantine-scan-to-enrichment"
+  role   = aws_iam_role.quarantine_scan_to_enrichment.id
+  policy = data.aws_iam_policy_document.quarantine_scan_to_enrichment.json
+}
+
+data "aws_iam_policy_document" "quarantine_scan_to_enrichment" {
+  version = "2012-10-17"
+
+  statement {
+    sid       = "AllowSQSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [module.sqs_quarantine_scan_enrichment.sqs_queue_arn]
+  }
+
+  statement {
+    sid    = "AllowKMS"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [var.kms_key_arn]
+  }
+}

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_quarantine_tags_added.tf

@@ -4,15 +4,14 @@ resource "aws_cloudwatch_event_rule" "virus_scan_failed" {
 
   event_pattern = jsonencode({
     source      = ["templates.${var.environment}.${var.project}"]
-    detail-type = ["object-tags-enriched"]
+    detail-type = ["quarantine-scan-result-enriched"]
     detail = {
-      bucket = {
-        name = [module.s3bucket_quarantine.id]
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
       }
-      object = {
-        tags = {
-          GuardDutyMalwareScanStatus = [{ anything-but = "NO_THREATS_FOUND" }]
-        }
+      scanResultDetails = {
+        scanResultStatus = [{ anything-but = "NO_THREATS_FOUND" }]
       }
     }
   })

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_failed.tf

@@ -1,18 +1,17 @@
 resource "aws_cloudwatch_event_rule" "virus_scan_passed" {
   name        = "${local.csi}-virus-scan-passed"
-  description = "Forwards enriched events to SQS from quarantine bucket where GuardDuty virus scan has passed with no threats"
+  description = "Forwards enriched events from quarantine bucket where GuardDuty virus scan has passed with no threats"
 
   event_pattern = jsonencode({
     source      = ["templates.${var.environment}.${var.project}"]
-    detail-type = ["object-tags-enriched"]
+    detail-type = ["quarantine-scan-result-enriched"]
     detail = {
-      bucket = {
-        name = [module.s3bucket_quarantine.id]
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
       }
-      object = {
-        tags = {
-          GuardDutyMalwareScanStatus = ["NO_THREATS_FOUND"]
-        }
+      scanResultDetails = {
+        scanResultStatus = ["NO_THREATS_FOUND"]
       }
     }
   })

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_virus_scan_passed.tf

@@ -1,10 +1,10 @@
 resource "aws_guardduty_malware_protection_plan" "quarantine" {
-  role = aws_iam_role.guardduty.arn
+  role = aws_iam_role.guardduty_quarantine.arn
 
   protected_resource {
     s3_bucket {
       bucket_name     = module.s3bucket_quarantine.id
-      object_prefixes = []
+      object_prefixes = ["pdf-template/", "test-data/"]
     }
   }
 
@@ -14,3 +14,155 @@ resource "aws_guardduty_malware_protection_plan" "quarantine" {
     }
   }
 }
+
+resource "aws_iam_role" "guardduty_quarantine" {
+  name               = "${local.csi}-guardduty-quarantine"
+  description        = "IAM Role for GuardDuty to provide S3 malware protection"
+  assume_role_policy = data.aws_iam_policy_document.guardduty_assumerole.json
+}
+
+resource "aws_iam_role_policy_attachment" "guardduty_quarantine" {
+  role       = aws_iam_role.guardduty_quarantine.name
+  policy_arn = aws_iam_policy.guardduty_quarantine.arn
+}
+
+resource "aws_iam_policy" "guardduty_quarantine" {
+  name        = "${local.csi}-guardduty"
+  description = "Permissions for GuardDuty to provide S3 malware protection"
+  policy      = data.aws_iam_policy_document.guardduty_quarantine.json
+}
+
+data "aws_iam_policy_document" "guardduty_assumerole" {
+  statement {
+    sid    = "GuardDutyAssumeRole"
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "malware-protection-plan.guardduty.amazonaws.com"
+      ]
+    }
+  }
+}
+
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "guardduty_quarantine" {
+  statement {
+    sid    = "AllowManagedRuleToSendS3EventsToGuardDuty"
+    effect = "Allow"
+    actions = [
+      "events:PutRule",
+      "events:DeleteRule",
+      "events:PutTargets",
+      "events:RemoveTargets"
+    ]
+    resources = [
+      "arn:aws:events:${var.region}:${var.aws_account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
+    ]
+    condition {
+      test     = "StringLike"
+      variable = "events:ManagedBy"
+      values = [
+        "malware-protection-plan.guardduty.amazonaws.com"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowGuardDutyToMonitorEventBridgeManagedRule"
+    effect = "Allow"
+    actions = [
+      "events:DescribeRule",
+      "events:ListTargetsByRule"
+    ]
+    resources = [
+      "arn:aws:events:${var.region}:${var.aws_account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowPostScanTag"
+    effect = "Allow"
+    actions = [
+      "S3:PutObjectTagging",
+      "S3:GetObjectTagging",
+      "S3:PutObjectVersionTagging",
+      "S3:GetObjectVersionTagging"
+    ]
+
+    resources = [
+      "${module.s3bucket_quarantine.arn}/*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowEnableS3EventBridgeEvents"
+    effect = "Allow"
+    actions = [
+      "s3:PutBucketNotification",
+      "s3:GetBucketNotification"
+    ]
+    resources = [
+      module.s3bucket_quarantine.arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowPutValidationObject"
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${module.s3bucket_quarantine.arn}/malware-protection-resource-validation-object"
+    ]
+  }
+
+  statement {
+    sid    = "AllowCheckBucketOwnership"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      module.s3bucket_quarantine.arn
+    ]
+  }
+  statement {
+    sid    = "AllowMalwareScan"
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion"
+    ]
+
+    resources = [
+      "${module.s3bucket_quarantine.arn}/*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSDecrypt"
+    effect = "Allow"
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt"
+    ]
+    resources = [
+      var.kms_key_arn
+    ]
+    condition {
+      test     = "StringLike"
+      variable = "kms:ViaService"
+      values = [
+        "s3.*.amazonaws.com"
+      ]
+    }
+  }
+}