- Enable configurable GuardDuty detector at account level
- Add S3 malware protection with automatic object tagging
- Block S3 access to objects tagged with THREATS_FOUND
doshitan
left a comment
Updated naming seems odd, I think these are separate words?
- threatdetection -> threat_detection
- malwaredetection -> malware_detection
We need docs describing capabilities and how to configure.
allowed_actions = [for aws_service in module.project_config.aws_services : "${aws_service}:*"]
}

# GuardDuty module - account-wide security detector
This is account-wide, but region specific. template-infra only really supports project_config.default_region + us-east-1 (for things that require existing there), but in the future we will have greater support for multi-region configs.
We could lay some groundwork for that with a local var like utilized_regions = distinct([local.region, 'us-east-1']) and create instances of the module for each region? Or have the module accept a list of regions.
Thoughts?
Agree. Thoughts on adding utilized_regions as a list type variable, in project-config defaulting to default_region? I just added it, and tried to use it within the threatdetection module - had to revert the threatdetection work - the current Terraform AWS Provider we are using ("5.6.0") does not support specifying region on the aws_guardduty_detector. This was added in the latest version of the AWS Terraform provider. Added TODO comments in infra/modules/threatdetection.
Can you please create issues in template-infra (if they don't exist) for:
- AWS provider update
- Multi-region support for GuardDuty setup
Then link the latter here.
actions = ["s3:*"]
resources = [
  aws_s3_bucket.storage.arn,
  "${aws_s3_bucket.storage.arn}/*"
This change seems unrelated? Can you break it out into a separate PR?
Took it out of this PR, and will be addressing it on a new PR.
doshitan
left a comment
Main feedback from previous review has not been addressed: #258 (review)
sid     = "RestrictToTLSRequestsOnly"
effect  = "Deny"
actions = ["s3:*"]
These formatting changes seem unrelated, remove?
Ticket
Resolves #965
Changes
Add malware scanning to the Infra Template Storage module:
Clean File Upload/Download Test

1. Upload clean document
   echo "Testing #965" >> 965.tst.txt
   aws s3 cp 965.tst.txt s3://<workspace>-platform-test-app-dev
2. Verify document uploaded and tag applied
   aws s3api get-object-tagging --bucket <workspace>-platform-test-app-dev --key 965.tst.txt
3. Verify you can download file
   aws s3 cp s3://<workspace>-platform-test-app-dev/965.tst.txt ./965.tst.txt

Malware Detection Test

1. Use EICAR test file (standard malware test string)
   echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.txt
2. Upload test malware
   aws s3 cp eicar.txt s3://<workspace>-platform-test-app-dev
3. Verify threat tag
   aws s3api get-object-tagging --bucket <workspace>-platform-test-app-dev --key eicar.txt
4. Verify you cannot download the file
   aws s3 cp s3://<workspace>-platform-test-app-dev/eicar.txt ./eicar.txt
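As an added example (not this PR's own code), the "block access to objects tagged THREATS_FOUND" step expressed as a bucket-policy Deny in Terraform. It assumes the bucket resource is aws_s3_bucket.storage (the name used in the diff above) and keys off the GuardDutyMalwareScanStatus object tag that GuardDuty Malware Protection for S3 writes; in the template's storage module this statement would be added to the existing policy document beside RestrictToTLSRequestsOnly, since a bucket can carry only one bucket policy.

```hcl
# Added example: deny reads of objects GuardDuty has flagged as malware.
# Assumptions: aws_s3_bucket.storage exists; GuardDuty Malware Protection
# is enabled for the bucket and tags scanned objects with
# GuardDutyMalwareScanStatus (THREATS_FOUND on a positive scan).

data "aws_iam_policy_document" "block_threats_found" {
  statement {
    sid    = "DenyReadOfThreatsFoundObjects"
    effect = "Deny"

    # Applies to every principal, including account admins; tagging and
    # deletion stay allowed so the object can still be quarantined/removed.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]

    resources = ["${aws_s3_bucket.storage.arn}/*"]

    # Evaluated against the tag already on the object at request time.
    condition {
      test     = "StringEquals"
      variable = "s3:ExistingObjectTag/GuardDutyMalwareScanStatus"
      values   = ["THREATS_FOUND"]
    }
  }
}

resource "aws_s3_bucket_policy" "block_threats_found" {
  bucket = aws_s3_bucket.storage.id
  policy = data.aws_iam_policy_document.block_threats_found.json
}
```

With this in place the EICAR step above should end with get-object-tagging returning THREATS_FOUND while the aws s3 cp download fails with AccessDenied. Objects not yet scanned carry no tag and remain readable until the scan completes, so a scan-status check on the consuming side is still needed if that window matters.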