(enhancement): Add GuardDuty Kubernetes Protection #1058
Conversation
| await updateMemberDataSource(requiredMemberAccounts, detectorId, s3Protection); | ||
| } | ||
|
|
||
| await updateMemberDataSource(existingMembers, detectorId, s3Protection, eksProtection); |
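Review bot: the call now iterates over `existingMembers` instead of `requiredMemberAccounts`; confirm that members created earlier in the same invocation are part of `existingMembers` (or keep a second call over `requiredMemberAccounts`), otherwise accounts added in this run get neither S3 nor EKS protection until the next run. Since `updateMemberDataSource` now takes `eksProtection`, the result should also be checked rather than discarded, as `UpdateMemberDetectors` reports failures per account in `UnprocessedAccounts` instead of throwing.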
Moved updateMemberDataSource outside the previous if statement and updated to iterate over all existing members. This will enable EKS for existing members. Without this, it will only get enabled on new accounts.
| } | ||
|
|
||
| async function updateMemberDataSource(memberAccounts: AccountDetail[], detectorId: string, s3Protection: boolean) { | ||
| if (s3Protection) { |
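Review bot: dropping the `if (s3Protection)` guard is the right fix, but only if the request body now sends `S3Logs: { Enable: s3Protection }` with an explicit boolean for every member; omitting the key when `s3Protection` is false leaves a member that was enabled out of band untouched, which is the same drift the removed check caused. The new `eksProtection` parameter should be handled the same way (`Kubernetes: { AuditLogs: { Enable: eksProtection } }`), and the signature line in this hunk should gain a short doc comment stating that both flags are applied unconditionally to all members passed in.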
It's not clear why this statement was here. I feel that this would have originally not enabled S3 protection on existing members if it was previously not enabled. Removing this check.
| "@aws-accelerator/custom-resource-runtime-cfn-response": "workspace:*", | ||
| "aws-lambda": "1.0.6", | ||
| "aws-sdk": "2.944.0" | ||
| "aws-sdk": "2.1217.0" |
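Review bot: the exact pin is good; make sure the pnpm lockfile is updated in the same change and that any other workspace package that bundles `aws-sdk` is moved to the same version, otherwise the workspace resolves two copies of the SDK and the minimum-version reasoning in the review comment only holds for this one package.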
I had to bump up the sdk version as 2.944.0 does not contain the GuardDuty Kubernetes API.
| "main": "dist/index.js", | ||
| "types": "src/index.ts", | ||
| "scripts": { | ||
| "build": "pnpx esbuild --minify --bundle --platform=node --target=node14 --external:aws-sdk --outfile=./dist/index.js src/index.ts", |
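Review bot: `--external:aws-sdk` and "this Lambda bundles the SDK library" cannot both be true; if this line is the one being removed, good, because with the external flag esbuild leaves `require('aws-sdk')` unresolved and the function falls back to the runtime's built-in SDK (2.1055.0 per the comment), which predates the Kubernetes data source and would fail the `updateMemberDetectors` call at runtime. If the flag is being kept, the package.json bump alone does not help; also note that bundling the SDK grows the artifact, so the deployed size should be checked against the Lambda limit.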
The current Lambda runtime includes Node.js AWS SDK v2.1055.0, but GuardDuty EKS was introduced in v2.1063.0. Therefore, this Lambda bundles the SDK library.
* exponential backoff fix
* exponential backoff fix
* Fixed backoff for lambdas
* added backoff in other location
* fixed lambda timeouts and added timeout aspect
* fixed typo
* tweak default max jitter delay to 2s from 5s

Co-authored-by: hickeydh-aws <hickeydh@amazon.com>
Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

* added Elastic Beanstalk entry to FAQ
* Update index.md

Co-authored-by: Jahnke <ejahnke@909c4acec9cf.ant.amazon.com>

* added CW Alarms
* fix typo

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>
dliggat left a comment
LGTM @rjjaegeraws. Just verified feature in a test environment including region disabling.
…les#1057) * add frequency for GuardDuty * update sample config files with new config option
…ironment-accelerator-1 into guardduty_eks
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
This pull request implements two new configuration values, "guardduty-eks" and "guardduty-eks-excl-regions".
example:
This enables GuardDuty Kubernetes Protection.
Note this PR builds on #1057
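The following is an added example, not code from this PR or from the aws-accelerator project. It shows the request shape that enabling S3 and Kubernetes (EKS audit log) protection on GuardDuty member accounts takes, why the `Enable` flag has to be sent as an explicit boolean for existing members (the point behind removing the `if (s3Protection)` check above), how a "guardduty-eks-excl-regions" style list trims the region set, and how members that GuardDuty reports back as unprocessed are surfaced rather than dropped. The `MemberDetectorClient` interface and `RecordingClient` stub are hypothetical stand-ins for the aws-sdk v2 `GuardDuty` client so the logic runs offline; the batch size of 50 is the documented per-call limit on `AccountIds` for `UpdateMemberDetectors`, and the member IDs and region lists are constructed sample input.

```typescript
// Added example (not the PR's or the accelerator's code). Plans and applies
// UpdateMemberDetectors calls that set S3 and Kubernetes protection on members.

interface GuardDutyDataSources {
  S3Logs: { Enable: boolean };
  Kubernetes: { AuditLogs: { Enable: boolean } };
}

interface UpdateMemberDetectorsRequest {
  DetectorId: string;
  AccountIds: string[];
  DataSources: GuardDutyDataSources;
}

interface UnprocessedAccount {
  AccountId: string;
  Result: string;
}

// Hypothetical minimal client surface (assumption). With the real SDK this is
// new AWS.GuardDuty({ region }).updateMemberDetectors(req).promise().
interface MemberDetectorClient {
  updateMemberDetectors(req: UpdateMemberDetectorsRequest): Promise<{ UnprocessedAccounts: UnprocessedAccount[] }>;
}

// UpdateMemberDetectors accepts at most 50 account IDs per request.
const MAX_ACCOUNTS_PER_CALL = 50;

// Always send an explicit boolean. Guarding the update behind `if (s3Protection)`
// would leave a member whose feature was switched off out of band in that state;
// sending Enable: true/false drives every member to the configured state.
function buildDataSources(s3Protection: boolean, eksProtection: boolean): GuardDutyDataSources {
  return {
    S3Logs: { Enable: s3Protection },
    Kubernetes: { AuditLogs: { Enable: eksProtection } },
  };
}

// Regions to enable = managed regions minus the exclusion list. Exclusions that
// match no managed region are reported so a typo in the config is visible
// instead of silently excluding nothing.
function regionsToEnable(managedRegions: string[], exclRegions: string[]): { enable: string[]; unknownExclusions: string[] } {
  const managed = new Set(managedRegions);
  const excl = new Set(exclRegions);
  return {
    enable: managedRegions.filter(r => !excl.has(r)),
    unknownExclusions: exclRegions.filter(r => !managed.has(r)),
  };
}

function chunk<T>(items: T[], size: number): T[][] {
  const out: T[][] = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Pure planner: one request per batch so a detector with many members never
// exceeds the per-call limit. Kept separate from I/O so it can be asserted on.
function planMemberDetectorUpdates(detectorId: string, memberAccountIds: string[], s3Protection: boolean, eksProtection: boolean): UpdateMemberDetectorsRequest[] {
  const dataSources = buildDataSources(s3Protection, eksProtection);
  return chunk(memberAccountIds, MAX_ACCOUNTS_PER_CALL).map(AccountIds => ({ DetectorId: detectorId, AccountIds, DataSources: dataSources }));
}

// Executes the plan and returns the members GuardDuty could not update; the API
// reports these in UnprocessedAccounts rather than throwing, so the caller must
// look at them or the failure is invisible.
async function applyMemberDetectorUpdates(client: MemberDetectorClient, plan: UpdateMemberDetectorsRequest[]): Promise<UnprocessedAccount[]> {
  const failed: UnprocessedAccount[] = [];
  for (const req of plan) {
    const resp = await client.updateMemberDetectors(req);
    failed.push(...(resp.UnprocessedAccounts ?? []));
  }
  return failed;
}

// Constructed stub client: records each request and "fails" the chosen accounts.
class RecordingClient implements MemberDetectorClient {
  calls: UpdateMemberDetectorsRequest[] = [];
  private readonly failing: string[];
  constructor(failing: string[] = []) {
    this.failing = failing;
  }
  async updateMemberDetectors(req: UpdateMemberDetectorsRequest): Promise<{ UnprocessedAccounts: UnprocessedAccount[] }> {
    this.calls.push(req);
    return {
      UnprocessedAccounts: req.AccountIds.filter(a => this.failing.includes(a)).map(AccountId => ({ AccountId, Result: 'stub: not a member' })),
    };
  }
}

// Constructed sample input: 120 member accounts, three managed regions, one excluded.
const sampleMembers: string[] = Array.from({ length: 120 }, (_, i) => String(111111111100 + i));
const sampleRegions = regionsToEnable(['us-east-1', 'us-west-2', 'ca-central-1'], ['ca-central-1']);
const samplePlan = planMemberDetectorUpdates('det-1', sampleMembers, true, true);
```

In the Lambda, `samplePlan` would be applied once per region in `sampleRegions.enable`, and a non-empty result from `applyMemberDetectorUpdates` should fail the custom resource (or at least be logged per account) so a member that silently kept EKS protection off is not reported as success.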