https://pulumi.com logo
Title
f

freezing-umbrella-71201

03/01/2023, 2:19 AM
hey everyone, I am trying to set up a cloudwatch EventRule for
guardDuty
findings. I am following this link
<https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html#guardduty_findings_cloudwatch_multiaccount>
- here we can see that we have to specify all the member
accountIds
(i am running from the admin account). is there an easier way to specify the member accounts? without having to type them all? My code so far:
const cloudwatchEventRule = new aws.cloudwatch.EventRule(
    "XXXXXXXXX",
    {
      description: "CloudWatch event rule to trigger on GuardDuty Findings",
      isEnabled: true,
      eventPattern: JSON.stringify({
        source: ["aws.guardduty"],
        detailType: ["GuardDuty Finding"],
        detail: {
          accountId: ["AWS"],
          severity: Array.from({ length: 55 }, (_, i) => 4 + i * 0.1), // [4, 4.1, 4.2, 4.3 ..., 8.9]
        },
      }),
    }
  );
l

little-cartoon-10569

03/01/2023, 2:25 AM
No. If you use Organizations, you could load yours and iterate over the accounts, but presumably you don't want to enable Guard Duty for all accounts (no one is that rich!). List the accountIds you want to use as an array in you Pulumi stack config file.
f

freezing-umbrella-71201

03/01/2023, 2:32 AM
Hey, thank you for your reply!! we dont have that many accounts tbh - but we do use organisations so I can add that for now! What would the recommended method be? I need to feed GuardDuty findings into CloudWatch logs and was told to also include member accounts of our org
l

little-cartoon-10569

03/01/2023, 2:38 AM
Guard Duty is pretty expensive. The accounts that can affect your "live" systems, and accounts with direct access to them, are good places to start with Guard Duty. If you have an account that devs use for deploying test environments, or accounts that just contain non-critical resources (maybe your VPC logs from other systems? stuff like that), they don't need Guard Duty.
If you're getting things going, start with a collection of account ids, and add Organizations later. There's no real value in that, it's just an exercise in completeness.
The sooner you have 1 account with Guard Duty set up using Pulumi, the better. Then iterate and improve.
f

freezing-umbrella-71201

03/01/2023, 2:43 AM
Thank you - some really good notes here - ill give it a go with setting up 1 account then try and split the account types up! cheers
🙂
Hey @little-cartoon-10569 I had this setup with just one account ID earlier today and now have a need to have it managed by a organization so all member accounts are affected. In my code below, I create the organizationConfig but when running, I get this error
BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
Is my understanding correct that as we already have an existing organisation, we just need the config? Thank you!
for (const region of regions) {
    const provider = new aws.Provider(region, { region });

    const detector = new aws.guardduty.Detector(
      region,
      {
        enable: true,
        findingPublishingFrequency: "FIFTEEN_MINUTES",
      },
      { provider }
    );

    new aws.guardduty.OrganizationConfiguration(
      `guardduty-organization-${region}`,
      {
        autoEnable: true,
        detectorId: detector.id,
        datasources: {
          malwareProtection: {
            scanEc2InstanceWithFindings: {
              ebsVolumes: { autoEnable: true },
            },
          },
          s3Logs: {
            autoEnable: true,
          },
        },
      },
      { provider }
    );
}
the code for the cloudwatch EventRule is the same except removal of
accountId
and addition of a provider
l

little-cartoon-10569

03/02/2023, 2:16 AM
I'm not sure where the error message is coming from. It might be that "findingPublishingFrequency" doesn't like that constant?
I'm not really an expert on Organizations, but as I understand it, the Organization is only in your org account. Would that mean that OrganizationConfiguration should always be in that account? You may need to read up on that. If it is supposed to always be in the org account, then you're passing in the wrong provider there.
Yea, the API docs seem to imply that you're using the wrong provider:
The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the aws.guardduty.OrganizationAdminAccount resource.
However that won't fix your current error, I think. It's just another error waiting for you later 🙂