This is a part of the Garrison security project. This agent provides mirroring of the AWS GuardDuty alerts and other basic checks.
| Function Name | Description |
|---|---|
check_enabled |
Alerts if GuardDuty is not enabled in the region. |
check_findings |
Retrieves all non-archived findings from GuardDuty. |
Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-guardduty/
docker pull forward3d/garrison-agent-aws-guardduty
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-guardduty check_enabled
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" -e "GARRISON_AWS_REGIONS=eu-west-1,us-west-2" forward3d/garrison-agent-aws-guardduty check_enabled
These are additional specific configuration options for this agent. Global agent configurations still apply.
| Environmental Variable | Default | Expects |
|---|---|---|
GARRISON_AWS_REGIONS |
all [1] |
Comma Separated Strings eg. eu-west-1,us-west-2 |
- Standard AWS Regions as returned by the AWS SDK at runtime for GuardDuty.
As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"guardduty:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:GetDetector"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.