turbot/steampipe-mod-aws-compliance

Control: 12 GuardDuty ECS Runtime Monitoring should be enabled

Description

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on AWS Fargate. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.

In a multi-account environment, this control generates findings only in the delegated GuardDuty administrator account. This is because only the delegated GuardDuty administrator can enable or disable Runtime Monitoring of ECS-Fargate resources for accounts in their organization. GuardDuty member accounts can't do this for their own accounts. In addition, this control generates FAILED findings if GuardDuty is suspended for a member account and Runtime Monitoring of ECS-Fargate resources is disabled for the member account. To receive a PASSED finding, the GuardDuty administrator must disassociate the suspended member account from their administrator account by using GuardDuty.

GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific AWS workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats. This includes Amazon ECS clusters on AWS Fargate.

Remediation

To enable and manage the security agent for GuardDuty Runtime Monitoring of ECS-Fargate resources, you must use GuardDuty directly. You can't enable or manage it manually for ECS-Fargate resources. For information about enabling and managing the security agent, see Prerequisites for AWS Fargate (Amazon ECS only) support and Managing the automated security agent for AWS Fargate (Amazon ECS only) in the Amazon GuardDuty User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_guardduty_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_12 --share

SQL

This control uses a named query:

with ecs_runtime_monitoring as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f,
    jsonb_array_elements(f -> 'AdditionalConfiguration') as c
  where
    f ->> 'Name' = 'RUNTIME_MONITORING'
    and c ->> 'Name' = 'ECS_FARGATE_AGENT_MANAGEMENT'
    and c ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then d.title || ' has ECS runtime monitoring enabled.'
    else d.title || ' has ECS runtime monitoring disabled.'
  end as reason,
  d.region,
  d.account_id
from
  aws_guardduty_detector as d
  left join ecs_runtime_monitoring as m on m.arn = d.arn;
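The same predicate applied outside Steampipe, as an added example that is not part of the mod: it evaluates the Features list that GuardDuty's DescribeDetector API returns (the same `Name`, `Status` and `AdditionalConfiguration` keys the query above reads) and, going one step further than the query, also requires the RUNTIME_MONITORING feature itself to be ENABLED. The sample detectors are constructed, not real account data.

```python
# Added example (not part of steampipe-mod-aws-compliance): evaluate the
# control's ECS Fargate runtime-monitoring predicate against the Features
# list from GuardDuty DescribeDetector (e.g. `aws guardduty get-detector`).
# Stricter than the control's SQL in one respect: the parent
# RUNTIME_MONITORING feature must also be ENABLED, not only the
# ECS_FARGATE_AGENT_MANAGEMENT sub-configuration.

def ecs_runtime_monitoring_status(detector: dict) -> tuple[str, str]:
    """Return (status, reason) in the control's 'ok' / 'alarm' style."""
    features = detector.get("Features") or []
    runtime = next((f for f in features if f.get("Name") == "RUNTIME_MONITORING"), None)
    if runtime is None:
        return "alarm", "RUNTIME_MONITORING feature is not configured on the detector."
    if runtime.get("Status") != "ENABLED":
        return "alarm", "RUNTIME_MONITORING feature is disabled."
    configs = runtime.get("AdditionalConfiguration") or []
    ecs = next((c for c in configs if c.get("Name") == "ECS_FARGATE_AGENT_MANAGEMENT"), None)
    if ecs is None or ecs.get("Status") != "ENABLED":
        return "alarm", "ECS Fargate agent management is disabled."
    return "ok", "ECS runtime monitoring is enabled."


# Constructed sample detectors shaped like DescribeDetector output (not real data).
SAMPLE_DETECTORS = {
    "enabled": {"Features": [{"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
        "AdditionalConfiguration": [
            {"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"},
            {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"}]}]},
    "only_eks": {"Features": [{"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
        "AdditionalConfiguration": [
            {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]}]},
    "parent_disabled": {"Features": [{"Name": "RUNTIME_MONITORING", "Status": "DISABLED",
        "AdditionalConfiguration": [
            {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"}]}]},
    "no_runtime_feature": {"Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]},
}

if __name__ == "__main__":
    for name, det in SAMPLE_DETECTORS.items():
        status, reason = ecs_runtime_monitoring_status(det)
        print(f"{name:20} {status:5} {reason}")
```

Feed it the parsed JSON of `aws guardduty get-detector --detector-id <id>` for each account (the delegated administrator's view in a multi-account setup) to reproduce the control's verdict without a Steampipe connection.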

Tags