Control: GuardDuty ECS runtime monitoring should be enabled
Description
This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on AWS Fargate. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.guardduty_detector_ecs_runtime_monitoring_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.guardduty_detector_ecs_runtime_monitoring_enabled --share
SQL
This control uses a named query:
with ecs_runtime_monitoring as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f,
    jsonb_array_elements(f -> 'AdditionalConfiguration') as c
  where
    f ->> 'Name' = 'RUNTIME_MONITORING'
    and c ->> 'Name' = 'ECS_FARGATE_AGENT_MANAGEMENT'
    and c ->> 'Status' = 'ENABLED'
)
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then title || ' has ECS runtime monitoring enabled.'
    else title || ' has ECS runtime monitoring disabled.'
  end as reason,
  region,
  account_id
from
  aws_guardduty_detector as d
  left join ecs_runtime_monitoring as m on m.arn = d.arn
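The query above walks the detector's features column twice: once over the top-level feature list to find RUNTIME_MONITORING, and once over that feature's AdditionalConfiguration to find the ECS_FARGATE_AGENT_MANAGEMENT entry and check that its Status is ENABLED. The following Python is an added example, not code from the Powerpipe page or the aws_compliance mod; it reproduces the same condition on the shape of the features column (which Steampipe takes from the GuardDuty GetDetector API) and emits the same resource/status/reason columns, so you can see which detector states produce ok versus alarm. The detector records, ARNs and account IDs in it are constructed sample data, and the function names are my own.

```python
"""Evaluate the 'ECS runtime monitoring enabled' condition over GuardDuty detector records.

Added example, not part of the Powerpipe page or the aws_compliance mod. It mirrors the
control's SQL on the `features` column that Steampipe populates from GuardDuty GetDetector
(Features -> AdditionalConfiguration). The detector rows below are constructed samples.
"""
from typing import Any, Optional

RUNTIME_FEATURE = "RUNTIME_MONITORING"
ECS_AGENT_CONFIG = "ECS_FARGATE_AGENT_MANAGEMENT"


def ecs_runtime_monitoring_enabled(features: Optional[list[dict[str, Any]]]) -> bool:
    """True when a RUNTIME_MONITORING feature carries an ENABLED
    ECS_FARGATE_AGENT_MANAGEMENT entry in its AdditionalConfiguration.

    Same condition as the control's CTE: like the query, it keys on the
    agent-management sub-setting and does not consult the feature's own Status.
    A detector with no features column (None) fails, as it would with no CTE match.
    """
    for feature in features or []:
        if feature.get("Name") != RUNTIME_FEATURE:
            continue
        for cfg in feature.get("AdditionalConfiguration") or []:
            if cfg.get("Name") == ECS_AGENT_CONFIG and cfg.get("Status") == "ENABLED":
                return True
    return False


def evaluate_detector(detector: dict[str, Any]) -> dict[str, str]:
    """Produce the columns the control emits: resource, status, reason, region, account_id."""
    enabled = ecs_runtime_monitoring_enabled(detector.get("features"))
    state = "enabled" if enabled else "disabled"
    return {
        "resource": detector["arn"],
        "status": "ok" if enabled else "alarm",
        "reason": f"{detector['title']} has ECS runtime monitoring {state}.",
        "region": detector["region"],
        "account_id": detector["account_id"],
    }


# Constructed sample rows shaped like aws_guardduty_detector (placeholder IDs, not real accounts).
SAMPLE_DETECTORS = [
    {   # Runtime monitoring on and the Fargate agent managed by GuardDuty -> ok
        "arn": "arn:aws:guardduty:us-east-1:111111111111:detector/detector-a",
        "title": "detector-a", "region": "us-east-1", "account_id": "111111111111",
        "features": [
            {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
             "AdditionalConfiguration": [
                 {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
                 {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
             ]},
        ],
    },
    {   # Runtime monitoring on, but Fargate agent management disabled -> alarm
        "arn": "arn:aws:guardduty:us-east-1:222222222222:detector/detector-b",
        "title": "detector-b", "region": "us-east-1", "account_id": "222222222222",
        "features": [
            {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
             "AdditionalConfiguration": [
                 {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "DISABLED"},
             ]},
        ],
    },
    {   # No RUNTIME_MONITORING feature at all -> alarm
        "arn": "arn:aws:guardduty:eu-west-1:333333333333:detector/detector-c",
        "title": "detector-c", "region": "eu-west-1", "account_id": "333333333333",
        "features": [
            {"Name": "S3_DATA_EVENTS", "Status": "ENABLED", "AdditionalConfiguration": []},
        ],
    },
]


def evaluate_all(detectors: list[dict[str, Any]] = SAMPLE_DETECTORS) -> list[dict[str, str]]:
    """Run the check over every detector row, one result row per detector."""
    return [evaluate_detector(d) for d in detectors]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row["status"], row["account_id"], row["region"], row["reason"])
```

Like the SQL, this evaluates one detector row at a time; the multi-account rule in the description (fail only when the agent is disabled for the delegated administrator and all member accounts) is a statement about the AWS Security Hub control, and the Powerpipe query simply reports each detector Steampipe can see.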