turbot/steampipe-mod-aws-compliance

Control: GuardDuty ECS runtime monitoring should be enabled

Description

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on AWS Fargate. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.guardduty_detector_ecs_runtime_monitoring_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.guardduty_detector_ecs_runtime_monitoring_enabled --share

SQL

This control uses a named query:

with ecs_runtime_monitoring as (
select
arn
from
aws_guardduty_detector,
jsonb_array_elements(features) as f,
jsonb_array_elements(f -> 'AdditionalConfiguration') as c
where
f ->> 'Name' = 'RUNTIME_MONITORING'
and c ->> 'Name' = 'ECS_FARGATE_AGENT_MANAGEMENT'
and c ->> 'Status' = 'ENABLED'
)
select
d.arn as resource,
case
when m.arn is not null then 'ok'
else 'alarm'
end as status,
case
when m.arn is not null then title || ' has ECS runtime monitoring enabled.'
else title || ' has ECS runtime monitoring disabled.'
end as reason
, region, account_id
from
aws_guardduty_detector as d
left join ecs_runtime_monitoring as m on m.arn = d.arn

Tags