AI CloudAdvisor (Beta)

Configuration Builder
New!

My Presets

You must be logged in to save or view your saved configuration templates

Security Controls

Service Control PoliciesConfig RulesCloudWatch Alarms and Event RulesCloudFormation Guard RulesLogging & Monitoring ConfigurationsBackups & DRAuto Remediation RulesConformance PacksBilling and Cost ManagementS3 Bucket PoliciesSecurity Groups & NACLsIAM PoliciesVPC Endpoint Policies

AWS Services

Guided Walkthroughs

Configuration Packages

Reference Guides

Other

AI CloudAdvisor (Beta)

Configuration Builder
New!

Configuration Stack (Legacy)
0

My Presets

Loading Library ...

Guided Walkthroughs

Configuration Packages

Other

AWS Threat Detection Services

A configuration package to enable AWS threat detection services: 

  • Amazon GuardDuty: Continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. 
  • Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on EC2 instances. By default,  the Common Vulnerabilities and Exposures (CVE) package is configured to run against all EC2 instances, every Saturday at Midnight. Other configuration packages and more settings can be customized below.
  • AWS Security Hub: Provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. The CIS AWS Foundations compliance standard is enabled by default.

In addition to the above services, the following additional configuration can be enabled:

  • Email Notifications: Enable notifications for GuardDuty and Security Hub using CloudWatch Event Rules and SNS.
  • Security Hub Prerequisites: To enable Compliance Standards in Security Hub (e.g. CIS AWS Foundations), AWS Config must be enabled as well.

A premium subscription is required for this content
You can browse templates for individual logging services such as GuardDuty, Security Hub and Inspector in our repository for free! Go to Library

Items
11
Size
9.9 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  GuardDuty:
    Type: 'AWS::GuardDuty::Detector'
    Properties:
      Enable: true
      DataSources:
        S3Logs:
          Enable: true
  CwEventAutoAssessment:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: InspectorScheduledAssessment
      Description: 'Scheduled trigger for Amazon Inspector Assessment: '
      State: ENABLED
      Targets:
        - Arn:
            Ref: AssessmentTemplate
          Id: AmazonInspectorAssessment
          RoleArn:
            'Fn::GetAtt':
              - AutoAssessmentIamRole
              - Arn
      ScheduleExpression: cron(00 00 ? * SAT *)
  AssessmentTarget:
    Type: 'AWS::Inspector::AssessmentTarget'
    Properties:
      AssessmentTargetName: Amazon Inspector Targets
  AssessmentTemplate:
    Type: 'AWS::Inspector::AssessmentTemplate'
    Properties:
      AssessmentTargetArn:
        Ref: AssessmentTarget
      DurationInSeconds: 3600
      RulesPackageArns:
        - 'Fn::FindInMap':
            - RulePackageArn
            - Ref: 'AWS::Region'
            - CVE
  AutoAssessmentIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: AWS_InspectorEvents_Invoke_Assessment_TemplateUzO
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: InspectorAssessmentTrigger
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'inspector:StartAssessmentRun'
                Resource: '*'
  SecurityHub:
    Type: 'AWS::SecurityHub::Hub'
    Properties: {}
  SnsTopic1:
    Type: 'AWS::SNS::Topic'
    Properties:
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
      TopicName: sns-topic
  CwEvent1:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-securityhub-finding
      Description: A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - Security Hub Findings - Imported
        source:
          - aws.securityhub
  SnsTopicPolicyCwEvent1:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
  CwEvent2:
    Type: 'AWS::Events::Rule'
    Properties:
      Name: detect-guardduty-finding
      Description: A CloudWatch Event Rule that triggers on Amazon GuardDuty findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda.
      State: ENABLED
      Targets:
        - Arn:
            Ref: SnsTopic1
          Id: target-id1
      EventPattern:
        detail-type:
          - GuardDuty Finding
        source:
          - aws.guardduty
  SnsTopicPolicyCwEvent2:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
              - 'SNS:Receive'
            Resource:
              Ref: SnsTopic1
            Condition:
              StringEquals:
                'AWS:SourceOwner':
                  Ref: 'AWS::AccountId'
          - Sid: TrustCWEToPublishEventsToMyTopic
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource:
              Ref: SnsTopic1
      Topics:
        - Ref: SnsTopic1
Parameters: {}
Metadata: {}
Conditions: {}
Mappings:
  RulePackageArn:
    us-west-2:
      CVE: 'arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p'
      CIS: 'arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc'
      Network: 'arn:aws:inspector:us-west-2:758058086616:rulespackage/0-rD1z6dpl'
      Security: 'arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ'
      Runtime: 'arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD'
    us-east-1:
      CVE: 'arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'
      CIS: 'arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8'
      Network: 'arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd'
      Security: 'arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q'
      Runtime: 'arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h'
    us-east-2:
      CVE: 'arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85'
      CIS: 'arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh'
      Network: 'arn:aws:inspector:us-east-2:646659390643:rulespackage/0-cE4kTR30'
      Security: 'arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX'
      Runtime: 'arn:aws:inspector:us-east-2:646659390643:rulespackage/0-UCYZFKPV'
    us-west-1:
      CVE: 'arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa'
      CIS: 'arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX'
      Network: 'arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TxmXimXF'
      Security: 'arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm'
      Runtime: 'arn:aws:inspector:us-west-1:166987590008:rulespackage/0-yeYxlt0x'
    ap-south-1:
      CVE: 'arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-LqnJE9dO'
      CIS: 'arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-PSUlX14m'
      Network: 'arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-YxKfjFu1'
      Security: 'arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-fs0IZZBj'
      Runtime: 'arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-EhMQZy6C'
    ap-southeast-2:
      CVE: 'arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-D5TGAxiR'
      CIS: 'arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-Vkd2Vxjq'
      Network: 'arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-FLcuV4Gz'
      Security: 'arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-asL6HRgN'
      Runtime: 'arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-P8Tel2Xj'
    ap-northeast-2:
      CVE: 'arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoGHMznc'
      CIS: 'arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-T9srhg1z'
      Network: 'arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-s3OmLzhL'
      Security: 'arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-2WRpmi4n'
      Runtime: 'arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoYq7lI7'
    ap-northeast-1:
      CVE: 'arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT'
      CIS: 'arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu'
      Network: 'arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-YI95DVd7'
      Security: 'arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq'
      Runtime: 'arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu'
    eu-west-1:
      CVE: 'arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh'
      CIS: 'arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-sJBhCr0F'
      Network: 'arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SPzU33xe'
      Security: 'arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SnojL3Z6'
      Runtime: 'arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-lLmwe1zd'
    eu-central-1:
      CVE: 'arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-wNqHa8M9'
      CIS: 'arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-nZrAVuv8'
      Network: 'arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-6yunpJ91'
      Security: 'arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-ZujVHEPB'
      Runtime: 'arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-0GMUM6fg'
    us-gov-east-1:
      CVE: 'arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-3IFKFuOb'
      CIS: 'arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-pTLCdIww'
      Security: 'arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-vlgEGcVD'
      Runtime: 'arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-850TmCFX'
    us-gov-west-1:
      CVE: 'arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-4oQgcI4G'
      CIS: 'arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-Ac4CFOuc'
      Security: 'arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-rOTGqe5G'
      Runtime: 'arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-JMyjuzoW'

Actions



Customize Template

Configuration Presets

Resource Settings

EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT