Guard Duty: Event Rule not sending SNS

0

I have created Malware Protection for S3. When an event pattern detects a malware finding in S3, an associated SNS topic should send an email. It doesn't. I have the following CloudFormation, and since I have paid AWS Support, I created a service/support case 15+ days ago:

    MalwarePolicy:
        Type: AWS::IAM::ManagedPolicy
        Properties:
            PolicyDocument:
                Version: 2012-10-17
                Statement:
                  - Sid: AllowManagedRuleToSendS3EventsToGuardDuty
                    Effect: Allow
                    Action:
                      - events:PutRule
                      - events:PutTargets
                      - events:DeleteRule
                      - events:RemoveTargets
                    Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*
                    Condition:
                        StringLike:
                            'events:ManagedBy': malware-protection-plan.guardduty.amazonaws.com

                  - Sid: AllowGuardDutyToMonitorEventBridgeManagedRule
                    Effect: Allow
                    Action:
                      - events:DescribeRule
                      - events:ListTargetsByRule
                    Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*

                  - Sid: AllowPostScanTag
                    Effect: Allow
                    Action:
                      - s3:PutObjectTagging
                      - s3:PutObjectVersionTagging
                      - s3:GetObjectTagging
                      - s3:GetObjectVersionTagging
                    Resource: !Sub arn:aws:s3:::${BucketName}/*

                  - Sid: AllowEnableS3EventBridgeEvents
                    Effect: Allow
                    Action:
                      - s3:PutBucketNotification
                      - s3:GetBucketNotification
                    Resource: !Sub arn:aws:s3:::${BucketName}

                  ##
                  ## Note: when S3 malware protection enabled, test file malware-protection-resource-validation-object
                  ##        is automatically created
                  ##
                  - Sid: AllowPutValidationObject
                    Effect: Allow
                    Action:
                      - s3:PutObject
                    Resource: !Sub arn:aws:s3:::${BucketName}/malware-protection-resource-validation-object

                  - Sid: AllowCheckBucketOwnership
                    Effect: Allow
                    Action:
                      - s3:ListBucket
                    Resource: !Sub arn:aws:s3:::${BucketName}

                  - Sid: AllowMalwareScan
                    Effect: Allow
                    Action:
                      - s3:GetObject
                      - s3:GetObjectVersion
                    Resource: !If
                      - HasFullPrefixes
                      - !Split [',', !Ref FullPrefixes]
                      - !Sub arn:aws:s3:::${BucketName}/${FullPrefixes}

                  - Sid: AllowDecryptForMalwareScan
                    Effect: Allow
                    Action:
                      - kms:GenerateDataKey
                      - kms:Decrypt
                    Resource: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*
                    Condition:
                        StringLike:
                            'kms:ViaService': !Sub s3.${AWS::Region}.amazonaws.com

    MalwarePolicyRole:
        Type: AWS::IAM::Role
        Properties:
            RoleName: !Sub GuardDutyMalwareProtection-${BucketName}
            AssumeRolePolicyDocument:
                Version: 2012-10-17
                Statement:
                  - Effect: Allow
                    Principal:
                        Service: malware-protection-plan.guardduty.amazonaws.com
                    Action: sts:AssumeRole
            ManagedPolicyArns: [!Ref MalwarePolicy]

    MalwareProtection:
        Type: AWS::GuardDuty::MalwareProtectionPlan
        Properties:
            Actions:
                Tagging:
                    Status: !Ref TaggingStatus
            ProtectedResource:
                S3Bucket:
                    BucketName: !Ref BucketName
                    ObjectPrefixes: !If
                      - HasObjectPrefixes
                      - !Split [',', !Ref ObjectPrefixes]
                      - !Ref AWS::NoValue
            Role: !GetAtt MalwarePolicyRole.Arn

    SnsTopic:
        Type: AWS::CloudFormation::Stack
        Properties:
            TemplateURL: ../path/sns.yaml
            Parameters:
                DisplayName: !Ref BucketName
                TopicName: !Join [ '-', !Split ['.', !Ref BucketName] ]

    SnsTopicSubscription:
        Type: AWS::SNS::Subscription
        Properties:
            Endpoint: !Ref AdminEmail
            Protocol: email
            TopicArn: !GetAtt SnsTopic.Outputs.TopicArn
        DependsOn: SnsTopic

    ##
    ## eventbridge: https://docs.aws.amazon.com/guardduty/latest/ug/monitor-with-eventbridge-s3-malware-protection.html
    ##
    MalwareEventRuleNotification:
        Type: AWS::Events::Rule
        Properties:
            Name: !Join
              - '-'
              - - S3GuardDuty
                - !Join [ '-', !Split ['.', !Ref BucketName] ]
            Description: !Sub malware detection notification for ${BucketName} bucket
            EventPattern:
                source:
                  - aws.guardduty
                detail-type:
                  - GuardDuty Malware Protection Object Scan Result
            Targets:
              - Id: AdminEmail
                Arn: !GetAtt SnsTopic.Outputs.TopicArn

I got a response from the support engineer to hardcode the SNS topic ARN instead of using my above GetAtt on the AWS::Events::Rule. Alternatively, I was told that I could use SSM Parameter Store. Per the recommendation from AWS, since I have paid AWS Support, I did something that is an anti-pattern to my norm. I created the SNS topic from a parent stack, then in the same parent stack stored the ARN in an SSM parameter. Again from the parent stack, I passed the SSM path to the nested/child stack so that I could Ref it in the above AWS::Events::Rule >> Targets >> Arn, then dropped a trivial eicar.com file; no email notifications were sent to me.

I'm lucky that GuardDuty is a free trial for 30 days (though I haven't really tried anything, nothing works, and I've wasted my own time at the expense of the AWS Support I'm paying for). I have maybe 15 days left of the free trial; maybe someone here can provide me better support than AWS paid support?

3 Answers
1
Accepted Answer

Hello.

I tried running the CloudFormation template below on my AWS account.
This template should allow you to send notifications via email.
I suspect that your Amazon SNS topic does not allow access from "events.amazonaws.com" in its "AWS::SNS::TopicPolicy".

AWSTemplateFormatVersion: "2010-09-09"

Description: GuardDuty Stack

Conditions:
  HasObjectPrefixes: !Not [!Equals [!Ref ObjectPrefixes, '']]

Parameters:
# ------------------------------------------------------------#
# Parameters
# ------------------------------------------------------------# 
  MailAddress:
    Type: String

  TaggingStatus:
    Type: String
    Default: ENABLED

  ObjectPrefixes:
    Type: String

  BucketName:
    Type: String

  MalwarePolicyRole:
    Type: String

Resources:
# ------------------------------------------------------------#
# SNS
# ------------------------------------------------------------# 
  SnsTopic:
    Type: AWS::SNS::Topic
    Properties: 
      Subscription:
        - Endpoint: !Ref MailAddress
          Protocol: email
      TopicName: sns-guardduty

  SnsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties: 
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal: 
              AWS: '*'
            Action: 
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
            Resource: !Ref SnsTopic
            Condition: 
              StringEquals: 
                'AWS:SourceOwner': !Sub ${AWS::AccountId}
          - Sid: AWSEvents_guardduty
            Effect: Allow
            Principal: 
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: !Ref SnsTopic
      Topics:
        - !Ref SnsTopic

# ------------------------------------------------------------#
# GuardDuty
# ------------------------------------------------------------# 
  MalwareProtection:
      Type: AWS::GuardDuty::MalwareProtectionPlan
      Properties:
          Actions:
              Tagging:
                  Status: !Ref TaggingStatus
          ProtectedResource:
              S3Bucket:
                  BucketName: !Ref BucketName
                  ObjectPrefixes: !If
                    - HasObjectPrefixes
                    - !Split [',', !Ref ObjectPrefixes]
                    - !Ref AWS::NoValue
          Role: !Ref MalwarePolicyRole

# ------------------------------------------------------------#
# EventBridge
# ------------------------------------------------------------# 
  MalwareEventRuleNotification:
      Type: AWS::Events::Rule
      Properties:
          Name: !Join
            - '-'
            - - S3GuardDuty
              - !Join [ '-', !Split ['.', !Ref BucketName] ]
          Description: !Sub malware detection notification for ${BucketName} bucket
          EventPattern:
              source:
                - aws.guardduty
              detail-type:
                - GuardDuty Malware Protection Object Scan Result
          Targets:
            - Id: AdminEmail
              Arn: !Ref SnsTopic
EXPERT
answered 5 months ago
reviewed 5 months ago
  • Yes sir, that worked. I overlooked the IAM policy on the SNS topic and did not define/attach any. I assumed the SNS topic would have a default policy allowing interaction(s) with any resource(s) from my account.
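As an added example (not code from the post, the accepted answer, or AWS), the following Python models offline the two things the accepted answer's fix relies on: that the rule's event pattern matches a GuardDuty S3 Malware Protection scan-result event, and that the topic's resource policy lets the EventBridge service principal call sns:Publish. It puts the SNS default topic policy (the one the asker assumed was sufficient) beside the corrected policy with the `AWSEvents_guardduty` statement from the answer. The account id, topic ARN and event payload are constructed placeholders, and the policy evaluator is a simplified model of IAM resource-policy evaluation (Allow/Deny with StringEquals only), not a reimplementation of AWS's.

```python
"""Offline check of what the EventBridge -> SNS path on this page needs: the rule's
pattern must match a GuardDuty scan-result event, and the topic policy must let the
EventBridge service principal call sns:Publish. Simplified IAM model, StringEquals only."""

# Constructed placeholders, not real resources.
ACCOUNT = "111122223333"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:sns-guardduty"

# Event pattern exactly as in the AWS::Events::Rule on the page.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
}

# Constructed event envelope; the detail payload is a placeholder, not a captured finding.
SAMPLE_EVENT = {
    "version": "0", "id": "EXAMPLE-EVENT-ID", "account": ACCOUNT, "region": "us-east-1",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "detail": {"scanStatus": "COMPLETED"},
}

# SNS default topic policy (what the asker assumed was enough), abbreviated to the actions
# that matter: any AWS principal, but only when the request carries aws:SourceOwner.
DEFAULT_STATEMENT = {
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
    "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT}},
}
# The statement the accepted answer adds.
EVENTS_STATEMENT = {
    "Sid": "AWSEvents_guardduty", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sns:Publish", "Resource": TOPIC_ARN,
}
DEFAULT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [DEFAULT_STATEMENT]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [DEFAULT_STATEMENT, EVENTS_STATEMENT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, event):
    """Top-level EventBridge match: each pattern key must be present in the event
    and the event's value must be one of the listed alternatives."""
    return all(key in event and event[key] in allowed for key, allowed in pattern.items())


def _principal_matches(stmt_principal, request_principal):
    # "*" or {"AWS": "*"} match any caller; otherwise the caller's principal type
    # (AWS or Service) must be listed explicitly.
    if stmt_principal == "*":
        return True
    for ptype, values in stmt_principal.items():
        values = _as_list(values)
        if (ptype == "AWS" and "*" in values) or request_principal.get(ptype) in values:
            return True
    return False


def _condition_matches(condition, context):
    # Keys are case-insensitive. A key missing from the request context fails StringEquals,
    # which is why the default statement never covers EventBridge (no aws:SourceOwner).
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key.lower())
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def allows(policy, principal, action, resource, context):
    """Simplified evaluation: applicable Deny wins, any applicable Allow grants, else deny."""
    context = {k.lower(): v for k, v in context.items()}
    allowed = False
    for stmt in policy["Statement"]:
        applicable = (
            action.lower() in [a.lower() for a in _as_list(stmt["Action"])]
            and resource in _as_list(stmt["Resource"])
            and _principal_matches(stmt["Principal"], principal)
            and _condition_matches(stmt.get("Condition"), context)
        )
        if not applicable:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def eventbridge_can_publish(policy, topic_arn):
    """Can the EventBridge service principal deliver a rule target to this topic?"""
    return allows(policy, {"Service": "events.amazonaws.com"}, "sns:Publish", topic_arn, {})


if __name__ == "__main__":
    for name, policy in (("default-only", DEFAULT_ONLY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "policy lets EventBridge publish:", eventbridge_can_publish(policy, TOPIC_ARN))
```

Running it shows the two outcomes side by side: the default-only policy denies the EventBridge service principal (its request carries no `aws:SourceOwner`, so the default statement's condition fails and nothing else applies), while the same policy does allow an IAM identity in the owning account to publish, which is the case the asker's assumption actually covered. The `AWSEvents_guardduty` statement closes the gap without widening the default statement.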

0

Hi,

I am unable to see any CloudFormation code related to IAM policies and permissions. I have created sample code that can be used for similar purposes; it is described in detail in this blog post - https://aws.amazon.com/blogs/security/using-amazon-guardduty-malware-protection-to-scan-uploads-to-amazon-s3/

Sample code can be found in this GitHub repository - https://github.com/aws-samples/guardduty-malware-protection/tree/main/cfn

Please let us know if this helps.

AWS
answered 5 months ago
  • I've updated the CloudFormation code (on the original post statement) with the associated IAM policies/permissions that I've used 15+ days ago. It's still the same as of right now.

0

I was also told roughly two weeks ago by an AWS support engineer:

Additionally, when GuardDuty Malware Protection performs the scan on the uploaded object, no events are recorded in CloudTrail.

That doesn't make any sense. Why would you be able to build an event rule pattern, yet not be able to see the associated event in CloudTrail?

answered 5 months ago
