Hello.
I tried running the CloudFormation template below on my AWS account.
This template should allow you to send notifications via email.
I suspect that your Amazon SNS does not allow access from "events.amazonaws.com" in "AWS::SNS::TopicPolicy".
AWSTemplateFormatVersion: "2010-09-09"
Description: GuardDuty Stack
Conditions:
  HasObjectPrefixes: !Not [!Equals [!Ref ObjectPrefixes, '']]
Parameters:
  # ------------------------------------------------------------#
  # Parameters
  # ------------------------------------------------------------#
  MailAddress:
    Type: String
  TaggingStatus:
    Type: String
    Default: ENABLED
  ObjectPrefixes:
    Type: String
  BucketName:
    Type: String
  MalwarePolicyRole:
    Type: String
Resources:
  # ------------------------------------------------------------#
  # SNS
  # ------------------------------------------------------------#
  SnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref MailAddress
          Protocol: email
      TopicName: sns-guardduty
  SnsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Id: __default_policy_ID
        Statement:
          - Sid: __default_statement_ID
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'SNS:GetTopicAttributes'
              - 'SNS:SetTopicAttributes'
              - 'SNS:AddPermission'
              - 'SNS:RemovePermission'
              - 'SNS:DeleteTopic'
              - 'SNS:Subscribe'
              - 'SNS:ListSubscriptionsByTopic'
              - 'SNS:Publish'
            Resource: !Ref SnsTopic
            Condition:
              StringEquals:
                'AWS:SourceOwner': !Sub ${AWS::AccountId}
          # Without this statement EventBridge cannot publish to the topic
          - Sid: AWSEvents_guardduty
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: !Ref SnsTopic
      Topics:
        - !Ref SnsTopic
  # ------------------------------------------------------------#
  # GuardDuty
  # ------------------------------------------------------------#
  MalwareProtection:
    Type: AWS::GuardDuty::MalwareProtectionPlan
    Properties:
      Actions:
        Tagging:
          Status: !Ref TaggingStatus
      ProtectedResource:
        S3Bucket:
          BucketName: !Ref BucketName
          ObjectPrefixes: !If
            - HasObjectPrefixes
            - !Split [',', !Ref ObjectPrefixes]
            - !Ref AWS::NoValue
      Role: !Ref MalwarePolicyRole
  # ------------------------------------------------------------#
  # EventBridge
  # ------------------------------------------------------------#
  MalwareEventRuleNotification:
    Type: AWS::Events::Rule
    Properties:
      Name: !Join
        - '-'
        - - S3GuardDuty
          - !Join [ '-', !Split ['.', !Ref BucketName] ]
      Description: !Sub malware detection notification for ${BucketName} bucket
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Malware Protection Object Scan Result
      Targets:
        - Id: AdminEmail
          Arn: !Ref SnsTopic
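A way to verify the point made in this answer before redeploying, as an added example that is not code from the post or from AWS: it parses an SNS topic policy document (the JSON string `GetTopicAttributes` returns as the `Policy` attribute) and reports whether `events.amazonaws.com` holds an unconditional `sns:Publish` grant on the topic. The account id and topic ARN are placeholders, and the two statements are constructed to mirror the template above.

```python
import fnmatch
import json

# Constructed placeholders: account id and ARN of the sns-guardduty topic.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:sns-guardduty"

# Owner-only default statement, as in the template above.
DEFAULT_STATEMENT = {
    "Sid": "__default_statement_ID", "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["SNS:Subscribe", "SNS:Publish"],
    "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
}
# The statement the answer adds so EventBridge can publish.
EVENTS_STATEMENT = {
    "Sid": "AWSEvents_guardduty", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sns:Publish",
    "Resource": TOPIC_ARN,
}


def make_policy(*statements):
    """Serialise statements into a policy document, as the API returns it (JSON string)."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, service):
    # "*" is the anonymous wildcard; otherwise require an explicit Service entry.
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service", []))


def service_can_publish(policy_json, topic_arn, service="events.amazonaws.com"):
    """True if an unconditional Allow grants sns:Publish on topic_arn to `service`.

    Statements carrying a Condition are skipped: they cannot be evaluated offline, and
    the SourceOwner-scoped default statement is exactly what failed to let EventBridge
    publish in this thread. An unconditional Deny overrides any Allow."""
    allowed = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Condition" in st or not _principal_matches(st.get("Principal"), service):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatch.fnmatchcase("sns:publish", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(topic_arn, r) for r in resources):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed
```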
Hi,
I am unable to see any CloudFormation code related to IAM policies and permissions. I have created sample code which can be used for similar purposes which you can find detailed in this blog post - https://aws.amazon.com/blogs/security/using-amazon-guardduty-malware-protection-to-scan-uploads-to-amazon-s3/
Sample code can be found in this GitHub repository - https://github.com/aws-samples/guardduty-malware-protection/tree/main/cfn
Please let us know if this helps.
I've updated the CloudFormation code (on the original post statement) with the associated IAM policies/permissions that I used 15+ days ago. It's still the same as of right now.
I was also told roughly two weeks ago by an AWS support engineer:
Additionally, when GuardDuty Malware Protection performs the scan on the uploaded object, no events are recorded in CloudTrail.
That doesn't make any sense. Why would you be able to build an event rule pattern, yet can't see the associated event in CloudTrail?
Yes sir, that worked. I overlooked the IAM policy on the SNS, and did not define/attach any. I assumed the SNS would have default policy allowing interaction(s) with any resource(s) from my account.