
Security patterns update #171

Merged

Conversation

aliaksei-ivanou
Contributor

@aliaksei-ivanou aliaksei-ivanou commented May 2, 2024

Issue #, if available:

Description of changes:

  1. Updating GuardDuty features configuration in the guardduty pattern.
  2. Checking if GuardDuty is already enabled in the target account and region. If yes, making sure that EKS-related features are enabled.
  3. Removing the dead link in docs/patterns/kubeflow.md.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

shapirov103
shapirov103 previously approved these changes May 3, 2024
Contributor

@shapirov103 shapirov103 left a comment


LGTM

@shapirov103
Contributor

/do-e2e-test guardduty deploy

@shapirov103
Contributor

@aliaksei-ivanou please check the e2e failure:

Failed resources:
guardduty-setup | 1:44:30 PM | CREATE_FAILED        | AWS::GuardDuty::Detector | guardduty-setupGuardDutyDetector (guarddutysetupGuardDutyDetector) Resource handler 
returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)

(RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)

 ❌  guardduty-setup failed: Error: The stack named guardduty-setup failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:430:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:433:198753)
    at async /codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:433:180693


@shapirov103
Contributor

/do-e2e-test guardduty deploy

@aliaksei-ivanou
Contributor Author

@aliaksei-ivanou please check the e2e failure:

Failed resources:
guardduty-setup | 1:44:30 PM | CREATE_FAILED        | AWS::GuardDuty::Detector | guardduty-setupGuardDutyDetector (guarddutysetupGuardDutyDetector) Resource handler 
returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)

(RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)

 ❌  guardduty-setup failed: Error: The stack named guardduty-setup failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: AWS::GuardDuty::Detector" (RequestToken: bb5d9f83-4589-22e4-e909-a64ee12dd7b9, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:430:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:433:198753)
    at async /codebuild/output/src2885543061/src/github.com/aws-samples/cdk-eks-blueprints-patterns/node_modules/aws-cdk/lib/index.js:433:180693

Done

@aliaksei-ivanou
Contributor Author

/do-e2e-test guardduty deploy

@shapirov103
Contributor

/do-e2e-test guardduty deploy

@shapirov103
Contributor

GuardDuty blueprint stack did not deploy due to missing secrets. Rerunning with the secret setup.

@shapirov103
Contributor

/do-e2e-test guardduty deploy

@shapirov103
Contributor

Getting this issue during synth time:

AccessDeniedException: User: arn:aws:sts::867286930927:assumed-role/codebuild-ci-service-role/AWSCodeBuild-17452f2d-30db-43f1-b797-2a1e488a7ff2 is not authorized to perform: guardduty:ListDetectors on resource: arn:aws:guardduty:us-east-2:867286930927:detector/*

Is listdetectors the only permission needed @aliaksei-ivanou ?

@aliaksei-ivanou
Contributor Author

Getting this issue during synth time:

AccessDeniedException: User: arn:aws:sts::867286930927:assumed-role/codebuild-ci-service-role/AWSCodeBuild-17452f2d-30db-43f1-b797-2a1e488a7ff2 is not authorized to perform: guardduty:ListDetectors on resource: arn:aws:guardduty:us-east-2:867286930927:detector/*

Is listdetectors the only permission needed @aliaksei-ivanou ?

ListDetectors and UpdateDetector

@shapirov103
Contributor

@aliaksei-ivanou UpdateDetector is needed at deploy, not synth time, correct?

@aliaksei-ivanou
Contributor Author

@aliaksei-ivanou UpdateDetector is needed at deploy, not synth time, correct?

I believe so.
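The enable-if-absent logic described in the PR (create the detector when the account and region have none, otherwise make sure the EKS features are on) and the synth-time/deploy-time permission split discussed above, as an added TypeScript example. This is not code from this PR or from the cdk-eks-blueprints-patterns project: the GuardDuty client is reduced to a hand-written interface with a constructed in-memory stub so it runs offline, and the EKS feature names (EKS_AUDIT_LOGS, EKS_RUNTIME_MONITORING) are assumed from the GuardDuty DetectorFeature enum rather than taken from the thread.

```typescript
// Added example, not code from the PR or the project. Models the two phases the thread
// separates: a read-only lookup at synth time (guardduty:ListDetectors) and a write at
// deploy time (guardduty:UpdateDetector) that only happens when a detector already exists.
// Feature names are assumed from the GuardDuty DetectorFeature enum.

export type EksFeature = "EKS_AUDIT_LOGS" | "EKS_RUNTIME_MONITORING";
export const EKS_FEATURES: EksFeature[] = ["EKS_AUDIT_LOGS", "EKS_RUNTIME_MONITORING"];

export interface FeatureConfig {
  Name: EksFeature;
  Status: "ENABLED" | "DISABLED";
}

// Minimal slice of the GuardDuty API: the two calls the thread identifies as required.
export interface GuardDutyApi {
  listDetectors(): string[];                                            // synth time
  updateDetector(detectorId: string, features: FeatureConfig[]): void;  // deploy time
}

export type Plan =
  | { action: "create"; features: FeatureConfig[] }
  | { action: "update"; detectorId: string; features: FeatureConfig[] };

// Synth-time step. GuardDuty allows one detector per account and region, so the lookup
// yields zero or one ID: zero means the stack should synthesize an AWS::GuardDuty::Detector
// resource with the EKS features enabled; one means the existing detector must be updated.
export function planGuardDuty(api: GuardDutyApi): Plan {
  const features: FeatureConfig[] = EKS_FEATURES.map((Name) => ({ Name, Status: "ENABLED" as const }));
  const ids = api.listDetectors();
  if (ids.length === 0) return { action: "create", features };
  if (ids.length > 1) throw new Error(`unexpected ${ids.length} detectors; GuardDuty permits one per region`);
  return { action: "update", detectorId: ids[0], features };
}

// Deploy-time step. The "create" branch is materialized by CloudFormation from the
// synthesized template; only the "update" branch calls a write API from the deploying
// process, which is why UpdateDetector is needed at deploy time and not at synth time.
export function applyPlan(api: GuardDutyApi, plan: Plan): "created-by-cfn" | "updated" {
  if (plan.action === "create") return "created-by-cfn";
  api.updateDetector(plan.detectorId, plan.features);
  return "updated";
}

// IAM actions each phase needs under this design, as identified in the thread.
export function requiredIamActions(phase: "synth" | "deploy"): string[] {
  return phase === "synth" ? ["guardduty:ListDetectors"] : ["guardduty:UpdateDetector"];
}

// Constructed in-memory stub standing in for the real GuardDuty client.
export class StubGuardDuty implements GuardDutyApi {
  public updates: { detectorId: string; features: FeatureConfig[] }[] = [];
  private detectorIds: string[];
  constructor(detectorIds: string[]) {
    this.detectorIds = detectorIds;
  }
  listDetectors(): string[] {
    return [...this.detectorIds];
  }
  updateDetector(detectorId: string, features: FeatureConfig[]): void {
    if (!this.detectorIds.includes(detectorId)) throw new Error("BadRequestException: unknown detector");
    this.updates.push({ detectorId, features });
  }
}

// Usage: an account with no detector gets a CloudFormation-managed one, an account with an
// existing detector gets an idempotent feature update (constructed detector ID).
const fresh = new StubGuardDuty([]);
console.log(applyPlan(fresh, planGuardDuty(fresh)));            // created-by-cfn
const existing = new StubGuardDuty(["constructed-detector-id"]);
console.log(applyPlan(existing, planGuardDuty(existing)));      // updated
```

Running the plan step with a role that lacks guardduty:ListDetectors reproduces the AccessDeniedException shape seen in the CI log above at synth time, before any template is produced; the update step is the one that additionally needs guardduty:UpdateDetector.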

@shapirov103
Contributor

/do-e2e-test guardduty deploy

@shapirov103
Contributor

/do-e2e-test guardduty destroy

@shapirov103 shapirov103 left a comment


LGTM

@shapirov103 shapirov103 merged commit 21847d4 into aws-samples:main May 8, 2024
3 checks passed
@aliaksei-ivanou aliaksei-ivanou deleted the security-patterns-update branch May 10, 2024 20:16
This pull request was closed.