Merge pull request #2358 from kapoorsumit20023/kapoorsumit20023-featu…

…re-s3-guardduty-eventbridge-sns New serverless pattern - s3-guardduty-eventbridge-sns-sam
aws-samples · Aug 21, 2024 · 1e156e1 · 1e156e1
2 parents c0f7f0b + bf0cf64
commit 1e156e1
Show file tree

Hide file tree

Showing 5 changed files with 421 additions and 0 deletions.
diff --git a/guardduty-malware-s3/README.md b/guardduty-malware-s3/README.md
@@ -0,0 +1,91 @@
+# Amazon GuardDuty Malware Protection for Amazon S3
+
+This pattern demonstrates creating an S3 Malware Protection plan and integrating the findings with Amazon EventBridge and Amazon SNS to notify users of the scan results. The SAM template creates an IAM role that includes the permissions required to scan and (optionally) add tags to the associated protected resource. The template also creates an EventBridge managed rule, which is used to route S3 `put-object` and S3 bucket-level event notifications to GuardDuty's S3 Malware Protection Service. Another EventBridge rule monitors the S3 object scan results and sends notifications to an SNS topic where users can subscribe via email.
+
+Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/guardduty-malware-s3
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+## Requirements
+
+* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+* [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [AWS Serverless Application Model](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) (AWS SAM) installed
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ``` 
+    git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd guardduty-malware-s3
+    ```
+1. From the command line, use AWS SAM to deploy the AWS resources for the pattern as specified in the template.yml file:
+    ```
+    sam deploy --guided
+    ```
+1. During the prompts:
+    * Enter a stack name.
+    * Enter the desired AWS Region.
+    * Enter the name of S3 bucket to be protected.
+    * Enter ENABLED or DISABLED for the option to add tags to the S3 objects after the scan ends.
+    * Enter an email address to receive the GuardDuty Malware Protection Object Scan Results.
+    * Allow the SAM CLI to create IAM roles with the required permissions.
+
+    Once you run `sam deploy --guided` once and save arguments to a configuration file (samconfig.toml), you can use `sam deploy` for future deployments.
+
+1. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for testing.
+
+1. After the template is deployed, an email notification will be sent to the email address you provided during the prompts. Please ensure that you confirm the email subscription in order to receive notifications about the scan results.
+
+## How it works
+Once you enable Malware Protection for S3 on a bucket, GuardDuty will automatically start scanning newly uploaded objects for potential malware.
+After each malware scan, GuardDuty adds a tag indicating the scan status for the object.
+GuardDuty adds the following predefined tags to the scanned object:
+
+* NO_THREATS_FOUND: No threats were detected in the file.
+* THREATS_FOUND: Threats were detected in the file.
+* UNSUPPORTED: The file type is unsupported for scanning.
+* ACCESS_DENIED: Access to the file was denied.
+* FAILED: The scan failed for some reason.
+
+Note: The GuardDuty Malware Protection for S3 feature can also be used independently. For this, you don’t need to enable all the features of GuardDuty.
+
+## Testing
+1. Download the Eicar test file, a standard anti-malware test file:
+    ``` 
+    curl -O https://secure.eicar.org/eicar_com.zip
+    ```
+1. Upload the eicar file to the ScanningBucket:
+    ```
+    aws s3 cp eicar_com.zip s3://<YOUR_SCANNING_BUCKET>
+    ```
+   The uploaded S3 object is tagged with 'GuardDutyMalwareScanStatus=THREATS_FOUND'. Additionally, a notification message is delivered to your email 
+   address with 'scanResultStatus=THREATS_FOUND'.
+
+1. Upload a good file to the ScanningBucket:
+    ```
+    echo "This is a test file." > testfile.txt
+    aws s3 cp testfile.txt s3://<YOUR_SCANNING_BUCKET>/
+    ```
+   The uploaded S3 object is tagged with 'GuardDutyMalwareScanStatus=NO_THREATS_FOUND'. Additionally, a notification message is delivered to your email 
+   address with 'scanResultStatus=NO_THREATS_FOUND'.
+
+## Cleanup
+1. Delete all files from the S3 bucket
+
+1. Delete the stack
+    ```bash
+    sam delete --stack-name STACK_NAME
+    ```
+1. Confirm the stack has been deleted
+    ```bash
+    aws cloudformation list-stacks --query "StackSummaries[?contains(StackName,'STACK_NAME')].StackStatus"
+    ```
+----
+Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
diff --git a/guardduty-malware-s3/example-pattern.json b/guardduty-malware-s3/example-pattern.json
@@ -0,0 +1,59 @@
+{
+  "title": "AWS S3 to AWS GuardDuty to EventBridge to SNS",
+  "description": "Configure Malware Protection for S3 bucket using Amazon GuardDuty",
+  "language": "yaml",
+  "level": "200",
+  "framework": "SAM",
+  "introBox": {
+    "headline": "How it works",
+    "text": [
+      "This pattern protects an S3 bucket with malware protection by using GuardDuty to detect malicious file uploads.",
+      "The SAM template creates an IAM role that allows GuardDuty to receive S3 put object and bucket-level event notifications through an EventBridge managed rule. Another EventBridge rule, created by the template, monitors the S3 object scan results and sends notifications to the user’s email address, which is subscribed to an Amazon SNS topic.",
+      "This pattern deploys one S3 Bucket, one SNS topic, one SNS subscription, one IAM role, one EventBridge rule and one Malware protection plan resources "
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/guardduty-malware-s3",
+      "templateURL": "serverless-patterns/guardduty-malware-s3",
+      "projectFolder": "guardduty-malware-s3",
+      "templateFile": "template.yaml"
+    }
+  },
+  "resources": {
+    "bullets": [
+      {
+        "text": "GuardDuty Malware Protection for S3",
+        "link": "https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html"
+      },
+      {
+        "text": "Introducing Amazon GuardDuty Malware Protection for Amazon S3",
+        "link": "https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-malware-protection-for-amazon-s3/"
+      }
+    ]
+  },
+  "deploy": {
+    "text": [
+      "sam deploy --guided"
+    ]
+  },
+  "testing": {
+    "text": [
+      "See the GitHub repo for detailed testing instructions."
+    ]
+  },
+  "cleanup": {
+    "text": [
+      "Delete the stack: <code>sam delete</code>."
+    ]
+  },
+  "authors": [
+    {
+      "name": "Sumit Kapoor",
+      "image": "./sumit.jpg",
+      "bio": "I am currently working as a Lead DevOps Engineer at Clarivate",
+      "linkedin": "sumit-kapoor-61574839",
+      "twitter": ""
+    }
+  ]
+}
diff --git a/guardduty-malware-s3/guardduty-malware-s3.json b/guardduty-malware-s3/guardduty-malware-s3.json
@@ -0,0 +1,98 @@
+{
+    "title": "Amazon GuardDuty Malware Protection for Amazon S3",
+    "description": "Configure Malware Protection for Amazon S3 bucket using Amazon GuardDuty",
+    "language": "YAML",
+    "level": "200",
+    "framework": "SAM",
+    "introBox": {
+        "headline": "How it works",
+        "text": [
+            "This pattern demonstrates creating an Amazon S3 Malware Protection plan and integrating the findings with Amazon EventBridge and Amazon SNS to notify users of the scan results.",
+            "The SAM template creates an IAM role that includes permissions required for GuardDuty to receive S3 put object and bucket-level event notifications through an EventBridge managed rule. The template also creates an EventBridge managed rule, which is used to route S3 `put-object` and S3 bucket-level event notifications to GuardDuty's S3 Malware Protection Service.",
+            "Another EventBridge rule monitors the S3 object scan results and sends notifications to an SNS topic where users can subscribe via email.",
+            "This pattern deploys one S3 Bucket, one SNS topic, one SNS subscription, one IAM role, one EventBridge rule, and one Malware protection plan."
+        ]
+    },
+    "gitHub": {
+        "template": {
+            "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/guardduty-malware-s3",
+            "templateURL": "serverless-patterns/guardduty-malware-s3",
+            "projectFolder": "guardduty-malware-s3",
+            "templateFile": "template.yaml"
+        }
+    },
+    "resources": {
+        "bullets": [
+            {
+                "text": "GuardDuty Malware Protection for S3",
+                "link": "https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html"
+            },
+            {
+                "text": "Introducing Amazon GuardDuty Malware Protection for Amazon S3",
+                "link": "https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-malware-protection-for-amazon-s3/"
+            }
+        ]
+    },
+    "deploy": {
+        "text": [
+            "sam deploy --guided"
+        ]
+    },
+    "testing": {
+        "text": [
+            "See the GitHub repo for detailed testing instructions."
+        ]
+    },
+    "cleanup": {
+        "text": [
+            "Delete the stack: <code>sam delete</code>."
+        ]
+    },
+    "authors": [
+        {
+            "name": "Sumit Kapoor",
+            "image": "./sumit.jpg",
+            "bio": "I am currently working as a Lead DevOps Engineer at Clarivate",
+            "linkedin": "sumit-kapoor-61574839",
+            "twitter": ""
+        }
+    ],
+    "patternArch": {
+        "icon1": {
+            "x": 10,
+            "y": 50,
+            "service": "s3",
+            "label": "Amazon S3"
+        },
+        "icon2": {
+            "x": 35,
+            "y": 50,
+            "service": "eventbridge",
+            "label": "Amazon EventBridge"
+        },
+        "icon3": {
+            "x": 65,
+            "y": 50,
+            "service": "guard-duty",
+            "label": "Amazon GuardDuty"
+        },
+        "icon5": {
+            "x": 90,
+            "y": 50,
+            "service": "sns",
+            "label": "Amazon SNS"
+        },
+        "line1": {
+            "from": "icon1",
+            "to": "icon2"
+        },
+        "line2": {
+            "from": "icon2",
+            "to": "icon3"
+        },
+        "line3": {
+            "from": "icon3",
+            "to": "icon5"
+        }
+    }
+}
diff --git a/guardduty-malware-s3/sumit.jpg b/guardduty-malware-s3/sumit.jpg