Provides a resource to manage an Amazon GuardDuty detector.
```hcl
resource "aws_guardduty_detector" "MyDetector" {
  enable = true

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = false
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}
```
This resource supports the following arguments:

- `enable` - (Optional) Enable monitoring and feedback reporting. Setting to `false` is equivalent to "suspending" GuardDuty. Defaults to `true`.
- `finding_publishing_frequency` - (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified; otherwise it defaults to `SIX_HOURS`. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: `FIFTEEN_MINUTES`, `ONE_HOUR`, `SIX_HOURS`. See AWS Documentation for more information.
- `datasources` - (Optional) Describes which data sources will be enabled for the detector. See Data Sources below for more details. Deprecated in favor of `aws_guardduty_detector_feature` resources.
- `tags` - (Optional) Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.

The `datasources` block supports the following:
- `s3_logs` - (Optional) Configures S3 protection. See S3 Logs below for more details.
- `kubernetes` - (Optional) Configures Kubernetes protection. See Kubernetes and Kubernetes Audit Logs below for more details.
- `malware_protection` - (Optional) Configures Malware Protection. See Malware Protection, Scan EC2 instance with findings and EBS volumes below for more details.

The `datasources` block is deprecated since March 2023. Use the `features` block instead and map each `datasources` block to the corresponding `features` block.
The `s3_logs` block supports the following:

- `enable` - (Required) If true, enables S3 protection. Defaults to `true`.

The `kubernetes` block supports the following:

- `audit_logs` - (Required) Configures Kubernetes audit logs as a data source for Kubernetes protection. See Kubernetes Audit Logs below for more details.

The `audit_logs` block supports the following:

- `enable` - (Required) If true, enables Kubernetes audit logs as a data source for Kubernetes protection. Defaults to `true`.

The `malware_protection` block supports the following:

- `scan_ec2_instance_with_findings` - (Required) Configures whether Malware Protection is enabled as a data source for EC2 instances with findings for the detector. See Scan EC2 instance with findings below for more details.

The `scan_ec2_instance_with_findings` block supports the following:

- `ebs_volumes` - (Required) Configures whether scanning EBS volumes is enabled as a data source for the detector for instances with findings. See EBS volumes below for more details.

The `ebs_volumes` block supports the following:

- `enable` - (Required) If true, enables Malware Protection as a data source for the detector. Defaults to `true`.
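The deprecation note above asks for each `datasources` sub-block to be mapped to its replacement. The following is an added example (not part of this page or the provider's own documentation) that re-expresses the detector from the page's example without the deprecated `datasources` block, pinning `finding_publishing_frequency` explicitly so a standalone or primary account gets drift detection on that setting. It assumes the `aws_guardduty_detector_feature` resource's `detector_id`, `name` and `status` arguments and the feature names `S3_DATA_EVENTS`, `EKS_AUDIT_LOGS` and `EBS_MALWARE_PROTECTION`, none of which are described on this page.

```hcl
# Added example, not the provider's own code. The detector is the one from the
# page's example; the deprecated datasources block is replaced by one
# aws_guardduty_detector_feature resource per former sub-block.
resource "aws_guardduty_detector" "MyDetector" {
  enable = true

  # Set explicitly (assumed value) so that an out-of-band change to the
  # publishing frequency shows up as drift in `terraform plan`.
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Former datasources.s3_logs.enable = true
resource "aws_guardduty_detector_feature" "s3_logs" {
  detector_id = aws_guardduty_detector.MyDetector.id
  name        = "S3_DATA_EVENTS" # assumed feature name
  status      = "ENABLED"
}

# Former datasources.kubernetes.audit_logs.enable = false
resource "aws_guardduty_detector_feature" "eks_audit_logs" {
  detector_id = aws_guardduty_detector.MyDetector.id
  name        = "EKS_AUDIT_LOGS" # assumed feature name
  status      = "DISABLED"
}

# Former datasources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.enable = true
resource "aws_guardduty_detector_feature" "ebs_malware_protection" {
  detector_id = aws_guardduty_detector.MyDetector.id
  name        = "EBS_MALWARE_PROTECTION" # assumed feature name
  status      = "ENABLED"
}
```

One resource per feature keeps each protection's `status` as a separately tracked value in state, so a protection that is switched off outside Terraform appears as a single, obvious change in `terraform plan` rather than being buried inside a nested block diff.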
This resource exports the following attributes in addition to the arguments above:

- `account_id` - The AWS account ID of the GuardDuty detector.
- `arn` - Amazon Resource Name (ARN) of the GuardDuty detector.
- `id` - The ID of the GuardDuty detector.
- `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

In Terraform v1.5.0 and later, use an `import` block to import GuardDuty detectors using the detector ID. For example:
```hcl
import {
  to = aws_guardduty_detector.MyDetector
  id = "00b00fd5aecc0ab60a708659477e9617"
}
```
Using `terraform import`, import GuardDuty detectors using the detector ID. For example:

```console
% terraform import aws_guardduty_detector.MyDetector 00b00fd5aecc0ab60a708659477e9617
```

The ID of the detector can be retrieved via the AWS CLI using `aws guardduty list-detectors`.