Manages the GuardDuty Organization Configuration in the current AWS Region. The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the `aws_guardduty_organization_admin_account` resource. More information about Organizations support in GuardDuty can be found in the GuardDuty User Guide.
```terraform
resource "aws_guardduty_detector" "example" {
  enable = true
}

resource "aws_guardduty_organization_configuration" "example" {
  auto_enable_organization_members = "ALL"

  detector_id = aws_guardduty_detector.example.id

  datasources {
    s3_logs {
      auto_enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}
```
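The example above enrolls every member account with every datasource auto-enabled. Once the configuration is applied, a practitioner usually wants an independent check that the live organization configuration still matches that intent (drift, a later `NEW`-only change, or a member-account limit quietly stops new accounts from being covered). The following Python audit is an added example, not part of the provider documentation; it evaluates a `DescribeOrganizationConfiguration` response against the settings used above. The response layout and the `boto3` call in `audit_live` are assumptions about the GuardDuty API shape, and the embedded sample response is constructed for illustration.

```python
"""Audit a GuardDuty organization configuration for coverage gaps.

Added example, not part of the Terraform AWS provider documentation.
The response layout mirrors what boto3's
GuardDuty.Client.describe_organization_configuration returns (an
assumption about the API shape; verify against the SDK you use).
"""

# Desired policy: every member, existing and new, with every protection
# auto-enabled. This matches the Terraform example on this page.
EXPECTED_AUTO_ENABLE = "ALL"


def _get(d, *path):
    """Walk nested dicts; return None if any key along the path is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def find_gaps(config):
    """Return a list of human-readable gaps in an org configuration dict.

    `config` is the response of describe_organization_configuration for the
    delegated administrator's detector.
    """
    gaps = []
    mode = config.get("AutoEnableOrganizationMembers")
    if mode != EXPECTED_AUTO_ENABLE:
        gaps.append(
            f"auto_enable_organization_members is {mode!r}, "
            f"expected {EXPECTED_AUTO_ENABLE!r}"
        )

    # Each entry: (argument name as Terraform spells it, path into the
    # response). Note the Terraform kubernetes block calls its flag `enable`
    # while the API reports it as `AutoEnable`.
    datasource_checks = [
        ("datasources.s3_logs.auto_enable",
         ("DataSources", "S3Logs", "AutoEnable")),
        ("datasources.kubernetes.audit_logs.enable",
         ("DataSources", "Kubernetes", "AuditLogs", "AutoEnable")),
        ("datasources.malware_protection.scan_ec2_instance_with_findings"
         ".ebs_volumes.auto_enable",
         ("DataSources", "MalwareProtection", "ScanEc2InstanceWithFindings",
          "EbsVolumes", "AutoEnable")),
    ]
    for name, path in datasource_checks:
        value = _get(config, *path)
        # A missing block (None) is just as much a gap as an explicit False.
        if value is not True:
            gaps.append(f"{name} is {value!r}, expected True")

    if config.get("MemberAccountLimitReached"):
        gaps.append("member account limit reached: further new accounts "
                    "will not be enrolled")
    return gaps


# Constructed sample: S3 Protection on, Kubernetes audit logs off, malware
# protection block missing entirely, and only NEW accounts auto-enrolled.
SAMPLE_RESPONSE = {
    "AutoEnable": True,
    "MemberAccountLimitReached": False,
    "AutoEnableOrganizationMembers": "NEW",
    "DataSources": {
        "S3Logs": {"AutoEnable": True},
        "Kubernetes": {"AuditLogs": {"AutoEnable": False}},
    },
}


def audit_live(detector_id, client=None):
    """Fetch the live configuration with boto3 and audit it.

    Assumes credentials for the delegated administrator account. boto3 is
    imported lazily so the offline sample above runs without it installed.
    """
    if client is None:
        import boto3
        client = boto3.client("guardduty")
    response = client.describe_organization_configuration(DetectorId=detector_id)
    return find_gaps(response)


if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_RESPONSE):
        print("GAP:", gap)
```

Run it as-is to see the three gaps in the constructed sample, or call `audit_live("<detector-id>")` from the delegated administrator account to audit the real configuration; an empty list means the live settings match the `ALL` + all-datasources policy the example expresses.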
This resource supports the following arguments:

- `auto_enable` - (Optional) Deprecated: Use `auto_enable_organization_members` instead. When this setting is enabled, all new accounts that are created in, or added to, the organization are added as member accounts of the organization's GuardDuty delegated administrator and GuardDuty is enabled in that AWS Region.
- `auto_enable_organization_members` - (Optional) Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. Valid values are `ALL`, `NEW`, `NONE`.
- `detector_id` - (Required) The detector ID of the GuardDuty account.
- `datasources` - (Optional) Configuration for the collected datasources.

`datasources` supports the following:

- `s3_logs` - (Optional) Enable S3 Protection automatically for new member accounts.
- `kubernetes` - (Optional) Enable Kubernetes Audit Logs Monitoring automatically for new member accounts.
- `malware_protection` - (Optional) Enable Malware Protection automatically for new member accounts.

The `s3_logs` block supports the following:

- `auto_enable` - (Optional) Set to `true` if you want S3 data event logs to be automatically enabled for new members of the organization. Default: `false`

The `kubernetes` block supports the following:

- `audit_logs` - (Required) Enable Kubernetes Audit Logs Monitoring (Kubernetes Protection) automatically for new member accounts. See Kubernetes Audit Logs below for more details.

The `audit_logs` block supports the following:

- `enable` - (Required) If `true`, enables Kubernetes audit logs as a data source for Kubernetes Protection. Defaults to `true`.

The `malware_protection` block supports the following:

- `scan_ec2_instance_with_findings` - (Required) Configure whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization. See Scan EC2 instance with findings below for more details.

The `scan_ec2_instance_with_findings` block supports the following:

- `ebs_volumes` - (Required) Configure whether scanning EBS volumes should be auto-enabled for new members joining the organization. See EBS volumes below for more details.

The `ebs_volumes` block supports the following:

- `auto_enable` - (Required) If `true`, enables Malware Protection for all new accounts joining the organization. Defaults to `true`.

This resource exports the following attributes in addition to the arguments above:
- `id` - Identifier of the GuardDuty Detector.

In Terraform v1.5.0 and later, use an `import` block to import GuardDuty Organization Configurations using the GuardDuty Detector ID. For example:
```terraform
import {
  to = aws_guardduty_organization_configuration.example
  id = "00b00fd5aecc0ab60a708659477e9617"
}
```
Using `terraform import`, import GuardDuty Organization Configurations using the GuardDuty Detector ID. For example:

```console
% terraform import aws_guardduty_organization_configuration.example 00b00fd5aecc0ab60a708659477e9617
```