{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Centralizes AWS GuardDuty findings: every GuardDuty Finding event is delivered by an EventBridge rule to the CloudWatch Logs log group /aws/events/GuardDuty, and findings with severity 7.0 to 10.0 (HIGH) are emailed through an SNS topic. Note: the log group is created without a retention period.",
    "Parameters": {
        "EmailAddress": {
            "Type": "String",
            "Description": "Email address subscribed to the GuardDuty notification SNS topic; it receives findings with severity 7.0 to 10.0.",
            "Default": "example@domain.com"
        }
    },
    "Resources": {
        "GuardDutySNSTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "Subscription": [
                    {
                        "Endpoint": {
                            "Ref": "EmailAddress"
                        },
                        "Protocol": "email"
                    }
                ],
                "TopicName": "GuardDutyNotification"
            }
        },
        "GuardDutySNSTopicPolicy": {
            "Type": "AWS::SNS::TopicPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2008-10-17",
                    "Id": "__default_policy_ID",
                    "Statement": [
                        {
                            "Sid": "__default_statement_ID",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "*"
                            },
                            "Action": [
                                "SNS:GetTopicAttributes",
                                "SNS:SetTopicAttributes",
                                "SNS:AddPermission",
                                "SNS:RemovePermission",
                                "SNS:DeleteTopic",
                                "SNS:Subscribe",
                                "SNS:ListSubscriptionsByTopic",
                                "SNS:Publish"
                            ],
                            "Resource": {
                                "Fn::Join": [
                                    "",
                                    [
                                        "arn:aws:sns:",
                                        {
                                            "Ref": "AWS::Region"
                                        },
                                        ":",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        ":GuardDutyNotification"
                                    ]
                                ]
                            },
                            "Condition": {
                                "StringEquals": {
                                    "AWS:SourceOwner": {
                                        "Ref": "AWS::AccountId"
                                    }
                                }
                            }
                        },
                        {
                            "Sid": "AWSEvents_GuardDutyNotification",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "events.amazonaws.com"
                            },
                            "Action": "sns:Publish",
                            "Resource": {
                                "Fn::Join": [
                                    "",
                                    [
                                        "arn:aws:sns:",
                                        {
                                            "Ref": "AWS::Region"
                                        },
                                        ":",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        ":GuardDutyNotification"
                                    ]
                                ]
                            }
                        }
                    ]
                },
                "Topics": [
                    {
                        "Ref": "GuardDutySNSTopic"
                    }
                ]
            }
        },
        "GuardDutyLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": "/aws/events/GuardDuty"
            }
        },
        "GuardDutyEventDeliveryRule": {
            "Type": "AWS::Events::Rule",
            "Properties": {
                "State": "ENABLED",
                "Name": "GuardDutyEventDeliveryRule",
                "EventPattern": {
                    "source": [
                        "aws.guardduty"
                    ],
                    "detail-type": [
                        "GuardDuty Finding"
                    ]
                },
                "Targets": [
                    {
                        "Arn": {
                            "Fn::GetAtt": [
                                "GuardDutyLogGroup",
                                "Arn"
                            ]
                        },
                        "Id": "GuardDutyEventDeliveryRuleBus"
                    }
                ]
            },
            "DependsOn": [
                "GuardDutyLogGroup"
            ]
        },
        "GuardDutyEventNotificationRule": {
            "Type": "AWS::Events::Rule",
            "Properties": {
                "State": "ENABLED",
                "Name": "GuardDutyEventNotificationRule",
                "EventPattern": {
                    "source": [
                        "aws.guardduty"
                    ],
                    "detail-type": [
                        "GuardDuty Finding"
                    ],
                    "detail": {
                        "severity": [
                            7,
                            7.0,
                            7.1,
                            7.2,
                            7.3,
                            7.4,
                            7.5,
                            7.6,
                            7.7,
                            7.8,
                            7.9,
                            8,
                            8.0,
                            8.1,
                            8.2,
                            8.3,
                            8.4,
                            8.5,
                            8.6,
                            8.7,
                            8.8,
                            8.9,
                            9,
                            9.0,
                            9.1,
                            9.2,
                            9.3,
                            9.4,
                            9.5,
                            9.6,
                            9.7,
                            9.8,
                            9.9,
                            10,
                            10.0
                        ]
                    }
                },
                "Targets": [
                    {
                        "Arn": {
                            "Ref": "GuardDutySNSTopic"
                        },
                        "Id": "GuardDutyEventNotificationRuleBus",
                        "InputTransformer": {
                            "InputPathsMap": {
                                "severity": "$.detail.severity",
                                "findingID": "$.detail.id",
                                "type": "$.detail.type",
                                "firstSeen": "$.detail.service.eventFirstSeen",
                                "account": "$.account",
                                "title": "$.detail.title",
                                "region": "$.region",
                                "description": "$.detail.description",
                                "arn": "$.detail.arn"
                            },
                            "InputTemplate": "\"You have a severity <severity> GuardDuty finding type <type>\"\n\"Region: <region>\"\n\"Account: <account>\"\n\"First seen: <firstSeen>\"\n\"ARN: <arn>\"\n\"Finding Description:\"\n\"<description>\"\n\"Link to GuardDuty console: https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id%3D<findingID>\""
                        }
                    }
                ]
            },
            "DependsOn": [
                "GuardDutySNSTopic"
            ]
        }
    },
    "Outputs": {
        "GuardDutySNSTopic": {
            "Description": "SNS topic (GuardDutyNotification) that receives severity 7.0 to 10.0 GuardDuty finding notifications",
            "Value": {
                "Ref": "GuardDutySNSTopic"
            }
        },
        "GuardDutyLogGroup": {
            "Description": "CloudWatch Logs log group (/aws/events/GuardDuty) that receives every GuardDuty finding event",
            "Value": {
                "Ref": "GuardDutyLogGroup"
            }
        },
        "GuardDutyEventDeliveryRule": {
            "Description": "EventBridge rule that delivers all GuardDuty finding events to the log group",
            "Value": {
                "Ref": "GuardDutyEventDeliveryRule"
            }
        },
        "GuardDutyEventNotificationRule": {
            "Description": "EventBridge rule that forwards severity 7.0 to 10.0 GuardDuty findings to the SNS topic",
            "Value": {
                "Ref": "GuardDutyEventNotificationRule"
            }
        }
    }
}