
fortinet/aws-lambda-guardduty-v2


FortiGate aws-lambda-guardduty - Parse GuardDuty Event

Overall

Process Flows

[Figure: Process Flow diagram]

The project source includes function code and supporting resources:

  • function - A Python function.
  • template.yml - An AWS CloudFormation template that creates and configures this application.
  • automation.py - Python scripts that use the AWS CLI to deploy and manage this application.

Use the following instructions to deploy this application.

Requirements

Python Lib Requirements

  • jsonpickle 4.0.2
  • aws-xray-sdk 2.14.0
  • jmespath 1.0.1
  • boto3

Resources

Upon executing the #3 script, a CloudFormation Stack will be created, provisioning the following resources:

  • EventBridge Rule: A rule that acts as a trigger for the Serverless function, filtering only GuardDuty Findings events.
  • IAM Role and Policy: Automatically configured roles and policies required for the Serverless function and the EventBridge Rule.
  • Lambda Function (Serverless): The automation script packages and uploads all necessary files to an S3 bucket, then creates a new Lambda function.

In total, eight resources are deployed, including rules, IAM roles, and the Lambda function.
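As an added illustration, not code from this repository, the Python below shows the kind of work the Lambda has to do once the EventBridge rule delivers a GuardDuty finding: read the remote peer address out of the finding's action block (network connection, API call or port probe), discard anything that is not publicly routable, and merge the result into the one-address-per-line list that FortiGate fetches from S3. The sample event, the severity threshold and the feed format are assumptions of this example; the project's own handler may differ.

```python
import ipaddress

# Constructed EventBridge envelope carrying one GuardDuty finding. Field names follow
# the GuardDuty finding schema; the addresses and the finding itself are made up.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
               "service": {"action": {"actionType": "NETWORK_CONNECTION",
                   "networkConnectionAction": {"connectionDirection": "INBOUND",
                       "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

# Ranges that must never reach a perimeter block feed (RFC 1918, loopback, link-local,
# CGNAT). TEST-NET blocks are deliberately absent so documentation addresses can be input.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def remote_ips_from_finding(detail):
    """Return the remote IPv4 addresses a finding attributes to the peer."""
    action = detail.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        details = [action["networkConnectionAction"]["remoteIpDetails"]]
    elif kind == "AWS_API_CALL":
        details = [action["awsApiCallAction"]["remoteIpDetails"]]
    elif kind == "PORT_PROBE":
        details = [p["remoteIpDetails"]
                   for p in action["portProbeAction"]["portProbeDetails"]]
    else:  # DNS_REQUEST and unknown action types carry no peer address
        details = []
    return [d["ipAddressV4"] for d in details if d.get("ipAddressV4")]


def is_blockable(ip):
    """True for a well-formed IPv4 address that lies outside NON_ROUTABLE."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in n for n in NON_ROUTABLE)


def merge_block_list(existing_text, event, min_severity=4):
    """Merge a finding's peer IPs into a one-IP-per-line feed (comment lines
    starting with '#' are dropped); returns (new_text, newly_added_ips)."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "GuardDuty Finding" or detail.get("severity", 0) < min_severity:
        return existing_text, []
    current = {ln.strip() for ln in existing_text.splitlines() if ln.strip() and not ln.startswith("#")}
    added = [ip for ip in remote_ips_from_finding(detail) if is_blockable(ip) and ip not in current]
    current.update(added)
    return "\n".join(sorted(current, key=ipaddress.ip_address)) + "\n", added
```

In the real function the existing text would come from s3:GetObject on the configured bucket and the merged text would go back with s3:PutObject, which is exactly the pair of permissions the template grants.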

IAM Role and Policy

The CloudFormation Template (CFT) will create specific IAM roles and policies, explicitly defined in the template.yml file. Below are the scope and permissions assigned by the CFT:

Lambda Function

The function will have restricted access to a specific S3 bucket and the necessary permissions to execute. These include:

  • AWSLambdaBasicExecutionRole
  • AWSLambda_ReadOnlyAccess
  • AWSXrayWriteOnlyAccess
  • s3:ListAllMyBuckets
  • s3:GetObject
  • s3:PutObject

Event Rule

This rule will grant permission to events.amazonaws.com and allow it to invoke only our serverless function. The assigned permissions are:

  • sts:AssumeRole
  • lambda:InvokeFunction

VPC EndPoint

VPC EndPoint for S3

Setup

Download or clone this repository.

git clone git@github.com:fortinet/aws-lambda-guardduty-v2.git
cd aws-lambda-guardduty-v2

Edit the file config_file.json to reflect your intent; the existing file gives a sample of two regions, with one subnet per AZ. The file is expected to contain:

  • s3_bucket_name: The AWS S3 bucket name
  • s3_file_name: The file name that will store the list of IP Address
  • aws_region: AWS Region name
  • prefix: it is a prefix to ensure the file name uniqueness
  • endpoint -> vpc_id: The AWS VPC ID where the automation will create the S3 Endpoint
  • endpoint -> subnet_ids: List of AWS subnet IDs that will be attached to the S3 endpoint. Must be one per AZ.
  • endpoint -> security_group_ids: List of AWS Security Groups.

All parameters are mandatory.

Make sure you have valid credentials to your AWS environment.

To create a new bucket for deployment artifacts, run python3 automation.py --step 0 --config ./config_file_sample.json.

python3 automation.py --step 0 --config ./config_file_sample.json

Example output:

2025-04-11 14:13:58,152 [MainThread] [INFO]  Found credentials in environment variables.
2025-04-11 14:13:58,211 [MainThread] [INFO]  Creating S3 bucket: test-us-east-1-ip-block-guardduty, region: us-east-1.
2025-04-11 14:13:58,879 [MainThread] [INFO]  Creating S3 bucket - Done.
2025-04-11 14:13:58,881 [MainThread] [INFO]  Creating S3 bucket: test-us-east-2-ip-block-guardduty, region: us-east-2.
2025-04-11 14:13:59,969 [MainThread] [INFO]  Creating S3 bucket - Done.

This means the S3 bucket has been created and a new, empty list file is already in it.

Automation Deploy

To deploy the application, run python3 automation.py --step 1 --config ./config_file_sample.json.

python3 automation.py --step 1 --config ./config_file_sample.json

This script will:

  • Install Lambda function required packages.
  • Upload Lambda functions and libraries to the S3 bucket.
  • Create the Lambda functions and their IAM role.
  • Create the CloudWatch Filter and its IAM role.

If the AWS CloudFormation stack that contains the resources already exists, the script updates it with any changes to the template or function code.

VPC EndPoint and S3 Policy Configuration

To create the VPC endpoint (VPCe), run the command python3 automation.py --step 2 --config ./config_file_sample.json.

The script will:

  • Create the VPC EndPoint based on the data provided
  • Set the S3 Bucket policy
  • Print the URL that needs to be used on FortiGate for the Address IP Object.

FortiGate Configuration

Link for the Official documentation

About

Provide Fortigate integration with GuardDuty.
