detectors

Creates, updates, deletes or gets a detector resource or lists detectors in a region

Overview

Name	detectors
Type	Resource
Description	Resource Type definition for AWS::GuardDuty::Detector
Id	awscc.guardduty.detectors

Fields

get (all properties)

Name	Datatype	Description
finding_publishing_frequency	string
enable	boolean
▶data_sources	object
▶features	array
id	string
▶tags	array
region	string	AWS region.

list (identifiers only)

Name	Datatype	Description
id	string
region	string	AWS region.

For more information, see AWS::GuardDuty::Detector.

Methods

Name	Resource	Accessible by	Required Params
create_resource	detectors	INSERT	Enable, region
delete_resource	detectors	DELETE	Identifier, region
update_resource	detectors	UPDATE	Identifier, PatchDocument, region
list_resources	detectors_list_only	SELECT	region
get_resource	detectors	SELECT	Identifier, region

SELECT examples

get (all properties)

Gets all properties from an individual detector.

SELECT
  region,
  finding_publishing_frequency,
  enable,
  data_sources,
  features,
  id,
  tags
FROM awscc.guardduty.detectors
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ id }}';

list (identifiers only)

Lists all detectors in a region.

SELECT
  region,
  id
FROM awscc.guardduty.detectors_list_only
WHERE
  region = 'us-east-1';

INSERT example

Use the following StackQL query and manifest file to create a new detector resource, using stack-deploy.

Required Properties

/*+ create */
INSERT INTO awscc.guardduty.detectors (
  Enable,
  region
)
SELECT
  '{{ enable }}',
  '{{ region }}';

All Properties

/*+ create */
INSERT INTO awscc.guardduty.detectors (
  FindingPublishingFrequency,
  Enable,
  DataSources,
  Features,
  Tags,
  region
)
SELECT
  '{{ finding_publishing_frequency }}',
  '{{ enable }}',
  '{{ data_sources }}',
  '{{ features }}',
  '{{ tags }}',
  '{{ region }}';

Manifest

version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: detector
    props:
      - name: finding_publishing_frequency
        value: '{{ finding_publishing_frequency }}'
      - name: enable
        value: '{{ enable }}'
      - name: data_sources
        value:
          s3_logs:
            enable: '{{ enable }}'
          kubernetes:
            audit_logs:
              enable: '{{ enable }}'
          malware_protection:
            scan_ec2_instance_with_findings:
              ebs_volumes: '{{ ebs_volumes }}'
      - name: features
        value:
          - name: '{{ name }}'
            status: '{{ status }}'
            additional_configuration:
              - name: '{{ name }}'
                status: '{{ status }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'

UPDATE example

Use the following StackQL query and manifest file to update a detector resource, using stack-deploy.

/*+ update */
UPDATE awscc.guardduty.detectors
SET PatchDocument = string('{{ {
    "FindingPublishingFrequency": finding_publishing_frequency,
    "Enable": enable,
    "DataSources": data_sources,
    "Features": features,
    "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ id }}';

DELETE example

/*+ delete */
DELETE FROM awscc.guardduty.detectors
WHERE
  Identifier = '{{ id }}' AND
  region = 'us-east-1';

Permissions

To operate on the detectors resource, the following permissions are required:

Create

guardduty:CreateDetector,
guardduty:GetDetector,
guardduty:TagResource,
iam:CreateServiceLinkedRole,
iam:GetRole

Read

guardduty:GetDetector,
guardduty:ListTagsForResource

Delete

guardduty:ListDetectors,
guardduty:DeleteDetector,
guardduty:GetDetector

Update

guardduty:UpdateDetector,
guardduty:GetDetector,
guardduty:ListDetectors,
iam:CreateServiceLinkedRole,
iam:GetRole,
guardduty:TagResource,
guardduty:UntagResource

List

guardduty:ListDetectors