@@ -14,7 +14,7 @@ import {
1414 TaskDefinition ,
1515} from "aws-cdk-lib/aws-ecs" ;
1616import type { ContainerDefinition , ContainerInsights , RepositoryImageProps } from "aws-cdk-lib/aws-ecs" ;
17- import type { PolicyStatement } from "aws-cdk-lib/aws-iam" ;
17+ import { Effect , PolicyStatement } from "aws-cdk-lib/aws-iam" ;
1818import { Topic } from "aws-cdk-lib/aws-sns" ;
1919import { DefinitionBody , IntegrationPattern , JsonPath , StateMachine , Timeout } from "aws-cdk-lib/aws-stepfunctions" ;
2020import type { TaskEnvironmentVariable } from "aws-cdk-lib/aws-stepfunctions-tasks" ;
@@ -236,6 +236,22 @@ export class GuEcsTask extends Construct {
236236 taskDefinition . addToTaskRolePolicy ( distPolicy ) ;
237237 }
238238
239+ // See https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
240+ const guardDutyPolicy = new PolicyStatement ( {
241+ effect : Effect . ALLOW ,
242+ actions : [
243+ "ecr:GetAuthorizationToken" ,
244+ "ecr:BatchCheckLayerAvailability" ,
245+ "ecr:GetDownloadUrlForLayer" ,
246+ "ecr:BatchGetImage" ,
247+ ] ,
248+ // See https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-ecr-repository-gdu-agent.html
249+ // note that if you are using a region other than eu-west-1 you'll need to add extra repositories here
250+ resources : [ "694911143906.dkr.ecr.eu-west-1.amazonaws.com/aws-guardduty-agent-fargate" ] ,
251+ } ) ;
252+
253+ taskDefinition . addToExecutionRolePolicy ( guardDutyPolicy ) ;
254+
239255 ( customTaskPolicies ?? [ ] ) . forEach ( ( p ) => taskDefinition . addToTaskRolePolicy ( p ) ) ;
240256
241257 const task = new EcsRunTask ( scope , `${ id } -task` , {