
Commit 0f20a6d

authored
Merge pull request #2703 from guardian/pm-fix-guard-duty-ecs-task
Add necessary permissions for guard duty runtime monitoring of ecs tasks
2 parents df676ec + abae67b commit 0f20a6d

3 files changed

Lines changed: 42 additions & 1 deletion


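--- a/.changeset/lemon-pans-grab.md
+++ b/.changeset/lemon-pans-grab.md
@@ -0,0 +1,5 @@
+---
+"@guardian/cdk": minor
+---
+
+Add required permissions to GuEcsTask pattern for guard duty sidecar container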

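--- a/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap
+++ b/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap
@@ -551,6 +551,16 @@ exports[`The GuEcsTask pattern should create the correct resources with lots of
 ],
 },
 },
+{
+"Action": [
+"ecr:GetAuthorizationToken",
+"ecr:BatchCheckLayerAvailability",
+"ecr:GetDownloadUrlForLayer",
+"ecr:BatchGetImage",
+],
+"Effect": "Allow",
+"Resource": "694911143906.dkr.ecr.eu-west-1.amazonaws.com/aws-guardduty-agent-fargate",
+},
 ],
 "Version": "2012-10-17",
 },
@@ -1263,6 +1273,16 @@ exports[`The GuEcsTask pattern should support overriding the subnets used by the
 ],
 },
 },
+{
+"Action": [
+"ecr:GetAuthorizationToken",
+"ecr:BatchCheckLayerAvailability",
+"ecr:GetDownloadUrlForLayer",
+"ecr:BatchGetImage",
+],
+"Effect": "Allow",
+"Resource": "694911143906.dkr.ecr.eu-west-1.amazonaws.com/aws-guardduty-agent-fargate",
+},
 ],
 "Version": "2012-10-17",
 },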

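--- a/src/constructs/ecs/ecs-task.ts
+++ b/src/constructs/ecs/ecs-task.ts
@@ -14,7 +14,7 @@ import {
 TaskDefinition,
 } from "aws-cdk-lib/aws-ecs";
 import type { ContainerDefinition, ContainerInsights, RepositoryImageProps } from "aws-cdk-lib/aws-ecs";
-import type { PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Topic } from "aws-cdk-lib/aws-sns";
 import { DefinitionBody, IntegrationPattern, JsonPath, StateMachine, Timeout } from "aws-cdk-lib/aws-stepfunctions";
 import type { TaskEnvironmentVariable } from "aws-cdk-lib/aws-stepfunctions-tasks";
@@ -236,6 +236,22 @@ export class GuEcsTask extends Construct {
 taskDefinition.addToTaskRolePolicy(distPolicy);
 }
 
+// See https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
+const guardDutyPolicy = new PolicyStatement({
+effect: Effect.ALLOW,
+actions: [
+"ecr:GetAuthorizationToken",
+"ecr:BatchCheckLayerAvailability",
+"ecr:GetDownloadUrlForLayer",
+"ecr:BatchGetImage",
+],
+// See https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-ecr-repository-gdu-agent.html
+// note that if you are using a region other than eu-west-1 you'll need to add extra repositories here
+resources: ["694911143906.dkr.ecr.eu-west-1.amazonaws.com/aws-guardduty-agent-fargate"],
+});
+
+taskDefinition.addToExecutionRolePolicy(guardDutyPolicy);
+
 (customTaskPolicies ?? []).forEach((p) => taskDefinition.addToTaskRolePolicy(p));
 
 const task = new EcsRunTask(scope, `${id}-task`, {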
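Review bot: The new `guardDutyPolicy` grants `ecr:GetAuthorizationToken` scoped to a single ECR repository, but that action does not support resource-level permissions and is only effective with `Resource: "*"`, so the execution role will most likely still be unable to authenticate to ECR before pulling the GuardDuty agent image. The `resources` entry is also the registry hostname rather than an ARN; IAM resource elements have to be ARNs (or `*`), and I would expect the statement to be rejected as malformed at deploy time — the snapshot test only checks synthesized JSON, so this is worth confirming against a real deployment. Splitting the grant into two statements — `ecr:GetAuthorizationToken` on `*`, and the three image-pull actions on `arn:aws:ecr:eu-west-1:694911143906:repository/aws-guardduty-agent-fargate` — keeps the pull scoped to the one repository while letting the token call succeed; the snapshots would need regenerating. The enclosing GuEcsTask constructor continues outside the hunk.
```typescript
// See https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
// ecr:GetAuthorizationToken has no resource-level permissions, so it must be granted on "*".
const guardDutyAuthPolicy = new PolicyStatement({
  effect: Effect.ALLOW,
  actions: ["ecr:GetAuthorizationToken"],
  resources: ["*"],
});

// Image pull stays scoped to the GuardDuty agent repository (ARN form, not the registry hostname).
// See https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring-ecr-repository-gdu-agent.html
// note that if you are using a region other than eu-west-1 you'll need to add extra repositories here
const guardDutyPullPolicy = new PolicyStatement({
  effect: Effect.ALLOW,
  actions: ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
  resources: ["arn:aws:ecr:eu-west-1:694911143906:repository/aws-guardduty-agent-fargate"],
});

taskDefinition.addToExecutionRolePolicy(guardDutyAuthPolicy);
taskDefinition.addToExecutionRolePolicy(guardDutyPullPolicy);

// … unchanged: customTaskPolicies loop and EcsRunTask creation …
```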
