@sean-navapbc
Collaborator

Summary

Fixes 7 HIGH/CRITICAL findings from AWS Security Hub by enabling account-level security monitoring and scanning features.

Findings Resolved:

  • ✅ GuardDuty.11 - GuardDuty Runtime Monitoring (CRITICAL)
  • ✅ GuardDuty.7 - GuardDuty EKS Runtime Monitoring (HIGH)
  • ✅ Inspector.1 - EC2 scanning (HIGH)
  • ✅ Inspector.2 - ECR scanning (HIGH)
  • ✅ Inspector.3 - Lambda code scanning (HIGH)
  • ✅ Inspector.4 - Lambda standard scanning (HIGH)
  • ✅ SSM.7 - Block SSM document public sharing (CRITICAL)

Findings Documented as Accepted:

  • CloudFront.1 - False positive (control doesn't apply to ALB origins)
  • ECS.5 - Operational requirement (Fluent Bit needs write access)

Changes

New Terraform files:

  • infra/accounts/guardduty.tf - GuardDuty detector with runtime monitoring enabled
  • infra/accounts/inspector.tf - Amazon Inspector scanning for EC2, ECR, Lambda
  • infra/accounts/ssm.tf - SSM document public sharing block
  • docs/security/accepted-findings.md - Documentation of accepted/false positive findings

Security improvements:

  • Enables runtime threat detection for ECS Fargate, EKS, and EC2 instances
  • Enables vulnerability scanning for container images and Lambda functions
  • Prevents accidental public sharing of SSM documents

Deployment Notes

Before applying, import the existing GuardDuty detector:

cd infra/accounts
terraform import aws_guardduty_detector.main 94c62cc0d4fe7b2eb627a33e8273238c
terraform plan  # Review changes
terraform apply # Apply when ready

These are account-level settings (not environment-specific) that apply to the entire AWS account.

Validation

  • ✅ All Terraform files validated with terraform validate
  • ✅ All files formatted with terraform fmt
  • ✅ Plan reviewed (adds 6 resources, updates 2, removes 13 unrelated legacy resources)

Security Hub findings should update within 24 hours of applying these changes.
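Terraform in the shape the PR describes, as an added example: this is not the contents of the PR's infra/accounts/*.tf files (which are not shown on this page) but an illustration of how the same three account-level controls are expressed with the AWS provider's resources. Assumed: AWS provider 5.x, account ID and region taken from the caller's credentials, the `FIFTEEN_MINUTES` publishing frequency, the `public-sharing-permission` service-setting ARN and the resource names are the example's own choices, and the `aws_guardduty_detector.main` name is kept only because the PR's import command uses it.

```hcl
# Added illustration, not the PR's own files. Assumes AWS provider 5.x and
# that account/region come from the credentials Terraform runs with.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# GuardDuty.11 / GuardDuty.7: the detector already exists and is imported
# (see Deployment Notes), so these attributes must match the live detector
# or the first plan after import will show an in-place update.
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Runtime Monitoring with agent management for ECS Fargate, EKS and EC2.
# AWS folded EKS Runtime Monitoring into the broader RUNTIME_MONITORING
# feature; the EKS add-on management toggle is what covers EKS clusters.
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }

  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

# Inspector.1-4: enable EC2, ECR, Lambda standard and Lambda code scanning
# for this account only (a member account, not a delegated administrator).
resource "aws_inspector2_enabler" "account" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
}

# SSM.7: the account-level service setting that blocks public sharing of
# SSM documents. The setting is per region; apply it in every region in use.
resource "aws_ssm_service_setting" "block_public_sharing" {
  setting_id    = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:servicesetting/ssm/documents/console/public-sharing-permission"
  setting_value = "Disable"
}
```

Two checks worth running before `terraform apply`: if Runtime Monitoring was already switched on in the console, the feature resource also needs importing (`terraform import aws_guardduty_detector_feature.runtime_monitoring <detector-id>/RUNTIME_MONITORING`) or Terraform will try to create it; and because the SSM service setting and the Inspector enabler are regional, a plan in a single provider region only covers that region, so the Security Hub controls will stay failed for any other region where these services are enabled.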

Resolves 7 HIGH/CRITICAL findings from AWS Security Hub by enabling
account-level security monitoring and scanning features.

Changes:
- Enable GuardDuty Runtime Monitoring for ECS/EKS/EC2 (GuardDuty.11)
- Enable GuardDuty EKS Runtime Monitoring (GuardDuty.7)
- Enable Amazon Inspector scanning for EC2, ECR, Lambda (Inspector.1-4)
- Block SSM document public sharing (SSM.7)
- Document CloudFront.1 and ECS.5 as accepted findings

New Terraform files:
- infra/accounts/guardduty.tf - GuardDuty detector with runtime monitoring
- infra/accounts/inspector.tf - Inspector scanning enablement
- infra/accounts/ssm.tf - SSM public sharing block
- docs/security/accepted-findings.md - Security finding documentation

Note: GuardDuty detector must be imported before applying:
terraform import aws_guardduty_detector.main 94c62cc0d4fe7b2eb627a33e8273238c
Sean Thomas added 3 commits November 26, 2025 14:48

CKV2_AWS_3 expects organization-level GuardDuty configuration, but this
is a member account in an AWS Organization where the organization
administrator (account 215331682793) manages GuardDuty settings.