Terraform module to set up AWS GuardDuty in an organization
Usage

Registering the delegated administrator (aws_guardduty_organization_admin_account) has to be done from the organization's management account, while the module's own resources must be applied in the delegated administrator account. With a single provider, as below, both are the same account; use a second provider alias if the delegated administrator is a separate security account, which is what AWS recommends.

```hcl
data "aws_caller_identity" "current" {}

# Delegate GuardDuty administration for the organization to the current account.
resource "aws_guardduty_organization_admin_account" "default" {
  admin_account_id = data.aws_caller_identity.current.account_id
}

module "guardduty" {
  source  = "blackbird-cloud/guardduty-organization/aws"
  version = "~> 2"

  finding_publishing_frequency     = "FIFTEEN_MINUTES"
  auto_enable_organization_members = "ALL"

  scan_s3_data_events           = true
  scan_eks_audit_logs           = true
  enable_ebs_malware_protection = true
  # Runtime Monitoring (enable_runtime_protection) already includes EKS runtime
  # monitoring and conflicts with enable_eks_runtime_monitoring, so at most one
  # of the two may be true.
  enable_eks_runtime_monitoring = false
  enable_runtime_protection     = true
  scan_rds_login_events         = true
  scan_lambda_network_logs      = true

  tags = {
    my = "tag"
  }

  depends_on = [aws_guardduty_organization_admin_account.default]
}
```

Requirements

| Name | Version |
|---|---|
| terraform | >= 1 |
| aws | >= 5.54 |

Providers

| Name | Version |
|---|---|
| aws | >= 5.54 |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auto_enable_organization_members | (Optional) Auto-enablement configuration of GuardDuty for the member accounts in the organization. Valid values are ALL, NEW, NONE. Defaults to ALL. | string | "ALL" | no |
| enable_ebs_malware_protection | (Optional) If true, enables Malware Protection for EC2 (EBS volume scanning) for all new accounts joining the organization. Defaults to true. | bool | true | no |
| enable_eks_runtime_monitoring | (Optional) If true, enables the GuardDuty EKS add-on for EKS Runtime Monitoring. Conflicts with enable_runtime_protection. Defaults to true. | bool | true | no |
| enable_runtime_protection | (Optional) If true, enables Runtime Monitoring for EKS and ECS, which includes EKS runtime monitoring. Conflicts with enable_eks_runtime_monitoring. Defaults to false. | bool | false | no |
| finding_publishing_frequency | (Optional) Frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty administrator account and cannot be modified; otherwise it defaults to SIX_HOURS. For standalone and GuardDuty administrator accounts, set it explicitly in Terraform to enable drift detection. Valid values for standalone and administrator accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. Defaults to SIX_HOURS. | string | "SIX_HOURS" | no |
| members | Map of member accounts to invite to GuardDuty | map(object({ | {} | no |
| publish_destination_kms_key_arn | (Optional) ARN of the KMS key used to encrypt exported GuardDuty findings. GuardDuty requires findings published to S3 to be encrypted with a KMS key, so this is required whenever publish_destination_s3_arn is set. | string | "" | no |
| publish_destination_s3_arn | (Optional) Bucket ARN, optionally followed by a prefix, under which findings are exported. The bucket ARN is required; the prefix is optional and defaults to AWSLogs/[Account-ID]/GuardDuty/[Region]/. | string | "" | no |
| scan_eks_audit_logs | (Optional) If true, enables Kubernetes audit logs as a data source for EKS Protection. Defaults to true. | bool | true | no |
| scan_lambda_network_logs | (Optional) If true, enables Lambda Protection, which uses Lambda network activity logs to identify potential security threats when a Lambda function is invoked. Defaults to true. | bool | true | no |
| scan_rds_login_events | (Optional) If true, enables RDS Protection, which detects anomalous login behavior on your database instances. Defaults to true. | bool | true | no |
| scan_s3_data_events | (Optional) If true, S3 data event logs (S3 Protection) are automatically enabled for new members of the organization. Defaults to true. | bool | true | no |
| tags | (Optional) Key-value map of resource tags. If a provider default_tags configuration block is present, tags with matching keys overwrite those defined at the provider level. | map(string) | {} | no |

Outputs

No outputs.
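The publish_destination_s3_arn and publish_destination_kms_key_arn inputs only tell GuardDuty where to export findings; the bucket policy and key policy that allow the GuardDuty service principal to write there are the caller's responsibility, and GuardDuty rejects the destination if they are missing. The following is an added example, not part of this module or of Blackbird Cloud's code, showing the policies GuardDuty needs for findings export, wired into the module. The bucket name, key and resource names are assumptions; the optional aws:SourceArn condition on the detector ARN is omitted because the detector is created by the module.

```hcl
# Added example (not part of the module): bucket and KMS key for exported
# findings, with the policies the GuardDuty service principal needs.
data "aws_caller_identity" "self" {}

locals {
  account_id = data.aws_caller_identity.self.account_id
  bucket     = "guardduty-findings-${local.account_id}" # assumed name; bucket names are global
  guardduty  = { Service = "guardduty.amazonaws.com" }
  same_acct  = { StringEquals = { "aws:SourceAccount" = local.account_id } }
}

# GuardDuty encrypts exported findings with a customer managed key, so the key
# policy must let the service generate data keys, scoped to this account.
resource "aws_kms_key" "guardduty_findings" {
  description         = "Encrypts exported GuardDuty findings"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowGuardDutyGenerateDataKey"
        Effect    = "Allow"
        Principal = local.guardduty
        Action    = "kms:GenerateDataKey"
        Resource  = "*"
        Condition = local.same_acct
      }
    ]
  })
}

resource "aws_s3_bucket" "guardduty_findings" {
  bucket = local.bucket
}

# Allow statements are the minimum GuardDuty needs; the deny statements refuse
# objects not encrypted with the findings key and any non-TLS access.
resource "aws_s3_bucket_policy" "guardduty_findings" {
  bucket = aws_s3_bucket.guardduty_findings.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowGuardDutyGetBucketLocation"
        Effect    = "Allow"
        Principal = local.guardduty
        Action    = "s3:GetBucketLocation"
        Resource  = aws_s3_bucket.guardduty_findings.arn
        Condition = local.same_acct
      },
      {
        Sid       = "AllowGuardDutyPutObject"
        Effect    = "Allow"
        Principal = local.guardduty
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.guardduty_findings.arn}/*"
        Condition = local.same_acct
      },
      {
        Sid       = "DenyUploadsNotUsingFindingsKey"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.guardduty_findings.arn}/*"
        Condition = {
          StringNotEquals = {
            "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.guardduty_findings.arn
          }
        }
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.guardduty_findings.arn, "${aws_s3_bucket.guardduty_findings.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}

module "guardduty" {
  source  = "blackbird-cloud/guardduty-organization/aws"
  version = "~> 2"

  publish_destination_s3_arn      = aws_s3_bucket.guardduty_findings.arn
  publish_destination_kms_key_arn = aws_kms_key.guardduty_findings.arn

  # GuardDuty validates the destination on creation, so the bucket policy and
  # key policy must already be in place.
  depends_on = [aws_s3_bucket_policy.guardduty_findings, aws_kms_key.guardduty_findings]
}
```

To tighten the allow statements further once the detector exists, add an aws:SourceArn condition carrying the detector ARN (arn:aws:guardduty:REGION:ACCOUNT:detector/DETECTOR_ID) next to aws:SourceAccount in both the bucket policy and the key policy, so that only this detector, not any GuardDuty detector in the account, can write to the bucket.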
We are Blackbird Cloud, an Amsterdam-based cloud consultancy and cloud management service provider. We help companies build secure, cost-efficient, and scalable solutions.
Check out our other 👉 terraform modules
Copyright © 2017-2025 Blackbird Cloud
