Amazon GuardDuty

2020/07/29 - Amazon GuardDuty - 2 new 5 updated api methods

Changes  GuardDuty now supports S3 Data Events as a configurable data source type. This feature expands GuardDuty's monitoring scope to include S3 data plane operations, such as GetObject and PutObject. This data source is optional and can be enabled or disabled at anytime. Accounts already using GuardDuty must first enable the new feature to use it; new accounts will be enabled by default. GuardDuty masters can configure this data source for individual member accounts and GuardDuty masters associated through AWS Organizations can automatically enable the data source in member accounts.

UpdateMemberDetectors (new) Link ¶

Contains information on member accounts to be updated.

See also: AWS API Documentation

Request Syntax

client.update_member_detectors(
    DetectorId='string',
    AccountIds=[
        'string',
    ],
    DataSources={
        'S3Logs': {
            'Enable': True|False
        }
    }
)
type DetectorId

string

param DetectorId

[REQUIRED]

The detector ID of the master account.

type AccountIds

list

param AccountIds

[REQUIRED]

A list of member account IDs to be updated.

  • (string) --

type DataSources

dict

param DataSources

An object describes which data sources will be updated.

  • S3Logs (dict) --

    Describes whether S3 data event logs are enabled as a data source.

    • Enable (boolean) -- [REQUIRED]

      The status of S3 data event logs as a data source.

rtype

dict

returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The AWS account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

GetMemberDetectors (new) Link ¶

Describes which data sources are enabled for the member account's detector.

See also: AWS API Documentation

Request Syntax

client.get_member_detectors(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
type DetectorId

string

param DetectorId

[REQUIRED]

The detector ID for the master account.

type AccountIds

list

param AccountIds

[REQUIRED]

The account ID of the member account.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'MemberDataSourceConfigurations': [
        {
            'AccountId': 'string',
            'DataSources': {
                'CloudTrail': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'DNSLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'FlowLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'S3Logs': {
                    'Status': 'ENABLED'|'DISABLED'
                }
            }
        },
    ],
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • MemberDataSourceConfigurations (list) --

      An object that describes which data sources are enabled for a member account.

      • (dict) --

        Contains information on which data sources are enabled for a member account.

        • AccountId (string) --

          The account ID for the member account.

        • DataSources (dict) --

          Contains information on the status of data sources for the account.

          • CloudTrail (dict) --

            An object that contains information on the status of CloudTrail as a data source.

            • Status (string) --

              Describes whether CloudTrail is enabled as a data source for the detector.

          • DNSLogs (dict) --

            An object that contains information on the status of DNS logs as a data source.

            • Status (string) --

              Denotes whether DNS logs is enabled as a data source.

          • FlowLogs (dict) --

            An object that contains information on the status of VPC flow logs as a data source.

            • Status (string) --

              Denotes whether VPC flow logs is enabled as a data source.

          • S3Logs (dict) --

            An object that contains information on the status of S3 Data event logs as a data source.

            • Status (string) --

              A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

    • UnprocessedAccounts (list) --

      A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The AWS account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

CreateDetector (updated) Link ¶
Changes (request) 
{'DataSources': {'S3Logs': {'Enable': 'boolean'}}}

Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region.

See also: AWS API Documentation

Request Syntax

client.create_detector(
    Enable=True|False,
    ClientToken='string',
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    DataSources={
        'S3Logs': {
            'Enable': True|False
        }
    },
    Tags={
        'string': 'string'
    }
)
type Enable

boolean

param Enable

[REQUIRED]

A Boolean value that specifies whether the detector is to be enabled.

type ClientToken

string

param ClientToken

The idempotency token for the create request.

This field is autopopulated if not provided.

type FindingPublishingFrequency

string

param FindingPublishingFrequency

An enum value that specifies how frequently updated findings are exported.

type DataSources

dict

param DataSources

An object that describes which data sources will be enabled for the detector.

  • S3Logs (dict) --

    Describes whether S3 data event logs are enabled as a data source.

    • Enable (boolean) -- [REQUIRED]

      The status of S3 data event logs as a data source.

type Tags

dict

param Tags

The tags to be added to a new detector resource.

  • (string) --

    • (string) --

rtype

dict

returns

Response Syntax

{
    'DetectorId': 'string'
}

Response Structure

  • (dict) --

    • DetectorId (string) --

      The unique ID of the created detector.

DescribeOrganizationConfiguration (updated) Link ¶
Changes (response) 
{'DataSources': {'S3Logs': {'AutoEnable': 'boolean'}}}

Returns information about the account selected as the delegated administrator for GuardDuty.

See also: AWS API Documentation

Request Syntax

client.describe_organization_configuration(
    DetectorId='string'
)
type DetectorId

string

param DetectorId

[REQUIRED]

The ID of the detector to retrieve information about the delegated administrator from.

rtype

dict

returns

Response Syntax

{
    'AutoEnable': True|False,
    'MemberAccountLimitReached': True|False,
    'DataSources': {
        'S3Logs': {
            'AutoEnable': True|False
        }
    }
}

Response Structure

  • (dict) --

    • AutoEnable (boolean) --

      Indicates whether GuardDuty is automatically enabled for accounts added to the organization.

    • MemberAccountLimitReached (boolean) --

      Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator master account.

    • DataSources (dict) --

      An object that describes which data sources are enabled automatically for member accounts.

      • S3Logs (dict) --

        Describes whether S3 data event logs are enabled as a data source.

        • AutoEnable (boolean) --

          A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

GetDetector (updated) Link ¶
Changes (response) 
{'DataSources': {'CloudTrail': {'Status': 'ENABLED | DISABLED'},
                 'DNSLogs': {'Status': 'ENABLED | DISABLED'},
                 'FlowLogs': {'Status': 'ENABLED | DISABLED'},
                 'S3Logs': {'Status': 'ENABLED | DISABLED'}}}

Retrieves an Amazon GuardDuty detector specified by the detectorId.

See also: AWS API Documentation

Request Syntax

client.get_detector(
    DetectorId='string'
)
type DetectorId

string

param DetectorId

[REQUIRED]

The unique ID of the detector that you want to get.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': 'string',
    'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    'ServiceRole': 'string',
    'Status': 'ENABLED'|'DISABLED',
    'UpdatedAt': 'string',
    'DataSources': {
        'CloudTrail': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'DNSLogs': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'FlowLogs': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'S3Logs': {
            'Status': 'ENABLED'|'DISABLED'
        }
    },
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • CreatedAt (string) --

      The timestamp of when the detector was created.

    • FindingPublishingFrequency (string) --

      The publishing frequency of the finding.

    • ServiceRole (string) --

      The GuardDuty service role.

    • Status (string) --

      The detector status.

    • UpdatedAt (string) --

      The last-updated timestamp for the detector.

    • DataSources (dict) --

      An object that describes which data sources are enabled for the detector.

      • CloudTrail (dict) --

        An object that contains information on the status of CloudTrail as a data source.

        • Status (string) --

          Describes whether CloudTrail is enabled as a data source for the detector.

      • DNSLogs (dict) --

        An object that contains information on the status of DNS logs as a data source.

        • Status (string) --

          Denotes whether DNS logs is enabled as a data source.

      • FlowLogs (dict) --

        An object that contains information on the status of VPC flow logs as a data source.

        • Status (string) --

          Denotes whether VPC flow logs is enabled as a data source.

      • S3Logs (dict) --

        An object that contains information on the status of S3 Data event logs as a data source.

        • Status (string) --

          A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

    • Tags (dict) --

      The tags of the detector resource.

      • (string) --

        • (string) --

UpdateDetector (updated) Link ¶
Changes (request) 
{'DataSources': {'S3Logs': {'Enable': 'boolean'}}}

Updates the Amazon GuardDuty detector specified by the detectorId.

See also: AWS API Documentation

Request Syntax

client.update_detector(
    DetectorId='string',
    Enable=True|False,
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    DataSources={
        'S3Logs': {
            'Enable': True|False
        }
    }
)
type DetectorId

string

param DetectorId

[REQUIRED]

The unique ID of the detector to update.

type Enable

boolean

param Enable

Specifies whether the detector is enabled or not enabled.

type FindingPublishingFrequency

string

param FindingPublishingFrequency

An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.

type DataSources

dict

param DataSources

An object that describes which data sources will be updated.

  • S3Logs (dict) --

    Describes whether S3 data event logs are enabled as a data source.

    • Enable (boolean) -- [REQUIRED]

      The status of S3 data event logs as a data source.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

UpdateOrganizationConfiguration (updated) Link ¶
Changes (request) 
{'DataSources': {'S3Logs': {'AutoEnable': 'boolean'}}}

Updates the delegated administrator account with the values provided.

See also: AWS API Documentation

Request Syntax

client.update_organization_configuration(
    DetectorId='string',
    AutoEnable=True|False,
    DataSources={
        'S3Logs': {
            'AutoEnable': True|False
        }
    }
)
type DetectorId

string

param DetectorId

[REQUIRED]

The ID of the detector to update the delegated administrator for.

type AutoEnable

boolean

param AutoEnable

[REQUIRED]

Indicates whether to automatically enable member accounts in the organization.

type DataSources

dict

param DataSources

An object describes which data sources will be updated.

  • S3Logs (dict) --

    Describes whether S3 data event logs are enabled for new members of the organization.

    • AutoEnable (boolean) -- [REQUIRED]

      A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --