generated from ministryofjustice/template-repository
Commit
Merge branch 'main' into feature/volume-perm-instance-mgmt
Showing 1 changed file with 54 additions and 0 deletions.
source/runbooks/enabling-s3-malware-protection.html.md.erb
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
--- | ||
owner_slack: "#modernisation-platform" | ||
title: Enabling Malware Protection for S3 | ||
last_reviewed_on: 2024-11-25 | ||
review_in: 6 months | ||
--- | ||
|
||
<!-- Google tag (gtag.js) --> | ||
<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script> | ||
<script> | ||
window.dataLayer = window.dataLayer || []; | ||
function gtag(){dataLayer.push(arguments);} | ||
gtag('js', new Date()); | ||
gtag('config', 'G-NXTCMQ7ZX6'); | ||
</script> | ||
|
||
# <%= current_page.data.title %> | ||
|
||
## Enabling Malware Protection for Amazon S3 | ||
|
||
[AWS Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html) provides advanced scanning for newly uploaded objects in your S3 buckets for potential malware, providing an added layer of protection for your data. | ||
|
||
--- | ||
### Configuration Overview | ||
|
||
All Modernisation Platform accounts have GuardDuty enabled by default, which includes S3 Protection. However, **Malware Protection for S3** must be configured at the account level. This configuration allows you to specify which S3 buckets should be scanned for malware. | ||
|
||
|
||
--- | ||
### Steps to Enable Malware Protection for S3 with Terraform for your account | ||
|
||
1. **Define the Buckets to Protect** | ||
Begin by identifying the S3 buckets you want to enable malware protection for. Specify these buckets in your Terraform configuration as a variable or input list. | ||
|
||
2. **Create a Malware Protection Plan** | ||
Set up a resource in Terraform to enable malware protection for each bucket in your list. This involves linking each bucket to a protection plan and ensuring that tagging or logging settings are properly configured for each bucket. | ||
|
||
3. **Assign IAM Permissions** | ||
Reference the `MemberInfrastructureAccess` IAM role, which provides GuardDuty the necessary permissions to access and scan the specified S3 buckets. | ||
|
||
4. **Raise a PR for the Configuration** | ||
Deploy your Terraform configuration. Validate your setup by running `terraform plan` to confirm the changes. Once validated, raise a Pull Request for review and approval to apply the configuration and enable malware protection for the specified buckets. | ||
|
||
5. **Verify the Deployment** | ||
After applying the configuration, confirm that malware protection has been successfully enabled for the specified buckets by reviewing your GuardDuty settings or checking for findings related to malware scanning. | ||
|
||
By following these steps, you can enable Malware Protection for S3 using Terraform, ensuring a scalable and automated approach to securing your S3 buckets. | ||
|
||
--- | ||
### Example Implementation | ||
|
||
An example of enabling Malware Protection for S3 can be found [here](https://github.com/ministryofjustice/modernisation-platform-environments/blob/main/terraform/environments/example/s3_malware_protection.tf). | ||
|
||
--- |
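Review bot: Step 3 ("Assign IAM Permissions") says the `MemberInfrastructureAccess` role "provides GuardDuty the necessary permissions to access and scan the specified S3 buckets", but a Malware Protection for S3 plan needs a role that the GuardDuty malware-protection service itself can assume, with a trust policy for that service principal and read/tag access on the protected bucket; the runbook should state which role the protection plan is given, what its trust policy is, and what bucket permissions it carries, rather than pointing readers at the role used to deploy infrastructure. Step 2's "ensuring that tagging or logging settings are properly configured" is too vague to act on: say what the tagging setting is (whether scanned objects are tagged with the scan result) and whether it is expected to be enabled. Step 4 ("Raise a PR for the Configuration") opens with "Deploy your Terraform configuration" and only then describes `terraform plan` and raising the PR; reorder it so plan comes first, then the PR, then apply. Step 5 suggests verifying by "checking for findings related to malware scanning", but findings only appear when malware is detected; a clean bucket produces none, so suggest verifying that the protection plan exists for each bucket (or that a test upload is tagged with a scan result) instead. Minor: the inline Google tag `<script>` block duplicates site analytics in a content page; check whether the site layout already injects it before adding it per runbook.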