If you’re building an AWS Organization, or getting ready to deploy a new organization using AWS Control Tower, be advised that there are very helpful AWS services that can be integrated into your organization. In this “Be sure to integrate…” series, we’ll look at 3 baseline services that should be enabled and integrated into your AWS Organization….AWS Security Hub, AWS GuardDuty, and AWS IAM Access Analyzer.
In the first post, we took a look at AWS Security Hub. On this post, we’ll cover AWS GuardDuty.
AWS GuardDuty is a threat detection service that continuously monitors an AWS environment for malicious activity by analyzing VPC Flow Logs, AWS CloudTrail management and S3 data event logs, and DNS logs. Once enabled, GuardDuty immediately starts monitoring your environment using threat intelligence feeds and machine learning to identify unexpected, potentially unauthorized, and malicious activities.
GuardDuty can interact with the following AWS services and/or features:
- Security Hub – GuardDuty can send all of its security findings to Security Hub, which Security Hub then uses when analyzing your organizations security posture.
- Detective – Detective can create data visualizations of GuardDuty data
- AWS Organizations
In terms of enabling for AWS Organizations, GuardDuty has this in common with Security Hub:
- Enabling (and disabling) of GuardDuty can be easily done through the AWS Management Console or the AWS CLI/API
- GuardDuty is a regional construct, thus it will need to be enabled in each region…it is recommended that you enable GuardDuty in all supported regions, not just those in which you have deployed services or resources. Why? It will be nearly impossible to detect unauthorized or unusual activity in regions where GuardDuty has not been enabled, PLUS, enabling GuardDuty in all regions allows you to detect unusual activity for global AWS services like IAM.
Integrating GuardDuty with AWS Organizations
Like Security Hub, GuardDuty can be integrated with AWS Organizations. This allows you to set an AWS Account as the Delegated Administrator. All GuardDuty findings would be sent to this account so that an entire organization (at least up to 5,000 AWS accounts) can be managed/viewed/analyzed from a single account.
- To get started, identify the AWS Account that will serve as the GuardDuty Delegated Administrator and notate its account ID. In this example case, the account ID will be 123456789123.
2. Login to the Master Account and launch the GuardDuty dashboard. Assuming GuardDuty has never been enabled, click Get Started.
3. Scroll down to Delegated Administrator section, enter the appropriate Delegated administrator account ID, and click Delegate.
4. The Delegated Administrator account has been successfully configured as shown below:
5. Now that we’ve specified the delegated administrator, login to that AWS Account, and launch the GuardDuty service dashboard.
6. When you launch GuardDuty, you will likely see a blue information message box prompting you to enable GuardDuty for your organization. Click Accounts. On the Accounts page, click Auto-enable is OFF to enable Auto-enable (confusing?). With Auto-enable ON, any new AWS accounts added to the Organization will have GuardDuty auto-enabled for the regions in which Auto-enable was enabled.
7. To bring other AWS accounts under the management realm of the GuardDuty delegated administrator, select the account(s), and then click Actions | Add member. The Status of the AWS accounts should now read Enabled.
Want to use the CLI?
As with the Security Hub setup, I’ll also give you the relevant GuardDuty CLI commands required to integrate it with AWS Organizations. In detailing the commands, let me list the following assumptions:
- The Security Account (Delegated Administrator) ID is 234598760742
- The Prod Account ID is 012376543456
- The .aws\credentials file includes 2 profiles/credentials
- Mgmt = for master/payer | Management Account
- Security = for the Security account, which is the Delegated Administrator
Next, there are 6 basic commands:
- Under the Management Account Profile
- Specify the GuardDuty Delegated Administrator Account
- As the GuardDuty Delegated Administrator Profile
- List the Detector ID
- Turn ON and verify Auto-Enable
- Add and List Members
To specify the delegated administrator account:
aws guardduty enable-organization-admin-account –admin-account-id 234598760742 –profile Management
To list the GuardDuty Detector-ID:
aws guardduty list-detectors –profile Security
To enable GuardDuty and set auto-enable to ON:
aws guardduty update-organization-configuration –detector-id <paste detectorID here> –auto-enable –profile Security
To verify Auto-Enable has been turned ON:
aws guardduty describe-organization-configuration –detector-id <paste detectorID here> –profile Security
Verify that the “AutoEnable” value = True
To enable GuardDuty for the Prod account:
aws guardduty create-members –detector-id <paste detectorID here> –account-details AccountId=012376543456,Emailfirstname.lastname@example.org –profile Security
To list AWS Accounts that have had GuardDuty enabled:
aws guardduty list-members –detector-id <paste detectorID here> –profile Security
GuardDuty is threat detection service that continuously monitors you AWS environment for unauthorized and malicious activity. With its ability to be integrated with Security Hub and AWS Organizations, GuardDuty becomes another part of your security defense system. Like Security Hub, GuardDuty is relatively easy to integrate within your AWS Organization and it can play a vital part in enabling a strong security defense system.