GuardDuty with Delegated Administration
In this lab you’ll deploy guardDuty across our Control Tower managed organisation with the Audit account being the delegate administrator, depending on you needs you may wish to create a different account for example ‘SecOps’ in your production environment.
Create a Security Audit Group
- Access the AWS Single Sign On dashboard on the master account
- Click AWS accounts in the lefthand menu
- Select Audit, click on Assign users
- Click on the Groups tab
- Select AWSSecurityAuditors, click Next: Permission sets
- click Create new permission set
- scroll the page and click on SecurityAudit, then Create
- select SecurityAudit, and click Finish
- click Proceed to AWS accounts
- click on Users in the lefthand menu
- click on the test user you will use for this lab.
- click the Groups tab
- click Add to group
- select AWSSecurityAuditors and click Add to groups
Once you have set up GuardDuty, you can go on to investigate a security finding with the Amazon Detective service.
Identify the Audit account’s aws account number
- Access the Control Tower dashboard on the master account
- Click on Accounts in the lefthand panel
- find the Audit account in the list and click on it.
- Save the Account ID for use later.
GuardDuty Delegated Administrator
- Access the GuardDuty console on the master account
- click on Settings in the lefthand panel
- Scroll down to Delegated Administrator section
- Delegated administrator account ID :
Audit Account ID - click Delegate
- Delegated administrator account ID :
Administer GuardDuty
- In a separate browser session log in as your security auditor user
- Access the GuardDuty console on the Audit account
- click on Accounts in the lefthand menu
- Listed will be all the accounts within the organisation, they will be marked as not a member
- enable Auto-enable this will ensure new accounts have GuardDuty enabled and added to the Audit account
- click on the checkbox at the top of the list of accounts to select all accounts.
- click on Actions and click
- Confirm add member (… accounts selected)
- click Add member
- All accounts will now be listed with :
- Type : Via Organisations
- Status : Enabled
Explore GuardDuty
- Access the GuardDuty dashboard on the Audit account
- click on Settings in the lefthand panel
- scroll down to Sample findings section
- click on Generate sample findings
- click on Findings in the lefthand panel
- You will now see a variety of sample findings listed in the table, the sample ones you generated above will be prefixed with [SAMPLE]
- Take some time to explore different findings types and the guidance provided about them
Investigating a Security Finding
- Access the GuardDuty dashboard on the Audit account
- click Findings in the lefthand panel
- Select [SAMPLE] UnauthorizedAccess:EC2/RDPBruteForce
- click on [SAMPLE] UnauthorizedAccess:EC2/RDPBruteForce to explore in more detail. [optional]
- click on Actions, and click Investigate, this will launch the Amazon Detective Dashboard
Deleting AWS resources deployed in this lab
- Access the GuardDuty console on the Audit account
- click on Accounts in the lefthand menu
- disable Auto-enable, confirm the action in the pop-up
- click on the checkbox at the top of the list of accounts to select all accounts.
- click on Actions and click Disassociate accounts
- Access the GuardDuty console on the Master account
- Click on Settings in the lefthand menu
- In the Delegated Administrator panel, click on Remove, click Remove Administrator 9, In the Suspend GuardDuty panel, click Disable GuardDuty
References
https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/ https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-amazon-detective/ https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html https://aws.amazon.com/blogs/security/amazon-guardduty-threat-detection-and-remediation-scenario/
Copyright 2020, Amazon Web Services, All Rights Reserved.