GuardDuty with Delegated Administration

In this lab, you’ll deploy Amazon GuardDuty across an AWS Control Tower managed organization, with the Audit account acting as the delegated administrator. Depending on your needs, you may wish to use a different account, for example a ‘Security Tooling’ account in your Infrastructure Organizational Unit (OU).


When you use GuardDuty with an AWS Organizations organization, you can designate any account within the organization to be the GuardDuty delegated administrator. Only the organization management account can designate GuardDuty delegated administrators.

An account that is designated as a delegated administrator becomes a GuardDuty administrator account, has GuardDuty automatically enabled in the designated Region, and is granted permission to enable and manage GuardDuty for all accounts in the organization within that Region. The other accounts in the organization can be viewed and added as GuardDuty member accounts associated with the delegated administrator account.


  • This lab requires a fully provisioned AWS Control Tower and administrator role access to the AWS Control Tower management account.
  • The AWS Control Tower Audit account ID. You can find it by navigating to the AWS Control Tower console and looking at the Accounts list. In this lab, the Audit account is used as the delegated GuardDuty administrator.
  • An AWS SSO user that will be given administrative rights to log in to the Audit account. This can be the existing AWS SSO user you are using for this lab.

1. Locate the Audit account

First, let's navigate to the AWS Control Tower dashboard to identify the Audit account ID.

1.1 Sign in to the AWS Control Tower management account using the Administrator role.

1.2 Navigate to the AWS Control Tower dashboard.

1.3 Click on Accounts in the sidebar.

1.4 Find the Audit account in the list and click on it.

1.5 Save the Account ID somewhere handy; you will need it later.

2. Assign Security Audit members

INFO: You can skip this step if your existing user already has admin rights to the Audit account. If you are using another IdP to manage your access, ensure that your user has administrative rights to the Audit account.

AWS Control Tower creates three AWS SSO groups for security and audit purposes:

  • AWSAuditAccountAdmins = grants full administrator rights to the Audit account
  • AWSSecurityAuditPowerUsers = grants power user rights to the Audit account
  • AWSSecurityAuditors = grants read-only access to the Audit account

In this lab, you will assign your AWS SSO user to AWSAuditAccountAdmins and use it to perform GuardDuty-related administrative work.

2.1 From your AWS Control Tower management account, navigate to the AWS SSO dashboard.

2.2 Select Groups from the sidebar.

2.3 Click on AWSAuditAccountAdmins.

2.4 Click Add users.

  • Select the users that will be members of the AWSAuditAccountAdmins group
  • Click Add user(s)

3. GuardDuty Delegated Administrator

To delegate GuardDuty administration, you first need to specify the account ID that will receive the delegation.


  • Multi-region deployment: Amazon GuardDuty is a region-based service. To activate GuardDuty in other AWS Regions, repeat the steps in this section for each Region.

3.1 Access the GuardDuty console on the AWS Control Tower management account.

3.2 Click Settings from the sidebar.

3.3 In the Delegated Administrator section:

  • Delegated administrator account ID: enter the Audit account ID
  • Click Delegate

4. Administer GuardDuty from Audit account

You have authorized the ‘Audit’ account to administer GuardDuty for your organization. In this section we will define the protection scope.


  • Use a separate browser or incognito mode so that your existing AWS Control Tower management account session persists.
  • Multi-region deployment: Amazon GuardDuty is a region-based service. To activate GuardDuty in other AWS Regions, repeat the steps in this section for each Region.

4.1 In a separate browser session or incognito mode, log in to the AWS console of your Audit account.

4.2 Access the GuardDuty console.

4.3 Click Accounts from the sidebar.

  • Select the Auto-enable toggle
  • Select Auto-enable GuardDuty for all the accounts added to your Organization
  • Optionally, select Enable S3 Protection automatically for new member accounts
  • Click Update Settings

4.4 Still on the Accounts section.

  • Click the checkbox on the table header to select all accounts
  • Select Action from the drop-down menu
  • Select Add member
  • Click Add member to confirm

4.5 GuardDuty takes a few seconds to activate; click the refresh button to confirm that GuardDuty is enabled on all accounts.

All existing accounts now have GuardDuty enabled and will send their findings to the Audit account. Accounts newly vended by AWS Control Tower will have GuardDuty enabled automatically.
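The same delegation (section 3) and enrolment (section 4) steps can be scripted with boto3 when you have to repeat them per Region. The script below is an added example written for this lab, not code from the workshop or from AWS; the profile names `ct-management` and `ct-audit` are assumptions, and the clients are passed into each function so the logic can be exercised without credentials.

```python
"""Added example: GuardDuty delegated-admin setup (sections 3 and 4) with boto3.
Not part of the original lab. boto3 is imported only in the __main__ block so
the functions can be used with stub clients."""
import sys
from itertools import islice

MAX_MEMBERS_PER_CALL = 50  # CreateMembers accepts at most 50 AccountDetails per request


def chunked(items, size):
    """Yield successive lists of at most `size` items."""
    it = iter(items)
    while chunk := list(islice(it, size)):
        yield chunk


def delegate_admin(guardduty_mgmt, audit_account_id):
    """Section 3, run as the management account: designate the Audit account as
    GuardDuty delegated administrator for this Region and confirm it is listed
    with status ENABLED."""
    guardduty_mgmt.enable_organization_admin_account(AdminAccountId=audit_account_id)
    for admin in guardduty_mgmt.list_organization_admin_accounts().get("AdminAccounts", []):
        if admin["AdminAccountId"] == audit_account_id:
            return admin["AdminStatus"]
    raise RuntimeError(f"{audit_account_id} is not listed as a GuardDuty delegated administrator")


def get_detector_id(guardduty):
    """GuardDuty is enabled automatically in the delegated admin account; each
    Region has exactly one detector."""
    ids = guardduty.list_detectors()["DetectorIds"]
    if len(ids) != 1:
        raise RuntimeError(f"expected exactly one detector, found {ids}")
    return ids[0]


def configure_auto_enable(guardduty_audit, detector_id, s3_protection=True):
    """Section 4.3: accounts added to the organization get GuardDuty (and,
    optionally, S3 Protection) without manual enrolment."""
    guardduty_audit.update_organization_configuration(
        DetectorId=detector_id,
        AutoEnable=True,
        DataSources={"S3Logs": {"AutoEnable": s3_protection}},
    )


def add_all_members(guardduty_audit, organizations, detector_id, admin_account_id):
    """Section 4.4: enrol every ACTIVE organization account except the admin
    itself. A delegated administrator may call Organizations ListAccounts.
    Returns (account IDs submitted, account IDs GuardDuty could not process)."""
    accounts = []
    for page in organizations.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE" and acct["Id"] != admin_account_id:
                accounts.append({"AccountId": acct["Id"], "Email": acct["Email"]})
    unprocessed = []
    for batch in chunked(accounts, MAX_MEMBERS_PER_CALL):
        resp = guardduty_audit.create_members(DetectorId=detector_id, AccountDetails=batch)
        unprocessed.extend(u["AccountId"] for u in resp.get("UnprocessedAccounts", []))
    return [a["AccountId"] for a in accounts], unprocessed


def members_not_enabled(guardduty_audit, detector_id):
    """Section 4.5, the check behind the console's refresh button: map each
    account whose relationship status is not 'Enabled' to that status."""
    problems = {}
    pager = guardduty_audit.get_paginator("list_members")
    for page in pager.paginate(DetectorId=detector_id, OnlyAssociated="false"):
        for member in page.get("Members", []):
            if member["RelationshipStatus"] != "Enabled":
                problems[member["AccountId"]] = member["RelationshipStatus"]
    return problems


if __name__ == "__main__":
    import boto3  # real run: needs credentials for both accounts (assumed profile names)

    audit_id = sys.argv[1]  # the Audit account ID saved in step 1.5
    mgmt = boto3.Session(profile_name="ct-management")
    audit = boto3.Session(profile_name="ct-audit")
    print("delegation status:", delegate_admin(mgmt.client("guardduty"), audit_id))
    gd = audit.client("guardduty")
    detector = get_detector_id(gd)
    configure_auto_enable(gd, detector)
    submitted, rejected = add_all_members(gd, audit.client("organizations"), detector, audit_id)
    print(f"submitted {len(submitted)} accounts, rejected: {rejected}")
    print("not yet enabled:", members_not_enabled(gd, detector))
```

Run it once per Region with a `region_name` on each session; `members_not_enabled` is the part worth keeping in a periodic check, since a member that drifts to a status such as Disabled or Removed stops sending findings to the Audit account without any alert.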

5. Explore GuardDuty

In this section, we will generate sample GuardDuty findings and explore them in the GuardDuty console.

5.1 Continue from the GuardDuty dashboard on the Audit account.

5.2 Click on Settings from the sidebar.

5.3 In the Sample findings section, click on Generate sample findings.

5.4 Click on Findings from the sidebar.

5.5 You will now see a variety of sample findings listed in the table; the ones you generated above are prefixed with [SAMPLE].

5.6 Take some time to explore the different finding types and the guidance provided for each of them.

Deleting AWS resources deployed in this lab

  1. Access the GuardDuty console on the Audit account
  2. Click on Accounts in the left-hand menu
  3. Disable Auto-enable, confirm the action in the pop-up
  4. Click on the checkbox at the top of the list of accounts to select all accounts.
  5. Click on Actions and click Disassociate accounts
  6. Access the GuardDuty console on the AWS Control Tower Management account
  7. Click on Settings in the left-hand menu
  8. In the Delegated Administrator panel, click on Remove, click Remove Administrator
  9. In the Suspend GuardDuty panel, click Disable GuardDuty
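The teardown list above, scripted with boto3 as an added example that is not part of the original lab. It follows the same order as the console steps: disable auto-enable and disassociate the members from the Audit account first, then remove the delegation and delete the detector from the management account. The profile names are assumptions, and the clients are passed in so the functions can be exercised with stubs.

```python
"""Added example: reverse the GuardDuty delegated-admin setup with boto3.
Not part of the original lab."""
import sys

BATCH = 50  # DisassociateMembers accepts at most 50 account IDs per request


def disassociate_all_members(guardduty_audit, detector_id):
    """Teardown steps 1-5, run as the Audit account: turn off auto-enable, then
    disassociate every associated member. Returns (IDs submitted, IDs not processed)."""
    guardduty_audit.update_organization_configuration(DetectorId=detector_id, AutoEnable=False)
    ids = []
    pager = guardduty_audit.get_paginator("list_members")
    for page in pager.paginate(DetectorId=detector_id, OnlyAssociated="true"):
        ids.extend(m["AccountId"] for m in page.get("Members", []))
    leftovers = []
    for start in range(0, len(ids), BATCH):
        resp = guardduty_audit.disassociate_members(DetectorId=detector_id, AccountIds=ids[start:start + BATCH])
        leftovers.extend(u["AccountId"] for u in resp.get("UnprocessedAccounts", []))
    return ids, leftovers


def remove_delegated_admin(guardduty_mgmt, audit_account_id):
    """Teardown steps 6-8, run as the management account. Returns True once the
    Audit account no longer appears in the delegated administrator list."""
    guardduty_mgmt.disable_organization_admin_account(AdminAccountId=audit_account_id)
    remaining = guardduty_mgmt.list_organization_admin_accounts().get("AdminAccounts", [])
    return audit_account_id not in {a["AdminAccountId"] for a in remaining}


def disable_guardduty(guardduty):
    """Teardown step 9: the console's 'Disable GuardDuty' deletes the Region's
    detector. Returns the IDs of the detectors deleted."""
    ids = guardduty.list_detectors().get("DetectorIds", [])
    for detector_id in ids:
        guardduty.delete_detector(DetectorId=detector_id)
    return ids


if __name__ == "__main__":
    import boto3  # real run: needs credentials for both accounts (assumed profile names)

    audit_id = sys.argv[1]
    audit_gd = boto3.Session(profile_name="ct-audit").client("guardduty")
    mgmt_gd = boto3.Session(profile_name="ct-management").client("guardduty")
    detector = audit_gd.list_detectors()["DetectorIds"][0]
    print("disassociated:", disassociate_all_members(audit_gd, detector))
    print("delegation removed:", remove_delegated_admin(mgmt_gd, audit_id))
    print("detectors deleted in management account:", disable_guardduty(mgmt_gd))
```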


Copyright 2021, Amazon Web Services, All Rights Reserved.