GuardDuty with Delegated Administration
In this lab you'll deploy GuardDuty across our Control Tower managed organisation, with the Audit account acting as the delegated administrator. Depending on your needs, you may wish to use a different account, for example 'SecOps', in your production environment.
Create a Security Audit Group
Access the AWS Single Sign-On dashboard on the master account
Click AWS accounts in the left-hand menu
Select Audit, then click Assign users
Click on the Groups tab
Select AWSSecurityAuditors, then click Next: Permission sets
Click Create new permission set
Scroll down the page and click on SecurityAudit, then Create
Select SecurityAudit, then click Finish
Click Proceed to AWS accounts
Click on Users in the left-hand menu
Click on the test user you will use for this lab
Click the Groups tab
Click Add to group
Select AWSSecurityAuditors and click Add to groups
Once you have set up GuardDuty, you can go on to investigate a security finding with the Amazon Detective service.
Identify the Audit account's AWS account number
Access the Control Tower dashboard on the master account
Click on Accounts in the left-hand panel
Find the Audit account in the list and click on it
Save the Account ID for use later
GuardDuty Delegated Administrator
Access the GuardDuty console on the master account
Click on Settings in the left-hand panel
Scroll down to the Delegated Administrator section
Enter the Audit account ID saved earlier as the Delegated administrator account ID
Click Delegate
Administer GuardDuty
In a separate browser session, log in as your security auditor user
Access the GuardDuty console on the Audit account
Click on Accounts in the left-hand menu
All accounts within the organisation will be listed, marked as not a member
Enable Auto-enable; this ensures that new accounts have GuardDuty enabled and are added as members of the Audit account automatically
Click the checkbox at the top of the list of accounts to select all accounts
Click on Actions, then Add member
In the Confirm add member (… accounts selected) dialog, click Add member
All accounts will now be listed with:
Type: Via Organisations
Status: Enabled
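The same two sections (delegating the Audit account from the master account, then auto-enable and adding every organisation account as a member from the Audit account) can be scripted with the AWS CLI. The script below is an added example and is not part of the original lab; it assumes AWS CLI v2, that delegate_guardduty_admin is run with management (master) account credentials and administer_guardduty with Audit account credentials, and that the AUDIT_ACCOUNT_ID and AWS_REGION values are placeholders you replace. Setting AWS_CLI=echo prints the calls instead of executing them, which is a cheap way to review what the script would do before pointing it at a real organisation.

```sh
#!/bin/sh
# Added example (not from the original lab): the "GuardDuty Delegated
# Administrator" and "Administer GuardDuty" sections as AWS CLI calls.
# Assumptions: AWS CLI v2; delegate_guardduty_admin runs with management
# account credentials, administer_guardduty with Audit account credentials;
# AUDIT_ACCOUNT_ID and AWS_REGION below are placeholders.
# Set AWS_CLI=echo to print the calls instead of executing them.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
AUDIT_ACCOUNT_ID="${AUDIT_ACCOUNT_ID:-123456789012}"   # placeholder: the ID saved earlier
AWS_REGION="${AWS_REGION:-eu-west-1}"                  # GuardDuty is regional: repeat per region

# The console box accepts only a 12-digit account ID; refuse anything else
# before the API call so a copy/paste slip cannot delegate the wrong account.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Convert "AccountId Email" lines (the list-accounts query output below) into
# the JSON array that create-members expects for --account-details.
member_details_json() {
  out="["
  sep=""
  while read -r id email _; do
    [ -n "$email" ] || continue
    out="$out$sep{\"AccountId\":\"$id\",\"Email\":\"$email\"}"
    sep=","
  done
  printf '%s]\n' "$out"
}

# Management account: make the Audit account the GuardDuty delegated administrator.
delegate_guardduty_admin() {
  valid_account_id "$AUDIT_ACCOUNT_ID" || { echo "invalid account ID: $AUDIT_ACCOUNT_ID" >&2; return 1; }
  $AWS_CLI guardduty enable-organization-admin-account \
    --admin-account-id "$AUDIT_ACCOUNT_ID" --region "$AWS_REGION"
}

# Audit account: turn on auto-enable, add every active organisation account
# as a member, then print the membership table to confirm Status Enabled.
administer_guardduty() {
  det=$($AWS_CLI guardduty list-detectors --region "$AWS_REGION" \
          --query 'DetectorIds[0]' --output text)
  $AWS_CLI guardduty update-organization-configuration \
    --detector-id "$det" --auto-enable --region "$AWS_REGION"
  details=$($AWS_CLI organizations list-accounts \
              --query 'Accounts[?Status==`ACTIVE`].[Id,Email]' --output text | member_details_json)
  $AWS_CLI guardduty create-members --detector-id "$det" \
    --account-details "$details" --region "$AWS_REGION"
  # RelationshipStatus "Enabled" here corresponds to Status: Enabled in the console.
  $AWS_CLI guardduty list-members --detector-id "$det" --region "$AWS_REGION" \
    --query 'Members[].[AccountId,RelationshipStatus]' --output table
}

# Usage (uncomment; each function needs its own credential context):
# delegate_guardduty_admin
# administer_guardduty
```

The delegated administrator can call the read-only Organizations APIs, which is why `organizations list-accounts` works from the Audit account once delegation has taken effect. Run the script once per region in which you want GuardDuty enabled.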
Explore GuardDuty
Access the GuardDuty dashboard on the Audit account
Click on Settings in the left-hand panel
Scroll down to the Sample findings section
Click on Generate sample findings
Click on Findings in the left-hand panel
You will now see a variety of sample findings listed in the table; the sample findings you generated above are prefixed with [SAMPLE]
Take some time to explore the different finding types and the guidance provided about them
Investigating a Security Finding
Access the GuardDuty dashboard on the Audit account
Click Findings in the left-hand panel
Select [SAMPLE] UnauthorizedAccess:EC2/RDPBruteForce
Click on [SAMPLE] UnauthorizedAccess:EC2/RDPBruteForce to explore it in more detail
[optional]
Click on Actions, then Investigate; this launches the Amazon Detective dashboard
Deleting AWS resources deployed in this lab
Access the GuardDuty console on the Audit account
Click on Accounts in the left-hand menu
Disable Auto-enable and confirm the action in the pop-up
Click the checkbox at the top of the list of accounts to select all accounts
Click on Actions, then Disassociate accounts
Access the GuardDuty console on the master account
Click on Settings in the left-hand menu
In the Delegated Administrator panel, click Remove, then Remove Administrator
In the Suspend GuardDuty panel, click Disable GuardDuty
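The clean-up steps as AWS CLI calls, with a check that no member is still enabled before the detector is removed. This is an added example and not part of the original lab; it assumes AWS CLI v2, that cleanup_audit_account runs with Audit account credentials and cleanup_management_account with management (master) account credentials, and that AUDIT_ACCOUNT_ID and AWS_REGION are placeholders. AWS_CLI=echo prints the calls without executing them.

```sh
#!/bin/sh
# Added example (not from the original lab): the "Deleting AWS resources"
# section as AWS CLI calls. Assumptions: AWS CLI v2; cleanup_audit_account
# runs with Audit account credentials, cleanup_management_account with
# management account credentials; AUDIT_ACCOUNT_ID and AWS_REGION are
# placeholders. Set AWS_CLI=echo for a dry run.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
AUDIT_ACCOUNT_ID="${AUDIT_ACCOUNT_ID:-123456789012}"   # placeholder
AWS_REGION="${AWS_REGION:-eu-west-1}"

# Count members still reporting to this detector. Input: "AccountId
# RelationshipStatus" lines from list-members; output: number with status
# Enabled. A member left enabled would keep sending to a detector about to
# be deleted, so the clean-up refuses to continue unless this is zero.
count_enabled_members() {
  n=0
  while read -r _ status _; do
    if [ "$status" = "Enabled" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

detector_id() {
  $AWS_CLI guardduty list-detectors --region "$AWS_REGION" \
    --query 'DetectorIds[0]' --output text
}

# Audit account: switch off auto-enable, disassociate every member, verify.
cleanup_audit_account() {
  det=$(detector_id)
  $AWS_CLI guardduty update-organization-configuration \
    --detector-id "$det" --no-auto-enable --region "$AWS_REGION"
  ids=$($AWS_CLI guardduty list-members --detector-id "$det" --region "$AWS_REGION" \
          --query 'Members[].AccountId' --output text)
  [ -n "$ids" ] || { echo "no members to disassociate" >&2; return 0; }
  # shellcheck disable=SC2086  # $ids is a list of separate account IDs
  $AWS_CLI guardduty disassociate-members --detector-id "$det" \
    --account-ids $ids --region "$AWS_REGION"
  left=$($AWS_CLI guardduty list-members --detector-id "$det" --region "$AWS_REGION" \
           --query 'Members[].[AccountId,RelationshipStatus]' --output text | count_enabled_members)
  [ "$left" -eq 0 ] || { echo "$left member(s) still enabled; not continuing" >&2; return 1; }
}

# Management account: remove the delegated administrator, then disable
# GuardDuty. "Disable GuardDuty" in the console deletes the detector and its
# findings in this region; "Suspend" (update-detector --no-enable) would keep them.
cleanup_management_account() {
  $AWS_CLI guardduty disable-organization-admin-account \
    --admin-account-id "$AUDIT_ACCOUNT_ID" --region "$AWS_REGION"
  $AWS_CLI guardduty delete-detector --detector-id "$(detector_id)" --region "$AWS_REGION"
}

# Usage (uncomment; each function needs its own credential context):
# cleanup_audit_account
# cleanup_management_account
```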
References
https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-amazon-detective/
https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html
https://aws.amazon.com/blogs/security/amazon-guardduty-threat-detection-and-remediation-scenario/
Copyright 2020, Amazon Web Services, All Rights Reserved.