In this lab, you’ll deploy Amazon GuardDuty across an AWS Control Tower managed organization, with the Audit account as the delegated administrator. Depending on your needs, you may wish to use a different account, for example a ‘Security Tooling’ account in your Infrastructure Organizational Unit (OU).
When you use GuardDuty with an AWS Organizations organization, you can designate any account within the organization to be the GuardDuty delegated administrator. Only the organization management account can designate GuardDuty delegated administrators.
An account that is designated as a delegated administrator becomes a GuardDuty administrator account, has GuardDuty automatically enabled in the designated Region, and is granted permission to enable and manage GuardDuty for all accounts in the organization within that Region. The other accounts in the organization can be viewed and added as GuardDuty member accounts associated with the delegated administrator account.
Before you begin, you will need:
- The Audit account ID. You can find this by navigating to the AWS Control Tower console and looking at the Accounts list. In this lab, we will use the Audit account as the delegated GuardDuty administrator.
- Administrative access to the Audit account. This can be the existing AWS SSO user that you are using for this lab.
First, let’s navigate to the AWS Control Tower dashboard to identify the Audit account ID.
1.1 Sign in to the AWS Control Tower management account using the Administrator role.
1.2 Navigate to the AWS Control Tower dashboard.
1.3 Click on Accounts in the sidebar.
1.4 Find the Audit account in the list and click on it.
1.5 Save the Account ID in a notepad; you will need it later.
INFO: You can skip this step if your existing user already has admin rights to the Audit account. If you are using another IdP to manage your access, ensure that your user has administrative rights to the Audit account.
AWS Control Tower creates three AWS SSO groups for security and audit purposes:
- AWSAuditAccountAdmins: grants full administrator rights to the Audit account
- AWSSecurityAuditPowerUsers: grants power user rights to the Audit account
- AWSSecurityAuditors: grants read-only access to the Audit account
In this lab, you will assign your AWS SSO user to AWSAuditAccountAdmins and use it to perform GuardDuty related administrative work.
2.1 From your AWS Control Tower management account, navigate to the AWS SSO dashboard.
2.2 Select Groups from the sidebar.
2.3 Click on AWSAuditAccountAdmins.
2.4 Click Add users.
To delegate GuardDuty administration, you first need to specify the account ID that will receive the delegation.
3.1 Open the GuardDuty console in the AWS Control Tower management account.
3.2 Click Settings in the sidebar.
3.3 In the Delegated Administrator section
You have now authorized the ‘Audit’ account to administer GuardDuty for your organization. In this section we will define the protection scope.
4.1 In a separate browser session (or incognito window), log in to the AWS console of your Audit account.
4.2 Open the GuardDuty console.
4.3 Click Accounts in the sidebar.
4.4 Still in the Accounts section.
4.5 It will take a few seconds to activate GuardDuty; click the refresh button to confirm that GuardDuty is enabled on all accounts.
All existing accounts now have GuardDuty enabled and will send their findings to the Audit account. Accounts newly vended by AWS Control Tower will have GuardDuty enabled automatically.
In this section, we will generate sample GuardDuty findings and explore them in the GuardDuty console.
5.1 Continue from the GuardDuty dashboard in the Audit account.
5.2 Click Settings in the sidebar.
5.3 In the Sample findings section, click Generate sample findings.
5.4 Click Findings in the sidebar.
5.5 You will now see a variety of sample findings listed in the table; the ones you generated above are prefixed with [SAMPLE].
5.6 Take some time to explore the different finding types and the guidance provided for each of them.
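The delegation (step 3), the member enablement with auto-enable for new accounts (step 4) and the sample-finding check (step 5) can also be scripted, which is how you would repeat them per Region or verify them in a pipeline. The following is an added example, not code from this workshop or from AWS. It uses the GuardDuty and Organizations API operations that correspond to these console steps (enable_organization_admin_account, update_organization_configuration, create_members, list_members, create_sample_findings, get_findings) and is written against boto3-style clients, so it runs offline with the constructed stubs at the bottom; the account IDs, detector ID and finding records in those stubs are constructed. To run it for real, pass boto3.client("guardduty") from the management account to designate_delegated_admin and boto3.client("guardduty") plus boto3.client("organizations") from the Audit account to the other two functions.

```python
# Added example, not code from the workshop or from AWS. The functions take
# boto3-style clients, so they run offline against the constructed stubs at the
# bottom and for real against boto3.client("guardduty") / boto3.client("organizations").
from typing import Dict, List

SAMPLE_PREFIX = "[SAMPLE]"  # GuardDuty titles generated sample findings this way


def designate_delegated_admin(gd_mgmt, audit_account_id: str) -> str:
    """Step 3, management account: delegate GuardDuty to the Audit account, return its AdminStatus."""
    gd_mgmt.enable_organization_admin_account(AdminAccountId=audit_account_id)
    for admin in gd_mgmt.list_organization_admin_accounts().get("AdminAccounts", []):
        if admin["AdminAccountId"] == audit_account_id:
            return admin["AdminStatus"]
    return "NOT_FOUND"


def enable_all_members(gd_audit, org, audit_account_id: str) -> Dict[str, List[str]]:
    """Step 4, Audit account: enable the Region's detector, auto-enable new accounts,
    add every other active org account as a member, report any not yet Enabled."""
    ids = gd_audit.list_detectors().get("DetectorIds", [])
    detector_id = ids[0] if ids else gd_audit.create_detector(Enable=True)["DetectorId"]
    gd_audit.update_organization_configuration(DetectorId=detector_id, AutoEnable=True)
    accounts = [{"AccountId": a["Id"], "Email": a["Email"]} for a in org.list_accounts()["Accounts"]
                if a["Status"] == "ACTIVE" and a["Id"] != audit_account_id]  # admin is not its own member
    if accounts:
        gd_audit.create_members(DetectorId=detector_id, AccountDetails=accounts)
    status: Dict[str, List[str]] = {"enabled": [], "not_enabled": []}
    kwargs = {"DetectorId": detector_id, "OnlyAssociated": "false"}  # string flag in this API
    while True:  # list_members is paginated via NextToken
        page = gd_audit.list_members(**kwargs)
        for m in page.get("Members", []):
            status["enabled" if m.get("RelationshipStatus") == "Enabled" else "not_enabled"].append(m["AccountId"])
        if not page.get("NextToken"):
            return status
        kwargs["NextToken"] = page["NextToken"]


def severity_label(score: float) -> str:
    """GuardDuty's published bands: below 4.0 Low, 4.0-6.9 Medium, 7.0 and up High."""
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def sample_finding_summary(gd_audit, detector_id: str) -> Dict[str, int]:
    """Step 5: generate sample findings and count only [SAMPLE]-titled ones per band,
    so real findings never get mixed into the tally."""
    gd_audit.create_sample_findings(DetectorId=detector_id)
    finding_ids = gd_audit.list_findings(DetectorId=detector_id).get("FindingIds", [])
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for start in range(0, len(finding_ids), 50):  # get_findings takes at most 50 IDs per call
        batch = gd_audit.get_findings(DetectorId=detector_id, FindingIds=finding_ids[start:start + 50])
        for f in batch["Findings"]:
            if f.get("Title", "").startswith(SAMPLE_PREFIX):
                counts[severity_label(f["Severity"])] += 1
    return counts


class FakeGuardDuty:
    """Constructed offline stand-in for the boto3 GuardDuty client (one Region)."""
    def __init__(self):
        self.admin, self.detectors, self.members, self.findings = None, [], {}, []
    def enable_organization_admin_account(self, AdminAccountId):
        self.admin = AdminAccountId
    def list_organization_admin_accounts(self):
        return {"AdminAccounts": [{"AdminAccountId": self.admin, "AdminStatus": "ENABLED"}] if self.admin else []}
    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}
    def create_detector(self, Enable):
        self.detectors.append("constructed-detector-1")
        return {"DetectorId": self.detectors[-1]}
    def update_organization_configuration(self, DetectorId, AutoEnable):
        self.auto_enable = AutoEnable
    def create_members(self, DetectorId, AccountDetails):
        for a in AccountDetails:  # constructed: the account ending in 3 stays Invited so the check catches it
            self.members[a["AccountId"]] = "Invited" if a["AccountId"].endswith("3") else "Enabled"
        return {"UnprocessedAccounts": []}
    def list_members(self, DetectorId, OnlyAssociated, NextToken=None):
        return {"Members": [{"AccountId": k, "RelationshipStatus": v} for k, v in self.members.items()]}
    def create_sample_findings(self, DetectorId, FindingTypes=None):
        self.findings = [  # constructed records; the finding types named are real GuardDuty types
            {"Id": "f1", "Title": "[SAMPLE] Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
            {"Id": "f2", "Title": "[SAMPLE] UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5.0},
            {"Id": "f3", "Title": "[SAMPLE] Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0},
            {"Id": "f4", "Title": "Not a sample", "Severity": 5.0}]
    def list_findings(self, DetectorId, FindingCriteria=None):
        return {"FindingIds": [f["Id"] for f in self.findings]}
    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [f for f in self.findings if f["Id"] in FindingIds]}


class FakeOrganizations:
    """Constructed stand-in for the Organizations client: four active accounts."""
    def list_accounts(self):
        return {"Accounts": [{"Id": i, "Email": f"{i}@example.com", "Status": "ACTIVE"}
                             for i in ("111111111111", "222222222222", "333333333333", "444444444444")]}


if __name__ == "__main__":
    gd, org, audit = FakeGuardDuty(), FakeOrganizations(), "222222222222"
    print("delegation:", designate_delegated_admin(gd, audit))
    print("members:", enable_all_members(gd, org, audit))
    print("sample findings:", sample_finding_summary(gd, gd.list_detectors()["DetectorIds"][0]))
```

The not_enabled list returned by enable_all_members is the scripted form of the refresh in step 4.5: a member whose relationship is still Invited or Removed is an account whose findings are not reaching the Audit account, and it is the thing to alert on. AutoEnable=True is what makes newly vended Control Tower accounts come up with GuardDuty already on; both calls are per Region, so a multi-Region deployment repeats enable_all_members once per Region with that Region's client.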
Further reading:
https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-amazon-detective/
https://docs.aws.amazon.com/detective/latest/adminguide/what-is-detective.html
https://aws.amazon.com/blogs/security/amazon-guardduty-threat-detection-and-remediation-scenario/
Copyright 2021, Amazon Web Services, All Rights Reserved.