CTHFM: AWS

Multi-Account Setup

Amazon GuardDuty for Multiple Accounts

If your organization operates multiple AWS accounts, it’s essential to centralize security management to detect threats consistently across your environment. AWS provides a multi-account GuardDuty setup that allows you to manage GuardDuty findings from multiple accounts in a centralized fashion, using delegated administrators and member accounts.

Overview of Multi-Account Setup

  • Delegated Administrator / Security Account: One AWS account, designated by the organization's management account, that centrally manages GuardDuty for the other accounts. Use a dedicated security account for this role rather than the management account itself; the management account only performs the delegation.

  • Member Accounts: These are the accounts being monitored, and their findings are forwarded to the administrator account for centralized visibility.

Steps to Set Up GuardDuty for Multiple Accounts

Step 1: Designate the Delegated Administrator and Enable GuardDuty

  1. From the organization's Management Account, designate the security account as the GuardDuty delegated administrator (GuardDuty console > Settings in the management account, or the EnableOrganizationAdminAccount API). Keep the management account itself out of the administrator role: it should delegate, not administer.

  2. Log in to the Delegated Administrator (Security Account).

  3. Open the GuardDuty console.

  4. Click Get Started and enable GuardDuty in your primary region.

  5. Repeat steps 1 and 4 in every other region you use. Both the delegation and the detector are regional, so a region skipped here is a region GuardDuty never sees.

Step 2: Add Member Accounts

You can add member accounts manually through the console or programmatically with the AWS CLI, or enrol them through AWS Organizations (Step 3). Invitations are only needed for accounts outside your organization; accounts that belong to the organization are added directly by the delegated administrator. Below are both manual methods:

Method 1: Add Member Accounts Manually

  1. In the GuardDuty console of the administrator account, go to Settings > Accounts.

  2. Click Add member accounts.

  3. Provide the AWS account IDs and email addresses of the member accounts.

  4. Send invitations to the member accounts.

    • Member accounts outside your organization must accept the invitation from their own GuardDuty console before their findings reach the administrator. Accounts in the same organization are enabled directly and receive no invitation.

Method 2: Add Member Accounts Programmatically Using AWS CLI

If you manage many accounts, use the AWS CLI. CreateMembers registers the accounts with the administrator's detector (up to 50 per call); for accounts outside your organization, follow it with InviteMembers to send the invitation:

aws guardduty create-members \
    --detector-id <detector-id> \
    --account-details '[{"AccountId": "111122223333", "Email": "example@example.com"}]'

aws guardduty invite-members \
    --detector-id <detector-id> \
    --account-ids 111122223333
  • Replace <detector-id> with the GuardDuty detector ID of the administrator account in the current region (detector IDs differ per region; aws guardduty list-detectors returns it).

  • --account-details takes a list, so one call can register several accounts. Accounts that belong to the same organization are enabled immediately and need no invite-members call.

Step 3: Automatically Enable GuardDuty Using AWS Organizations

Once the delegated administrator has been designated from the management account, it can configure GuardDuty for the whole organization so that accounts are enrolled without invitations. This is done by the delegated administrator (not the management account) and must be repeated in every region.

  1. Log in to the Delegated Administrator account and open the GuardDuty console.

  2. Navigate to Settings > Accounts.

  3. Turn on Auto-enable, choosing whether it applies to all current organization accounts or only to accounts that join later.

Alternatively, use the AWS CLI (run it in each region, with the delegated administrator's detector ID for that region):

aws guardduty update-organization-configuration \
    --detector-id <detector-id> \
    --auto-enable-organization-members ALL

ALL enables GuardDuty in every existing and future organization account; NEW enrols only accounts that join after the setting is applied, so pre-existing accounts must then be added with create-members. The older --auto-enable flag is still accepted but is deprecated in favour of this parameter.

Step 4: Accept Invitations from Member Accounts

If you added member accounts by invitation (accounts outside your organization), each must accept before its findings reach the administrator. Organization members enrolled in Step 3 skip this step.

  1. Log in to the member account.

  2. Open the GuardDuty console and navigate to Settings > Accounts.

  3. Accept the invitation sent by the administrator account.

Step 5: Enable GuardDuty in All Regions

GuardDuty is a regional service: it only analyzes activity in regions where a detector exists, and the delegated administrator designation, the detector and the organization configuration are all per region. Attackers routinely pick a region you do not normally use to run cryptomining instances or stage exfiltration, so enable GuardDuty in every region, including those you consider unused.

  • In the GuardDuty console, switch to each region in turn and enable GuardDuty there; then repeat Steps 1 and 3 for that region.

Alternatively, create a detector in each region with the CLI. A detector ID is valid only in the region where it was created, so update-detector with another region's ID does not enable a new region; create one instead:

aws guardduty create-detector \
    --enable \
    --region <region-name>

The command prints the new detector ID, which is the value to pass to update-organization-configuration and create-members in that region.
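The organization flow of Steps 1, 3 and 5, scripted end to end as an added example (this is not code from the CTHFM page or from AWS): designate the delegated administrator from the management account in each region, make sure a detector exists there, set auto-enable to ALL, and register the pre-existing members, surfacing any the API could not process. Clients are injected so the logic runs offline against the FakeGuardDuty stand-in defined in the block; in real use you pass boto3 guardduty clients built with management-account and delegated-administrator credentials. The region list, account IDs, e-mail addresses, detector ID strings and the rejected account are placeholders.

```python
"""GuardDuty multi-account onboarding through AWS Organizations.

Added example for this page, not AWS or CTHFM code. Clients are injected
(dicts of region -> guardduty client) so the flow can be exercised offline
with FakeGuardDuty; in production use boto3.client("guardduty", region_name=r)
built from management-account and delegated-administrator credentials.
"""

REGIONS = ["us-east-1", "us-west-2"]        # assumption: regions you operate in
SECURITY_ACCOUNT_ID = "222233334444"        # placeholder delegated administrator
EXISTING_MEMBERS = [                        # placeholder pre-existing org accounts
    {"AccountId": "111122223333", "Email": "acct1@example.com"},
    {"AccountId": "555566667777", "Email": "acct2@example.com"},
]


def ensure_detector(gd):
    """Return this region's detector ID, creating one if none exists.
    Detector IDs are regional, so this runs once per region."""
    ids = gd.list_detectors().get("DetectorIds", [])
    if ids:
        return ids[0]
    return gd.create_detector(Enable=True)["DetectorId"]


def onboard_organization(mgmt_clients, admin_clients, admin_account_id, existing_members):
    """mgmt_clients / admin_clients map region -> guardduty client authenticated as
    the management account / the delegated administrator respectively.
    Returns {region: {"DetectorId": ..., "Unprocessed": [...]}}."""
    result = {}
    for region in mgmt_clients:
        # 1. Management account delegates GuardDuty administration (regional API).
        mgmt_clients[region].enable_organization_admin_account(
            AdminAccountId=admin_account_id)
        gd = admin_clients[region]
        # 2. The delegated administrator needs a detector in this region first.
        detector_id = ensure_detector(gd)
        # 3. Auto-enable every current and future organization member.
        gd.update_organization_configuration(
            DetectorId=detector_id, AutoEnableOrganizationMembers="ALL")
        # 4. Register pre-existing accounts explicitly; organization members need
        #    no invitation. CreateMembers accepts at most 50 accounts per call.
        unprocessed = []
        for i in range(0, len(existing_members), 50):
            resp = gd.create_members(DetectorId=detector_id,
                                     AccountDetails=existing_members[i:i + 50])
            unprocessed.extend(resp.get("UnprocessedAccounts", []))
        result[region] = {"DetectorId": detector_id, "Unprocessed": unprocessed}
    return result


class FakeGuardDuty:
    """Offline stand-in that records calls; NOT boto3. It can reject chosen
    accounts to show how UnprocessedAccounts surfaces onboarding failures."""

    def __init__(self, existing_detector=None, reject=()):
        self.calls = []
        self._detectors = [existing_detector] if existing_detector else []
        self._reject = set(reject)

    def enable_organization_admin_account(self, **kw):
        self.calls.append(("EnableOrganizationAdminAccount", kw))
        return {}

    def list_detectors(self):
        return {"DetectorIds": list(self._detectors)}

    def create_detector(self, **kw):
        self.calls.append(("CreateDetector", kw))
        self._detectors.append("d0" * 16)          # fake 32-character detector ID
        return {"DetectorId": self._detectors[-1]}

    def update_organization_configuration(self, **kw):
        self.calls.append(("UpdateOrganizationConfiguration", kw))
        return {}

    def create_members(self, **kw):
        self.calls.append(("CreateMembers", kw))
        bad = [{"AccountId": a["AccountId"], "Result": "rejected by fake"}
               for a in kw["AccountDetails"] if a["AccountId"] in self._reject]
        return {"UnprocessedAccounts": bad}


def demo():
    """Run the flow against fakes: us-east-1 already has a detector,
    us-west-2 has none and rejects one of the member accounts."""
    mgmt = {r: FakeGuardDuty() for r in REGIONS}
    admin = {"us-east-1": FakeGuardDuty(existing_detector="ab" * 16),
             "us-west-2": FakeGuardDuty(reject={"555566667777"})}
    return onboard_organization(mgmt, admin, SECURITY_ACCOUNT_ID, EXISTING_MEMBERS), admin


if __name__ == "__main__":
    summary, _ = demo()
    for region, info in summary.items():
        print(region, info)
```

Entries in Unprocessed are the accounts to chase by hand: typically a wrong e-mail address, an account already associated with a different GuardDuty administrator, or one that is not an organization member. Rerunning the script is safe, since a region that already has a detector and configuration is simply re-applied.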

Step 6: Centralized Findings in the Administrator Account

Once the setup is complete:

  • All findings generated in member accounts appear in the administrator account, in the region where they were generated; member accounts still see their own findings as well.

  • Findings can be viewed centrally through the GuardDuty console or queried using Amazon Athena if findings are exported to S3.

Step 7: Automating Responses to GuardDuty Findings

  1. EventBridge Rules:

    • GuardDuty does not publish findings as CloudWatch metrics; it sends each new finding (and recurring updates, at the detector's finding publishing frequency) to Amazon EventBridge as an event with source aws.guardduty. A rule in the administrator account matches findings from every member account in that region. This event pattern selects findings of severity 7.0 and above (High and Critical):

    {
      "source": ["aws.guardduty"],
      "detail-type": ["GuardDuty Finding"],
      "detail": {
        "severity": [{ "numeric": [">=", 7] }]
      }
    }
  2. AWS Lambda for Auto-Remediation: Make a Lambda function the rule's target to automate actions, such as:

    • Disabling compromised IAM users.

    • Isolating affected EC2 instances.

    The affected resource lives in the member account, so the function in the administrator account must assume a role there. Scope that role to the specific remediation actions and log every invocation: an over-broad automated response can take down production as effectively as an attacker.
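An added example of such a remediation function (not code from the page or from AWS): an EventBridge-triggered Lambda that builds an action plan from the finding's resource block, isolates an EC2 instance by replacing its security groups with an empty quarantine group, and deactivates an IAM user's access keys, acting in the member account through an assumed role. The constructed event, the quarantine security group ID, the role name GuardDutyRemediationRole and the DRY_RUN environment variable are assumptions; boto3 is imported only when actions are actually applied, so the planning logic runs without it.

```python
"""EventBridge-triggered GuardDuty auto-remediation (added example, not AWS code).

Planning is separated from AWS calls so it can be exercised on the
constructed event below; boto3 is imported lazily in member_session().
"""
import json
import os

SEVERITY_FLOOR = 7.0                            # High and Critical findings only
QUARANTINE_SG = "sg-0000000000quarant1"         # assumption: SG with no rules, in the member VPC
REMEDIATION_ROLE = "GuardDutyRemediationRole"   # assumption: role present in every member account

# Constructed EventBridge event wrapping a GuardDuty finding (not real data).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "account": "222233334444",                  # administrator account receiving the event
    "detail": {
        "id": "0123456789abcdef0123456789abcdef",
        "accountId": "111122223333",            # member account that owns the resource
        "severity": 8.0,
        "type": "UnauthorizedAccess:EC2/TorClient",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abcd1234ef567890"},
        },
    },
}


def plan_remediation(event):
    """Return [(action, target)] for a finding, or [] when nothing should happen.
    Tolerates findings whose resource block lacks the fields relied on here."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return []
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < SEVERITY_FLOOR:
        return []
    resource = detail.get("resource", {})
    kind = resource.get("resourceType")
    if kind == "Instance":
        iid = resource.get("instanceDetails", {}).get("instanceId")
        return [("isolate_instance", iid)] if iid else []
    if kind == "AccessKey":
        key = resource.get("accessKeyDetails", {})
        # Only IAM users have long-lived keys to deactivate; never touch root or
        # an assumed role this way (those need credential rotation / session revocation).
        if key.get("userType") == "IAMUser" and key.get("userName"):
            return [("disable_iam_user", key["userName"])]
    return []


def member_session(account_id, region):
    """Assume the remediation role in the member account (boto3 imported lazily)."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{REMEDIATION_ROLE}",
        RoleSessionName="guardduty-remediation")["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"],
                         region_name=region)


def apply_actions(event, actions, dry_run=True):
    """Carry out the plan in the member account; with dry_run, only describe it."""
    account, region = event["detail"]["accountId"], event["region"]
    results = []
    for action, target in actions:
        where = f"{account}/{region}"
        if dry_run:
            results.append(f"DRY-RUN {action} {target} in {where}")
            continue
        session = member_session(account, region)
        if action == "isolate_instance":
            # Swapping every security group for an empty one cuts network access
            # while keeping the instance (memory, disk) intact for forensics.
            session.client("ec2").modify_instance_attribute(
                InstanceId=target, Groups=[QUARANTINE_SG])
        elif action == "disable_iam_user":
            iam = session.client("iam")
            for key in iam.list_access_keys(UserName=target)["AccessKeyMetadata"]:
                iam.update_access_key(UserName=target, AccessKeyId=key["AccessKeyId"],
                                      Status="Inactive")
        results.append(f"{action} {target} in {where}")
    return results


def lambda_handler(event, context=None):
    """Entry point. Set DRY_RUN=false in the function environment to make real changes."""
    dry_run = os.environ.get("DRY_RUN", "true").lower() != "false"
    return {"finding": event.get("detail", {}).get("id"),
            "results": apply_actions(event, plan_remediation(event), dry_run)}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Deactivating keys rather than deleting the user preserves the principal for the investigation (CloudTrail entries still resolve to it) and is reversible if the finding turns out to be benign. Deploy with DRY_RUN left at its default first and read the returned plan in the function logs before flipping it to false.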

Benefits of Multi-Account GuardDuty Setup

  1. Centralized Monitoring:

    • All findings from multiple accounts are visible in one place, simplifying investigation and response.

  2. Automated Onboarding:

    • New accounts are automatically added to GuardDuty through AWS Organizations.

  3. Reduced Management Overhead:

    • Less manual effort required to maintain consistent security across accounts and regions.

  4. Cost-Effective:

    • GuardDuty charges each account for the volume of CloudTrail events, VPC Flow Logs and DNS logs it analyzes (plus any protection plans enabled); the administrator/member relationship itself adds no cost.

Troubleshooting Common Issues

  1. Member Account Invitation Not Accepted: Invitations are regional and require a detector in the member account. Check that the email address on the invitation is correct, that the member account has GuardDuty enabled in the same region, and that the member is viewing that region under Settings > Accounts.

  2. Findings Not Visible in Administrator Account:

    • Verify that invitations were accepted by member accounts (or, for organization members, that their status shows as Enabled rather than Disabled or Not a member).

    • Check that GuardDuty is enabled in all regions, and that you are looking at the region where the finding was generated: the administrator sees member findings per region, not in one global view.

    • A fresh detector has nothing to show until suspicious activity occurs; generate sample findings from the member account's Settings page to confirm the pipeline instead of waiting for a real one.

  3. Auto-Enable Not Working: Confirm the setting with DescribeOrganizationConfiguration in the affected region, run as the delegated administrator. Auto-enable is per region, and NEW only covers accounts that join after it was set; pre-existing accounts need ALL or an explicit create-members.
