Profile Applicability:
Level 1
Description:
Amazon GuardDuty is a threat detection service that continuously monitors your AWS environment for malicious activity, unauthorized behavior, and security vulnerabilities. By enabling GuardDuty centrally, organizations can manage threat detection and monitoring across multiple AWS accounts from a single account, ensuring consistent security practices across the entire organization. This approach is essential for larger environments that require centralized monitoring and security response to effectively manage risks and identify potential threats.
Centrally managed GuardDuty enables cross-account aggregation, where findings from multiple linked accounts are sent to a master account for analysis and response. This ensures that the security team can monitor all accounts from a central location and take appropriate action, rather than managing each account separately.
Rationale:
Centrally managing GuardDuty provides several benefits:
Unified Security Monitoring: All findings from various accounts can be accessed from one centralized dashboard, providing a complete view of security threats.
Consistent Security Policies: Central management ensures that all accounts are subject to the same security monitoring policies and configurations.
Efficient Incident Response: Security teams can take immediate action on findings from multiple accounts in one place, streamlining the investigation and resolution process.
Cost Optimization: Central management helps avoid duplicate configurations and reduces the operational overhead of managing multiple independent GuardDuty accounts.
Impact:
Pros:
Centralized Monitoring: A centralized view of security findings across multiple AWS accounts.
Streamlined Incident Response: Easier and faster response to security incidents across all accounts.
Consistency: Ensures that GuardDuty configurations and findings are uniformly applied across all linked accounts.
Improved Security Posture: Helps detect threats earlier and respond proactively by consolidating data from multiple AWS accounts.
Cons:
Initial Setup Complexity: Setting up centralized management can require proper IAM role configurations and permissions.
Cost: While managing GuardDuty centrally may optimize costs, it still involves additional service charges for cross-account data aggregation and monitoring.
Default Value:
By default, GuardDuty is not centrally managed. You must configure a multi-account setup, using the master account to aggregate findings from the other accounts and manage GuardDuty centrally.
Pre-requisite:
AWS IAM Permissions:
guardduty:CreateDetector
guardduty:ListDetectors
guardduty:EnableOrganizationAdminAccount
guardduty:CreateMembers
guardduty:ListMembers
guardduty:EnableFindings
AWS CLI installed and configured.
Knowledge of GuardDuty and its multi-account features.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to GuardDuty under Services.
In the GuardDuty Dashboard, go to Settings.
Under Master Account, verify that GuardDuty is enabled for the master account.
Ensure that the member accounts are linked to the master account and that findings are being aggregated centrally.
Review the findings for all linked accounts in the Findings section of the GuardDuty dashboard.
Using AWS CLI:
To check the GuardDuty master account setup, run the following from the master account:
aws guardduty list-detectors
The output lists the detector ID(s) of the calling account in the current region. Its presence confirms GuardDuty is enabled in the master account, and that ID is the <master-detector-id> used below.
To link member accounts with the master account, run:
aws guardduty create-members --detector-id <detector-id> --account-details AccountId=<account-id>,Email=<email-address>
To check if GuardDuty findings from member accounts are being aggregated into the master account, run:
aws guardduty list-findings --detector-id <master-detector-id>
This should return findings from multiple accounts, confirming centralized monitoring.
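The check above can be automated from the same CLI output. The following helper is an added example, not part of the benchmark: it parses the JSON printed by aws guardduty list-organization-admin-accounts (a real CLI command not quoted in this document) and aws guardduty list-members, and reports which expected accounts are not yet linked or not in the Enabled relationship status. The account IDs and responses below are constructed samples.

```python
"""Audit GuardDuty central management from AWS CLI JSON output (added example)."""
import json
import subprocess
from typing import Dict, List, Set

# Constructed sample responses, shaped like the real CLI output.
SAMPLE_ADMIN = '{"AdminAccounts":[{"AdminAccountId":"111111111111","AdminStatus":"ENABLED"}]}'
SAMPLE_MEMBERS = json.dumps({"Members": [
    {"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
    {"AccountId": "333333333333", "RelationshipStatus": "Invited"},
]})
# Constructed: every account the organization expects GuardDuty to cover.
EXPECTED_ACCOUNTS = {"222222222222", "333333333333", "444444444444"}


def evaluate(admin_json: str, members_json: str, expected: Set[str]) -> Dict[str, object]:
    """Return which expected accounts are not centrally monitored, and why."""
    admins = json.loads(admin_json).get("AdminAccounts", [])
    admin_ids = [a["AdminAccountId"] for a in admins if a.get("AdminStatus") == "ENABLED"]
    members = json.loads(members_json).get("Members", [])
    status = {m["AccountId"]: m.get("RelationshipStatus", "") for m in members}
    # Linked, but not yet sending findings (e.g. Invited, Disabled, Resigned).
    not_enabled = sorted(a for a, s in status.items() if a in expected and s != "Enabled")
    # Expected accounts with no member record at all.
    unlinked = sorted(expected - set(status))
    return {
        "delegated_admin": admin_ids,
        "not_enabled": not_enabled,
        "unlinked": unlinked,
        "compliant": bool(admin_ids) and not not_enabled and not unlinked,
    }


def run_cli(args: List[str]) -> str:
    """Call the AWS CLI and return its JSON stdout (needs configured credentials)."""
    return subprocess.check_output(["aws", "guardduty", *args, "--output", "json"], text=True)


if __name__ == "__main__":
    # Live audit, run from the master account; the detector ID is a placeholder.
    detector_id = "<master-detector-id>"
    report = evaluate(run_cli(["list-organization-admin-accounts"]),
                      run_cli(["list-members", "--detector-id", detector_id]),
                      EXPECTED_ACCOUNTS)
    print(json.dumps(report, indent=2))
```

A non-empty not_enabled or unlinked list is the audit failure to report; an account in Invited status has been linked but is not yet contributing findings.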
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to GuardDuty.
In the GuardDuty Dashboard, select Settings and ensure that the Master Account is properly set up.
To enable multi-account management:
Select Enable Organizations under GuardDuty settings.
Follow the prompts to designate the master account.
Link the member accounts by providing their Account IDs and Email addresses.
After setting up, review the aggregated findings from the master account.
Using AWS CLI:
Enable GuardDuty in the master account by running:
aws guardduty create-detector --enable
Designate the master account as the GuardDuty administrator for the organization (run from the organization management account); member accounts are then associated with it:
aws guardduty enable-organization-admin-account --admin-account-id <account-id>
Link member accounts to the master account:
aws guardduty create-members --detector-id <detector-id> --account-details AccountId=<member-account-id>,Email=<email>
Verify the findings from all linked accounts:
aws guardduty list-findings --detector-id <master-detector-id>
Backout Plan:
If central management causes issues (e.g., incorrect findings, permissions issues):
Disassociate the master account from the member accounts:
aws guardduty delete-members --detector-id <detector-id> --account-ids <account-id>
Disable GuardDuty from the master account:
aws guardduty delete-detector --detector-id <detector-id>
If necessary, address any findings or alerts triggered by the configuration change by checking CloudWatch or SNS notifications and reviewing the GuardDuty findings.
Note:
Alerting: Set up SNS or CloudWatch Alarms to notify security teams when high-severity findings are detected in the GuardDuty master account.
Monitoring: Continuously monitor the aggregated findings to ensure that any high-severity alerts are promptly addressed.