Configuring Accounts and Permissions in Amazon GuardDuty
In this lesson, we look at how to configure Amazon GuardDuty to work across multiple AWS accounts as well as the different permissions required and used when working with Amazon GuardDuty.
By the end of this lesson, you will have a greater understanding of Amazon GuardDuty, including:
- The terminology for using a multi-account strategy with Amazon GuardDuty
- How to connect multiple AWS accounts to centralize findings
- How to ensure you have the correct permissions in place to work with Amazon GuardDuty successfully
This lesson is intended for:
- Individuals working as security consultants or specialists, security analysts, security auditors, cloud architects, or cloud operational support analysts
- Anyone looking to learn more about AWS security and threat detection within AWS
Prerequisites for this lesson:
- A basic understanding of the fundamentals of AWS
- An awareness of the different security measures and mechanisms offered by AWS services, in particular IAM resources such as IAM policies and IAM roles
- An understanding of AWS Organizations at a fundamental level and a basic understanding of Amazon GuardDuty
If you’d like more information on some of these features, check out the following courses titled:
In this video, I’ll be showing you how to delegate an administrator account and add a member account using AWS Organizations.
As you can see, I’ve already created an AWS organization for this account and I just have one account in it. So, the first thing I’ll do is go to the GuardDuty dashboard and click on Settings. Under Delegated administrator, I’m going to put in the account number of the account that I want to manage my GuardDuty findings. I’m going to make the administrator account the account I’m currently using and then click Delegate.
Note that I’m using this account for demo purposes, but in the real world, you would not want to make your AWS Organizations management account the same as your GuardDuty delegated administrator account.
Moving on - here, it lets me know I’ve authorized this account to be the administrator, and that I can remove those privileges any time I’d like. Now we’ll go to the AWS Organizations console and I’ll go ahead and add an AWS account to my organization. I’ll do this by adding an existing account: I’ll put in the email address of the account owner - in this case, my email, email@example.com. Then I’ll click Send invitation.
Then I’ll get an email and in that email, it will look like this, where it’s saying I’ve been invited to a very exclusive club. Normally, you can just press accept invitation and be good to go.
However, I have a couple different accounts open, so I’m going to copy this link and paste it in my incognito browser, where I’m logged into my secondary AWS account.
Once I do that, it’s asking me to accept the invitation, which I will. All right, so now if I go to my AWS Organizations page here from my delegated administrator account and refresh the page - you can see I now have two accounts here.
Now if we go back to the GuardDuty console and click Accounts - we can see that I now have an account listed here. It has a type of “Via Organizations” and a status of “Not a member”.
Now to add this account as a member, I can check the box here, click Actions, then Add member, and then Add member again to confirm.
The last feature to talk about here is the auto-enable feature for Organizations. If I click Auto-enable, I can enable Amazon GuardDuty either for all existing and new accounts, or for just any new accounts that join the organization. I can additionally enable any or all protection plans for all accounts or for new accounts only.
By turning this on, it allows the delegated administrator to manage any new member accounts. If you have more than 5,000 member accounts, this feature will turn off automatically. However, if an account is removed, and you have fewer than 5,000 accounts once again, the feature will turn back on.
This is a helpful feature as you don’t have to enable GuardDuty for each account, which automates part of the process for you. With this feature, you can also control which protection plans you’d like to enable automatically for new and existing accounts.
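The same steps, together with the permissions check mentioned in the lesson objectives, as an added Python example that is not part of the Cloud Academy lesson or of AWS's own tooling. The IAM action names in REQUIRED_DELEGATION_ACTIONS are taken from the GuardDuty documentation's list of permissions needed to delegate an administrator and should be verified against the current documentation; the policy document, account IDs and e-mail address are constructed placeholders; and the boto3 calls in `configure_organization` are only exercised when you run it with real credentials.

```python
"""Multi-account GuardDuty setup helpers (added example, not the lesson's own code).

Two pure helpers check the inputs before anything is changed: that the
management account's policy grants what delegation needs, and that the chosen
delegated administrator is not the Organizations management account (the
lesson's caveat). The last function performs the lesson's console steps via
boto3 and needs two sessions, because delegation and invitation run in the
management account while member creation and auto-enable run in the
delegated administrator account.
"""
from __future__ import annotations

import fnmatch

# Permissions the management account needs to designate a delegated GuardDuty
# administrator, as listed in the GuardDuty documentation (assumption: check the
# current docs; in practice iam:CreateServiceLinkedRole for guardduty.amazonaws.com
# is also required so the service-linked role can be created).
REQUIRED_DELEGATION_ACTIONS = frozenset({
    "guardduty:EnableOrganizationAdminAccount",
    "guardduty:ListOrganizationAdminAccounts",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganization",
})

# Constructed sample policy: it grants the GuardDuty actions and a wildcard over
# the Organizations List* actions, but not the remaining Organizations actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["guardduty:EnableOrganizationAdminAccount",
                    "guardduty:ListOrganizationAdminAccounts"]},
        {"Effect": "Allow", "Resource": "*", "Action": "organizations:List*"},
    ],
}


def _allowed_actions(policy: dict) -> set[str]:
    """Collect the Action strings of every Allow statement (Deny is ignored here)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    allowed: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


def missing_delegation_actions(policy: dict) -> set[str]:
    """Required actions that no Allow statement covers, honouring IAM-style '*' wildcards."""
    granted = _allowed_actions(policy)
    return {req for req in REQUIRED_DELEGATION_ACTIONS
            if not any(fnmatch.fnmatchcase(req, g) for g in granted)}


def check_admin_choice(management_account_id: str, admin_account_id: str) -> list[str]:
    """Warnings about the delegated-administrator choice; an empty list means it is acceptable."""
    warnings = []
    if not (admin_account_id.isdigit() and len(admin_account_id) == 12):
        warnings.append("delegated administrator must be a 12-digit AWS account id")
    if admin_account_id == management_account_id:
        warnings.append("delegated administrator is the Organizations management account; "
                        "use a dedicated security account instead")
    return warnings


def configure_organization(mgmt_session, admin_session, management_account_id: str,
                           admin_account_id: str, member_account_id: str,
                           member_email: str) -> str:
    """The lesson's console steps as API calls. Returns the detector id used."""
    problems = check_admin_choice(management_account_id, admin_account_id)
    if problems:
        raise ValueError("; ".join(problems))
    # Step 1 (management account): delegate the GuardDuty administrator.
    mgmt_session.client("guardduty").enable_organization_admin_account(
        AdminAccountId=admin_account_id)
    # Step 2 (management account): invite the existing account; its owner accepts by e-mail.
    mgmt_session.client("organizations").invite_account_to_organization(
        Target={"Id": member_email, "Type": "EMAIL"})
    # Step 3 (delegated administrator): add the account as a member, then auto-enable
    # GuardDuty and S3 Protection for all existing and new organization members.
    gd = admin_session.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    gd.create_members(DetectorId=detector_id,
                      AccountDetails=[{"AccountId": member_account_id, "Email": member_email}])
    gd.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers="ALL",
        Features=[{"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"}])
    return detector_id


if __name__ == "__main__":
    print("missing:", sorted(missing_delegation_actions(SAMPLE_POLICY)))
    print("warnings:", check_admin_choice("111111111111", "111111111111"))
```

Run the policy check against the management account's actual policy before attempting delegation; the error the console returns on a missing Organizations permission is less specific than the set this helper returns. To run `configure_organization`, build the two `boto3.Session` objects with credentials for the management account and the delegated administrator respectively, and pass `AutoEnableOrganizationMembers="NEW"` instead of `"ALL"` if you only want accounts that join later to be enrolled.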
All right - that’s all for this one - see you next time!
Alana Layton is an experienced technical trainer, technical content developer, and cloud engineer living out of Seattle, Washington. Her career has included teaching about AWS all over the world, creating AWS content that is fun, and working in consulting. She currently holds six AWS certifications. Outside of Cloud Academy, you can find her testing her knowledge in bar trivia, reading, or training for a marathon.