Configuring Accounts and Permissions in Amazon GuardDuty
In this lesson, we look at how to configure Amazon GuardDuty to work across multiple AWS accounts as well as the different permissions required and used when working with Amazon GuardDuty.
Learning Objectives
By the end of this lesson, you will have a greater understanding of Amazon GuardDuty, including:
- The terminology for using a multi-account strategy with Amazon GuardDuty
- How to connect multiple AWS accounts to centralize findings
- How to ensure you have the correct permissions in place to work with Amazon GuardDuty successfully
Intended Audience
- Individuals working as security consultants or specialists, security analysts, security auditors, Cloud architects, or Cloud operational support analysts
- Anyone looking to learn more about AWS Security and threat detection within AWS
Prerequisites
- A basic understanding of the fundamentals of AWS
- An awareness of the different security measures and mechanisms offered by AWS services, in particular IAM resources such as IAM policies and IAM roles
- A fundamental understanding of AWS Organizations and a basic understanding of Amazon GuardDuty
- If you’d like more information on some of these features, check out the following courses titled:
Let’s talk about how to add a member account to an administrator account using the GuardDuty invitation feature. To make this happen, I’ll use my current account as the administrator account and invite a second AWS account of mine to be a member account. That way I can see the findings from both accounts through this administrator account.
Here I am in the dashboard of Amazon GuardDuty and what I need to do is go to the left-hand side and click on the Accounts section.
Then I’ll click add accounts by invitation. Here I can add a single account by entering its account ID and the email address it will use to receive the invitation. However, if you have 10, 20, 30, or even more AWS accounts, adding each one individually quickly becomes time-consuming.
In these situations, you can upload a CSV file with a list of account IDs and associated email addresses. That way you can upload them all in bulk. Since I just have one other account I’d like to link, I can go ahead and put that account number in, as well as the associated email address. Then I’ll click on add. It will then populate the list of accounts to be added.
From there, you’ll click on next. On this screen, we can see that member accounts share findings with you and members must first accept an invitation. Here you can see we’ve added it, but we have yet to send an invite. Before we do that, let’s take a look around.
If we tick the box next to the account we added, a few options become available. The first is export CSV. If we click this, we get a list of the accounts we’ve added, their status, and the protection plans enabled for each account.
If we want to change the protection plans, we can click edit protection plans. For example, S3 Protection can be enabled or disabled either for the selected accounts or for all accounts.
Finally, if we click on the actions section, there are several actions we can take, some of which are greyed out because we haven’t invited this account yet. We can suspend GuardDuty for this account, re-enable the account, disassociate or disable the account, or add members.
But what we need to do next is invite the account, so I’ll click invite. If you want to, you can enter a personal message here that will go to the owner of this secondary account; I’ll say “Please Accept”. Before we click send, we can tick a box to notify the root user of the secondary account by e-mail and also generate a notification in their personal health dashboard. This comes in handy if they don’t have access to their e-mail, since they can still be notified through the personal health dashboard. Then I’ll click send.
And that has now sent an e-mail to the owner of the account that we added. And we can see the status is now saying “invited” with a type of “by invitation”. So let’s go ahead and go to my e-mail and take a look at the e-mail that I received for my secondary account.
This is the email that I've received. The title states that action is requested, and it says “Another AWS account wants to become the AWS GuardDuty administrator for this secondary AWS account.” Further down, where it says the following notes were provided with this invitation, it reads “Please accept”, which is the custom message that I added. Now, to view the invitation, we can click this link. I’m going to copy and paste it into my incognito browser, where I’m logged into my secondary account, and it takes me straight to this screen. It says I have a membership invitation, but we must enable GuardDuty before we can accept invitations. So, we'll need to enable GuardDuty on this account first.
So I’ll go ahead and click enable GuardDuty and we’re good to go. Then it tells me that "The following AWS accounts have requested permission to view and manage GuardDuty items on your behalf. You can accept only one invitation." So, this is the administrator account here, and I want to accept, so I’ll toggle this, and then I'll click Accept Invitation. And that's it. So, this is now the member account, and it will push its findings across to the administrator account.
So now, if I go back to the administrator account and view my Accounts dashboard and click refresh, you can see here that I have a member account added, and the status is now enabled. And that's it. So, from the administrator account, you add and then invite any member accounts. Those member accounts then simply accept that invitation, and from that point onwards, your administrator account will then monitor the status and findings of all your member accounts.
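The same invitation flow driven through the GuardDuty API instead of the console: this is an added example, not code from the lesson or from AWS. It assumes boto3-style GuardDuty clients (one under the administrator account's credentials, one under the member's) and substitutes a constructed in-memory FakeGuardDuty so it runs offline; the account IDs, detector IDs, e-mail addresses and invitation IDs are made up.

```python
"""Enroll GuardDuty members by invitation: administrator side, then member side (assumed boto3 calls)."""
def invite_members(admin_gd, detector_id, members, message):
    """Administrator: CreateMembers, then InviteMembers for the ones created; returns status per account."""
    resp = admin_gd.create_members(DetectorId=detector_id, AccountDetails=members)
    failed = {u["AccountId"]: u["Result"] for u in resp.get("UnprocessedAccounts", [])}
    ok = [m["AccountId"] for m in members if m["AccountId"] not in failed]
    if ok:  # DisableEmailNotification=False keeps the e-mail to the member account's root user
        resp = admin_gd.invite_members(DetectorId=detector_id, AccountIds=ok,
                                       DisableEmailNotification=False, Message=message)
        failed.update({u["AccountId"]: u["Result"] for u in resp.get("UnprocessedAccounts", [])})
    now = admin_gd.get_members(DetectorId=detector_id, AccountIds=ok)["Members"]
    return {**{m["AccountId"]: m["RelationshipStatus"] for m in now}, **failed}
def accept_invitation(member_gd, admin_account_id):
    """Member: GuardDuty must be enabled (a detector must exist) before an invitation can be accepted."""
    ids = member_gd.list_detectors()["DetectorIds"]
    det = ids[0] if ids else member_gd.create_detector(Enable=True)["DetectorId"]
    for inv in member_gd.list_invitations().get("Invitations", []):
        if inv["AccountId"] == admin_account_id:  # a member can accept only one administrator
            member_gd.accept_administrator_invitation(DetectorId=det, AdministratorId=admin_account_id,
                                                      InvitationId=inv["InvitationId"])
            return True
    return False  # no pending invitation from that administrator

class FakeGuardDuty:  # constructed offline stand-in for boto3.client('guardduty'); fakes share one state dict
    def __init__(self, account_id, state): self.me, self.s = account_id, state
    def create_members(self, DetectorId, AccountDetails):
        self.s["members"].update({m["AccountId"]: "Created" for m in AccountDetails}); return {"UnprocessedAccounts": []}
    def invite_members(self, DetectorId, AccountIds, DisableEmailNotification, Message):
        for a in AccountIds:  # each invite shows up in that member account's ListInvitations
            self.s["members"][a] = "Invited"
            self.s["invitations"].setdefault(a, []).append({"AccountId": self.me, "InvitationId": "inv-" + a})
        return {"UnprocessedAccounts": []}
    def get_members(self, DetectorId, AccountIds):
        return {"Members": [{"AccountId": a, "RelationshipStatus": self.s["members"][a]} for a in AccountIds]}
    def list_detectors(self): return {"DetectorIds": self.s["detectors"].get(self.me, [])}
    def create_detector(self, Enable):
        self.s["detectors"][self.me] = ["det-" + self.me]; return {"DetectorId": "det-" + self.me}
    def list_invitations(self): return {"Invitations": self.s["invitations"].get(self.me, [])}
    def accept_administrator_invitation(self, DetectorId, AdministratorId, InvitationId):
        self.s["members"][self.me] = "Enabled"  # the administrator now sees this member as Enabled

def demo():
    """Whole flow offline with made-up account IDs: invite two members, only the first accepts."""
    members = [{"AccountId": "111111111111", "Email": "security@example.com"},
               {"AccountId": "222222222222", "Email": "ops@example.com"}]  # constructed sample
    state = {"members": {}, "invitations": {}, "detectors": {"999999999999": ["det-admin"]}}
    admin = FakeGuardDuty("999999999999", state)
    invited = invite_members(admin, "det-admin", members, "Please Accept")
    accepted = accept_invitation(FakeGuardDuty("111111111111", state), "999999999999")
    final = admin.get_members(DetectorId="det-admin", AccountIds=list(invited))["Members"]
    return invited, accepted, {m["AccountId"]: m["RelationshipStatus"] for m in final}
```

Against real accounts, replace FakeGuardDuty with boto3 clients for each account; the returned RelationshipStatus values then match what the Accounts page shows.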
That’s it for this one - see you next time!
Alana Layton is an experienced technical trainer, technical content developer, and cloud engineer living out of Seattle, Washington. Her career has included teaching about AWS all over the world, creating AWS content that is fun, and working in consulting. She currently holds six AWS certifications. Outside of Cloud Academy, you can find her testing her knowledge in bar trivia, reading, or training for a marathon.