Configuring Accounts and Permissions in Amazon GuardDuty
In this lesson, we look at how to configure Amazon GuardDuty to work across multiple AWS accounts as well as the different permissions required and used when working with Amazon GuardDuty.
By the end of this lesson, you will have a greater understanding of Amazon GuardDuty, including:
- The terminology for using a multi-account strategy with Amazon GuardDuty
- How to connect multiple AWS accounts to centralize findings
- How to ensure you have the correct permissions in place to work with Amazon GuardDuty successfully
This lesson is intended for:
- Individuals working as security consultants or specialists, security analysts, security auditors, cloud architects, or cloud operational support analysts
- Anyone looking to learn more about AWS security and threat detection within AWS
To get the most from this lesson, you should:
- Have a basic understanding of the fundamentals of AWS
- Have an awareness of the different security measures and mechanisms offered by AWS services, such as IAM resources, specifically IAM policies and IAM roles
- Understand AWS Organizations at a fundamental level and have a basic understanding of Amazon GuardDuty
- If you’d like more information on some of these features, check out the following courses titled:
Most AWS customers have more than one AWS account. If you have a multi-account strategy and you also use GuardDuty, you’ll end up with findings in multiple accounts. So what do you do when you want to understand all of your findings in all of your accounts?
It’s probably unlikely that you’ll go into each account and look at each individual finding - especially if you have 10, 20, 30, or even more accounts. That would take a lot of time. Instead, you’ll most likely want to see a centralized view of all of your findings within all of your accounts.
Fortunately, you can do this in Amazon GuardDuty. Here’s how it works:
If you want this centralized view, you’ll need one of your accounts to act as the GuardDuty administrator account. All the other accounts you’d like to link would be referred to as “member accounts”.
Then, the member accounts are configured to send a copy of their findings to the administrator account. Once the accounts are linked, you’ll be able to see all the findings in the administrator account. This prevents you from having to look within each member account to see each set of findings.
The administrator account helps manage the member accounts and can set up certain features of GuardDuty for those accounts.
For example, an administrator account can enable or suspend GuardDuty for each member account. Administrator accounts can also create trusted IP lists, threat lists, and suppression rules that enable you to filter and suppress findings for member accounts. This is an important consideration because when you’re using a shared account environment, member accounts can’t actually enable these features themselves - they have to rely on the administrator account instead.
To link accounts, administrator accounts must go through a process to add member accounts. There are two ways to add member accounts: through AWS Organizations or by sending invites through Amazon GuardDuty.
The recommended method by AWS is through AWS Organizations. With AWS Organizations, the process to link accounts is as follows:
You first specify a delegated administrator account. This should be different from the AWS Organizations management account. The delegated administrator account is the same thing as an administrator account and enables you to add, remove, and manage member accounts.
You can then select which accounts in your Organization you’d like to add. Once they’re added, the accounts become member accounts and are linked to the delegated administrator account.
The second method is through Amazon GuardDuty invitations. This comes in handy if you have an account outside of your organization that you’d like to become a member account. In that case, you can’t invite them through AWS Organizations - but you can use the invite method. You can also use this method if you’re not using AWS Organizations at all.
To invite an account, you use the GuardDuty dashboard, enter the account IDs you’d like to invite, and then send an e-mail notification to those accounts to invite them. Once they accept the invite, they’ll be linked to the administrator account.
If you’d like to disable or suspend GuardDuty for a member account, you’d first need to remove that member account from the administrator account. That brings us to the end of this video. I’ll see you in the next one.
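The two linking methods described above (AWS Organizations and invitations), the member-side acceptance, and the removal step, written as AWS CLI calls in a POSIX shell script. This is an added example and not code from the lesson or from AWS: the account IDs, e-mail addresses and detector IDs passed in by callers are constructed placeholders, the `DRY_RUN` variable is a convenience that prints each command instead of running it, and the script assumes credentials for the administrator (or, for acceptance, the member) account are already configured in the shell.

```shell
#!/bin/sh
# Added example: link GuardDuty member accounts to an administrator account with the AWS CLI.
# Set DRY_RUN=1 to print each aws command instead of executing it.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# GuardDuty is addressed through the detector of the current account and region.
detector_id() {
  run aws guardduty list-detectors --query 'DetectorIds[0]' --output text
}

# Method 1 (AWS Organizations): run from the management account to delegate a
# different account as administrator, then from that account to enroll members.
delegate_admin() {          # $1 = account ID of the delegated administrator
  run aws guardduty enable-organization-admin-account --admin-account-id "$1"
}

enroll_org_members() {      # $1 = admin detector ID; $2.. = AccountId=...,Email=...
  det="$1"; shift
  # Also auto-enable GuardDuty for accounts that join the organization later
  # (--auto-enable-organization-members needs a recent AWS CLI).
  run aws guardduty update-organization-configuration \
      --detector-id "$det" --auto-enable-organization-members ALL
  run aws guardduty create-members --detector-id "$det" --account-details "$@"
}

# Method 2 (invitation): for accounts outside the organization, or without Organizations.
invite_members() {          # $1 = admin detector ID; $2.. = AccountId=...,Email=...
  det="$1"; shift
  run aws guardduty create-members --detector-id "$det" --account-details "$@"
  ids=$(printf '%s\n' "$@" | sed 's/^AccountId=\([0-9]*\),.*/\1/' | tr '\n' ' ')
  run aws guardduty invite-members --detector-id "$det" --account-ids $ids \
      --message "Please join the central GuardDuty administrator account"
}

# Member side: accept the pending invitation (IDs come from `aws guardduty list-invitations`).
accept_invitation() {       # $1 = member detector ID; $2 = admin account ID; $3 = invitation ID
  run aws guardduty accept-administrator-invitation \
      --detector-id "$1" --administrator-id "$2" --invitation-id "$3"
}

# A member has to be removed from the administrator before GuardDuty can be disabled in it.
remove_members() {          # $1 = admin detector ID; $2.. = member account IDs
  det="$1"; shift
  run aws guardduty disassociate-members --detector-id "$det" --account-ids "$@"
}
```

Run `DRY_RUN=1 delegate_admin 111122223333` first to review the exact command before executing it against a real organization.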
Alana Layton is an experienced technical trainer, technical content developer, and cloud engineer living out of Seattle, Washington. Her career has included teaching about AWS all over the world, creating AWS content that is fun, and working in consulting. She currently holds six AWS certifications. Outside of Cloud Academy, you can find her testing her knowledge in bar trivia, reading, or training for a marathon.