Last updated on May 2, 2023
In our previous article, we discussed how GuardDuty can help organizations monitor their workloads and AWS accounts for malicious activity, and how to monitor findings with Amazon CloudWatch Events.
Imagine that your organization has multiple AWS accounts for different workloads, teams, and projects. With every account, you need to monitor GuardDuty findings individually. It will be quite difficult for your security team to keep track of these findings while constantly switching between AWS accounts.
Amazon GuardDuty supports the consolidation of these findings into one AWS account. For example, suppose your organization has 10 AWS accounts. All you have to do is create a dedicated “GuardDuty” AWS account with the sole purpose of ingesting all the findings from the 10 AWS accounts. With the help of this article, you should be able to aggregate your GuardDuty findings from multiple AWS accounts into a single AWS account.
In this scenario, we’ll be using two AWS accounts: the master account, where all the findings will be sent to, and a secondary AWS account, which will send its findings to the master account.
Managing Amazon GuardDuty Security Findings Across Multiple Accounts
1. To start, we need to “Enable GuardDuty” for both the master and secondary accounts.
2. Once enabled, you will be redirected to the GuardDuty console. Head over to the “Accounts” section and click “Add accounts”. For multiple accounts, you can add them at once by using “Upload List (.csv)”.
3. Enter the 12-digit account number and the email address associated with the secondary account. Click “Add”, then “Next”.
4. Once you have filled in the details of the secondary account, you should see it under the accounts tab. At this stage, the status of the account is “invite”. Click on invite and a pop-up message will appear.
- You can send an optional message to the receiver.
- Tick “also send an email notification” to ensure that the email address associated with the secondary account receives the invitation.
- Once done, click “Send Invitation”.
- During the invitation process, AWS will check that the account ID and the email address associated with the account are valid.
5. You have two options to accept the invitation:
- Head over to your secondary account’s GuardDuty and accept the invitation.
- Click the URL sent by AWS over the email.
**Note:** Remember that you need to enable GuardDuty on the secondary account before accepting the invitation.
6. Once you have accepted the invitation, all of the findings in the secondary account will be sent to the master account.
7. Once the secondary account has accepted the invitation, its status will change to “Enabled”.
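The same invitation flow driven through the boto3 GuardDuty API, as an added example that is not code from the original article. It assumes the CSV has the two-column “Account ID,Email” shape the console’s Upload List accepts, that GuardDuty (a detector) already exists in both accounts, and that `members.csv` is a constructed file name.

```python
import csv, io, re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")          # AWS account IDs are exactly 12 digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_member_csv(text):
    """Parse 'Account ID,Email' rows (assumed to match the console's Upload List format)
    into the AccountDetails list create_members expects; returns (members, errors)."""
    members, errors = [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or not any(c.strip() for c in row):
            continue                                   # blank line
        if n == 1 and row[0].strip().lower().startswith("account"):
            continue                                   # header row
        if len(row) != 2:
            errors.append((n, "expected 2 columns"))
            continue
        acct, email = (c.strip() for c in row)
        if not ACCOUNT_ID_RE.match(acct):
            errors.append((n, f"bad account id {acct!r}"))
        elif not EMAIL_RE.match(email):
            errors.append((n, f"bad email {email!r}"))
        else:
            members.append({"AccountId": acct, "Email": email})
    return members, errors


def invite_members(client, detector_id, members, message=None, notify=True):
    """Steps 2-4 in the administrator (master) account: register the accounts, then invite them."""
    client.create_members(DetectorId=detector_id, AccountDetails=members)
    kwargs = {"DetectorId": detector_id, "AccountIds": [m["AccountId"] for m in members],
              "DisableEmailNotification": not notify}   # notify=True keeps the e-mail notification on
    if message:
        kwargs["Message"] = message                    # the optional message shown in the console
    return client.invite_members(**kwargs)


def accept_pending_invitation(member_client, member_detector_id, admin_account_id):
    """Step 5, run in the secondary account; GuardDuty (a detector) must already exist there."""
    for inv in member_client.list_invitations().get("Invitations", []):
        if inv["AccountId"] == admin_account_id:
            member_client.accept_administrator_invitation(DetectorId=member_detector_id,
                AdministratorId=admin_account_id, InvitationId=inv["InvitationId"])
            return inv["InvitationId"]
    return None                                        # no invitation from that account


if __name__ == "__main__":
    import boto3                                       # lazy import: parsing helpers run without AWS access
    gd = boto3.client("guardduty")                     # credentials for the administrator account
    members, errors = parse_member_csv(open("members.csv").read())   # constructed file name
    print(invite_members(gd, gd.list_detectors()["DetectorIds"][0], members), errors)
```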
Summary
In this article, you have learned how to monitor multiple AWS accounts using one GuardDuty master account. GuardDuty is a powerful AWS service that makes it easier for security teams to monitor malicious activity across one or many AWS accounts.
Sources:
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html