Managing Amazon GuardDuty Security Findings Across Multiple Accounts

In our previous article, we discussed how GuardDuty can help organizations monitor their workloads and AWS accounts for malicious activity, and how to monitor findings with Amazon CloudWatch Events.

Imagine that your organization has multiple AWS accounts for different workloads, teams, and projects. You would need to monitor GuardDuty findings in each account individually, and constantly switching between AWS accounts makes this quite difficult for your security team.

Amazon GuardDuty supports consolidating these findings into one AWS account. For example, if your organization has 10 AWS accounts, all you have to do is create a “GuardDuty” AWS account whose sole purpose is to ingest the findings from all 10 accounts. With the help of this article, you should be able to aggregate your GuardDuty findings from multiple AWS accounts into a single AWS account.

In this scenario, we’ll be using two AWS accounts: a master account, to which all the findings will be sent, and a secondary AWS account, which will send its findings to the master account.

1.  To start, we need to “Enable GuardDuty” for both the master and secondary accounts.

2.  Once enabled, you will be redirected to the GuardDuty console. Head over to the “Accounts” section and click “Add accounts”. To add multiple accounts at once, you can use the “Upload List (.csv)” option.

3.  Enter the 12-digit account number and the email address associated with the secondary account. Click “Add”, then “Next”.

4.  Once you have filled in the details of the secondary account, you should see it under the accounts tab. At this stage, the status of the account is “invite”. Click on invite and a pop-up message will appear.

  1. You can send an optional message to the receiver.
  2. Tick the “also send an email notification” option to ensure that the email address associated with the secondary account receives the invitation.
  3. Once done, click “Send Invitation”.
  4. During the invitation process, AWS will check whether the account ID and the email address associated with the account are valid.

5.  You have two options to accept the invitation:

  • Head over to your secondary account’s GuardDuty and accept the invitation.
  • Click the URL sent by AWS over the email.
    Note: Remember that you need to enable GuardDuty on the secondary account before accepting the invitation.

6.  Once you have accepted the invitation, all of the findings in the secondary account will now be sent to the master account.

7.  Once the secondary account has accepted the invitation, its status will now be “Enabled”.
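
Steps 2 to 4 can also be scripted when there are many secondary accounts. The following is an added example, not part of the original article: it validates an account list before sending it to GuardDuty's CreateMembers and InviteMembers operations through boto3. The `Account ID,Email` header, the sample rows, and the function names are assumptions made for illustration.

```python
import csv
import io
import re

ACCOUNT_ID = re.compile(r"[0-9]{12}")
BATCH = 50  # CreateMembers and InviteMembers take at most 50 accounts per call

# Constructed sample list; header assumed to be "Account ID,Email".
SAMPLE_CSV = """Account ID,Email
111122223333,sec-a@example.com
12345678901,sec-b@example.com
111122223333,sec-a@example.com
444455556666,not-an-email
"""

def parse_member_csv(text):
    """Return (members, errors); errors are (line number, reason) pairs."""
    members, errors, seen = [], [], set()
    for line, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        account = (row.get("Account ID") or "").strip()
        email = (row.get("Email") or "").strip()
        if not ACCOUNT_ID.fullmatch(account):
            errors.append((line, "account ID is not 12 digits"))
        elif "@" not in email:
            errors.append((line, "email address looks invalid"))
        elif account in seen:
            errors.append((line, "duplicate account ID"))
        else:
            seen.add(account)
            members.append({"AccountId": account, "Email": email})
    return members, errors

def batches(items, size=BATCH):
    return [items[i:i + size] for i in range(0, len(items), size)]

def add_and_invite(detector_id, members, message=""):
    """Steps 2-4 via the API; run with the master account's credentials."""
    import boto3  # imported lazily so validation works without the SDK
    gd = boto3.client("guardduty")
    unprocessed = []
    for batch in batches(members):
        resp = gd.create_members(DetectorId=detector_id, AccountDetails=batch)
        unprocessed += resp.get("UnprocessedAccounts", [])
        resp = gd.invite_members(
            DetectorId=detector_id, Message=message,
            AccountIds=[m["AccountId"] for m in batch],
            DisableEmailNotification=False)  # like ticking the email box
        unprocessed += resp.get("UnprocessedAccounts", [])
    return unprocessed
```

The second sample row shows a common failure: an account ID that a spreadsheet has stripped of its leading zero no longer passes the 12-digit check. Any entries returned by `add_and_invite` are accounts that GuardDuty itself rejected.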

Summary

In this article, you have learned how to monitor multiple AWS accounts using one GuardDuty master account. GuardDuty is a powerful AWS service that makes it easier for security teams to monitor malicious activity across one or multiple AWS accounts.

Sources: 
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html
