How to forward GuardDuty findings from member accounts to Security Hub in a delegated administrator account?

1

I have a use case where I'd like to centralise GuardDuty findings from multiple member accounts into the Security Hub of one account. Let's call it the Audit account.

  • I setup AWS Organisations with a delegated administrator account for GuardDuty and Security Hub called the Audit account
  • That Audit account does successfully receive GuardDuty findings from member accounts.
  • The GuardDuty account in member accounts successfully forward findings to Security Hub in those same member accounts.
  • The GuardDuty in the Audit account does forward local GD findings to the Security Hub in the Audit account.

Issues:

  • The GuardDuty in the Audit account DOES NOT forward member GD findings to the Security Hub in the Audit account.
  • The Security Hub in the Member account DOES NOT forward GD findings to the Security Hub in the Audit account.

See below for a visual representation:

Enter image description here

I may just completely lack knowledge about this or have not set something up correctly. But I believe I followed everything correctly in the docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) and would like some help solving this problem / gaining a better understanding of why it's not working. Thank you.

1 réponse
3
Réponse acceptée

Hi,

Did you think of implementing the architecture described in this blog post: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/

It demonstrates how to use GuardDuty with a central account to which all finding from GuardDuty in other accounts are routed. So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub.

Best,

Didier

profile pictureAWS
EXPERT
répondu il y a 4 mois
profile picture
EXPERT
vérifié il y a un mois
profile picture
EXPERT
vérifié il y a 2 mois
  • Hi Didier,

    The article you sent is to "Enable GuardDuty in a master account and invite member accounts," I essentially did a variation of that following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.

    "So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."

    This is the issue. The routing part to the master security hub doesn't seem to be working which is what I am puzzled about.

    Thanks, Brian

  • After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why though because according to the AWS documentation "This section doesn't apply to you if you use central configuration." (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) but it looks like that section DOES apply if you want to have guardduty findings from member accounts being sent to the master account that has Security Hub.

  • Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions