How to forward GuardDuty findings from member accounts to Security Hub in a delegated administrator account?

1

I have a use case where I'd like to centralise GuardDuty findings from multiple member accounts into the Security Hub of one account. Let's call it the Audit account.

  • I set up AWS Organisations with a delegated administrator account for GuardDuty and Security Hub called the Audit account.
  • That Audit account does successfully receive GuardDuty findings from member accounts.
  • The GuardDuty account in member accounts successfully forwards findings to Security Hub in those same member accounts.
  • The GuardDuty in the Audit account does forward local GD findings to the Security Hub in the Audit account.

Issues:

  • The GuardDuty in the Audit account DOES NOT forward member GD findings to the Security Hub in the Audit account.
  • The Security Hub in the Member account DOES NOT forward GD findings to the Security Hub in the Audit account.

See below for a visual representation:

[image: architecture diagram]

I may just completely lack knowledge about this or have not set something up correctly. But I believe I followed everything correctly in the docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) and would like some help solving this problem / gaining a better understanding of why it's not working. Thank you.

1 answer
3
Accepted answer

Hi,

Did you think of implementing the architecture described in this blog post: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/

It demonstrates how to use GuardDuty with a central account to which all findings from GuardDuty in other accounts are routed. So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub.

Best,

Didier

AWS Expert, answered 4 months ago
Expert, reviewed 25 days ago
Expert, reviewed 2 months ago
  • Hi Didier,

    The article you sent is for "Enable GuardDuty in a master account and invite member accounts"; I essentially did a variation of that following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.

    "So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."

    This is the issue. The routing part to the master security hub doesn't seem to be working which is what I am puzzled about.

    Thanks, Brian

  • After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why though, because according to the AWS documentation "This section doesn't apply to you if you use central configuration." (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html), but it looks like that section DOES apply if you want to have GuardDuty findings from member accounts being sent to the master account that has Security Hub.

  • Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier
