I have a use case where I'd like to centralise GuardDuty findings from multiple member accounts into the Security Hub of one account. Let's call it the Audit account.
- I set up AWS Organisations with a delegated administrator account for GuardDuty and Security Hub called the Audit account.
- That Audit account does successfully receive GuardDuty findings from member accounts.
- The GuardDuty account in member accounts successfully forwards findings to Security Hub in those same member accounts.
- The GuardDuty in the Audit account does forward local GD findings to the Security Hub in the Audit account.
Issues:
- The GuardDuty in the Audit account DOES NOT forward member GD findings to the Security Hub in the Audit account.
- The Security Hub in the Member account DOES NOT forward GD findings to the Security Hub in the Audit account.
See below for a visual representation:
I may just completely lack knowledge about this or have not set something up correctly. But I believe I followed everything correctly in the docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) and would like some help solving this problem / gaining a better understanding of why it's not working. Thank you.
Hi Didier,
The article you sent is to "Enable GuardDuty in a master account and invite member accounts." I essentially did a variation of that following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.
"So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."
This is the issue. The routing part to the master security hub doesn't seem to be working which is what I am puzzled about.
Thanks, Brian
After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why though, because according to the AWS documentation "This section doesn't apply to you if you use central configuration." (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) but it looks like that section DOES apply if you want to have GuardDuty findings from member accounts being sent to the master account that has Security Hub.
Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier
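The thread's resolution was that member accounts were associated with the GuardDuty delegated administrator but not with Security Hub in the Audit account. The following is an added example, not code from the thread or from AWS: it reconciles the member lists of the two services so that this exact gap (a GuardDuty member with no matching, Enabled Security Hub membership) shows up as a finding before anyone wonders why findings are missing. It parses constructed JSON shaped like the output of `aws guardduty list-members` and `aws securityhub list-members` run in the Audit account; the account IDs, e-mails and detector ID are placeholders.

```python
import json

# Constructed sample output shaped like `aws guardduty list-members --detector-id <id>`
# run in the delegated administrator (Audit) account. All IDs are placeholders.
GUARDDUTY_MEMBERS_JSON = """
{
  "Members": [
    {"AccountId": "111111111111", "DetectorId": "00b0000000000000000000000000aaaa",
     "MasterId": "999999999999", "Email": "member1@example.invalid",
     "RelationshipStatus": "Enabled", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "222222222222", "DetectorId": "00b0000000000000000000000000bbbb",
     "MasterId": "999999999999", "Email": "member2@example.invalid",
     "RelationshipStatus": "Enabled", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "333333333333", "DetectorId": "00b0000000000000000000000000cccc",
     "MasterId": "999999999999", "Email": "member3@example.invalid",
     "RelationshipStatus": "Enabled", "UpdatedAt": "2024-01-01T00:00:00.000Z"}
  ]
}
"""

# Constructed sample output shaped like `aws securityhub list-members` in the same
# account. Account 222222222222 was invited but never accepted; 333333333333 was
# never added to Security Hub at all, which is the situation described in the thread.
SECURITYHUB_MEMBERS_JSON = """
{
  "Members": [
    {"AccountId": "111111111111", "Email": "member1@example.invalid",
     "AdministratorId": "999999999999", "MemberStatus": "Enabled",
     "InvitedAt": "2024-01-01T00:00:00.000Z", "UpdatedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "222222222222", "Email": "member2@example.invalid",
     "AdministratorId": "999999999999", "MemberStatus": "Invited",
     "InvitedAt": "2024-01-01T00:00:00.000Z", "UpdatedAt": "2024-01-01T00:00:00.000Z"}
  ]
}
"""


def reconcile_members(guardduty_json: str, securityhub_json: str) -> dict:
    """Compare GuardDuty and Security Hub member associations seen from the
    administrator account and report accounts whose findings will not reach
    the central Security Hub.

    Returns a dict of sorted account-ID lists:
      gd_only        - GuardDuty members with no Security Hub membership at all
      sh_not_enabled - Security Hub members whose MemberStatus is not "Enabled"
      gd_not_enabled - GuardDuty members whose RelationshipStatus is not "Enabled"
      fully_linked   - accounts that are Enabled in both services
    """
    gd = {m["AccountId"]: m["RelationshipStatus"]
          for m in json.loads(guardduty_json)["Members"]}
    sh = {m["AccountId"]: m["MemberStatus"]
          for m in json.loads(securityhub_json)["Members"]}

    return {
        "gd_only": sorted(a for a in gd if a not in sh),
        "sh_not_enabled": sorted(a for a, s in sh.items() if s != "Enabled"),
        "gd_not_enabled": sorted(a for a, s in gd.items() if s != "Enabled"),
        "fully_linked": sorted(a for a in gd
                               if sh.get(a) == "Enabled" and gd[a] == "Enabled"),
    }


def format_report(result: dict) -> str:
    """Render the reconciliation result as a short human-readable report."""
    lines = []
    for acct in result["gd_only"]:
        lines.append(f"{acct}: GuardDuty member but NOT a Security Hub member "
                     f"(findings stay in the member account's own Security Hub)")
    for acct in result["sh_not_enabled"]:
        lines.append(f"{acct}: Security Hub membership exists but is not Enabled "
                     f"(invitation pending or membership disabled)")
    for acct in result["gd_not_enabled"]:
        lines.append(f"{acct}: GuardDuty relationship is not Enabled")
    for acct in result["fully_linked"]:
        lines.append(f"{acct}: OK, Enabled in both GuardDuty and Security Hub")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile_members(GUARDDUTY_MEMBERS_JSON,
                                          SECURITYHUB_MEMBERS_JSON)))
```

In practice you would feed the script the real CLI output captured from the Audit account rather than the embedded samples; any account listed under `gd_only` or `sh_not_enabled` is one whose GuardDuty findings will not appear in the central Security Hub until its Security Hub membership is created and accepted.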