How to forward GuardDuty findings from member accounts to Security Hub in a delegated administrator account?

1

I have a use case where I'd like to centralise GuardDuty findings from multiple member accounts into the Security Hub of one account. Let's call it the Audit account.

  • I setup AWS Organisations with a delegated administrator account for GuardDuty and Security Hub called the Audit account
  • That Audit account does successfully receive GuardDuty findings from member accounts.
  • The GuardDuty account in member accounts successfully forward findings to Security Hub in those same member accounts.
  • The GuardDuty in the Audit account does forward local GD findings to the Security Hub in the Audit account.

Issues:

  • The GuardDuty in the Audit account DOES NOT forward member GD findings to the Security Hub in the Audit account.
  • The Security Hub in the Member account DOES NOT forward GD findings to the Security Hub in the Audit account.

See below for a visual representation:

Enter image description here

I may just completely lack knowledge about this or have not set something up correctly. But I believe I followed everything correctly in the docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) and would like some help solving this problem / gaining a better understanding of why it's not working. Thank you.

1개 답변
3
수락된 답변

Hi,

Did you think of implementing the architecture described in this blog post: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/

It demonstrates how to use GuardDuty with a central account to which all finding from GuardDuty in other accounts are routed. So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub.

Best,

Didier

profile pictureAWS
전문가
답변함 4달 전
profile picture
전문가
검토됨 19일 전
profile picture
전문가
검토됨 2달 전
  • Hi Didier,

    The article you sent is to "Enable GuardDuty in a master account and invite member accounts," I essentially did a variation of that following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.

    "So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."

    This is the issue. The routing part to the master security hub doesn't seem to be working which is what I am puzzled about.

    Thanks, Brian

  • After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why though because according to the AWS documentation "This section doesn't apply to you if you use central configuration." (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) but it looks like that section DOES apply if you want to have guardduty findings from member accounts being sent to the master account that has Security Hub.

  • Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠