Export GuardDuty findings to S3 in an AWS Organization

0

Hi there, I am in the process of setting up AWS GuardDuty using AWS orgs to manage the member accounts. However, I am having trouble setting up the S3 bucket and KMS key for these findings to be sent to.

The GuardDuty org resources are being provisioned in Account A which then delegates administrator privileges to Account B and is enabling one member in Account C. All these accounts are in the same org. When provisioning the resources w/ Terraform I get the error:

Error: creating GuardDuty Publishing Destination: operation error GuardDuty: CreatePublishingDestination, https response error StatusCode: 400, RequestID: <req_id>, BadRequestException: The request failed because the GuardDuty service principal does not have permission to the KMS key or the resource specified by the destinationArn parameter.

Here is what I'm using for the S3 bucket policy (replacing sensitive details):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow cross account bucket access",
      "Effect": "Allow",
      "Principal": {
        "Service": "guardduty.amazonaws.com"
      },
      "Action": ["s3:GetBucketLocation", "s3:GetBucketAcl", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::<guardduty_results_bucket_in_account_b>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:guardduty:*:*:detector/*"
        },
        "StringEquals": {
          "aws:PrincipalOrgID": "<org_id>"
        }
      }
    },
    {
      "Sid": "Allow PutObject",
      "Effect": "Allow",
      "Principal": {
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<guardduty_results_bucket_in_account_b>/*",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:guardduty:*:*:detector/*"
        },
        "StringEquals": {
          "aws:PrincipalOrgID": "<org_id>"
        }
      }
    },
...

I did not include the encryption related portions of the policy. This was based off of this doc.

The relevant portions of the KMS policy (excluding the base permissions for admin access) look like:

    {
      "Sid": "AllowGuardDutyKey",
      "Effect": "Allow",
      "Principal": {
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:guardduty:*:*:detector/*"
        },
        "StringEquals": {
          "aws:PrincipalOrgID": "<org_id>"
        }
      }
    }
  ]
}

What else am I missing here in terms of access policies to enable cross-org access to this bucket & key w/ guardduty?

1 Answer
0

To successfully export GuardDuty findings to an S3 bucket in an AWS Organization setup, there are a few key points to consider and adjust in your configuration:

  1. Ensure that the S3 bucket and KMS key are in the same region as the GuardDuty detector you're configuring for export.

  2. The KMS key policy needs to grant GuardDuty permission to use the key for encryption. Your current policy only allows the GenerateDataKey action, which may not be sufficient. Add the following actions to the KMS key policy:

    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"

  3. In the S3 bucket policy, make sure you're granting permissions to the GuardDuty service principal from all relevant AWS regions. You can do this by using a wildcard in the Principal section:

    "Principal": { "Service": "guardduty.*.amazonaws.com" }

  4. When setting up the publishing destination, ensure you're using the correct ARNs for both the S3 bucket and the KMS key. These should be from Account B (the delegated administrator account) if that's where you've created these resources.

  5. If you're setting up the publishing destination from Account A (the organization's management account), make sure it has the necessary permissions to access the S3 bucket and KMS key in Account B. You might need to add cross-account permissions to both the S3 bucket and KMS key policies.

  6. Double-check that the org ID used in the condition statements of both policies is correct and matches your AWS Organization ID.

  7. Ensure that the GuardDuty service-linked role has been created in all relevant accounts. This role is usually created automatically when GuardDuty is enabled, but it's worth verifying.

If you've implemented these changes and are still encountering issues, you may need to review the IAM permissions of the entity (user or role) that's attempting to create the publishing destination. Ensure it has the necessary permissions to perform this action across accounts in your organization.

Remember, when working with cross-account setups, it can sometimes take a few minutes for permission changes to propagate. If you've made changes, wait a short while and try the operation again.
Sources
Exporting generated GuardDuty findings to Amazon S3 buckets - Amazon GuardDuty
Exporting findings to Amazon S3 - access error - Amazon GuardDuty
How to Integrate Amazon GuardDuty Findings with On-Premises Splunk | AWS re:Post
Code repository for AWS SRA examples - AWS Prescriptive Guidance

answered 9 months ago
EXPERT
reviewed 9 months ago
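As an added example (editor's code, not from the question, the answer or AWS), a small offline linter for the two policies discussed in this thread: it checks that guardduty.amazonaws.com is granted the actions the export needs, that every such grant carries a source-scoping condition, and it flags aws:PrincipalOrgID on a service-principal statement, because that key is populated from the calling IAM principal's organization and is absent from requests the GuardDuty service principal makes (aws:SourceAccount and aws:SourceOrgID are the keys AWS sets for service-to-service requests). The embedded policy is a condensed copy of the question's bucket policy with its placeholders kept; the required-action sets are assumptions taken from the policies above.

```python
import fnmatch
import json

GD_PRINCIPAL = "guardduty.amazonaws.com"
REQUIRED_S3 = {"s3:GetBucketLocation", "s3:PutObject"}
REQUIRED_KMS = {"kms:GenerateDataKey"}
# Condition keys AWS populates for requests a service makes on your behalf.
SERVICE_REQUEST_KEYS = {"aws:SourceArn", "aws:SourceAccount", "aws:SourceOrgID"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict, required: set) -> list:
    """Return human-readable findings; an empty list means the checks pass."""
    findings, granted = [], []
    for stmt in policy.get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") != "Allow" or GD_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        granted += _as_list(stmt.get("Action", []))
        cond_keys = {k for ops in stmt.get("Condition", {}).values() for k in ops}
        # aws:PrincipalOrgID comes from the calling IAM principal's organization;
        # a service-principal request carries none, so this Allow is silently dead.
        if "aws:PrincipalOrgID" in cond_keys:
            findings.append(f"{sid}: aws:PrincipalOrgID will not match a service "
                            "principal; use aws:SourceAccount or aws:SourceOrgID")
        # Without a Source* condition any detector in any account could write here.
        if not cond_keys & SERVICE_REQUEST_KEYS:
            findings.append(f"{sid}: no aws:SourceArn/aws:SourceAccount condition")
    # A wildcard grant such as kms:GenerateDataKey* satisfies the concrete action.
    missing = {a for a in required
               if not any(fnmatch.fnmatchcase(a, g) for g in granted)}
    if missing:
        findings.append(f"missing actions for {GD_PRINCIPAL}: {sorted(missing)}")
    return findings

# Constructed: the question's bucket policy, condensed, with placeholders kept.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Allow PutObject", "Effect": "Allow",
   "Principal": {"Service": "guardduty.amazonaws.com"},
   "Action": ["s3:GetBucketLocation", "s3:PutObject"],
   "Resource": "arn:aws:s3:::<guardduty_results_bucket_in_account_b>/*",
   "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:guardduty:*:*:detector/*"},
                 "StringEquals": {"aws:PrincipalOrgID": "<org_id>"}}}]}""")

if __name__ == "__main__":
    for finding in lint_policy(BUCKET_POLICY, REQUIRED_S3) or ["OK"]:
        print(finding)
```

Run the same function over the KMS key policy with REQUIRED_KMS; the one finding it reports on the question's policies is the aws:PrincipalOrgID condition, which is worth replacing with aws:SourceAccount before digging into the other items in the answer.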
