How can I confirm if GuardDuty logs are consolidated in one account?

0

I have a task where I'm required to make sure all my GuardDuty logs from multiple accounts are logged to one account using a centralized logging solution.

At the moment, I'm trying to find a way either via console or cli, or both to confirm if my guardduty logs are centralized in the account I am in.

Is there an easy way to confirm this?

3 Answers
2

Having a central GuardDuty (delegated administrator) is the best practice in a multi-account environment. Member accounts join the central GuardDuty and consolidate all findings there. Central GuardDuty can store logs/findings in an S3 bucket.

Another option is to have an independent GuardDuty service in every AWS account and make them send logs to the same S3 bucket in different folders (prefixes), but this is not so convenient.

answered a year ago
Artem
reviewed a month ago
  • I'm asking how do I verify this. I'm not asking what's the best option to use for GuardDuty. Though this is helpful information, it wasn't my question.

    My question is how do I confirm through the console or even a CLI that my accounts have a Delegated Administrator or if it's sending logs to a bucket?

  • AWS Organization's Management account: GuardDuty - Settings - Delegated Administrator - Account ID

    GuardDuty Delegated Administrator account: GuardDuty - Settings - Findings export options - S3 bucket

    You can select an S3 bucket in the same account or in another account, plus a KMS key for log encryption.
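The same three checks the comment above describes for the console (delegated administrator from the management account, member status and findings export from the administrator account) can be scripted against the GuardDuty API. This is an added example, not code from the answer or from AWS; the account IDs and bucket ARN in the sample data are constructed, and the `assess` function takes API response items as plain dicts so it runs without credentials. Findings export and member status are per Region, so run it once per Region you care about.

```python
"""Three signals decide whether GuardDuty findings are centralized here (per Region):
1) this account is the ENABLED delegated administrator (listed from the organization's
management account), 2) every member shows RelationshipStatus "Enabled", and
3) an S3 findings-export destination is in status PUBLISHING."""
import json

def assess(this_account, admin_accounts, members, destinations):
    """Pure check over GuardDuty API response items; makes no AWS calls, so it runs offline."""
    delegated = {a["AdminAccountId"] for a in admin_accounts if a.get("AdminStatus") == "ENABLED"}
    enabled = sorted(m["AccountId"] for m in members if m.get("RelationshipStatus") == "Enabled")
    stragglers = sorted((m["AccountId"], m.get("RelationshipStatus", "?"))
                        for m in members if m.get("RelationshipStatus") != "Enabled")
    exports = [d["DestinationProperties"]["DestinationArn"] for d in destinations
               if d.get("DestinationType") == "S3" and d.get("Status") == "PUBLISHING"]
    return {
        "is_delegated_admin": this_account in delegated,
        "enabled_members": enabled,
        "members_not_enabled": stragglers,  # e.g. still "Invited" or "Disabled"
        "s3_exports": exports,
        "centralized": this_account in delegated and bool(enabled) and not stragglers and bool(exports),
    }

def list_delegated_admins(mgmt_session, region):
    """Needs organization management-account credentials (a boto3.Session)."""
    gd = mgmt_session.client("guardduty", region_name=region)
    return gd.list_organization_admin_accounts().get("AdminAccounts", [])

def collect_admin_view(admin_session, region):
    """Run with credentials of the account you expect to be the delegated administrator."""
    gd = admin_session.client("guardduty", region_name=region)
    me = admin_session.client("sts", region_name=region).get_caller_identity()["Account"]
    members, destinations = [], []
    for det in gd.list_detectors()["DetectorIds"]:
        members += gd.list_members(DetectorId=det, OnlyAssociated="false")["Members"]
        for d in gd.list_publishing_destinations(DetectorId=det)["Destinations"]:
            destinations.append(gd.describe_publishing_destination(
                DetectorId=det, DestinationId=d["DestinationId"]))
    return me, members, destinations

# Constructed sample responses (IDs and bucket are made up); swap in the live collectors above.
SAMPLE_ADMINS = [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]
SAMPLE_MEMBERS = [{"AccountId": "222222222222", "RelationshipStatus": "Enabled"},
                  {"AccountId": "333333333333", "RelationshipStatus": "Invited"}]
SAMPLE_DESTS = [{"DestinationType": "S3", "Status": "PUBLISHING",
                 "DestinationProperties": {"DestinationArn": "arn:aws:s3:::example-gd-findings"}}]

if __name__ == "__main__":
    print(json.dumps(assess("111111111111", SAMPLE_ADMINS, SAMPLE_MEMBERS, SAMPLE_DESTS), indent=2))
```

With the sample data the result is not centralized because one member is still "Invited"; a member that never accepted keeps its findings in its own account.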

0

  1. Navigate to GuardDuty in the main account (payer) in your organization. Choose Settings, and you will see which account is the Delegated Administrator.
  2. Log in to that account and go to the GuardDuty console.
  3. Choose Settings, Accounts. You will see a list of every account in the organization, and if GuardDuty is enabled.
  4. You will have to repeat this for each Region you want GuardDuty enabled in.

You can enable Export findings from the GuardDuty administrator account. It will include the findings from all associated member accounts that are generated in that Region. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html?icmpid=docs_gd_help_panel

AWS
answered a year ago
0

Amazon GuardDuty supports the consolidation of these findings into one AWS account to support centralized log management. You must choose one of your AWS accounts to be the central log account for GuardDuty. There are two ways to associate accounts:

  1. By sending an invitation through GuardDuty. Additionally, for multiple accounts, you can add child accounts by using “Upload List (.csv)”.
  2. Through an AWS Organization that all accounts are members of.

Once the child accounts have accepted the invitation, all the findings logged in the secondary account will now be sent to the central log account.

After that, look back in the GuardDuty central log account; the status of the invited account will now be “Enabled”.

All GuardDuty logs will be stored in the central log account, in an S3 bucket of the central log account.

For more detail, please visit https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html.

AWS
answered a year ago
