How does GuardDuty work in a Shared VPC?
- How will Guard Duty work with a Shared VPC?
- Who get's to see the findings?
- What will happen if the VPC owner has enabled Guard Duty but the participant hasn’t’?
- What’s the best practice?
This topic came up a few times already - I'm using this post to document the answer from the GuardDuty & VPC service teams.
- Newest
- Most votes
- Most comments
The general recommendation is that all participants and the owner of the Shared VPC should have Guard Duty enabled.
By default, any GuardDuty findings will only be available to the account which owns the resource against which malicious activity was detected. For example, if there are findings against an EC2 instance owned by a Shared VPC participant then only that participant AWS account will see those findings. The owner of the Shared VPC will not have access to findings related to participant resources.
If findings need to be shared across accounts customers can follow the standard administrator/member deployment model: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html
If a participant hasn’t turned on GuardDuty but the owner has it running then no findings will be generated against that participants resources. Any findings against owner resources will still be generated as usual and sent to the owner account.
Relevant content
- asked 9 months ago
- asked 9 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
