1 Answer
2
Hi,
Did you think of implementing the architecture described in this blog post: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/
It demonstrates how to use GuardDuty with a central account to which all findings from GuardDuty in other accounts are routed. So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub.
Best,
Didier
Hi Didier,
The article you sent is to "Enable GuardDuty in a master account and invite member accounts." I essentially did a variation of that, following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.
"So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."
This is the issue. The routing part to the master Security Hub doesn't seem to be working, which is what I am puzzled about.
Thanks, Brian
After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why, though, because according to the AWS documentation, "This section doesn't apply to you if you use central configuration" (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html), but it looks like that section DOES apply if you want to have GuardDuty findings from member accounts being sent to the master account that has Security Hub.
Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier