How to forward GuardDuty findings from member accounts to Security Hub in a delegated administrator account?

1

I have a use case where I'd like to centralise GuardDuty findings from multiple member accounts into the Security Hub of one account. Let's call it the Audit account.

  • I set up AWS Organizations with a delegated administrator account for GuardDuty and Security Hub, called the Audit account.
  • That Audit account does successfully receive GuardDuty findings from member accounts.
  • GuardDuty in the member accounts successfully forwards findings to Security Hub in those same member accounts.
  • The GuardDuty in the Audit account does forward local GD findings to the Security Hub in the Audit account.

Issues:

  • The GuardDuty in the Audit account DOES NOT forward member GD findings to the Security Hub in the Audit account.
  • The Security Hub in the Member account DOES NOT forward GD findings to the Security Hub in the Audit account.

See below for a visual representation:


I may just completely lack knowledge about this or have not set something up correctly. But I believe I followed everything correctly in the docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) and would like some help solving this problem / gaining a better understanding of why it's not working. Thank you.

Brian
Asked 4 months ago, viewed 251 times
1 answer
3
Accepted answer

Hi,

Did you think of implementing the architecture described in this blog post: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/

It demonstrates how to use GuardDuty with a central account to which all findings from GuardDuty in other accounts are routed. So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub.

Best,

Didier

AWS Expert
Answered 4 months ago
Reviewed by an Expert 11 days ago
Reviewed by an Expert 1 month ago
  • Hi Didier,

    The article you sent is to "Enable GuardDuty in a master account and invite member accounts," I essentially did a variation of that following https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html. In my original post I explained that centralising GuardDuty findings in a delegated administrator / master account does work fine.

    "So, if you create the central account in the account where your Security Hub is located, you should achieve what you need. The central account will receive the findings from other accounts and route them to the hub."

    This is the issue. The routing part to the master security hub doesn't seem to be working which is what I am puzzled about.

    Thanks, Brian

  • After experimenting with the "invite account" I found it solved the problem. I still don't understand exactly why though because according to the AWS documentation "This section doesn't apply to you if you use central configuration." (https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html) but it looks like that section DOES apply if you want to have guardduty findings from member accounts being sent to the master account that has Security Hub.

  • Hi Brian, glad that you finally found a solution. Thanks for accepting my answer! Didier
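A diagnostic for the two symptoms in this thread (member GuardDuty findings not appearing in the Audit account's Security Hub, and the fix of inviting the account into Security Hub). This is an added example, not code from the original post or from AWS; the account IDs, the sample GetFindings and ListMembers responses, and the set of MemberStatus values treated as "associated" are constructed assumptions. The pure functions run offline; only `run_live` needs boto3 and credentials for the Audit account.

```python
"""Check whether the Security Hub in the delegated administrator ("Audit")
account is receiving GuardDuty findings from every member account, and whether
each GuardDuty member is also an associated Security Hub member.

Added example for this thread, not code from the original post or from AWS.
The account IDs and the sample API responses below are constructed.
"""
from collections import Counter

# ProductArn that Security Hub assigns to GuardDuty findings:
#   arn:aws:securityhub:<region>::product/aws/guardduty
GUARDDUTY_PRODUCT_SUFFIX = "::product/aws/guardduty"

# Security Hub MemberStatus values treated as "associated with the admin".
# Assumption: "Enabled" (organization-managed) and "Associated" (accepted invite).
ASSOCIATED_STATUSES = {"Enabled", "Associated"}


def guardduty_filter():
    """GetFindings filter for active GuardDuty findings, in the API's StringFilter shape."""
    return {
        "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    }


def findings_by_account(findings):
    """Count GuardDuty findings per AwsAccountId, ignoring other products."""
    counts = Counter()
    for finding in findings:
        if finding.get("ProductArn", "").endswith(GUARDDUTY_PRODUCT_SUFFIX):
            counts[finding["AwsAccountId"]] += 1
    return dict(counts)


def diagnose(findings, admin_account_id, member_account_ids):
    """Report which members have no GuardDuty findings visible in the admin hub.

    A member with zero findings is the symptom from the question: its GuardDuty
    may be forwarding only to its own local Security Hub.
    """
    counts = findings_by_account(findings)
    return {
        "admin_local_findings": counts.get(admin_account_id, 0),
        "members_without_findings": sorted(
            m for m in member_account_ids if counts.get(m, 0) == 0
        ),
        "counts": counts,
    }


def unassociated_members(guardduty_member_ids, securityhub_members):
    """GuardDuty members that are not associated Security Hub members.

    securityhub_members is the Members list returned by securityhub ListMembers.
    """
    associated = {
        m["AccountId"] for m in securityhub_members
        if m.get("MemberStatus") in ASSOCIATED_STATUSES
    }
    return sorted(set(guardduty_member_ids) - associated)


def run_live(region, detector_id):
    """Live version run from the Audit account; requires boto3 and credentials."""
    import boto3  # imported here so the pure functions above run offline

    sh = boto3.client("securityhub", region_name=region)
    gd = boto3.client("guardduty", region_name=region)
    findings = []
    for page in sh.get_paginator("get_findings").paginate(Filters=guardduty_filter()):
        findings.extend(page["Findings"])
    gd_members = [m["AccountId"] for m in gd.list_members(DetectorId=detector_id)["Members"]]
    sh_members = sh.list_members(OnlyAssociated=False)["Members"]
    admin = boto3.client("sts").get_caller_identity()["Account"]
    return diagnose(findings, admin, gd_members), unassociated_members(gd_members, sh_members)


# Constructed sample: Audit account 111111111111, members 222222222222 and 333333333333.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty"},
    {"AwsAccountId": "222222222222",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty"},
    {"AwsAccountId": "222222222222",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty"},
    # 333333333333 only shows up via a Security Hub standards control, not GuardDuty
    {"AwsAccountId": "333333333333",
     "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/securityhub"},
]
SAMPLE_GD_MEMBERS = ["222222222222", "333333333333"]
SAMPLE_SH_MEMBERS = [
    {"AccountId": "222222222222", "MemberStatus": "Enabled"},
    {"AccountId": "333333333333", "MemberStatus": "Created"},  # never invited or associated
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_FINDINGS, "111111111111", SAMPLE_GD_MEMBERS))
    print(unassociated_members(SAMPLE_GD_MEMBERS, SAMPLE_SH_MEMBERS))
```

On the constructed sample, member 333333333333 is a GuardDuty member with no GuardDuty findings in the Audit hub and no associated Security Hub membership, which is the combination the thread's "invite account" step resolved. Run `run_live` with the Audit account's region and GuardDuty detector ID to get the same two reports from real data.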
