Enabling Operationalization of GuardDuty Findings

Many organizations have established Security Programs that include a Security Information and Event Management solution or application such as Splunk, Elasticsearch, logz.io, etc. One of the first steps to enable the security team to respond to issues is ensuring they know the issues exist.

Enabling a delegated administrator account for GuardDuty management separate from the Organization Master account would be recommended. This is done to keep the integrity of the Org account by reducing users need to even authenticate to it. Once an account has been designated the delegated administrator and all members accounts have been integrated, the admin account will be the only one that can do any suppression of findings.

At this point, the findings for all joined accounts will show as findings in the admin account. Thanks to this, EventBridge can be leveraged to provide further maturity of the solution by integrating it further with existing SIEM architecture.

In the delegated admin account (shown as Security Operations Account above), enable a EventBridge rule to capture all GuardDuty findings. By nature of the design, it will capture the events from all member accounts.

By selecting Event bus in another AWS account and supplying the account number for the Central Logging account, the matched events from all accounts will be sent to a central location for aggregation.

Repeating this step in the Central Logging account, choosing an SQS queue, Kinesis Firehose, or SNS for email notification/ingestion will allow the integration with an existing SIEM.

Modernizing companies’ AWS security and governance programs at scale.