Amazon GuardDuty is an AWS threat detection service that continuously monitors AWS accounts and workloads for malicious activity and anomalous behavior, in order to protect AWS accounts, workloads, and data.
In this post we will see how to activate Amazon GuardDuty across multiple accounts and multiple regions.
When you have multiple accounts, the first account created on AWS is the "management account". AWS Organizations uses that account as the management account (or payer account, the one that pays the bills of the other accounts), which gives it the ability to create and financially manage member accounts.
We will use GuardDuty together with AWS Organizations to discover all the accounts in the organization (if there are several).
As a best practice, we will also have a dedicated account for the security part.
When initializing GuardDuty we have the option to delegate GuardDuty administration to another account (in our case the Security account).
In the delegated administrator account we then have the option to enable GuardDuty on the other accounts, and also to auto-enable it for new member accounts, with different options.
And, voilà! GuardDuty is now enabled on the different accounts (it can take up to 24h before all the data appears in the console).
But... wait, it's only activated in one region. How do we enable it in another region?
We have to go back to the management account and activate the second region with the same delegated administrator account; after that we can (again) activate GuardDuty from the security account on all the project accounts of region 2.
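The same two steps, scripted with the AWS CLI so they are repeated for every region instead of being clicked through twice. This is an added example, not part of the original post; the security account id, the region list, and the two CLI profiles named `management` and `security` are placeholders, and the default `DRY_RUN=1` only prints the commands.

```shell
#!/bin/sh
# Added example: GuardDuty rollout (delegate admin, then auto-enable members), once per region.
# Placeholders (not from the post): SECURITY_ACCOUNT_ID, REGIONS, profiles "management"/"security".
set -eu

SECURITY_ACCOUNT_ID="${SECURITY_ACCOUNT_ID:-111122223333}"   # placeholder account id
REGIONS="${REGIONS:-eu-west-1 eu-west-3}"                    # placeholder region list
DRY_RUN="${DRY_RUN:-1}"                                      # 1 = print only, 0 = execute

# run CMD...: print the command, and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 1, from the management account: delegate GuardDuty administration
# for ONE region (delegation is regional, hence the loop below).
delegate_admin() {   # $1 = region
    run aws guardduty enable-organization-admin-account \
        --profile management --region "$1" \
        --admin-account-id "$SECURITY_ACCOUNT_ID"
}

# Look up the security account's detector id in this region (needed for step 2).
# In dry-run mode a placeholder is returned so the flow can still be walked through.
detector_id() {   # $1 = region
    if [ "$DRY_RUN" = "1" ]; then
        echo "DETECTOR_ID_PLACEHOLDER"
    else
        aws guardduty list-detectors --profile security --region "$1" \
            --query 'DetectorIds[0]' --output text
    fi
}

# Step 2, from the delegated security account: enable GuardDuty for all
# existing member accounts and auto-enable it for accounts that join later.
auto_enable_members() {   # $1 = region, $2 = detector id
    run aws guardduty update-organization-configuration \
        --profile security --region "$1" \
        --detector-id "$2" \
        --auto-enable-organization-members ALL
}

# The lesson of the post: both steps are per region, so repeat them for each one.
rollout_all_regions() {
    for region in $REGIONS; do
        delegate_admin "$region"
        auto_enable_members "$region" "$(detector_id "$region")"
    done
}

rollout_all_regions
```

Run with `DRY_RUN=0` and valid profiles to actually apply it; the management account must have GuardDuty organization trusted access enabled first, which the console flow above does for you.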
If you have any comments or observations on how to do better, feel free to comment below.
Thanks to Hugo for the idea