Using Stax-managed GuardDuty
Amazon GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior within your AWS accounts. It also detects compromised AWS resources.
As part of Stax's well-architected foundation, Stax allows you to implement and manage Amazon GuardDuty. As a baseline, Stax configures the following for you:
- Enabled for all accounts and regions in the AWS Organization
- Security account designated as the delegated administrator
- All findings in the AWS Organization centralized in the Security Account in your Stax Installation Region
- All findings exported to an S3 bucket in the Logging Account*
In addition to this, Amazon GuardDuty also offers protection plans, which analyse non-foundational data sources for potential security threats. Stax allows you to configure these plans, as well as set the findings export frequency for all GuardDuty findings. The plans and settings that can be configured within Stax are:
- EKS Protection
- Lambda Protection
- Malware Protection
- RDS Protection
- S3 Protection
- Frequency for updated findings
If you choose to enable these plans, ensure you are aware of the pricing dimensions for Amazon GuardDuty.
*If you have an existing S3 bucket configured as your publishing destination, this S3 bucket will be utilised instead.
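The baseline above (detector enabled in every region, Security account as delegated administrator, findings exported to S3, chosen protection plans and export frequency) is something you can verify independently of the Stax console. The following is an added example, not Stax's own tooling: it evaluates a per-region snapshot of GuardDuty settings against that baseline. The snapshot structure is a simplification of my own, with field names borrowed from the GuardDuty GetDetector, ListOrganizationAdminAccounts and ListPublishingDestinations API responses; the mapping of plan names to API feature names is also an assumption, and the account id and regions in the sample data are constructed.

```python
# Feature names the GuardDuty API uses for the protection plans listed above (assumed mapping).
PLAN_FEATURES = {"EKS Protection": "EKS_AUDIT_LOGS", "Lambda Protection": "LAMBDA_NETWORK_LOGS",
                 "Malware Protection": "EBS_MALWARE_PROTECTION", "RDS Protection": "RDS_LOGIN_EVENTS",
                 "S3 Protection": "S3_DATA_EVENTS"}

def check_region(region, snap, security_account, plans, frequency):
    """Return the baseline deviations in one region's snapshot (empty list if compliant)."""
    det = snap.get("detector") or {}
    if det.get("Status") != "ENABLED":
        return [f"{region}: no enabled detector"]  # nothing else is meaningful without one
    issues = []
    if snap.get("admin_account") != security_account:
        issues.append(f"{region}: delegated admin is {snap.get('admin_account')}, expected {security_account}")
    got = det.get("FindingPublishingFrequency")
    if got != frequency:
        issues.append(f"{region}: export frequency {got}, expected {frequency}")
    enabled = {f["Name"] for f in det.get("Features", []) if f.get("Status") == "ENABLED"}
    for plan in plans:
        if PLAN_FEATURES[plan] not in enabled:
            issues.append(f"{region}: {plan} ({PLAN_FEATURES[plan]}) is not enabled")
    if not any(d.get("DestinationType") == "S3" and d.get("Status") == "PUBLISHING"
               for d in snap.get("destinations", [])):
        issues.append(f"{region}: findings are not publishing to an S3 destination")
    return issues

def check_baseline(snapshots, security_account, plans, frequency):
    """Apply check_region to every region and return all issues, ordered by region name."""
    return [i for r in sorted(snapshots)
            for i in check_region(r, snapshots[r], security_account, plans, frequency)]

def _snap(admin, freq, features, dest_status):  # builds a constructed per-region snapshot
    return {"admin_account": admin,
            "detector": {"Status": "ENABLED", "FindingPublishingFrequency": freq,
                         "Features": [{"Name": n, "Status": s} for n, s in features.items()]},
            "destinations": [{"DestinationType": "S3", "Status": dest_status}]}

# Constructed sample: a compliant region, a drifted region, and a region with GuardDuty off.
SECURITY_ACCOUNT = "111111111111"  # placeholder account id, not a real account
SAMPLE = {
    "ap-southeast-2": _snap(SECURITY_ACCOUNT, "SIX_HOURS",
                            {"S3_DATA_EVENTS": "ENABLED", "EKS_AUDIT_LOGS": "ENABLED"}, "PUBLISHING"),
    "us-east-1": _snap(SECURITY_ACCOUNT, "ONE_HOUR",
                       {"S3_DATA_EVENTS": "DISABLED", "EKS_AUDIT_LOGS": "ENABLED"}, "STOPPED"),
    "eu-west-1": {"admin_account": SECURITY_ACCOUNT, "detector": {"Status": "DISABLED"}, "destinations": []},
}

if __name__ == "__main__":
    for line in check_baseline(SAMPLE, SECURITY_ACCOUNT, ["S3 Protection", "EKS Protection"], "SIX_HOURS"):
        print(line)
```

Running this against snapshots collected from the Security account in each enabled region surfaces drift from the baseline, such as a protection plan switched off or an export destination that has stopped publishing, before it shows up as a gap in your findings.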
Before You Begin
- Estimated time to complete: 10 minutes (Deployment can take a few minutes or up to 2 hours depending on the number of in-scope accounts)
- Ensure you are a member of the Admin role in your Stax tenancy
- Ensure you are authorized to override any existing configurations of GuardDuty
Configure GuardDuty
- Log in to the Stax Console
- Click Organization in the left-hand nav
- Choose Foundation Services in the sub-menu, beneath Service Control Policies, then Get Started on the Stax-managed GuardDuty tile
- Review the changes that will be made as a result of configuring the service, then choose Continue
- Select the checkbox to confirm you will be overriding any existing GuardDuty configuration
- Optional: Choose the protection plans you wish to enable, and the findings export frequency
- Choose Configure
Amazon GuardDuty will take some time to configure depending on the number of AWS accounts you have. Once configured, Stax-managed GuardDuty will transition from Configuring to Active on the Foundation Services page.
Update Amazon GuardDuty Configuration
Once you have configured Stax-managed GuardDuty, you can enable and disable the protection plans offered in Amazon GuardDuty and alter the findings export frequency.
- On the Foundation Services page, choose the settings cog on the Stax-managed GuardDuty tile
- Click on the Edit icon next to Settings
- Enable or disable a protection plan by clicking the toggle. Alternatively, adjust the findings export frequency by clicking the respective radio button
- Click Save
Amazon GuardDuty will take some time to configure depending on the number of AWS accounts you have. Once configured, Stax-managed GuardDuty will transition from Configuring to Active on the Foundation Services page.
View Amazon GuardDuty Findings
To view findings from Amazon GuardDuty, you will need to log into the Security account in the aggregation region that Stax has configured for you.
Before you can log in to the account, you must be a member of a group that grants you appropriate access to the Security foundation account.
- Choose Accounts in the left-hand nav
- Click the log in button next to your organization's Security foundation account
- Choose the role you wish to assume. The AWS Management Console will open in a new tab
- Switch to your organization's aggregation region. The aggregation region is the AWS region in which your Stax Installation Region resides
- Navigate to the Amazon GuardDuty service to review the findings for your organization's accounts