# Manage GuardDuty At Enterprise Scale

- Deploy a Lambda to enable GuardDuty for new accounts.
- Deploy a Lambda to take GuardDuty CloudWatch Events and forward them to a Splunk HTTP Event Collector (HEC) of your choice.

More stuff to come later, like Splunk forwarding or Security Hub. Maybe....
## Deploying the Lambda that enables GuardDuty for new accounts

- Install cftdeploy:
  ```
  pip3 install cftdeploy
  ```
- Make the manifest:
  ```
  make BUCKET=SETME enable-manifest
  ```
- Edit the manifest:
  - Remove the lines for `pLambdaZipFile` and `pDeployBucket`, as they will be set by the Makefile.
  - Add the role name for listing accounts in the payer (`pAuditRole`) and for accepting the invite in the child (`pAcceptRole`).
  - Add an SES-enabled email address for the `pEmailFrom` and `pEmailTo` parameters.
  - Replace `None` with the new-account topic if you want to subscribe the Lambda to a new-account topic.
- Validate the manifest:
  ```
  make BUCKET=SETME enable-validate-manifest
  ```
- Deploy!
  ```
  make BUCKET=SETME enable-deploy
  ```
## Forwarding GuardDuty findings to Splunk

- Create a secret in AWS Secrets Manager. By default the secret is named `GuardDutyHEC` and located in `us-east-1`. The format of the secret should be:
  ```json
  {
    "HECToken": "2SOMETHING-THAT-SHOULD-BE-SECRET",
    "HECEndpoint": "https://hec.endpoint.yourcompany.com:8088/services/collector/event"
  }
  ```
- Deploy it everywhere via the `deploy_splunk_to_all_regions.sh` script:
  ```
  ~/aws-guardduty-enterprise$ ./scripts/deploy_splunk_to_all_regions.sh
  ```
  The script will deploy a CloudFormation stack in each region named `GuardDuty2Splunk-$region` and wait for a successful deployment before proceeding to the next region. Modify this script if you didn't use the default secret name or secret region, or if you want to name the Lambda or CFT something else.
- You can remove the stacks in each region with the `./scripts/delete_splunk_stack_in_all_regions.sh` shell script.

Note: There is no update script at the moment. Sorry.....
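A minimal forwarder Lambda for the secret format above, added here as an illustration and not the code of this repository; the Splunk sourcetype, the constructed sample event and the shape of the HEC envelope are assumptions, while the secret name, region and keys are the README defaults:

```python
import json
import urllib.request
from datetime import datetime

SECRET_NAME, SECRET_REGION = "GuardDutyHEC", "us-east-1"  # README defaults
SOURCETYPE = "aws:guardduty"   # assumed Splunk sourcetype; adjust to taste

# Constructed sample GuardDuty CloudWatch Event (trimmed; not a real finding).
SAMPLE_EVENT = {
    "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "time": "2019-03-12T17:20:10Z", "region": "us-east-1",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
               "id": "constructed-finding-id"},
}

def parse_hec_secret(secret_string):
    """Validate the Secrets Manager JSON and return (endpoint, token)."""
    secret = json.loads(secret_string)
    missing = {"HECToken", "HECEndpoint"} - set(secret)
    if missing:
        raise ValueError(f"secret is missing keys: {sorted(missing)}")
    if not secret["HECEndpoint"].startswith("https://"):
        raise ValueError("HECEndpoint must use https so the token is not sent in clear")
    return secret["HECEndpoint"], secret["HECToken"]

def build_hec_payload(cw_event):
    """Wrap the CloudWatch Event in the HEC envelope; the finding stays in 'event'."""
    # CloudWatch Events carry an ISO-8601 timestamp; HEC expects epoch seconds.
    ts = datetime.fromisoformat(cw_event["time"].replace("Z", "+00:00"))
    return {
        "time": ts.timestamp(),
        "host": cw_event["account"],
        "source": "guardduty:" + cw_event["region"],
        "sourcetype": SOURCETYPE,
        "event": cw_event["detail"],
    }

def post_to_hec(endpoint, token, payload):
    # The token travels only in the Authorization header, never in the URL or body.
    req = urllib.request.Request(
        endpoint, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run without boto3
    sm = boto3.client("secretsmanager", region_name=SECRET_REGION)
    endpoint, token = parse_hec_secret(sm.get_secret_value(SecretId=SECRET_NAME)["SecretString"])
    return post_to_hec(endpoint, token, build_hec_payload(event))
```

The Lambda's execution role needs `secretsmanager:GetSecretValue` on that one secret only; nothing else in the function touches AWS.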
## SNS message format

The message published to SNS (the new-account topic the Lambda is subscribed to) must contain the following elements:

```
message = {
    'account_id': 'string',
    'dry_run': true|false,   # optional; if unspecified, dry_run=false
    'region': ['string'],    # optional; if unspecified, runs all regions
}
```