Configure GuardDuty with a single account

You can configure Amazon GuardDuty® to send the necessary logs to Arctic Wolf® for security monitoring if you have a single account or multiple single accounts without AWS Organizations.

These resources are required:

  • A single AWS account, or multiple single AWS accounts without AWS Organizations
  • An AWS user or Identity and Access Management (IAM) role with AdministratorAccess or an equivalent IAM policy
  • Access to the AWS Management Console
  • Access to the GuardDuty console
Optional: Complete additional AWS configurations. For more information, see Configure AWS for Arctic Wolf monitoring.

Create the base stack

Note: If the AWS CloudTrail stack exists on this account already, you do not need to create the base stack.
  1. Complete Configure CloudTrail monitoring with no existing trails.
  2. When the stack has a status of CREATE_COMPLETE, navigate to CloudTrail.
  3. Select the newly created trail, and then delete it.
    The trail was required to deploy GuardDuty configurations, and it is no longer needed.

Create a dedicated S3 bucket for GuardDuty findings

  1. Sign in to the AWS Management Console.
  2. In the navigation menu, click the current AWS region, and then change the region to where you want to create a bucket.
  3. In the navigation menu, click Buckets.
  4. Click Create bucket.
    The Create bucket page opens.
  5. In the Bucket name field, enter a name similar to awn-guardduty-logs-bucket-account_id-region, where account_id is the 12-digit ID number of your current AWS account and region is the region of the S3 bucket.
    Note: Do not change the other default settings.
  6. Click Create bucket.

Configure findings for each region that has GuardDuty enabled

For each region that has GuardDuty monitoring enabled, complete these steps:

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings.
  3. In the Findings export options section, in the Frequency section, click Edit, and then select 15 minutes.
  4. Click Save changes.
  5. In the Findings export options section, in the S3 Bucket section, click Configure now.
  6. In the S3 bucket ARN field, enter the ARN of the bucket that you created in Create a dedicated S3 bucket for GuardDuty findings.
  7. In the KMS key ARN field, enter the ARN of the AWNKMSKey.
  8. Click Save.
    Note: If you receive an error about the policy, follow the steps and apply the policy according to the instructions in the error message.

Enable S3 protection

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings > S3 Protection.
  3. Select the S3 Protection is enabled on this account checkbox.

Enable EKS protection for a single account

Complete these steps for each of the Amazon GuardDuty accounts that you want Arctic Wolf to monitor.

Tip:
  1. Sign in to the GuardDuty console with administrator permissions.
  2. In the navigation menu, click Settings > Kubernetes protection.
  3. If you see a notice similar to Kubernetes Audit Logs Monitoring is not enabled for this account, click Enable to enable EKS protection.

Launch the S3 CloudFormation stack

  1. Sign in to the AWS Management Console with the log archive account.
  2. Navigate to CloudFormation.
  3. On the CloudFormation page, click Create stack > With new resources (standard).
  4. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  5. In a new browser tab, go to the Arctic Wolf Unified Portal, copy the Simple Storage Service (S3) logs link, and then paste it into the Amazon S3 URL field.
  6. Click Next.
  7. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.
    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.
  8. In the Parameters section, in the bucketName field, enter the name of the S3 bucket used to save logs.
  9. Keep the prefixPath field empty when using a dedicated bucket.
    Note: When entering the prefixPath value, do not include a trailing slash, /.
  10. If the logs use encryption that is different from the AWNKMSKey, enter the ARN of the KMS key in the kmsKey field.
    Note: If the KMS key is located in a different account from the account you are deploying the CloudFormation stack in, contact your Concierge Security® Team (CST) for configuration guidance.
  11. Click Next.
    You are redirected to the Configure stack options page. Do not make change son this page.
  12. Click Next.
  13. On the Review page, read the Capabilities section.
  14. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  15. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  16. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  17. Contact your CST® to verify that Arctic Wolf is processing logs from your S3 bucket.

Generate sample findings

Generate a sample finding for each finding type to make sure that Arctic Wolf is receiving data.

  1. Sign in to the GuardDuty console with the same account that you used to set up Arctic Wolf configurations.
  2. In the navigation menu, click Settings.
  3. On the Settings page, in the Sample findings section, click Generate sample findings.
  4. In the navigation menu, click Findings.
    Sample findings are displayed with the prefix [SAMPLE].