Configure GuardDuty with AWS Control Tower

You can configure Amazon GuardDuty for multiple accounts with AWS Control Tower if exporting to S3 is not configured.

These resources are required:

Note: For most environments, the base stack adds the permissions needed to the newly created log bucket. However, AWS Control Tower guardrails prevent the base stack from adding the necessary policy.
Optional: Complete additional AWS configurations. For more information, see Configure AWS for Arctic Wolf monitoring.

Create a dedicated S3 bucket for GuardDuty findings

  1. Sign in to the AWS Management Console with the log archive account.
  2. In the navigation menu, click the current AWS region, and then change the region to where you want to create a bucket.
  3. In the navigation menu, click Buckets.
  4. Click Create bucket.
    The Create bucket page opens.
  5. In the Bucket name field, enter a name similar to awn-guardduty-logs-bucket-account_id-region, where account_id is the 12-digit ID number of your current AWS account and region is the region of the S3 bucket.
    Note: Do not change the other default settings.
  6. Click Create bucket.

Configure the Control Tower GuardDuty Security account to export logs

Note: This section uses AWS Control Tower best practices. For more information, see Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator.
  1. Sign in to the AWS Management Console with the audit account.
  2. Navigate to the GuardDuty console.
  3. In the navigation menu, click Settings.
  4. In the Findings export options section, in the Frequency section, click Edit, and then select 15 minutes.
  5. Click Save changes.
  6. In the Findings export options section, in the S3 Bucket section, click Configure now.
  7. In the S3 bucket ARN field, enter the ARN of the bucket that you created in Create a dedicated S3 bucket for GuardDuty findings.
  8. In the KMS key ARN field, enter the ARN of the AWNKMSKey.
  9. Click Save.
    Note: If you receive an error about the policy, follow the steps and apply the policy according to the instructions in the error message.

Attach policies to the S3 bucket and KMS key

  1. Sign in to the AWS Management Console with the delegated GuardDuty administrator account.
  2. Navigate to the GuardDuty console.
  3. In the navigation menu, click Settings.
  4. In the Attach Policy section, copy the required policy and attach it to the selected S3 bucket that you specified in the previous step.
  5. Copy the required policy and attach it to the selected KMS Key that you specified in the previous step.
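The bucket naming rule from Create a dedicated S3 bucket for GuardDuty findings and the policies this section tells you to copy from the console, as an added example that is not Arctic Wolf's or AWS's own code: it builds the bucket policy and the KMS key policy statement in the shape AWS documents for GuardDuty findings export (the guardduty.amazonaws.com principal pinned to the delegated administrator's detector through aws:SourceAccount and aws:SourceArn, KMS-encrypted uploads only, TLS only) and checks a copied policy for those properties before you attach it. The account IDs, KMS key ARN and detector ID are constructed placeholders, and the policy shown in the GuardDuty console remains the authoritative one.

```python
import re

GD_SERVICE = {"Service": "guardduty.amazonaws.com"}

def guardduty_bucket_name(account_id: str, region: str) -> str:
    """Apply the awn-guardduty-logs-bucket-<account_id>-<region> naming convention."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit ID of the bucket owner account")
    return f"awn-guardduty-logs-bucket-{account_id}-{region}"

def source_condition(gd_account_id: str, region: str, detector_id: str) -> dict:
    # Pin the service principal to the delegated administrator's own detector (confused-deputy guard).
    return {"StringEquals": {"aws:SourceAccount": gd_account_id,
            "aws:SourceArn": f"arn:aws:guardduty:{region}:{gd_account_id}:detector/{detector_id}"}}

def build_bucket_policy(bucket: str, kms_key_arn: str, gd_account_id: str,
                        region: str, detector_id: str) -> dict:
    cond = source_condition(gd_account_id, region, detector_id)
    bucket_arn, objects = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow", "Principal": GD_SERVICE,
         "Action": "s3:GetBucketLocation", "Resource": bucket_arn, "Condition": cond},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow", "Principal": GD_SERVICE,
         "Action": "s3:PutObject", "Resource": objects, "Condition": cond},
        # Findings must arrive encrypted with the designated KMS key (the AWNKMSKey), never plaintext.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": GD_SERVICE,
         "Action": "s3:PutObject", "Resource": objects, "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        # No plaintext transport to the findings bucket from anyone.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [bucket_arn, objects], "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def build_kms_key_statement(kms_key_arn: str, gd_account_id: str, region: str, detector_id: str) -> dict:
    """Statement to add to the AWNKMSKey key policy so GuardDuty can encrypt findings with it."""
    return {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow", "Principal": GD_SERVICE,
            "Action": "kms:GenerateDataKey", "Resource": kms_key_arn,
            "Condition": source_condition(gd_account_id, region, detector_id)}

def is_hardened(policy: dict) -> bool:
    """Pre-attach check: every Allow for the GuardDuty service is pinned to a source account, TLS is enforced."""
    stmts = policy.get("Statement", [])
    allows = [s for s in stmts if s["Effect"] == "Allow" and s.get("Principal") == GD_SERVICE]
    pinned = all("aws:SourceAccount" in s.get("Condition", {}).get("StringEquals", {}) for s in allows)
    tls = any(s["Effect"] == "Deny" and s.get("Condition") == {"Bool": {"aws:SecureTransport": "false"}}
              for s in stmts)
    return bool(allows) and pinned and tls
```

The bucket name takes the log archive account ID, while the conditions take the account that owns the detector (the delegated GuardDuty administrator), because in Control Tower those are different accounts.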

Enable S3 protection

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings > S3 Protection.
  3. Select the S3 Protection is enabled on this account checkbox.

Enable EKS protection for multiple accounts

Complete these steps for each of the Amazon GuardDuty accounts that you want Arctic Wolf to monitor.

Note:
  • Only GuardDuty delegated administrator accounts can configure EKS protection in multi-account environments.
  • If you use AWS Organizations, this procedure automatically enables EKS protection for all new and existing accounts.
Tip:
  1. Sign in to the GuardDuty console with administrator permissions.
  2. In the navigation menu, click Settings > Kubernetes protection.
  3. Click Enable all to enable automatic EKS protection for new and existing member accounts.
  4. Click Update Settings.

Launch the S3 CloudFormation stack

  1. Sign in to the AWS Management Console with the log archive account.
  2. Navigate to CloudFormation.
  3. On the CloudFormation page, click Create stack > With new resources (standard).
  4. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  5. In a new browser tab, go to the Arctic Wolf Unified Portal, copy the Simple Storage Service (S3) logs link, and then paste it into the Amazon S3 URL field.
  6. Click Next.
  7. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.
    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.
  8. In the Parameters section, in the bucketName field, enter the name of the S3 bucket used to save logs.
  9. Keep the prefixPath field empty when using a dedicated bucket.
    Note: If you do enter a prefixPath value, do not include a trailing slash (/).
  10. If the logs use encryption that is different from the AWNKMSKey, enter the ARN of the KMS key in the kmsKey field.
    Note: If the KMS key is located in a different account from the account you are deploying the CloudFormation stack in, contact your Concierge Security® Team (CST) for configuration guidance.
  11. Click Next.
    You are redirected to the Configure stack options page. Do not make changes on this page.
  12. Click Next.
  13. On the Review page, read the Capabilities section.
  14. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  15. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  16. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  17. Contact your CST® to verify that Arctic Wolf is processing logs from your S3 bucket.

Generate sample findings

Generate a sample finding for each finding type to make sure that Arctic Wolf is receiving data.

  1. Sign in to the GuardDuty console with the same account that you used to set up Arctic Wolf configurations.
  2. In the navigation menu, click Settings.
  3. On the Settings page, in the Sample findings section, click Generate sample findings.
  4. In the navigation menu, click Findings.
    Sample findings are displayed with the prefix [SAMPLE].