Delegated admin with GuardDuty and Access Analyzer

2020.05.04

RSS feed

This post discusses the new Delegated Admin concept, which makes it easier to enable GuardDuty and Access Analyzer across an Organization.

With the release of GuardDuty in November 2017, AWS started down a bad path. GuardDuty is a great service that I recommend everyone use, but its use of an invite/accept dance in order to connect accounts was awkward. For every existing account, and for every new account, you’ve had to enable GuardDuty and then go through this multi-step process involving multiple accounts. Many have setup automation to do this (example here), but it is a frustrating burden AWS has placed on the customer instead of simplifying the process on their end.

When you contrast GuardDuty’s flow with the one-time CloudTrail configuration to get setup with an Organization Trail, you’re left scratching your head. Then AWS applied that same awkward invite/accept dance to Security Hub, so it seemed this was just how AWS wanted you to do things (although you could avoid much of the awkwardness by using CloudWatch Events as I discusssed here).

Then on March 30, 2020, AWS announced the concept of a Delegated Administrator for their Access Analyzer service (announcement here), followed by GuardDuty on April 24 (announcement here).

Creating a Delegated Admin for GuardDuty and Access Analyzer

The way this works is in the Organization Master account, for the GuardDuty and Access Analazyer services, you specify a Delegated Admin account. The screen shot below is of the GuardDuty service in one region in the Organization Master.

Organization master view of the GuardDuty service

Organization master view of the GuardDuty service

Contrast that screenshot with the view you get in a normal organization member account.

Organization member view of the GuardDuty service

Organization member view of the GuardDuty service

That new section in the Organization Master account allows you to specify another account, such as your dedicated Security account, to enable GuardDuty across your organization and for all new accounts in the org! This is basically the Organization Trail concept being applied to GuardDuty!!! No more invite/accept for accounts in your same org. You do unfortunately have to do this across all regions though.

This same concept is also used for Access Analyzer.

Organization master view of the Access Analyzer service

Organization master view of the Access Analyzer service

This is a little weird because the Organization specific configuration is within the services, as opposed to involving the Settings view of the Organization service, like you do for CloudTrail.

Organization master view of the Org Settings

Organization master view of the Org Settings

Configuring the Delegated Admin account

After setting my Security account as a Delegated Admin for both service, I then need to configure that account. In the GuardDuty service, I’ll see this new button.

Delegated Admin account view of GuardDuty

Delegated Admin account view of GuardDuty

Clicking “Enable” shows this pop-up, which you click, and now you’re done! No more Lambdas assuming roles across multiple accounts.

Delegated Admin account view of GuardDuty popup window

Delegated Admin account view of GuardDuty popup window

Similarly, for Access Analyzer, you create a new analyzer for you whole Organization.

Delegated Admin account view of Access Analyzer

Delegated Admin account view of Access Analyzer

Doing this from the command-line

From the command-line it looks like in the Org Master you run:

aws guardduty enable-organization-admin-account --admin-account-id SECURITY_ACCOUNT
aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
aws organizations register-delegated-administrator --account-id SECURITY_ACCOUNT --service-principal guardduty.amazonaws.com

aws organizations register-delegated-administrator --account-id SECURITY_ACCOUNT --service-principal access-analyzer.amazonaws.com
aws organizations enable-aws-service-access --service-principal access-analyzer.amazonaws.com

And in the Security account you run:

aws accessanalyzer create-analyzer --analyzer-name analyzer --type ORGANIZATION

# For each region...
# Create a detector and then get its detector ID
aws guardduty create-detector --enable
aws guardduty update-organization-configuration --detector-id DETECTOR_ID --auto-enable
aws guardduty create-members --detector-id DETECTOR_ID --account-details EXISTING_ACCOUNTS

Conclusion

This new concept is great as it removes much the burden that AWS had previously been putting on customers.




If you’re interested in learning more about AWS Security, I provide training, including remote training!