Manage GuardDuty At Enterprise Scale
- Deploy a Lambda to enable GuardDuty for new accounts.
- Deploy a Lambda to take GuardDuty CloudWatch Events and forward them to a Splunk HTTP Event Collector (HEC) of your choice.
More to come later, such as Splunk forwarding or Security Hub. Maybe....
- Install cfn-deploy
pip3 install cftdeploy
- Make the Manifest
make BUCKET=SETME enable-manifest
- Edit the Manifest
- Remove the lines for pLambdaZipFile and pDeployBucket as they will be set by the Makefile
- Add the role name for listing accounts in the payer (pAuditRole) and for accepting the invite in the child (pAcceptRole)
- Add an email address, delivered via SES, for the pEmailFrom and pEmailTo parameters
- Replace None with the new-account topic if you want to subscribe the Lambda to it
- Validate the manifest
make BUCKET=SETME enable-validate-manifest
- Deploy!
make BUCKET=SETME enable-deploy
This is deployed via the SAM application for Splunk logging. See the AWS Console page for more info.
The Makefile will deploy it to all regions.
- Install cfn-deploy
pip3 install cftdeploy
- Make the Manifest
make BUCKET=SETME splunk-manifest
- Edit the Manifest
- Set the HEC token and URL in the manifest
- Remove the region
- Deploy to all regions
make BUCKET=SETME splunk-deploy
The message published to SNS must contain the following elements:
message = {
'account_id': 'string',
'dry_run': true|false, # optional, if un-specified, dry_run=false
'region': ['string'], # optional, if un-specified, runs all regions
}
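As an added example (not code from this project), here is how the enable Lambda could parse that message out of the SNS event it receives and apply the defaults described above (dry_run=false, all regions when region is absent), rejecting malformed requests instead of silently doing nothing. The ALL_REGIONS list and the sample event are assumptions constructed for this example.

```python
import json

# Assumed for this example: the regions the Makefile deploys to. A real
# Lambda would take this list from its own configuration.
ALL_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]


def parse_enable_message(sns_event):
    """Extract enable-GuardDuty requests from an SNS-triggered Lambda event.

    Returns a list of dicts with account_id (str), dry_run (bool) and
    regions (list). Raises ValueError on a malformed message so a bad
    request fails loudly rather than enabling GuardDuty nowhere.
    """
    requests = []
    for record in sns_event.get("Records", []):
        body = record.get("Sns", {}).get("Message")
        if body is None:
            raise ValueError("record has no Sns.Message")
        try:
            msg = json.loads(body)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Message is not JSON: {exc}") from exc

        # AWS account IDs are exactly 12 digits; reject anything else.
        account_id = str(msg.get("account_id", ""))
        if not (account_id.isdigit() and len(account_id) == 12):
            raise ValueError(f"invalid account_id: {account_id!r}")

        # Optional: defaults to false (a real run), per the README.
        dry_run = msg.get("dry_run", False)
        if not isinstance(dry_run, bool):
            raise ValueError(f"dry_run must be true or false, got {dry_run!r}")

        # Optional: a list of region names; absent means every region.
        regions = msg.get("region")
        if regions is None:
            regions = list(ALL_REGIONS)
        elif not isinstance(regions, list) or not all(isinstance(r, str) for r in regions):
            raise ValueError(f"region must be a list of strings, got {regions!r}")
        unknown = [r for r in regions if r not in ALL_REGIONS]
        if unknown:
            raise ValueError(f"unsupported region(s): {unknown}")

        requests.append({"account_id": account_id, "dry_run": dry_run, "regions": regions})
    return requests


# Constructed sample event in the shape Lambda receives from an SNS subscription.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps(
    {"account_id": "123456789012", "region": ["us-west-2"]})}}]}

if __name__ == "__main__":
    print(parse_enable_message(SAMPLE_EVENT))
```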