By using AWS re:Post, you agree to the AWS re:Post Terms of Use

AWS GuardDuty - finding logs location

0

Hi.

I have some questions:

1.I have enabled GuardDuty in my Organization with Control Tower. About findings I see this: "Findings are automatically sent to EventBridge. You can also export findings to an S3 bucket. New findings are exported within 5 minutes. You can modify the frequency for updated findings below." So, I understand that Findings are sent to Eventbridge, but where? in my account I was not be able to see any EventBridge logs or something like that, is it visible or is unmanaged?

2.Also, I see an option for S3 bucket. As I implemented Control Tower I have Log Archive Account with 02 buckets: aws-controltower-logs- aws-controltower-s3-access-logs- So, for GuardDuty findings export, could I use the current s3 buckets in Log Archive account or it is recommended a new buckets?

3.-As I have Control Tower, I recevie sns notifications from Audit Account for events related to Config rules, Controls. Could I use the same sns notification for GuardDuty, or how could I enable something like that?

Thank you-

1 Answer
1

Hi Orlando,

1/ and 3/: For SNS notification rule, check this example for custom notifications from specific AWS service event types [1]. GuardDuty integrates with Amazon EventBridge, which can be used to send findings data to other applications and services for processing. With EventBridge you can use GuardDuty findings to initiate automatic responses to your findings by connecting finding events to targets such as AWS Lambda functions, Amazon EC2 Systems Manager automation and Amazon Simple Notification Service (SNS) [2].

2/: The S3 bucket used can be in the same account in which GuardDuty is enabled, or in a different AWS account. With multiple buckets you can define individual bucket features like bucket policy, S3 Versioning, S3 Object Lock, as documented here in Security best practices for Amazon S3 [3] . Also, GuardDuty recommends configuring settings to export findings because it allows you to export your findings to an S3 bucket for indefinite storage beyond the GuardDuty 90-day retention period. This allows you to keep records of findings or track issues within your AWS environment over time. [4]

[1] - https://repost.aws/knowledge-center/guardduty-eventbridge-sns-rule

[2] - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#setup-sns

[3] - https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

[4] - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html#setup-export

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions