1 Answer
Instead of manually creating the policies, you can use the Amazon GuardDuty console to generate sample policies for you.
- Navigate to the Amazon GuardDuty console. Choose Settings in the navigation pane.
- Under Findings export options, choose the frequency for updating findings.
- Under S3 bucket, choose Existing bucket.
- Select your bucket and choose View Policy. Copy that policy and apply it to your S3 bucket.
- You can leave Log file prefix as default (blank).
- For KMS, select your key alias and choose View Policy. Copy that policy and apply it to your KMS key. You want to add this to your key, rather than replace the one that is there. For example:
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/Admin"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:guardduty:us-west-2:<account_ID>:detector/<detectorID>",
                    "aws:SourceAccount": "<account_ID>"
                }
            }
        }
    ]
}
- Then choose Save.
answered 2 years ago
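As an added illustration (not code from the answer above or from AWS), a small Python helper that merges the GuardDuty statement into an existing key policy without dropping the statements already there, and then checks that the grant carries the aws:SourceAccount and aws:SourceArn conditions. The account ID, region and detector ID are constructed sample values.

```python
import json
from copy import deepcopy

# Constructed sample: an existing key policy with only the console's default root statement.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

def guardduty_statement(account_id, region, detector_id):
    """The statement GuardDuty needs on the key, shaped like the console-generated one."""
    return {
        "Sid": "Allow GuardDuty to encrypt findings",
        "Effect": "Allow",
        "Principal": {"Service": "guardduty.amazonaws.com"},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:SourceArn": f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}",
            "aws:SourceAccount": account_id}},
    }

def merge_statement(policy, statement):
    """Add the statement to a copy of the policy, replacing any statement with the
    same Sid rather than duplicating it; every other statement is kept as-is."""
    merged = deepcopy(policy)
    merged["Statement"] = [s for s in merged["Statement"] if s.get("Sid") != statement["Sid"]]
    merged["Statement"].append(statement)
    return merged

def check_guardduty_access(policy, account_id):
    """Return a list of problems with GuardDuty's grant (empty list means the grant is OK)."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow" or s.get("Principal", {}).get("Service") != "guardduty.amazonaws.com":
            continue
        problems = []
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if "kms:GenerateDataKey" not in actions and "kms:*" not in actions:
            problems.append("GuardDuty statement lacks kms:GenerateDataKey")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            problems.append("aws:SourceAccount condition missing or wrong (confused-deputy risk)")
        if not cond.get("aws:SourceArn", "").startswith("arn:aws:guardduty:"):
            problems.append("aws:SourceArn condition missing")
        return problems
    return ["no Allow statement for guardduty.amazonaws.com"]

if __name__ == "__main__":
    stmt = guardduty_statement("111122223333", "us-west-2", "12abc34d567e8fa901bc2d34e56789f0")
    print(json.dumps(merge_statement(EXISTING_KEY_POLICY, stmt), indent=4))
```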
Can you post the bucket policy of the existing bucket that you want your guardduty findings to export into? Please post the KMS key policy as well.
I think I found the problem.