AWS guardduty medium security documentation change
Summary
Expanded documentation on validating service control policies (SCPs) and permissions boundaries for GuardDuty Runtime Monitoring. Added detailed steps to check SCPs in Organizations console, clarified multi-account environment requirements, and provided explicit guidance for validating role permissions and policy boundaries.
Security assessment
The changes explicitly address potential security monitoring gaps by ensuring SCPs and permissions boundaries don't block guardduty:SendSecurityTelemetry. This action is critical for threat detection, and misconfiguration could disable security telemetry collection.
Diff
diff --git a/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md b/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md index 7b11584e7..0c03ad629 100644 --- a//guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md +++ b//guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.md @@ -5 +5 @@ -Validating architectural requirementsProvide ECR permissions and subnet detailsValidating your organization service control policyCPU and memory limits +Validating architectural requirementsProvide ECR permissions and subnet detailsValidating your organization service control policy in a multi-account environmentValidating role permissions and policy permissions boundaryCPU and memory limits @@ -10,0 +11,15 @@ This section includes the prerequisites for monitoring runtime behavior of your +###### Topics + + * Validating architectural requirements + + * Provide ECR permissions and subnet details + + * Validating your organization service control policy in a multi-account environment + + * Validating role permissions and policy permissions boundary + + * CPU and memory limits + + + + @@ -26,3 +41,2 @@ The OS distribution and CPU architecture impacts the support provided by the Gua -**OS distribution**1**** | **Kernel support** | **CPU architecture** ----|---|--- -**x64 (AMD64)** | **Graviton (ARM64)** +OS distribution**1** | Kernel support | CPU architecture x64 (AMD64) | CPU architecture Graviton (ARM64) +---|---|---|--- @@ -31 +45 @@ Linux | eBPF, Tracepoints, Kprobe | Supported | Supported -1Support for various operating systems - GuardDuty has verified the support for using Runtime Monitoring on the operating systems that are listed in the preceding table. If you use a different operating system and are able to install the security agent successfully, you might get all the expected security value that GuardDuty has been verified to provide with the listed OS distribution. +1Support for various operating systems - GuardDuty has verified Runtime Monitoring support for the operating distribution listed in the preceding table. While the GuardDuty security agent may run on operating systems not listed in the preceding table, the GuardDuty team cannot guarantee the expected security value. @@ -66 +80,3 @@ For information about enabling Fargate to download the GuardDuty container, see -## Validating your organization service control policy +## Validating your organization service control policy in a multi-account environment + +This section explains how to validate your service control policy (SCP) settings to ensure Runtime Monitoring works as expected across your organization. @@ -68 +84 @@ For information about enabling Fargate to download the GuardDuty container, see -This step is required for GuardDuty to support Runtime Monitoring and assess coverage across different resource types. +If you have set up one or more service control policies to manage permissions in your organization, you must validate that it doesn't deny the `guardduty:SendSecurityTelemetry` action. For information about how SCPs work, see [SCP evaluation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html) in the _AWS Organizations User Guide_. @@ -70 +86 @@ This step is required for GuardDuty to support Runtime Monitoring and assess cov -If you have set up a service control policy (SCP) to manage permissions in your organization, validate that permissions boundary is not restricting `guardduty:SendSecurityTelemetry` in your `TaskExecutionRole` and its policy. +If you are a member account, connect with the associated delegated administrator. For information about managing SCPs for your organization, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide_. @@ -72 +88 @@ If you have set up a service control policy (SCP) to manage permissions in your -The following policy is an example for _allowing_ the `guardduty:SendSecurityTelemetry` policy: +Perform the following steps for all the SCPs that you have set up in your multi-account environment: @@ -73,0 +90,11 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel +###### To validate `guardduty:SendSecurityTelemetry` is not denied in SCP + + 1. Sign in to the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/). You must sign in as an IAM role, or sign in as the root user [(not recommended)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) in the organization's management account. + + 2. In the left navigation pane, select **Policies**. Then, under **Supported policy types** , select **Service control policies**. + + 3. On the **Service control policies** page, choose the name of the policy that you want to validate. + + 4. On the policy's detail page, view the **Content** of this policy. Make sure that it doesn't deny the `guardduty:SendSecurityTelemetry` action. + +The following SCP policy is an example for _not denying_ the `guardduty:SendSecurityTelemetry` action: @@ -90 +117 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 1. Use the following steps to validate that the **Permissions boundary** doesn' restrict `guardduty:SendSecurityTelemetry`: +If your policy denies this action, you must update the policy. For more information, see [Update a service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy) in the _AWS Organizations User Guide_. @@ -92 +118,0 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). @@ -94 +119,0 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 2. In the navigation pane, under **Access management** , choose **Roles**. @@ -96 +120,0 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 3. Choose the **Role name** for the details page. @@ -98 +122 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 4. Expand the **Permissions boundary** section. Ensure that the `guardduty:SendSecurityTelemetry` is not denied or restricted. +## Validating role permissions and policy permissions boundary @@ -100 +124,3 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 2. Use the following steps to validate that the **Permissions boundary** for your `TaskExecutionRole` policy doesn't restrict `guardduty:SendSecurityTelemetry`: +Use the following steps to validate that the permissions boundaries associated with the role and its policy **doesn't** the restrict `guardduty:SendSecurityTelemetry` action. + +###### To view permissions boundary for roles and its policy @@ -104 +130,9 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 2. In the navigation pane, under **Access management** , choose **Policies**. + 2. In the left navigation pane, under **Access management** , choose **Roles**. + + 3. On the **Roles** page, select the role ``TaskExecutionRole`` that you may have created. + + 4. On the selected role's page, under the **Permissions** tab, expand the policy name associated with this role. Then, validate that this policy doesn't restrict `guardduty:SendSecurityTelemetry`. + + 5. If the **Permissions boundary** is set, then expand this section. Then, expand each policy to review that it doesn't restrict the `guardduty:SendSecurityTelemetry` action. The policy should appear similar to this Example SCP policy. + +As needed, perform one of the following actions: @@ -106 +140 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 3. Choose the **Policy name** for the details page. + * To modify the policy, select **Edit**. On the **Modify permissions** page for this policy, update the policy in the **Policy editor**. Make sure that the JSON schema remains valid. Then, choose **Next**. Then, you can review and save the changes. @@ -108 +142 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel - 4. Under the **Entities attached** tab, view the **Attached as a permissions boundary** section. Ensure that the `guardduty:SendSecurityTelemetry` is not denied or restricted. + * To change this permissions boundary and choose another boundary, choose **Change boundary**. @@ -109,0 +144 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel + * To remove this permissions boundary, choose **Remove boundary**. @@ -110,0 +146 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel +For information about managing policies, see [Policies and permissions in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_. @@ -113 +148,0 @@ The following policy is an example for _allowing_ the `guardduty:SendSecurityTel -For information about policies and permissions, see [Permissions boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the _IAM User Guide_. @@ -115 +149,0 @@ For information about policies and permissions, see [Permissions boundaries](htt -If you are a member account, connect with the associated delegated administrator. For information about managing SCPs for your organization, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html).