Using shared VPC with automated security agents - Amazon GuardDuty

When you choose GuardDuty to manage the security agent automatically, Runtime Monitoring supports using a shared VPC for the AWS accounts that belong to the same organization in AWS Organizations. On your behalf, GuardDuty can set the Amazon VPC endpoint policy based on the details associated with the shared VPC for your organization.

How it works

When the owner account of the shared VPC enables Runtime Monitoring and automated agent configuration for any of the resources (Amazon EKS or AWS Fargate (Amazon ECS only)), all the shared VPCs become eligible for automatic installation of the shared Amazon VPC endpoint and the associated security group in the shared VPC owner account. GuardDuty retrieves the organization ID that is associated with the shared Amazon VPC.

Now, the AWS accounts that belong to the same organization as the shared Amazon VPC owner account can also share the same Amazon VPC endpoint. GuardDuty creates an Amazon VPC endpoint when either the shared VPC owner account or the participating account needs it. Examples of needing an Amazon VPC endpoint include enabling GuardDuty, Runtime Monitoring, EKS Runtime Monitoring, or launching a new Amazon ECS-Fargate task. When these accounts enable Runtime Monitoring and automated agent configuration for any resource type, GuardDuty creates an Amazon VPC endpoint and sets the endpoint policy with the same organization ID as that of the shared VPC owner account. GuardDuty adds a GuardDutyManaged tag and sets it to true for the Amazon VPC endpoint that GuardDuty creates. If the shared Amazon VPC owner account has not enabled Runtime Monitoring or automated agent configuration for any of the resources, GuardDuty will not set the Amazon VPC endpoint policy. For information about configuring Runtime Monitoring and managing the security agent automatically in the shared VPC owner account, see Enabling GuardDuty Runtime Monitoring.

Each of the accounts using the same Amazon VPC endpoint policy is called a participant AWS account of the associated shared Amazon VPC.

The following example shows the default VPC endpoint policy of the shared VPC owner account and the participant account. The aws:PrincipalOrgID condition key carries the organization ID associated with the shared VPC resource. The use of this policy is limited to the participant accounts present in the organization of the owner account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow",
            "Principal": "*"
        },
        {
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "o-abcdef0123"
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Deny",
            "Principal": "*"
        }
    ]
}
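To make the effect of this policy concrete, the following Python script is an added example (it is not part of the GuardDuty documentation or of any AWS tooling). It evaluates the org-scoped endpoint policy above against sample principals, showing that the explicit Deny with StringNotEquals blocks both principals from another organization and principals outside any organization, and it audits constructed endpoint records shaped like the output of ec2 DescribeVpcEndpoints (PolicyDocument as a JSON string, Tags as a list) for the GuardDutyManaged=true tag and the organization scoping. The organization ID o-abcdef0123 is the placeholder from the policy above, the endpoint IDs and the foreign organization ID are constructed, and the condition evaluator is a deliberate simplification that supports only StringEquals and StringNotEquals.

```python
"""Offline check of GuardDuty-managed VPC endpoint policies (added example)."""
import json

# Placeholder organization ID taken from the example policy on the page.
OWNER_ORG_ID = "o-abcdef0123"
# Constructed organization ID representing a principal from another organization.
FOREIGN_ORG_ID = "o-zzzzzzzzzz"

# The default endpoint policy GuardDuty sets, as shown on the page.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"},
        {
            "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": OWNER_ORG_ID}},
            "Action": "*",
            "Resource": "*",
            "Effect": "Deny",
            "Principal": "*",
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate the subset of IAM condition operators used by this policy.

    Only StringEquals and StringNotEquals on single-valued context keys are
    supported (simplification for this example). As in IAM, an absent context
    key never satisfies StringEquals and always satisfies StringNotEquals.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policy, principal_org_id):
    """Return True if the endpoint policy allows a principal whose organization
    is principal_org_id (None for a principal outside any organization).
    An explicit Deny overrides any Allow, as in IAM evaluation."""
    context = {}
    if principal_org_id is not None:
        context["aws:PrincipalOrgID"] = principal_org_id
    allowed = False
    for statement in policy["Statement"]:
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        if statement["Effect"] == "Allow":
            allowed = True
    return allowed


def audit_endpoint(endpoint, expected_org_id):
    """Check one DescribeVpcEndpoints-style record and return a list of findings.

    A GuardDuty-managed endpoint is expected to carry the GuardDutyManaged=true
    tag and a policy that admits only principals from expected_org_id.
    """
    findings = []
    tags = {t["Key"]: t["Value"] for t in endpoint.get("Tags", [])}
    if tags.get("GuardDutyManaged") != "true":
        findings.append("missing GuardDutyManaged=true tag")
    policy = json.loads(endpoint["PolicyDocument"])
    if is_allowed(policy, FOREIGN_ORG_ID):
        findings.append("policy allows principals from another organization")
    if is_allowed(policy, None):
        findings.append("policy allows principals outside any organization")
    if not is_allowed(policy, expected_org_id):
        findings.append(f"policy does not allow the owner organization {expected_org_id}")
    return findings


def audit_all(endpoints, expected_org_id):
    """Map each endpoint ID to its findings (empty list means the endpoint passes)."""
    return {e["VpcEndpointId"]: audit_endpoint(e, expected_org_id) for e in endpoints}


# Constructed sample records: field names follow DescribeVpcEndpoints, values are made up.
SAMPLE_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0example1",
        "PolicyDocument": json.dumps(DEFAULT_ENDPOINT_POLICY),
        "Tags": [{"Key": "GuardDutyManaged", "Value": "true"}],
    },
    {
        "VpcEndpointId": "vpce-0example2",
        # Permissive policy with no Deny statement scoping access to the organization.
        "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Action": "*", "Resource": "*", "Effect": "Allow", "Principal": "*"}]}),
        "Tags": [],
    },
]

if __name__ == "__main__":
    for endpoint_id, findings in audit_all(SAMPLE_ENDPOINTS, OWNER_ORG_ID).items():
        print(endpoint_id, "OK" if not findings else "; ".join(findings))
```

In a real account the two constructed records would be replaced by the result of a DescribeVpcEndpoints call; the evaluator stays the same, and an endpoint that returns a non-empty findings list is one whose policy or tagging does not match what GuardDuty sets on the endpoints it manages.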

Prerequisites for using shared VPC

Runtime Monitoring supports using a shared VPC when you use the GuardDuty automated agent. As part of the initial setup, perform the following steps in the AWS account that you want to be the owner of the shared VPC:

  1. Creating an organization – Create an organization by following the steps in Creating and managing an organization in the AWS Organizations User Guide.

    For information about adding or removing member accounts, see Managing AWS accounts in your organization.

  2. Creating a shared VPC resource – You can create a shared VPC resource from the owner account. For more information, see Share your VPC with other accounts in the Amazon VPC User Guide.

Prerequisites specific to GuardDuty Runtime Monitoring

The following list provides the prerequisites that are specific to GuardDuty:

  • The owner account of the shared VPC and the participating account can be from different organizations in GuardDuty. However, they must belong to the same organization in AWS Organizations. This is required for GuardDuty to create an Amazon VPC endpoint and a security group for the shared VPC. For information about how shared VPCs work, see Share your VPC with other accounts in the Amazon VPC User Guide.

  • Enable Runtime Monitoring or EKS Runtime Monitoring, and GuardDuty automated agent configuration for any resource in the shared VPC owner account and the participant account. For more information, see Enabling Runtime Monitoring.

    If you have already completed these configurations, continue with the next step.

  • When working with either an Amazon EKS or an Amazon ECS (AWS Fargate only) task, make sure to choose the shared VPC resource associated with the owner account and select its subnets.