Using shared VPC with automated security agents - Amazon GuardDuty
How it works

Using shared VPC with automated security agents

When you choose GuardDuty to manage the security agent automatically, Runtime Monitoring supports using a shared VPC for the AWS accounts that belong to the same organization in AWS Organizations. On your behalf, GuardDuty can set the Amazon VPC endpoint policy based on the details associated with the shared VPC for your organization.

Prior to this release, GuardDuty supported the use of shared VPCs only when you chose to manage the GuardDuty security agent manually.

Contents

How it works

When the owner account of the shared VPC enables Runtime Monitoring and automated agent configuration for any of the resources (Amazon EKS or AWS Fargate (Amazon ECS only)), all the shared VPCs become eligible for automatic installation of the shared Amazon VPC endpoint and the associated security group in the shared VPC owner account. GuardDuty retrieves the organization ID that is associated with the shared Amazon VPC.

Now, the AWS accounts that belong to the same organization as the shared Amazon VPC owner account can also share the same Amazon VPC endpoint. GuardDuty creates the shared VPC when either the shared VPC owner account or the participating account needs an Amazon VPC endpoint. Examples of needing an Amazon VPC endpoint include enabling GuardDuty, Runtime Monitoring, EKS Runtime Monitoring, or launching a new Amazon ECS-Fargate task. When these accounts enable Runtime Monitoring and automated agent configuration for any resource type, GuardDuty creates a Amazon VPC endpoint and sets the endpoint policy with the same organization ID as that of the shared VPC owner account. GuardDuty adds a GuardDutyManaged tag and sets it to true for the Amazon VPC endpoint that GuardDuty creates. If the shared Amazon VPC owner account has not enabled Runtime Monitoring or automated agent configuration for any of the resources, GuardDuty will not set the Amazon VPC endpoint policy. For information about configuring Runtime Monitoring and managing the security agent automatically in the shared VPC owner account, see Enabling GuardDuty Runtime Monitoring.

Each of the accounts using the same Amazon VPC endpoint policy is called as the participant AWS account of the associated shared Amazon VPC.

The following example shows the default VPC endpoint policy of the shared VPC owner account and the participant account. The aws:PrincipalOrgID will show the organization ID associated with the shared VPC resource. The use of this policy is limited to the participant accounts present in the organization of the owner account.

{
    "Version": "2012-10-17",
    "Statement": [{
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow",
            "Principal": "*"
        },
        {
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "o-abcdef0123"
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Deny",
            "Principal": "*"
        }
    ]
}
Show moreShow less