This message was deleted.
# aws
s
This message was deleted.
l
No. If you use Organizations, you could load yours and iterate over the accounts, but presumably you don't want to enable Guard Duty for all accounts (no one is that rich!). List the accountIds you want to use as an array in you Pulumi stack config file.
❤️ 1
f
Hey, thank you for your reply!! we dont have that many accounts tbh - but we do use organisations so I can add that for now! What would the recommended method be? I need to feed GuardDuty findings into CloudWatch logs and was told to also include member accounts of our org
l
Guard Duty is pretty expensive. The accounts that can affect your "live" systems, and accounts with direct access to them, are good places to start with Guard Duty. If you have an account that devs use for deploying test environments, or accounts that just contain non-critical resources (maybe your VPC logs from other systems? stuff like that), they don't need Guard Duty.
If you're getting things going, start with a collection of account ids, and add Organizations later. There's no real value in that, it's just an exercise in completeness.
The sooner you have 1 account with Guard Duty set up using Pulumi, the better. Then iterate and improve.
f
Thank you - some really good notes here - ill give it a go with setting up 1 account then try and split the account types up! cheers
🙂
Hey @little-cartoon-10569 I had this setup with just one account ID earlier today and now have a need to have it managed by a organization so all member accounts are affected. In my code below, I create the organizationConfig but when running, I get this error
BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
Is my understanding correct that as we already have an existing organisation, we just need the config? Thank you!
Copy code
for (const region of regions) {
    const provider = new aws.Provider(region, { region });

    const detector = new aws.guardduty.Detector(
      region,
      {
        enable: true,
        findingPublishingFrequency: "FIFTEEN_MINUTES",
      },
      { provider }
    );

    new aws.guardduty.OrganizationConfiguration(
      `guardduty-organization-${region}`,
      {
        autoEnable: true,
        detectorId: detector.id,
        datasources: {
          malwareProtection: {
            scanEc2InstanceWithFindings: {
              ebsVolumes: { autoEnable: true },
            },
          },
          s3Logs: {
            autoEnable: true,
          },
        },
      },
      { provider }
    );
}
the code for the cloudwatch EventRule is the same except removal of
accountId
and addition of a provider
l
I'm not sure where the error message is coming from. It might be that "findingPublishingFrequency" doesn't like that constant?
I'm not really an expert on Organizations, but as I understand it, the Organization is only in your org account. Would that mean that OrganizationConfiguration should always be in that account? You may need to read up on that. If it is supposed to always be in the org account, then you're passing in the wrong provider there.
Yea, the API docs seem to imply that you're using the wrong provider:
The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the aws.guardduty.OrganizationAdminAccount resource.
However that won't fix your current error, I think. It's just another error waiting for you later 🙂