freezing-umbrella-71201
03/01/2023, 2:19 AM
guardDuty findings. I am following this link <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html#guardduty_findings_cloudwatch_multiaccount> - here we can see that we have to specify all the member accountIds (I am running from the admin account). Is there an easier way to specify the member accounts, without having to type them all? My code so far:
import * as aws from "@pulumi/aws";

const cloudwatchEventRule = new aws.cloudwatch.EventRule(
  "XXXXXXXXX",
  {
    description: "CloudWatch event rule to trigger on GuardDuty Findings",
    isEnabled: true,
    // The pattern is sent to EventBridge as raw JSON, so keys must match the event fields exactly.
    eventPattern: JSON.stringify({
      source: ["aws.guardduty"],
      "detail-type": ["GuardDuty Finding"],
      detail: {
        accountId: ["AWS"],
        severity: Array.from({ length: 50 }, (_, i) => 4 + i * 0.1), // [4, 4.1, 4.2, 4.3 ..., 8.9]
      },
    }),
  }
);
little-cartoon-10569
03/01/2023, 2:25 AM
freezing-umbrella-71201
03/01/2023, 2:32 AM
little-cartoon-10569
03/01/2023, 2:38 AM
freezing-umbrella-71201
03/01/2023, 2:43 AM
BadRequestException: The request is rejected because an invalid or out-of-range value is specified as an input parameter.
Is my understanding correct that as we already have an existing organisation, we just need the config? Thank you!
for (const region of regions) {
  const provider = new aws.Provider(region, { region });
  const detector = new aws.guardduty.Detector(
    region,
    {
      enable: true,
      findingPublishingFrequency: "FIFTEEN_MINUTES",
    },
    { provider }
  );
  new aws.guardduty.OrganizationConfiguration(
    `guardduty-organization-${region}`,
    {
      autoEnable: true,
      detectorId: detector.id,
      datasources: {
        malwareProtection: {
          scanEc2InstanceWithFindings: {
            ebsVolumes: { autoEnable: true },
          },
        },
        s3Logs: {
          autoEnable: true,
        },
      },
    },
    { provider }
  );
}
accountId
and addition of a provider
little-cartoon-10569
03/02/2023, 2:16 AM
The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the aws.guardduty.OrganizationAdminAccount resource.