Accenture MDR Quick Start Guide for Amazon Web Services (AWS) GuardDuty Generic

This quick start guide will help Accenture MDR customers configure Amazon Web Services (AWS) GuardDuty to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:

1 Supported Versions
2 Port Requirements
3 Configuring AWS GuardDuty
4 LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source	Destination	Port	Description
LCP	SQS	TCP/443	Default Port

Configuring AWS GuardDuty

MxDR supports log collection using S3 via SQS.

Prerequisite:

S3 bucket is created. Please refer the following page to create a S3 bucket. https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html
KMS Key is created. Please refer the following page to create a KMS Key. https://docs.aws.amazon.com/kms/latest/developerguide/asymm-create-key.html
GuardDuty encrypts the findings data in your bucket by using an AWS KMS key. GuardDuty should have permission to access KMS key.
- Please refer the following page to grant KMS key permission to GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html

Sample KMS Policy

{
            "Sid": "Allow GuardDuty to encrypt findings",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.<AWS_REGION>.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<KEY_ARN>"
        }

Note: Please replace <AWS_REGION>, <KEY_ARN> placeholders with actual values.

Configuration Steps:

Please follow below steps to configure AWS GuardDuty:

Log in to the AWS console.

2. Search for GuardDuty.

3. Select Settings.

4. In finding export option

a. select the frequency from the drop down for update finding: Update CWE and S3 every 15 minutes (Note: this frequency selection is for updated findings only, new findings will be exported in 5 minutes from the creation time. )

b. Select the S3 bucket in which you want to export GuardDuty findings. You can select existing bucket which was created as per pre-requisite.

c. Provide the log file prefix if you wish to give any.

d. Select KMS encryption and select key from dropdown.

e. Click on Save button to save the settings

5. Once logs are being stored in log files in S3, we have to create SQS queue.

6. To create SQS and attach it with S3 please refer https://mdrkb.atlassian.net/wiki/x/AQCeEQ

Note: Please refer below page to check required IAM user and KMS Key policies for S3, SQS and KMS

https://mdrkb.atlassian.net/wiki/x/hoCdEQ

Note: Below are the URL details which we need to allow for connectivity (Please identify URLs by referring AWS document according to your services and regions):

IAM: For any logging source IAM URL should be allowed

S3: For S3 or SQS logging source, S3 URL should be allowed.

SQS: For SQS logging source, SQS URL should be allowed.

LCP Configuration Parameters

MxDR supports log collection using role based access control (RBAC) or access key ID and secret method.

To create access key ID and secret please refer
To support log collection using RBAC please refer

Table 1-2: The AWS GuardDuty Generic event collector (API - 3911) properties to be configured by MDR are shown in the table.

Property	Access Key and Secret Access	RBAC
Region	Enter region (Eg: us-west-2)	Enter region (Eg: us-west-2)
AWS Access Key ID Or Role ARN	Enter Access Key	Provide Role ARN
AWS Secret Access Key Or External ID	Enter Secret	Enter external ID
Logging Source	SQS	SQS
S3 Bucket/Log Group(s)/SQS Queue URL	Provide SQS URL	Provide SQS URL
Bucket Prefix Path(s)	Leave Empty	Leave Empty