awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Enable GuardDuty delegated admin Malware Protection policy option in management account #480

Open millerdq2038 opened 3 months ago

millerdq2038 commented 3 months ago

Is your feature request related to a problem? Please describe.
When enabling GuardDuty, I'd like LZA to be able to enable the "Allow delegated administrator to attach relevant permissions to enable Malware Protection for member accounts." option within the GuardDuty settings page within the management account. This option is within the "Delegated Administrator" config section. https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html#configure-malware-protection-multi-account

Describe the feature you'd like
Supporting this option will remove the need for manual configuration of this option within the management account.

Additional context

Warning from within the GuardDuty delegated administration account: Your organization’s management account has not allowed the delegated administrator to attach relevant permissions to enable GuardDuty Malware Protection feature on the member accounts. Please follow the instructions here.
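
An added example, not from the LZA project or the issue author: a small boto3-style audit helper that checks, from the management account, whether the AWS Organizations trusted-access setting behind that console checkbox is enabled, and enables it only when asked. It assumes, based on the GuardDuty multi-account documentation the issue links to, that the checkbox corresponds to trusted access for the `malware-protection.guardduty.amazonaws.com` service principal; the Organizations client is passed in so the logic can be exercised offline.

```python
"""Audit (and optionally enable) the Organizations trusted-access setting that the
GuardDuty console labels "Allow delegated administrator to attach relevant
permissions to enable Malware Protection for member accounts".
Run with management-account credentials; the client is injected for testability."""

# Assumption (from the GuardDuty docs linked in the issue): the console checkbox maps
# to Organizations trusted access for this service principal.
MALWARE_PROTECTION_PRINCIPAL = "malware-protection.guardduty.amazonaws.com"


def trusted_access_enabled(org_client) -> bool:
    """Return True if trusted access is already enabled for the Malware Protection principal.

    Follows NextToken pagination because an organization may have many trusted services.
    """
    kwargs = {}
    while True:
        resp = org_client.list_aws_service_access_for_organization(**kwargs)
        for svc in resp.get("EnabledServicePrincipals", []):
            if svc.get("ServicePrincipal") == MALWARE_PROTECTION_PRINCIPAL:
                return True
        token = resp.get("NextToken")
        if not token:
            return False
        kwargs = {"NextToken": token}


def ensure_trusted_access(org_client, apply: bool = False) -> str:
    """Report drift by default; enable the setting only when apply=True.

    Returns "compliant", "drift" or "enabled" so a pipeline can fail on drift.
    Idempotent: a second call after enabling reports "compliant".
    """
    if trusted_access_enabled(org_client):
        return "compliant"
    if not apply:
        return "drift"
    org_client.enable_aws_service_access(ServicePrincipal=MALWARE_PROTECTION_PRINCIPAL)
    return "enabled"


if __name__ == "__main__":
    import sys
    import boto3  # imported lazily so the audit logic stays importable without boto3

    # Pass --apply to remediate; with no flag the script only reports.
    org = boto3.client("organizations")
    print(ensure_trusted_access(org, apply="--apply" in sys.argv[1:]))
```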

snemir2 commented 3 months ago

While at it, include/exclude tags for EC2 runtime and malware protection (dataguard) configuration would be very convenient. It looks like there is no way to define configuration for newer dataguard features.