org-formation / org-formation-cli

Better than landingzones!
MIT License

Security Account as GuardDuty Master no longer works? #542

Closed sakopov closed 7 months ago

sakopov commented 8 months ago

I'm trying to run the org-formation templates in the reference repository and am not able to successfully execute the GuardDuty tasks. It appears that the task is trying to use the Security Account as GuardDuty Master and the Organization Management account as GuardDuty Member. It seems to be failing to add it as a Member and the stack fails with "Resource Master failed because The request is rejected because the current account does not have an invitation from the requested master account."

It seems like adding Organization Management account as GuardDuty member is no longer possible. You have to manually delegate Security Account as GuardDuty Administrator in the Organization Management account. So, I tried to do that, however, as soon as I do that, it generates the GuardDuty Detector resource in the Management Account which is supposed to be created by the org-formation task. Because the resource already exists and is immutable, org-formation task fails.

Does anybody know how to resolve this? Perhaps it's best that the Organization Management account is the GuardDuty Master account instead of the Security Account? This should theoretically make this work but would render the Security Account rather useless.
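The two-step flow the comment describes (delegate the Security Account as GuardDuty administrator from the Organization Management account, then drive GuardDuty from the Security Account, reusing the detector that delegation auto-creates instead of trying to create a second one, and adding the remaining organization accounts, management account included, as members without invitations), as an added example written against the boto3 GuardDuty and Organizations APIs. This is not org-formation's own code or the reference template. The account IDs, the profile names `management` and `security`, and the region are assumptions; the AWS clients are passed in so the helpers can be exercised without AWS access.

```python
"""Delegated-administrator GuardDuty setup written against the boto3 API.
Clients are passed in so every helper can be driven by fakes offline."""
from typing import Iterable

# Assumed account IDs for the stand-alone run; replace with your own.
MANAGEMENT_ACCOUNT_ID = "111111111111"
SECURITY_ACCOUNT_ID = "222222222222"
MEMBER_BATCH_SIZE = 50  # CreateMembers accepts at most 50 accounts per call


def ensure_delegated_admin(gd_mgmt, admin_account_id: str) -> str:
    """Run with MANAGEMENT account credentials (per region).

    Returns "already-enabled" or "enabled"; raises if another account holds
    the delegation, because swapping it silently would orphan its members.
    """
    current = gd_mgmt.list_organization_admin_accounts().get("AdminAccounts", [])
    enabled = [a["AdminAccountId"] for a in current if a.get("AdminStatus") == "ENABLED"]
    if admin_account_id in enabled:
        return "already-enabled"
    if enabled:
        raise RuntimeError(f"delegated admin is already {enabled[0]}, not {admin_account_id}")
    gd_mgmt.enable_organization_admin_account(AdminAccountId=admin_account_id)
    return "enabled"


def ensure_detector(gd) -> tuple[str, bool]:
    """Return (detector_id, created). A region holds exactly one detector, and
    delegation already creates it, so an existing one is reused, not recreated."""
    existing = gd.list_detectors().get("DetectorIds", [])
    if existing:
        return existing[0], False
    return gd.create_detector(Enable=True)["DetectorId"], True


def enable_auto_members(gd, detector_id: str) -> None:
    """Have GuardDuty enable itself for all current and future org accounts."""
    gd.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers="ALL")


def pending_member_accounts(org_accounts: Iterable[dict], current_members: Iterable[dict],
                            admin_account_id: str) -> list[dict]:
    """Active org accounts (admin excluded) not yet associated with the detector."""
    associated = {m["AccountId"] for m in current_members
                  if m.get("RelationshipStatus") == "Enabled"}
    return [{"AccountId": a["Id"], "Email": a["Email"]} for a in org_accounts
            if a.get("Status") == "ACTIVE"
            and a["Id"] != admin_account_id
            and a["Id"] not in associated]


def add_existing_members(gd, orgs, detector_id: str, admin_account_id: str) -> list[str]:
    """Run with SECURITY (delegated admin) credentials.

    Org-managed members need no invitation, so the management account can be
    added like any other. Returns the account IDs GuardDuty accepted.
    """
    accounts = [a for page in orgs.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    members = [m for page in gd.get_paginator("list_members").paginate(
                   DetectorId=detector_id, OnlyAssociated="false")
               for m in page["Members"]]
    todo = pending_member_accounts(accounts, members, admin_account_id)
    added = []
    for i in range(0, len(todo), MEMBER_BATCH_SIZE):
        batch = todo[i:i + MEMBER_BATCH_SIZE]
        resp = gd.create_members(DetectorId=detector_id, AccountDetails=batch)
        failed = {u["AccountId"] for u in resp.get("UnprocessedAccounts", [])}
        added += [b["AccountId"] for b in batch if b["AccountId"] not in failed]
    return added


def main() -> None:
    import boto3  # imported here so the helpers above run without boto3 installed
    region = "us-east-1"  # assumption; GuardDuty is regional, so repeat per region
    # Step 1: management account delegates the security account.
    mgmt = boto3.Session(profile_name="management").client("guardduty", region_name=region)
    print(ensure_delegated_admin(mgmt, SECURITY_ACCOUNT_ID))
    # Step 2: security account reuses its detector and enrolls the organization.
    sec = boto3.Session(profile_name="security")
    gd, orgs = sec.client("guardduty", region_name=region), sec.client("organizations")
    detector_id, created = ensure_detector(gd)
    enable_auto_members(gd, detector_id)
    print(detector_id, "created" if created else "reused",
          add_existing_members(gd, orgs, detector_id, SECURITY_ACCOUNT_ID))


if __name__ == "__main__":
    main()
```

Both the delegation and the detector are per region, so the whole sequence has to run in every region GuardDuty should cover. The reuse branch in `ensure_detector` is the part that matters for the failure described in the comment: once the delegation exists, a detector is already there, and a template that unconditionally creates one will collide with it.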

sakopov commented 7 months ago

Ended up moving on from this as project looks abandoned.