Description
This article describes how to get the best value out of FortiCNP: it is recommended to implement AWS security best practices.
According to the AWS Security Reference Architecture (SRA), it is recommended to turn on services such as Amazon GuardDuty, Amazon Inspector and AWS Security Hub in all accounts across an AWS Organization.
Not turning on these services across the entire organization is analogous to not having smoke detectors in some rooms in a house and security is always as good as the weakest link.
Beyond turning on the services, the AWS SRA defines an architecture to aggregate security information across the entirety of an AWS organization and defines relevant concepts such as delegated administrators, security monitoring accounts, and finding aggregation regions.
This document guides you through enabling the relevant services and establishing security best practices in the organization.
Scope
The scope of this guide is to walk through the process of turning on AWS Security services such as AWS Security Hub, Amazon Inspector and Amazon GuardDuty throughout the AWS Organization.
As mentioned, these services are important for the best operation of FortiCNP. The scope is a single AWS Organization, which may contain multiple AWS accounts.
This guide walks through the recommended process for turning these services on.
Solution
Amazon GuardDuty
Consult the AWS guide to make sure the account has the necessary delegated administrator permissions: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
The following procedure guides you through enabling GuardDuty across the organization.
1) Open AWS console and login into the admin organization account.
2) Open the GuardDuty console at https://console.aws.amazon.com/guardduty/ or search for GuardDuty in the console search bar.
3) Select Get Started button.
4) Now start the configuration of Guard Duty for the organization as seen in the image below.
5) To enable GuardDuty inside the organization there needs to be a delegated administrator account; this account will manage GuardDuty policies throughout the organization.
Refer to the following AWS documentation on how to create a delegated admin account https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
Copy the account id of the delegated administrator into the blank field, then select the Delegate button.
6) Check for the confirmation at the bottom of the page.
7) Select the Enable GuardDuty button to enable GuardDuty; the configuration page is then shown.
At this point, a delegated GuardDuty administrator account has been defined and GuardDuty has been enabled for that account.
Now enable GuardDuty across the organization and add the existing accounts from the organization.
8) Select the Accounts link on the navigation pane.
9) A page very similar to the one shown in the picture below can be seen.
10) Select the enable button on the top to enable GuardDuty for the organization.
11) Select Enable to confirm.
Congratulations. GuardDuty has been enabled for all the accounts inside the organization.
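The console procedure above can also be driven with the AWS SDK, which is the natural way to repeat it in every region and to keep a record of what was enabled. The following is an added example written for this guide, not code from Fortinet or AWS. It uses boto3 (the GuardDuty and Organizations method names are those of the real SDK); the profile names "org-management" and "guardduty-admin", the account id 111111111111 and the region are placeholders to replace with your own. Clients are passed in as parameters so the two credential contexts of the procedure (management account for delegation, then the delegated administrator for everything else) stay visible.

```python
"""Enable Amazon GuardDuty across an AWS Organization with boto3.

Added example: the same sequence as the console steps above, expressed as
boto3 calls. Two credential contexts are involved, exactly as in the
console: the management account delegates the administrator, and the
delegated administrator then configures the organization and adds members.
Clients are passed in as parameters so both contexts stay explicit and the
logic can be exercised offline with fake clients.
"""


def list_org_accounts(org):
    """Return [{'AccountId': ..., 'Email': ...}] for every ACTIVE account.

    `org` is an AWS Organizations client using management-account credentials.
    """
    accounts = []
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE":
                accounts.append({"AccountId": acct["Id"], "Email": acct["Email"]})
    return accounts


def delegate_guardduty_admin(gd_mgmt, admin_account_id):
    """Console step 5: designate the delegated administrator.

    `gd_mgmt` is a GuardDuty client using management-account credentials.
    """
    gd_mgmt.enable_organization_admin_account(AdminAccountId=admin_account_id)
    return admin_account_id


def enable_guardduty_for_org(gd_admin, admin_account_id, accounts):
    """Console steps 7-11, run with delegated-administrator credentials.

    Returns (detector_id, member_account_ids). GuardDuty is regional, so
    `gd_admin` configures only the region it was created for.
    """
    # A region holds at most one detector; reuse it if it already exists.
    detector_ids = gd_admin.list_detectors()["DetectorIds"]
    if detector_ids:
        detector_id = detector_ids[0]
    else:
        detector_id = gd_admin.create_detector(Enable=True)["DetectorId"]

    # Auto-enable GuardDuty for all current and future member accounts
    # (the "Enable" action on the Accounts page).
    gd_admin.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers="ALL"
    )

    # Add the existing accounts as members. The administrator account owns the
    # detector and is not its own member. CreateMembers takes up to 50 accounts.
    members = [a for a in accounts if a["AccountId"] != admin_account_id]
    for start in range(0, len(members), 50):
        gd_admin.create_members(
            DetectorId=detector_id, AccountDetails=members[start:start + 50]
        )
    return detector_id, [m["AccountId"] for m in members]


if __name__ == "__main__":
    import boto3  # imported here so the functions above also work offline

    # Placeholders (assumptions): replace with your own values.
    ADMIN_ACCOUNT_ID = "111111111111"
    REGION = "us-west-2"
    mgmt = boto3.Session(profile_name="org-management", region_name=REGION)
    admin = boto3.Session(profile_name="guardduty-admin", region_name=REGION)

    delegate_guardduty_admin(mgmt.client("guardduty"), ADMIN_ACCOUNT_ID)
    accounts = list_org_accounts(mgmt.client("organizations"))
    detector, members = enable_guardduty_for_org(
        admin.client("guardduty"), ADMIN_ACCOUNT_ID, accounts
    )
    print(f"detector {detector}: {len(members)} member accounts added")
```

Both the delegation and the organization configuration are regional in GuardDuty, so run the script once per region in which GuardDuty should be active; the member list comes from Organizations ListAccounts so that no account is left out.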
Amazon Inspector
Consult the AWS guide to make sure the account has the necessary permissions: https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html
The procedure below guides you through enabling Inspector across the organization.
1) Open AWS console and login into the admin organization account.
2) Open the Inspector console at https://console.aws.amazon.com/Inspector/ or search for Inspector in the console search bar.
3) Select Get Started button.
4) Now start the configuration of Inspector for the organization as seen in the picture below.
5) To enable Inspector inside the organization a delegated administrator account is needed; this account will administer Inspector in the organization.
Consult the AWS guide to make sure the necessary permissions are there.
https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html
6) Copy the account id of the delegated administrator into the blank field, then select the Delegate button.
7) Select Delegate to confirm.
8) A confirmation that Inspector is enabled appears at the top of the page.
At this point, a delegated Inspector administrator account has been defined and Inspector has been enabled for that account.
Now enable Inspector across the organization and add the existing accounts from the organization.
9) Select the Account Management link on the navigation pane.
10) A page very similar to the one shown in the picture below can be seen.
11) Select Automatically enable Inspector for a new account, then select Save.
Select all the existing accounts for which Inspector needs to be activated and select Enable (all scanning).
Congratulations. Inspector has been enabled across all AWS accounts inside the organization.
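The Inspector procedure above, expressed with the SDK, as an added example for this guide (not Fortinet's or AWS's code). It uses the boto3 inspector2 client; the method names are those of the real SDK, while the profile names, the account ids and the region are placeholders. Beyond the enable steps it includes a verification call (BatchGetAccountStatus) that reports any account whose Inspector state is not yet ENABLED, which is the practical check behind the "smoke detector in every room" point in the Description.

```python
"""Enable Amazon Inspector across an AWS Organization with boto3.

Added example mirroring the console steps above. As in the console, the
management account designates the delegated administrator, and the delegated
administrator then turns on auto-enable for new accounts and enables all
scanning on the existing ones. Clients are parameters so the logic can be
checked offline with fakes.
"""

# Scan types behind the console's "Enable (all scanning)" action, mapped to
# the keys used by the organization auto-enable setting.
ALL_SCANNING = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda"}


def delegate_inspector_admin(insp_mgmt, admin_account_id):
    """Console steps 5-7 (management-account credentials)."""
    insp_mgmt.enable_delegated_admin_account(delegatedAdminAccountId=admin_account_id)
    return admin_account_id


def enable_inspector_for_org(insp_admin, account_ids, resource_types=tuple(ALL_SCANNING)):
    """Console steps 9-11 (delegated-administrator credentials).

    Returns (enabled_ids, failed) where `failed` maps an account id to the
    error code Inspector reported, so partial failures are not silently lost.
    """
    # "Automatically enable Inspector for a new account", then Save. The API
    # requires the ec2 and ecr keys, so the default covers all three types.
    insp_admin.update_organization_configuration(
        autoEnable={ALL_SCANNING[rt]: True for rt in resource_types}
    )
    # Enable the selected scanning on the existing accounts; the Enable API
    # takes up to 100 account ids per call.
    enabled, failed = [], {}
    for start in range(0, len(account_ids), 100):
        resp = insp_admin.enable(
            accountIds=list(account_ids[start:start + 100]),
            resourceTypes=list(resource_types),
        )
        enabled.extend(a["accountId"] for a in resp.get("accounts", []))
        for f in resp.get("failedAccounts", []):
            failed[f["accountId"]] = f.get("errorCode", "UNKNOWN")
    return enabled, failed


def inspector_gaps(insp_admin, account_ids):
    """Verification: return the accounts whose Inspector state is not ENABLED.

    Run this after enabling (states pass through ENABLING first) to confirm
    that no account in the organization has been skipped.
    """
    gaps = []
    for start in range(0, len(account_ids), 100):
        resp = insp_admin.batch_get_account_status(
            accountIds=list(account_ids[start:start + 100])
        )
        for acct in resp.get("accounts", []):
            if acct["state"]["status"] != "ENABLED":
                gaps.append(acct["accountId"])
    return gaps


if __name__ == "__main__":
    import boto3  # imported here so the functions above also work offline

    # Placeholders (assumptions): replace with your own values. The account
    # ids would normally come from Organizations ListAccounts.
    ADMIN_ACCOUNT_ID = "111111111111"
    ACCOUNT_IDS = ["222222222222", "333333333333"]
    REGION = "us-west-2"
    mgmt = boto3.Session(profile_name="org-management", region_name=REGION)
    admin = boto3.Session(profile_name="inspector-admin", region_name=REGION)

    delegate_inspector_admin(mgmt.client("inspector2"), ADMIN_ACCOUNT_ID)
    enabled, failed = enable_inspector_for_org(admin.client("inspector2"), ACCOUNT_IDS)
    print("enabled:", enabled, "failed:", failed)
    print("not yet ENABLED:", inspector_gaps(admin.client("inspector2"), ACCOUNT_IDS))
```

Inspector, like GuardDuty, is regional; rerun the enablement in each region that should be scanned, and treat a non-empty result from the gap check as a gap in coverage rather than a transient condition once the ENABLING state has settled.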
AWS Security Hub
The procedure below guides you through enabling Security Hub across the organization.
1) Open AWS console and login with the admin organization account.
2) Open the Security Hub console at https://console.aws.amazon.com/securityhub/ or search for Security Hub in the console search bar.
3) Select the Go to Security Hub button on the top right of the screen as seen below.
4) Now the configuration of Security Hub for the organization can be started.
5) To enable Security Hub inside the organization, a member account must be delegated as administrator.
Consult the AWS guide to make sure there are sufficient permissions: https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
6) This account will have Security Hub enabled and be assigned to administer Security Hub for the organization. The Security Hub security standards need not be enabled; they are out of scope for this guide.
FortiCNP only uses the finding aggregation features of Security Hub and provides CSPM functionality similar to the Security Hub security standards.
7) Copy the account ID of the delegated administrator into the blank field, then select the Delegate button, as shown in the picture below.
8) The confirmation can be seen at the bottom of the page.
9) Select Enable Security Hub button and the Security Hub configuration page can be seen.
10) At the top of the page, two messages are shown: one about enabling Security Hub for the organization and one about managing the findings from a single region.
11) Select the Settings button and select Enable to activate Security Hub for the whole organization.
12) Select Enable button.
13) Now Security Hub is enabled across the organization.
14) Select the Configure finding aggregation link at the top of the page.
15) Select the Configure finding aggregation button.
16) Select US-WEST-2 for Global(US) or EU-WEST-1 for EU as the region of aggregation (These regions are used by FortiCNP), and select all regions below.
17) Scroll down and select Link future Regions, and select Save.
Congratulations. Security Hub and finding aggregation across the organization have been enabled.
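The Security Hub procedure above with the SDK, as an added example for this guide (not Fortinet's or AWS's code). It uses the boto3 securityhub client with the real method names; profile names and account ids are placeholders. It follows the guide's choices: the default security standards are not enabled (FortiCNP covers CSPM), auto-enable is turned on for the organization, existing accounts are added as members, and the finding aggregator links all current and future Regions ("Link future Regions"). Security Hub is regional, so the delegated-admin client must be created in the aggregation region the guide names for FortiCNP. A final check lists members whose status is not yet Enabled.

```python
"""Enable AWS Security Hub and finding aggregation across an AWS Organization.

Added example mirroring the console steps above with boto3. The management
account delegates the administrator; the delegated administrator enables
Security Hub without the default standards, turns on auto-enable for the
organization, adds the existing accounts as members and creates the finding
aggregator. Clients are parameters so the logic can be checked offline.
"""

# Aggregation regions used by FortiCNP, as stated in step 16 above.
FORTICNP_AGGREGATION_REGION = {"global": "us-west-2", "eu": "eu-west-1"}


def delegate_securityhub_admin(sh_mgmt, admin_account_id):
    """Console steps 5-7 (management-account credentials)."""
    sh_mgmt.enable_organization_admin_account(AdminAccountId=admin_account_id)
    return admin_account_id


def enable_securityhub_for_org(sh_admin, admin_account_id, accounts):
    """Console steps 9-17 (delegated-admin credentials, aggregation region).

    Returns (aggregator_arn, member_account_ids).
    """
    # Step 9: enable Security Hub in the admin account. The security standards
    # are out of scope here, so the defaults are not enabled. (The call raises
    # ResourceConflictException if Security Hub is already enabled.)
    sh_admin.enable_security_hub(EnableDefaultStandards=False)

    # Steps 11-12: auto-enable Security Hub for current and future members,
    # again without the default standards.
    sh_admin.update_organization_configuration(AutoEnable=True, AutoEnableStandards="NONE")

    # Add the existing accounts as members (CreateMembers takes up to 50 per
    # call); the administrator account is not its own member.
    members = [a for a in accounts if a["AccountId"] != admin_account_id]
    for start in range(0, len(members), 50):
        sh_admin.create_members(AccountDetails=members[start:start + 50])

    # Steps 14-17: aggregate findings from all current and future Regions into
    # this client's Region, the "Link future Regions" option of the console.
    agg = sh_admin.create_finding_aggregator(RegionLinkingMode="ALL_REGIONS")
    return agg["FindingAggregatorArn"], [m["AccountId"] for m in members]


def securityhub_gaps(sh_admin, expected_account_ids):
    """Verification: expected members whose MemberStatus is not 'Enabled'."""
    status = {}
    for page in sh_admin.get_paginator("list_members").paginate(OnlyAssociated=True):
        for m in page.get("Members", []):
            status[m["AccountId"]] = m.get("MemberStatus")
    return [a for a in expected_account_ids if status.get(a) != "Enabled"]


if __name__ == "__main__":
    import boto3  # imported here so the functions above also work offline

    # Placeholders (assumptions): replace with your own values. The account
    # list would normally come from Organizations ListAccounts.
    ADMIN_ACCOUNT_ID = "111111111111"
    ACCOUNTS = [{"AccountId": "222222222222", "Email": "dev@example.com"}]
    region = FORTICNP_AGGREGATION_REGION["global"]
    mgmt = boto3.Session(profile_name="org-management", region_name=region)
    admin = boto3.Session(profile_name="securityhub-admin", region_name=region)

    delegate_securityhub_admin(mgmt.client("securityhub"), ADMIN_ACCOUNT_ID)
    arn, members = enable_securityhub_for_org(
        admin.client("securityhub"), ADMIN_ACCOUNT_ID, ACCOUNTS
    )
    print("finding aggregator:", arn)
    print("members not yet Enabled:", securityhub_gaps(admin.client("securityhub"), members))
```

Only the aggregation region is configured by this script; findings from the other Regions reach it through the aggregator once Security Hub is enabled there. The gap check is worth scheduling, since a member that stays in a status other than Enabled is an account whose findings FortiCNP will not see.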
Copyright 2025 Fortinet, Inc. All Rights Reserved.