DOC: updated readme

examples/baseline-resources/README.md

@@ -7,3 +7,6 @@
 - enable securityhub
 - disable s3 public access
 - require EBS encryption
+
+## If AWS organisation is in use
+If you are using AWS organisation, setup delegated admin for guardduty and securityhub. This allows centralised management.

examples/baseline-resources/main.tf

@@ -20,20 +20,28 @@ module "delete-default-vpcs" {
 }
 
 module "enable-aws-config" {
-  # enable aws config in all regions
+  # enable aws config in all regions and setup aggregation
   source = "../../modules/security_identity_compliance/aws_config"
   resource-prefix = local.resource-prefix
   default-tags  = local.default-tags
 }
 
 module "enable-guardduty" {
-  # enable guardduty
+  /* enable guardduty
+  If you are using AWS organisation, GD delegated admin should be configured
+  on the landing zone security account. This allows centralised management.
+  See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
+  */
   source = "../../modules/security_identity_compliance/guardduty"
   default-tags = local.default-tags
 }
 
 module "enable-securityhub" {
-  # enable security hub
+  /* enable security hub
+  If you are using AWS organisation, SH deleted admin should be configured
+  on the landing zone security account. This allows centralised management.
+  https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
+  */
   source = "../../modules/security_identity_compliance/security_hub"
 }