Description: 

Amazon GuardDuty is a security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected, potentially unauthorized and malicious activity within your AWS environment.


Rationale: 

GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a Region that has never been used before, or unusual API calls, such as a password policy change that reduces password strength.


Impact:

When GuardDuty is enabled it helps you find malicious activity and unauthorized behaviour in your AWS environment. Because it works only from the log data listed above, enabling it does not affect the performance or reliability of your applications or infrastructure.


Default Value: 

By default, GuardDuty is not enabled on your AWS Infrastructure.


Pre-Requisite:

Amazon GuardDuty is a regional service and must be enabled in every region where you have resources, including for the purpose of monitoring AWS CloudTrail events for global AWS services such as IAM.


Remediation:


Test Plan:

  1. Sign in to the AWS Console

  2. Go to the region you want to check

  3. Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. If the GuardDuty home page shows “GET STARTED”, GuardDuty has not been enabled in that region

  5. Repeat steps 1 to 4 for all AWS regions


Using AWS CLI:

  • Run the list-detectors command with a custom query filter to list the IDs of all existing Amazon GuardDuty detectors. A detector is an object that represents the GuardDuty service in a region; a detector must be created for GuardDuty to become operational.

aws guardduty list-detectors --region us-east-1 --query 'DetectorIds'

  • The command output should return an array with the requested detector ID(s); in this example it returns an empty array: []

    If the list-detectors command output returns an empty array (as shown in the example above), there are no GuardDuty detectors available, therefore the Amazon GuardDuty service is not enabled within your AWS account.

  • Change the AWS region by updating the --region command parameter value and repeating the above steps to perform the audit process for other regions.
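As an added example (not part of this benchmark text or the AWS CLI documentation), the following POSIX shell script carries the CLI audit above across every region in one run and also catches a detector that exists but has been suspended, which the empty-array check alone misses. The `aws` subcommands are the real ones named in this section plus `get-detector` and `ec2 describe-regions`; the function names are this example's own.

```shell
# Added example, not part of the original benchmark: audits GuardDuty per
# region from the CLI. Assumes AWS CLI v2 plus ec2:DescribeRegions,
# guardduty:ListDetectors and guardduty:GetDetector permissions.
set -eu

# Print the GuardDuty state of one region:
#   NOT_CONFIGURED  no detector exists (list-detectors returns [])
#   ENABLED         a detector exists and is active
#   DISABLED        a detector exists but GuardDuty was suspended
guardduty_state() {
  region="$1"
  # With --output text an empty DetectorIds array prints "None".
  detector_id=$(aws guardduty list-detectors --region "$region" \
    --query 'DetectorIds[0]' --output text)
  if [ -z "$detector_id" ] || [ "$detector_id" = "None" ]; then
    echo NOT_CONFIGURED
    return 0
  fi
  # An empty array is not the only failure mode: a suspended detector
  # still has an ID, so the Status field decides compliance.
  aws guardduty get-detector --region "$region" \
    --detector-id "$detector_id" --query 'Status' --output text
}

# Audit the given regions (or every region enabled for the account when
# none are given). Prints "region state" per line; returns 1 if any
# region is not ENABLED so the result can drive a compliance check.
audit_regions() {
  if [ "$#" -eq 0 ]; then
    # Word splitting on the text output is intentional here.
    set -- $(aws ec2 describe-regions \
      --query 'Regions[].RegionName' --output text)
  fi
  noncompliant=0
  for region in "$@"; do
    state=$(guardduty_state "$region")
    printf '%-16s %s\n' "$region" "$state"
    [ "$state" = ENABLED ] || noncompliant=$((noncompliant + 1))
  done
  if [ "$noncompliant" -gt 0 ]; then return 1; fi
  return 0
}

# Run as a script: sh guardduty_audit.sh --all   (or a list of regions).
# With no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
  if [ "$1" = "--all" ]; then shift; fi
  audit_regions "$@"
fi
```

A region reported as DISABLED corresponds to the “Suspend GuardDuty” setting in the Backout Plan; it still has a detector ID, so list-detectors alone would pass it.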


Implementation Steps:

  1. Sign in to the AWS Console

  2. Change the region to where you want to deploy GuardDuty

  3. Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. Click on “Get started”

  5. Click on “Enable GuardDuty”

  6. Repeat steps 2 to 5 in every region where you want to deploy GuardDuty


Using AWS CLI:

This command creates a new detector, which enables GuardDuty, in the region selected by the AWS CLI configuration or the --region parameter:

aws guardduty create-detector --enable

Backout Plan:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, under Settings, choose General.

  3. Choose either Suspend GuardDuty or Disable GuardDuty.

  4. Then choose Save settings.


Note

  • GuardDuty findings can be exported to an S3 bucket.

  • Amazon GuardDuty can integrate closely with AWS Security Hub for an all-around picture of your security posture within your AWS accounts.

  • GuardDuty can export active findings to CloudWatch Events (automation) or Amazon S3 buckets (auditing). Remember, this is a regional setting and is not enabled by default!

  • Each GuardDuty finding has an assigned severity level and value that reflects the potential risk the finding could pose to your network, as determined by AWS security engineers. The severity value falls within the 0.1 to 8.9 range, with higher values indicating greater security risk. To help you determine a response to a potential security issue highlighted by a finding, GuardDuty breaks this range down into High, Medium, and Low severity levels.


Reference: