Amazon GuardDuty is a continuous security monitoring service that analyses and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.
Enabling GuardDuty in every Region generates findings of unauthorized or unusual activity even in Regions that you are not actively using, and it also allows GuardDuty to monitor AWS CloudTrail events for global AWS services such as IAM.
By default, GuardDuty is not enabled on your AWS Infrastructure.
Amazon GuardDuty is a Regional service: a detector enabled in one Region monitors only that Region, so it must be enabled in all Regions where you have resources and in every Region where AWS CloudTrail events for global AWS services like IAM could be recorded.
Using AWS CLI:
- Run the list-detectors command with a --query filter to list the IDs of all existing Amazon GuardDuty detectors in the Region. A detector is the object that represents the GuardDuty service in a Region; a detector must exist (and be enabled) for GuardDuty to be operational there.
aws guardduty list-detectors --region us-east-1 --query 'DetectorIds'
The command output is a JSON array of the detector ID(s) found in that Region.
If the list-detectors command output returns an empty array ([]), there are no GuardDuty detectors in that Region, therefore the Amazon GuardDuty service is not enabled there for your AWS account.
- Change the AWS Region by updating the --region parameter value and repeat the above steps to audit every other Region enabled for your account.
Using AWS CLI:
This command creates a new detector, which enables GuardDuty, in the Region selected by --region (or the default Region of your CLI profile); repeat it in every Region where the audit found no detector.
aws guardduty create-detector --enable
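The audit and remediation steps above, combined into one script that walks every Region enabled for the account, reports which ones have no detector, and optionally creates one. This is an added example and not code from the original page or from AWS; it assumes AWS CLI v2 with credentials permitted to call ec2:DescribeRegions, guardduty:ListDetectors and guardduty:CreateDetector, and the function names, the sample JSON and the FIFTEEN_MINUTES publishing frequency are choices of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit every enabled Region for a
# GuardDuty detector and, with the "apply" argument, create one where missing.
set -eu

# Decide from the JSON printed by
#   aws guardduty list-detectors --query 'DetectorIds' --output json
# whether the Region lacks a detector. Returns 0 (true) when the array is
# empty, absent or null, i.e. GuardDuty is NOT enabled in that Region.
detector_missing() {
  local compact
  compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
  case "$compact" in
    ''|'[]'|null) return 0 ;;
    *) return 1 ;;
  esac
}

# Count detector IDs in the same JSON: one quoted string per array element.
detector_count() {
  printf '%s' "$1" | tr ',' '\n' | grep -c '"' || true
}

# Audit one Region and print a status line.
# $1 = Region name, $2 = "apply" to remediate (default "audit" only reports).
check_region() {
  local region mode ids
  region=$1
  mode=${2:-audit}
  ids=$(aws guardduty list-detectors --region "$region" \
          --query 'DetectorIds' --output json)
  if detector_missing "$ids"; then
    echo "$region: NOT ENABLED (no detector)"
    if [ "$mode" = apply ]; then
      # Create and enable a detector; prints the new detector ID.
      aws guardduty create-detector --region "$region" --enable \
        --finding-publishing-frequency FIFTEEN_MINUTES \
        --query 'DetectorId' --output text
    fi
  else
    echo "$region: enabled ($(detector_count "$ids") detector(s))"
  fi
}

# Only Regions enabled for this account are returned without --all-regions,
# so opted-out Regions are not reported as missing detectors.
list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

main() {
  local r
  for r in $(list_regions); do
    check_region "$r" "$1"
  done
}

# Run the live audit only when asked explicitly; otherwise just define
# the functions (e.g. when the file is sourced or tested).
case "${1:-}" in
  audit|apply) main "$1" ;;
esac
```

Run it as `sh guardduty-audit.sh audit` to report per-Region status, and `sh guardduty-audit.sh apply` to create a detector in every Region that lacks one. The live calls are isolated in check_region and list_regions, so the parsing helpers can be exercised on captured JSON without credentials.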