Description: 

Amazon GuardDuty is a continuous security monitoring service that analyses and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.


Rationale: 

GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.


Impact:

Enabling GuardDuty can generate findings of unauthorized or unusual activity even in Regions that you are not actively using. This also allows GuardDuty to monitor AWS CloudTrail events for global AWS services such as IAM. 


Default Value: 

By default, GuardDuty is not enabled on your AWS Infrastructure.


Audit:

  1. Sign in to the AWS Console

  2. Go to the region you want to check

  3. Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. If the GuardDuty home page shows “GET STARTED”, GuardDuty has not been enabled in that region

  5. Repeat steps 1 to 4 for all AWS Regions
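The same audit, scripted rather than clicked through per region. This is an added example and not part of the benchmark text; it assumes boto3, configured AWS credentials, and ec2:DescribeRegions plus guardduty:ListDetectors/GetDetector permissions for the live run, and ships with a constructed sample so the evaluation logic can be exercised offline.

```python
"""Audit GuardDuty in every region from a script (added example, not part of
the benchmark text). Live run assumes boto3, AWS credentials and the
ec2:DescribeRegions, guardduty:ListDetectors, guardduty:GetDetector rights."""
from typing import Dict, List


def evaluate_region(detectors: List[dict]) -> str:
    """No detector is what the console shows as "GET STARTED" (audit step 4);
    a detector whose Status is DISABLED was suspended and monitors nothing."""
    if not detectors:
        return "NOT_ENABLED"
    if any(d.get("Status") == "ENABLED" for d in detectors):
        return "ENABLED"
    return "SUSPENDED"


def audit(by_region: Dict[str, List[dict]]) -> Dict[str, str]:
    """Map each region to its state, keeping only regions that fail the control."""
    states = {region: evaluate_region(d) for region, d in by_region.items()}
    return {r: s for r, s in sorted(states.items()) if s != "ENABLED"}


def collect_detectors(session) -> Dict[str, List[dict]]:
    """Live collection with boto3; DescribeRegions lists only opted-in regions."""
    ec2 = session.client("ec2", region_name="us-east-1")  # any region answers DescribeRegions
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    result = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        result[region] = [gd.get_detector(DetectorId=i) for i in ids]
    return result


# Constructed sample standing in for a live account so the logic runs offline.
SAMPLE = {
    "us-east-1": [{"Status": "ENABLED"}],
    "eu-west-1": [],                         # never enabled: "GET STARTED"
    "ap-south-1": [{"Status": "DISABLED"}],  # suspended via the backout plan
}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3
        data = collect_detectors(boto3.session.Session())
    else:
        data = SAMPLE
    for region, state in audit(data).items():
        print(f"{region}: GuardDuty {state}")
```

Run with `--live` to query the account; without it the constructed sample reports eu-west-1 and ap-south-1 as failing the control.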


Remediation:

Pre-Requisite:

Amazon GuardDuty is Region-dependent and must be enabled in every Region where you have resources, which also lets it monitor AWS CloudTrail events for global AWS services such as IAM.

Implementation Steps:

  1. Sign in to the AWS Console

  2. Change the region to where you want to deploy GuardDuty

  3. Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. Click on “Get Started”

  5. Click on “Enable GuardDuty”

  6. Repeat steps 2 to 5 in the regions where you want to deploy GuardDuty


Backout Plan:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, under Settings, choose General.

  3. Choose either Suspend GuardDuty or Disable GuardDuty.

  4. Then choose Save settings.


Note:

  • GuardDuty findings can be exported to an S3 bucket

  • Amazon GuardDuty can integrate closely with AWS Security Hub for an all-around picture of your security posture within your AWS accounts.

  • GuardDuty can export active findings to CloudWatch Events (automation) or Amazon S3 buckets (auditing). Remember, this is a regional setting and is not enabled by default!

  • Each GuardDuty finding has an assigned severity level and value that reflects the potential risk the finding could pose to your network, as determined by AWS security engineers. The severity value can fall anywhere within the 0.1 to 8.9 range, with higher values indicating greater security risk. To help you determine a response to a potential security issue highlighted by a finding, GuardDuty breaks this range down into High, Medium, and Low severity levels.


Reference: