Description: 

Amazon GuardDuty is a continuous security monitoring service that analyses and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.


Rationale: 

GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.


Impact:

Enabling GuardDuty can generate findings of unauthorized or unusual activity even in Regions that you are not actively using. This also allows GuardDuty to monitor AWS CloudTrail events for global AWS services such as IAM. 


Default Value: 

By default, GuardDuty is not enabled on your AWS Infrastructure.

Pre-Requisite:

Amazon GuardDuty is Region dependent and must be enabled in all regions where you have resources, to monitor AWS CloudTrail events for global AWS Services like IAM.

Remediation:


Test Plan:

  1. Sign in to the AWS Console

  2. Go to the region you want to check

  3.  Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. On the GuardDuty home page if it shows “GET STARTED” on the GuardDuty HOME page, it means that it has not been enabled in that region

  5. Repeat this step 1 to 4 for all AWS REGIONS


Using AWS CLI:

  • Run list-detectors command using custom query filters to list the IDs of all the existing Amazon GuardDuty detectors. A detector is an object that represents the AWS GuardDuty service. A detector must be created for GuardDuty to become operational
aws guardduty list-detectors  --region us-east-1 --query 'DetectorIds'
  • The command output should return an array with the requested detector ID(s): []

    If the list-detectors command output returns an empty array (as shown in the example above), there are no GuardDuty detectors available, therefore the Amazon GuardDuty service is not enabled within your AWS account.


  • Change the AWS region by updating the --region command parameter value and repeating the above steps to perform the audit process for other regions.


Implementation Steps:

  1. Sign in to the AWS Console

  2. Change the region to where you want to deploy GuardDuty

  3.  Go to the GuardDuty Service by clicking on the link console.aws.amazon.com/guardduty/home

  4. Click on get started

  5. Click on “Enable GuardDuty”


  6. Repeat the steps 2 to 5 on the regions where you want to deploy GuardDuty


Using AWS CLI:

This command is used to create a new detector, which enables GuardDuty, in the current region 

aws guardduty create-detector --enable

Backout Plan:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, under Settings, choose General.

  3. Choose either Suspend GuardDuty or Disable GuardDuty

  4. Then choose Save settings.


Note

  •  GuardDuty findings can be exported to an S3 bucket

  • Amazon GuardDuty can integrate closely with AWS Security Hub for an all-around picture of your security posture within your AWS accounts.

  • GuardDuty can export active findings to CloudWatch Events (automation) or Amazon S3 buckets (auditing). Remember, this is a regional setting and is not enabled by default!

  • Each GuardDuty finding has an assigned severity level and value that reflects the potential risk the finding could have to your network as determined by our security engineers. The value of the severity can fall anywhere within the 0.1 to 8.9 range, with higher values indicating greater security risk. To help you determine a response to a potential security issue that is highlighted by a finding, GuardDuty breaks down this range into, High, Medium, and Low severity levels. 


Reference: