Description: 

Amazon GuardDuty is a continuous security monitoring service that analyses and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

Rationale: 

GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.

Impact:

Enabling GuardDuty can generate findings of unauthorized or unusual activity even in Regions that you are not actively using. This also allows GuardDuty to monitor AWS CloudTrail events for global AWS services such as IAM. 

Default Value: 

By default, GuardDuty is not enabled on your AWS Infrastructure.


Pre-Requisite:

Amazon GuardDuty is Region-dependent and must be enabled in every Region where you have resources; enabling it in all Regions is also what lets it monitor AWS CloudTrail events for global AWS services such as IAM.

Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty.

  3. In the left navigation panel, select Findings.

  4. Check whether any findings are listed on the current page.

  5. If findings are present, follow the Implementation Steps below to examine and remediate them.


Using AWS CLI:

aws guardduty list-findings --detector-id 12abc34d567e8fa901bc2d34eexample 


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty.

  3. In the left navigation panel, select Findings.

  4. Click the GuardDuty finding that you want to examine to expand the finding details panel.

  5. Analyze the selected AWS GuardDuty finding.

  6. The details panel shows which account is affected (by account ID), the severity level of the finding, and the recommended remediation steps.

  7. Based on the information returned in the previous step, analyze the selected finding and make a plan to implement the recommended fix (see the Remediation/Resolution section).

  8. Repeat steps 4 – 7 to check and analyze the other Amazon GuardDuty findings available in the current Region.

  9. Change the AWS Region from the navigation bar and repeat the process for all Regions.


Using AWS CLI:

  1. Retrieve the full details of a finding returned by the Test Plan (replace the detector ID and finding ID with your own), then analyze it and make a plan to implement the recommended fix (see the Remediation/Resolution section).

    aws guardduty get-findings --detector-id 12abc34d567e8fa901bc2d34eexample --finding-id 1ab92989eaf0e742df4a014d5example
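The Test Plan and Implementation Steps above walk every Region, list findings, and then read each finding's account, severity and type. The script below is an added example that does the same triage in code; it is not part of this benchmark or of AWS tooling. `triage()` and `summarize_by_account()` run offline on the JSON shape that `aws guardduty get-findings` returns (the sample findings are constructed: the account and finding IDs and counts are made up, the finding types are real GuardDuty types). `collect_findings()` is the live path and assumes boto3 with credentials allowed to call the GuardDuty List/Get APIs; it obtains the detector ID per Region the same way `aws guardduty list-detectors` does, so no detector ID has to be pasted in. Severity bands follow the GuardDuty ranges (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0 and above).

```python
"""Triage Amazon GuardDuty findings across Regions, accounts and severities.

Added example for this benchmark item, not the benchmark's own tooling.
triage()/summarize_by_account() work offline on get-findings JSON;
collect_findings() assumes boto3 and read access to GuardDuty in each Region.
"""
import sys

# GuardDuty severity bands for the numeric "Severity" field, highest first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low"))

# Constructed sample findings, trimmed to the fields triage() reads.
# IDs, account numbers and counts are made up; the finding types are real.
SAMPLE_FINDINGS = [
    {"Id": "f-sample-0001", "AccountId": "111122223333", "Region": "us-east-1",
     "Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 2.0,
     "Resource": {"ResourceType": "AccessKey"}, "Service": {"Count": 1}},
    {"Id": "f-sample-0002", "AccountId": "444455556666", "Region": "eu-west-1",
     "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Resource": {"ResourceType": "AccessKey"}, "Service": {"Count": 12}},
    {"Id": "f-sample-0003", "AccountId": "111122223333", "Region": "us-east-1",
     "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance"}, "Service": {"Count": 37}},
]


def severity_label(score):
    """Map GuardDuty's numeric severity to its named band."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "Informational"


def triage(findings):
    """Reduce get-findings records to the fields step 6 asks for, highest severity first."""
    rows = [{
        "id": f["Id"],
        "account": f["AccountId"],
        "region": f["Region"],
        "type": f["Type"],
        "severity": f["Severity"],
        "label": severity_label(f["Severity"]),
        "resource": f["Resource"]["ResourceType"],
        "count": f["Service"]["Count"],   # how many times the activity was seen
    } for f in findings]
    rows.sort(key=lambda r: (-r["severity"], r["account"]))
    return rows


def summarize_by_account(rows):
    """Map account ID -> {severity label: number of findings}."""
    summary = {}
    for r in rows:
        per_account = summary.setdefault(r["account"], {})
        per_account[r["label"]] = per_account.get(r["label"], 0) + 1
    return summary


def collect_findings(session, severity_floor=4):
    """Live path: walk every GuardDuty Region and return get-findings records.

    `session` is a boto3.Session (assumed). Regions where GuardDuty is not
    enabled return no detector IDs and are skipped; Regions the account has
    not opted into raise, and are reported and skipped.
    """
    collected = []
    for region in session.get_available_regions("guardduty"):
        gd = session.client("guardduty", region_name=region)
        try:
            detector_ids = gd.list_detectors().get("DetectorIds", [])
        except Exception as exc:  # e.g. Region not enabled for this account
            print(f"{region}: skipped ({exc})", file=sys.stderr)
            continue
        for detector_id in detector_ids:
            ids, kwargs = [], {
                "DetectorId": detector_id,
                # Same filter shape as --finding-criteria on the CLI.
                "FindingCriteria": {"Criterion": {"severity": {"Gte": severity_floor}}},
            }
            while True:  # list-findings is paginated with NextToken
                page = gd.list_findings(**kwargs)
                ids.extend(page["FindingIds"])
                if not page.get("NextToken"):
                    break
                kwargs["NextToken"] = page["NextToken"]
            for i in range(0, len(ids), 50):  # get-findings takes up to 50 IDs per call
                resp = gd.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + 50])
                collected.extend(resp["Findings"])
    return collected


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # assumed installed and configured when --live is used
        findings = collect_findings(boto3.Session())
    else:
        findings = SAMPLE_FINDINGS
    for r in triage(findings):
        print(f'{r["label"]:<8} {r["severity"]:>4} {r["account"]} {r["region"]:<14} '
              f'{r["type"]} ({r["resource"]}, seen {r["count"]}x) {r["id"]}')
    for account, counts in summarize_by_account(triage(findings)).items():
        print(f"account {account}: {counts}")
```

Run without arguments it prints the constructed sample ordered High, Medium, Low; with `--live` it performs the same walk the Test Plan describes, and the per-account summary is the quickest way to see which accounts carry High or Critical findings that need a remediation plan first.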


Reference:

  1. guardduty — AWS CLI 2.4.27 Command Reference 

  2. Understanding Amazon GuardDuty findings - Amazon GuardDuty 

  3. Finding types - Amazon GuardDuty