Profile Applicability:

  • Level 1

Description:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment. It analyzes data from sources such as VPC flow logs, CloudTrail management and data events, and DNS query logs to identify potential threats. GuardDuty RDS Protection extends that coverage to databases by analyzing login activity to supported Amazon Aurora and Amazon RDS database engines, detecting threats such as brute-force login attempts, successful logins from unusual or known-malicious sources, and other anomalous access patterns. It is a threat detection plan, not a configuration scanner: it does not report database misconfigurations.

Ensuring that GuardDuty RDS Protection is enabled means that suspicious login activity against your RDS databases is detected and surfaced as GuardDuty findings without installing agents or modifying the databases, so that compromised or brute-forced credentials are noticed rather than silently used.

Rationale:

Enabling GuardDuty RDS protection is crucial for:

  • Security: Detects potential threats targeting your RDS databases, such as brute-force attacks or unauthorized access.

  • Compliance: Helps meet compliance requirements for database security, as it ensures that monitoring and threat detection are in place for RDS resources.

  • Proactive Threat Detection: Surfaces anomalous login activity early (for example, a run of failed logins followed by a success from a new source), allowing you to rotate credentials or block the source before the access is abused further.

  • Operational Awareness: Provides continuous monitoring and alerts, keeping your team informed of any suspicious activity in real-time.

Impact:

Pros:

  • Improved Database Security: Provides automated detection of credential-based threats targeting RDS databases, such as brute-force and anomalous logins.

  • Operational Efficiency: Reduces the need for manual security monitoring, automatically detecting and alerting the team of malicious activity.

  • Compliance: Helps you meet security standards by ensuring that GuardDuty RDS protection is active for RDS resources.

Cons:

  • Cost: RDS Protection is a protection plan billed separately from the base GuardDuty charge, so enabling it adds to the GuardDuty bill in proportion to the database login activity analyzed; review the GuardDuty usage statistics after enabling it.

  • False Positives: Some legitimate activity (for example, a new application server logging in from a new network) may trigger findings, so the team should review findings regularly and add suppression rules for known-good sources.

Default Value:

RDS Protection is a per-account, per-region GuardDuty protection plan. It is not enabled automatically on GuardDuty detectors that already exist, and GuardDuty itself is not active in an account until it is explicitly enabled, so the state must be verified in every region in use rather than assumed.

Pre-requisite:

  • AWS IAM Permissions:

    • guardduty:ListDetectors

    • guardduty:GetDetector

    • guardduty:UpdateDetector

    • guardduty:CreateDetector (only if GuardDuty is not yet enabled in the region)

  • AWS CLI installed and configured.

  • Amazon GuardDuty must be enabled in every region in which RDS Protection is to be checked; detectors are regional.

  • Supported Amazon Aurora or Amazon RDS database instances or clusters must exist in the region; RDS Protection only produces findings for supported engines.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to GuardDuty under Services.

  3. On the GuardDuty summary page, confirm that GuardDuty is enabled in the selected region. Detectors are regional, so repeat the check for every region in use.

  4. In the left navigation pane, under Protection plans, choose RDS Protection:

    • Confirm that the status for the current account shows Enabled.

    • In an AWS Organizations setup, check from the delegated GuardDuty administrator account that RDS Protection is enabled (or set to auto-enable) for member accounts.

  5. Verify that findings can flow: under Settings, use Generate sample findings and confirm that RDS finding types (those prefixed CredentialAccess:RDS/ and Discovery:RDS/) appear on the Findings page.

Using AWS CLI:

Detectors are regional, so run the following in every region in use (add --region <region> as needed). To list the GuardDuty detectors and confirm that GuardDuty is enabled, run:

aws guardduty list-detectors

An empty DetectorIds list means GuardDuty is not enabled in that region. To describe the detector and check whether RDS Protection is enabled, run:

aws guardduty get-detector --detector-id <detector-id>

In the output, confirm that Status is ENABLED for the detector itself, then locate the entry in the Features list whose Name is RDS_LOGIN_EVENTS; its Status must be ENABLED. If no RDS_LOGIN_EVENTS entry is present, or its Status is DISABLED, RDS Protection is not enabled. (There is no RdsProtectionEnabled field; the feature list is the authoritative indicator.)

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to GuardDuty in the region to be remediated.

  2. In the left navigation pane, under Protection plans, choose RDS Protection.

  3. If the status is not Enabled, choose Enable. From the delegated GuardDuty administrator account, you can also choose to enable it for all member accounts and to auto-enable it for accounts that join later.

  4. Confirm the change and verify that the status now shows Enabled.

Using AWS CLI:

If GuardDuty is not enabled in the region, create a detector with RDS Protection turned on from the start:

aws guardduty create-detector --enable --features '[{"Name":"RDS_LOGIN_EVENTS","Status":"ENABLED"}]'

To enable RDS Protection on an existing detector, run:

aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"RDS_LOGIN_EVENTS","Status":"ENABLED"}]'

Note that update-detector --enable on its own only keeps the detector active; it does not turn on RDS Protection. In an AWS Organizations setup, the delegated administrator can instead set RDS_LOGIN_EVENTS to auto-enable for all member accounts with update-organization-configuration.

Confirm that RDS Protection is enabled by describing the detector and checking that the RDS_LOGIN_EVENTS entry under Features shows Status ENABLED:

aws guardduty get-detector --detector-id <detector-id>

Backout Plan:

If enabling GuardDuty RDS Protection causes issues (for example, an unexpected volume of findings or cost):

Identify the detector in the affected region with aws guardduty list-detectors.

Disable RDS Protection only, leaving the rest of GuardDuty running, by running:

aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"RDS_LOGIN_EVENTS","Status":"DISABLED"}]'

Do not use update-detector --no-enable for this purpose: that suspends the entire detector and all other protection plans, not just RDS Protection.

Verify that RDS Protection has been disabled by describing the detector again and confirming that the RDS_LOGIN_EVENTS entry under Features shows Status DISABLED:

aws guardduty get-detector --detector-id <detector-id>
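The test plan, implementation and backout steps above all turn on one check: does the detector in each region carry an RDS_LOGIN_EVENTS feature with Status ENABLED, and what payload flips it. The script below is an added example written for this page, not AWS code or part of the benchmark; it evaluates get-detector output offline against constructed sample responses, builds the --features payload used by update-detector, and (only when run against a real account) walks every region with boto3. The region names, the SAMPLE_REGIONS data and the function names are assumptions made for the example.

```python
"""Audit GuardDuty RDS Protection per region and build the remediation payload.

Added example for this page. SAMPLE_REGIONS is constructed test data, not
captured from a real account; live_audit_and_remediate() is the only part
that talks to AWS and it is not invoked unless you call it yourself.
"""
import json
from typing import Any, Dict, List, Optional

RDS_FEATURE = "RDS_LOGIN_EVENTS"  # feature name GuardDuty uses for RDS Protection


def rds_protection_status(detector: Dict[str, Any]) -> Optional[str]:
    """Return the Status ("ENABLED"/"DISABLED") of the RDS_LOGIN_EVENTS feature
    from a get-detector response, or None when no such entry is present
    (a detector that predates the plan may list nothing until it is set)."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == RDS_FEATURE:
            return feature.get("Status")
    return None


def evaluate_region(detectors: List[Dict[str, Any]]) -> str:
    """Classify one region from the get-detector responses for every detector
    id returned by list-detectors (normally zero or one)."""
    if not detectors:
        return "FAIL: GuardDuty is not enabled in this region"
    for detector in detectors:
        if detector.get("Status") != "ENABLED":
            return "FAIL: detector exists but is suspended"
        if rds_protection_status(detector) != "ENABLED":
            return "FAIL: RDS Protection is not enabled"
    return "PASS"


def rds_feature_payload(enable: bool = True) -> List[Dict[str, str]]:
    """Value for `update-detector --features` / `create-detector --features`.
    enable=False produces the backout payload."""
    return [{"Name": RDS_FEATURE, "Status": "ENABLED" if enable else "DISABLED"}]


def audit(regions: Dict[str, List[Dict[str, Any]]]) -> Dict[str, str]:
    """Map region name -> PASS/FAIL verdict."""
    return {region: evaluate_region(dets) for region, dets in regions.items()}


# Constructed sample: three regions in three different states.
SAMPLE_REGIONS: Dict[str, List[Dict[str, Any]]] = {
    "us-east-1": [{"Status": "ENABLED",
                   "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
                                {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"}]}],
    "eu-west-1": [{"Status": "ENABLED",
                   "Features": [{"Name": "RDS_LOGIN_EVENTS", "Status": "DISABLED"}]}],
    "ap-southeast-2": [],  # list-detectors returned an empty DetectorIds list
}


def live_audit_and_remediate(remediate: bool = False) -> Dict[str, str]:
    """Run the same check against a real account with boto3. Needs credentials
    plus guardduty:ListDetectors, GetDetector and (if remediating) UpdateDetector.
    Regions the account has not opted into will raise; catch per region if needed."""
    import boto3  # imported here so the offline functions above need no SDK
    session = boto3.session.Session()
    results: Dict[str, str] = {}
    for region in session.get_available_regions("guardduty"):
        client = session.client("guardduty", region_name=region)
        ids = client.list_detectors().get("DetectorIds", [])
        detectors = [client.get_detector(DetectorId=i) for i in ids]
        results[region] = evaluate_region(detectors)
        # Only touch the RDS feature; never flip Enable=False here (that
        # would suspend the whole detector, which is not the backout plan).
        if remediate and ids and rds_protection_status(detectors[0]) != "ENABLED":
            client.update_detector(DetectorId=ids[0],
                                   Features=rds_feature_payload(True))
    return results


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REGIONS), indent=2))
    print("update-detector --features", json.dumps(rds_feature_payload(True)))
    print("backout         --features", json.dumps(rds_feature_payload(False)))
```

Run it as-is to see the verdicts for the constructed regions; call live_audit_and_remediate() from a session with the listed permissions to audit a real account, and pass remediate=True to enable the plan wherever a detector exists but RDS_LOGIN_EVENTS is not ENABLED. Regions with no detector at all are reported but deliberately left alone, since creating a detector is a broader change than this recommendation covers.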


Note:

  • Alert Tuning: Use GuardDuty suppression rules (saved filters that automatically archive findings matching known-good criteria, such as a specific source IP, account or database) to reduce noise from legitimate RDS login activity. Finding severity is assigned by GuardDuty and cannot be changed; tune by filtering, not by re-rating.

  • Automation: Route GuardDuty findings through Amazon EventBridge to trigger response actions, such as invoking a Lambda function or publishing to an SNS topic, when high-severity findings for RDS databases (finding types prefixed CredentialAccess:RDS/ and Discovery:RDS/) are generated.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                   | IG1 | IG2 | IG3
--------|------------|-------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                  |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.       |     |     |