Profile Applicability:

  • Level 1

Description:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment. GuardDuty Malware Protection for EC2 is a feature of GuardDuty that specifically helps detect and prevent malware and suspicious activity targeting your EC2 instances.

When GuardDuty Malware Protection for EC2 is enabled, it provides additional security monitoring by analyzing EC2 instances for potential malware, unauthorized processes, and suspicious activity. This includes scanning for signs of compromised instances or malware infections in EC2 instances running in your environment. Enabling this feature ensures that potential security threats are detected and can be mitigated before they escalate.

Rationale:

Enabling GuardDuty Malware Protection for EC2 is critical for:

  • Proactive Threat Detection: Automatically detects malware and suspicious activity within EC2 instances in real-time, allowing for faster response to security incidents.
  • Enhanced EC2 Security: Provides an additional layer of security by monitoring for signs of compromise in EC2 instances, which are critical to your infrastructure.
  • Compliance: Helps meet security and compliance requirements by ensuring malware detection and monitoring is in place for EC2 instances.
  • Reduced Risk: Early detection of malware or compromised instances reduces the potential impact on your applications and services.

Impact:

Pros:

  • Early Malware Detection: Identifies and alerts on malware infections, preventing further damage or data exfiltration.
  • Continuous Monitoring: Provides continuous, automated malware monitoring without requiring manual intervention.
  • Compliance: Helps satisfy security controls required by various compliance frameworks (e.g., SOC 2, ISO 27001, PCI-DSS).

Cons:

  • Cost: Enabling GuardDuty Malware Protection incurs additional costs based on the number of monitored EC2 instances.
  • False Positives: Malware alerts may trigger false positives in some instances, requiring review and tuning of detection settings.
  • Resource Usage: Scanning EC2 instances for malware can introduce some overhead in terms of resource usage and performance, though typically minimal.

Default Value:

By default, GuardDuty Malware Protection for EC2 is not enabled. It must be manually activated within GuardDuty to begin monitoring and detecting malware on EC2 instances.

Pre-requisite:

  • AWS IAM Permissions:
      guardduty:UpdateDetector
      guardduty:GetDetector
      guardduty:ListDetectors
      guardduty:EnableMalwareProtection

  • AWS CLI installed and configured.
  • GuardDuty should be enabled in the account for the malware protection feature to be used.
  • Existing EC2 instances must be present for the feature to be enabled and active.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to GuardDuty under Services.

  3. In the GuardDuty Dashboard, check if GuardDuty is enabled in your account and if Malware Protection for EC2 is active.

  4. Go to the Settings section within GuardDuty.

  5. Ensure that Malware Protection for EC2 is enabled under Threat Intelligence Settings.

  6. Verify that Malware Protection is configured to monitor and detect malware activity in EC2 instances.

Using AWS CLI:

To list the GuardDuty detector IDs in the current region (the detector ID is needed for the commands that follow), run:

aws guardduty list-detectors

To check if Malware Protection is enabled for your GuardDuty detector, run:

aws guardduty get-detector --detector-id <detector-id>

In the output, ensure that the Features list contains an entry with Name set to EBS_MALWARE_PROTECTION and Status set to ENABLED (older responses expose the same setting under DataSources.MalwareProtection.ScanEc2InstanceWithFindings.EbsVolumes.Status).

To enable Malware Protection for EC2 if it’s not already enabled, run:

aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"EBS_MALWARE_PROTECTION","Status":"ENABLED"}]'

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to GuardDuty.

  2. In the GuardDuty Dashboard, go to Settings.

  3. Under Malware Protection, enable Malware Protection for EC2.

  4. Ensure that GuardDuty is actively monitoring EC2 instances for malware and suspicious activity.

  5. Review the findings generated by GuardDuty for malware threats or abnormal behaviors in EC2 instances.

Using AWS CLI:

To enable Malware Protection for EC2, run:

aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"EBS_MALWARE_PROTECTION","Status":"ENABLED"}]'

To verify that Malware Protection is enabled, run:

aws guardduty get-detector --detector-id <detector-id>

Review the findings by running:

aws guardduty list-findings --detector-id <detector-id>

Check for any active malware-related findings from your EC2 instances.
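As an added example (not part of this benchmark text and not AWS's own code), the check-and-enable logic behind the Test Plan and Implementation CLI commands above, written against a boto3-style GuardDuty client. SampleClient and SAMPLE_DETECTORS are constructed stand-ins so the audit runs offline; against a real account, pass boto3.client('guardduty') to audit_detectors instead.

```python
import json

FEATURE = "EBS_MALWARE_PROTECTION"  # feature name the GuardDuty API uses for Malware Protection for EC2

# Constructed sample get-detector responses (not real account data) covering three states:
# feature on, feature absent, and the older DataSources response shape with the feature off.
SAMPLE_DETECTORS = {
    "det-aaaa": {"Features": [{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]},
    "det-bbbb": {"Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"}]},
    "det-cccc": {"DataSources": {"MalwareProtection": {"ScanEc2InstanceWithFindings":
                 {"EbsVolumes": {"Status": "DISABLED"}}}}},
}

class SampleClient:
    """Constructed stand-in for boto3.client('guardduty') so the audit runs offline."""
    def __init__(self, detectors):
        self.detectors = json.loads(json.dumps(detectors))  # private copy we may mutate
        self.updates = []  # (detector_id, Features) pairs sent to update_detector
    def list_detectors(self):
        return {"DetectorIds": sorted(self.detectors)}
    def get_detector(self, DetectorId):
        return self.detectors[DetectorId]
    def update_detector(self, DetectorId, Features):
        self.updates.append((DetectorId, Features))
        self.detectors[DetectorId]["Features"] = Features

def ebs_malware_protection_status(detector):
    """Return ENABLED, DISABLED or NOT_CONFIGURED for one get-detector response."""
    for feature in detector.get("Features", []):
        if feature.get("Name") == FEATURE:
            return feature.get("Status", "DISABLED")
    legacy = (detector.get("DataSources", {}).get("MalwareProtection", {})
              .get("ScanEc2InstanceWithFindings", {}).get("EbsVolumes", {}))
    return legacy.get("Status", "NOT_CONFIGURED")

def update_request(detector_id, enable=True):
    """Keyword arguments for update_detector that switch the feature on or off."""
    status = "ENABLED" if enable else "DISABLED"
    return {"DetectorId": detector_id, "Features": [{"Name": FEATURE, "Status": status}]}

def audit_detectors(client, remediate=False):
    """Report the feature status per detector; with remediate=True, enable it where it is off."""
    results = {}
    for detector_id in client.list_detectors()["DetectorIds"]:
        status = ebs_malware_protection_status(client.get_detector(DetectorId=detector_id))
        if status != "ENABLED" and remediate:
            client.update_detector(**update_request(detector_id, True))
            status = ebs_malware_protection_status(client.get_detector(DetectorId=detector_id))
        results[detector_id] = status
    return results
```

Run audit_detectors(client) first to see the per-detector state, then with remediate=True to apply the same update-detector call the CLI steps use.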

Backout Plan:

If enabling GuardDuty Malware Protection causes issues (e.g., performance degradation or false positives):

Identify the affected EC2 instances or misconfigured findings.

To disable Malware Protection for EC2, run the following command:

aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"EBS_MALWARE_PROTECTION","Status":"DISABLED"}]'

Recheck the GuardDuty detector and findings to ensure that Malware Protection has been properly disabled and no further alerts are triggered for EC2.

Note:

Alerting and Notifications: Configure SNS topics or CloudWatch alarms to receive real-time notifications when GuardDuty generates malware findings for EC2 instances.

Integration with Lambda: Automate remediation for certain findings using AWS Lambda to trigger responses like isolating compromised instances or initiating further scans.

References:

Amazon GuardDuty Documentation

AWS CLI: update-detector

AWS CLI: describe-findings

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access. |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems. |     |     |