Profile Applicability:
Level 1
Description:
Amazon GuardDuty is a threat detection service that continuously analyzes AWS CloudTrail management events, VPC Flow Logs and DNS logs for malicious activity and unauthorized behavior. GuardDuty S3 Protection is an optional feature of GuardDuty that adds analysis of CloudTrail S3 data events (object-level API calls such as GetObject, PutObject, ListObjects and DeleteObject) so that GuardDuty can detect anomalous access patterns, suspicious API calls from known-malicious or anonymizing IP addresses, credential misuse and potential data exfiltration against your S3 buckets. GuardDuty receives this data-event stream directly; you do not need to enable S3 data event logging in CloudTrail yourself. Without S3 Protection, GuardDuty only sees management-plane S3 activity such as bucket policy changes.
By enabling GuardDuty S3 Protection, suspicious activity against your S3 resources is detected and surfaced as GuardDuty findings, which you can route to your alerting and response tooling, helping to secure sensitive data stored in S3 buckets.
Rationale:
Enabling GuardDuty S3 Protection is important for:
Security: It detects unauthorized access or malicious activity targeting your S3 buckets so that data theft or loss can be stopped early; GuardDuty raises findings but does not itself block the activity.
Compliance: Helps organizations meet monitoring requirements for S3 data (e.g., PCI DSS, SOC 2, ISO 27001).
Proactive Threat Detection: Surfaces threats against S3 buckets, typically within minutes of the underlying API calls, before they escalate into significant damage.
Data Integrity: Surfaces suspicious object modifications and deletions so they can be investigated; enforcing integrity still requires preventive controls such as bucket policies, versioning and Object Lock.
Impact:
Pros:
Increased Security: Identifies and alerts on suspicious or unauthorized access to S3 buckets, reducing the risk of data breaches.
Compliance: Supports regulatory requirements for monitoring data access and protecting sensitive information in S3.
Early Threat Detection: Enables rapid response to threats targeting your S3 buckets by producing findings in near real time and delivering them through Amazon EventBridge.
Cons:
Additional Costs: S3 Protection is billed separately from core GuardDuty, based on the number of S3 data events analyzed; buckets with heavy object-level traffic can make it the dominant GuardDuty cost. A 30-day free trial applies when the feature is first enabled in an account.
False Positives: Some legitimate activity might be flagged as suspicious and will require investigation. GuardDuty has no tunable detection thresholds; noise is handled with suppression rules and trusted IP lists, and findings from known scanners or backup jobs should be suppressed rather than the feature disabled.
Default Value:
Whether S3 Protection is on by default depends on when GuardDuty was first enabled in the account and region. Accounts that enabled GuardDuty after July 31, 2020 have S3 Protection turned on automatically with the detector; detectors created before that date, detectors where the feature has since been disabled, and organization member accounts joined without auto-enable configured must have it enabled manually. Because GuardDuty detectors are regional, the check must be repeated in every region.
Pre-requisite:
AWS IAM Permissions:
guardduty:ListDetectors
guardduty:GetDetector
guardduty:UpdateDetector
(There is no separate IAM action for S3 Protection; the feature is toggled through guardduty:UpdateDetector.)
AWS CLI installed and configured, with a profile for the target account and region.
GuardDuty should be enabled in the account and region being checked; the detector ID is region-specific.
Ensure that S3 buckets are present and active in your environment.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to GuardDuty under Services and select the region you are assessing.
In the GuardDuty navigation pane, under Protection plans, choose S3 Protection.
Check the status shown for the current account (and, from a delegated administrator account, for each member account).
If S3 Protection shows "Enabled", the control is met. If it is not, enable it by choosing Enable.
Using AWS CLI:
To find the detector for the current region, run:
aws guardduty list-detectors --query 'DetectorIds[0]' --output text
To check whether GuardDuty S3 Protection is enabled, run:
aws guardduty get-detector --detector-id <detector-id> --query "Features[?Name=='S3_DATA_EVENTS'].Status" --output text
The command prints ENABLED when S3 Protection is on. If it prints DISABLED, or nothing at all (the feature has never been configured on an older detector), S3 Protection is not enabled. Older CLI versions report the same state under DataSources.S3Logs.Status in the full get-detector output.
To enable GuardDuty S3 Protection if it is not already enabled, run:
aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"}]'
To verify that S3 Protection has been enabled, re-run the get-detector command above and confirm it prints ENABLED. Also confirm the detector itself is enabled, since a suspended detector analyzes nothing regardless of its features:
aws guardduty get-detector --detector-id <detector-id> --query Status --output text
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to GuardDuty in the region being remediated.
In the GuardDuty navigation pane, under Protection plans, choose S3 Protection.
Confirm that the status for the account is Enabled.
If not, choose Enable.
Within a few minutes GuardDuty starts analyzing S3 data events. In an organization, the delegated administrator should also set S3 Protection to auto-enable for new and existing member accounts so that accounts added later inherit it.
Using AWS CLI:
Run the following command to check whether GuardDuty S3 Protection is enabled for the detector in the current region:
aws guardduty get-detector --detector-id <detector-id> --query "Features[?Name=='S3_DATA_EVENTS'].Status" --output text
If the output is anything other than ENABLED, run:
aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"}]'
Verify that S3 Protection is now enabled by running the get-detector command again and confirming it prints ENABLED. Repeat for every region where GuardDuty is enabled and, in an organization, run the commands from the delegated administrator account or use update-member-detectors with the same --features argument to apply the change to member accounts.
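The following script is an added example for this recommendation; it is not part of the benchmark text or any AWS-provided tooling. It goes beyond the single-detector CLI commands above by walking every region, which is where this control is most often missed because GuardDuty detectors are regional, and it treats a suspended detector or a missing feature entry as non-compliant rather than unknown. It assumes boto3 is installed with credentials holding the three guardduty permissions listed under Pre-requisite. The feature name S3_DATA_EVENTS and the GetDetector/UpdateDetector response and request fields are the real GuardDuty API ones; the function names, the --enable flag and the SAMPLE_GET_DETECTOR dictionary are the example's own constructions.

```python
"""Audit GuardDuty S3 Protection in every region and optionally enable it.

Usage:  python gd_s3_audit.py           # report only; exit 1 if any gap
        python gd_s3_audit.py --enable  # also enable S3 Protection where off
"""
import sys
from typing import List

# Real GuardDuty feature name for S3 Protection (the Features[].Name value
# in GetDetector/UpdateDetector). Everything else here is the example's own.
S3_FEATURE = "S3_DATA_EVENTS"

# Constructed sample of a GetDetector response (not captured from an account),
# for exercising s3_protection_enabled without credentials.
SAMPLE_GET_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "DISABLED"},
        {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    ],
}


def s3_protection_enabled(detector: dict) -> bool:
    """Return True only when S3 Protection is reported ENABLED.

    Current API responses list protection plans under Features; older ones
    report the same state under the deprecated DataSources.S3Logs block.
    A missing entry means the feature was never configured, so it counts
    as disabled rather than unknown.
    """
    for feature in detector.get("Features", []):
        if feature.get("Name") == S3_FEATURE:
            return feature.get("Status") == "ENABLED"
    legacy = detector.get("DataSources", {}).get("S3Logs", {})
    return legacy.get("Status") == "ENABLED"


def s3_protection_update(enable: bool = True) -> dict:
    """Keyword arguments for update_detector that touch only S3 Protection."""
    status = "ENABLED" if enable else "DISABLED"
    return {"Features": [{"Name": S3_FEATURE, "Status": status}]}


def audit_region(client, region: str, remediate: bool = False) -> List[dict]:
    """Assess every detector in one region; enable S3 Protection if asked.

    `client` is anything with list_detectors/get_detector/update_detector
    (a boto3 GuardDuty client in practice). Detectors are regional, so a
    region with no detector means GuardDuty itself is off there.
    """
    detector_ids = client.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        return [{"region": region, "detector_id": None,
                 "s3_protection": False, "action": "no-detector"}]
    results = []
    for detector_id in detector_ids:
        detector = client.get_detector(DetectorId=detector_id)
        if detector.get("Status") != "ENABLED":
            # A suspended detector analyzes nothing, whatever its features say.
            results.append({"region": region, "detector_id": detector_id,
                            "s3_protection": False,
                            "action": "detector-suspended"})
            continue
        enabled = s3_protection_enabled(detector)
        action = "compliant" if enabled else "non-compliant"
        if not enabled and remediate:
            client.update_detector(DetectorId=detector_id,
                                   **s3_protection_update(True))
            # Re-read instead of trusting the call; a denied or throttled
            # update would otherwise be reported as success.
            enabled = s3_protection_enabled(
                client.get_detector(DetectorId=detector_id))
            action = "enabled" if enabled else "enable-failed"
        results.append({"region": region, "detector_id": detector_id,
                        "s3_protection": enabled, "action": action})
    return results


def main(argv: List[str]) -> int:
    # Imported here so the pure functions above work without boto3 installed.
    import boto3
    import botocore.exceptions

    remediate = "--enable" in argv
    session = boto3.session.Session()
    exit_code = 0
    for region in session.get_available_regions("guardduty"):
        client = session.client("guardduty", region_name=region)
        try:
            rows = audit_region(client, region, remediate)
        except (botocore.exceptions.ClientError,
                botocore.exceptions.EndpointConnectionError) as err:
            # Typically an opt-in region that is not enabled for the account.
            print(f"{region:<16} skipped: {err}")
            continue
        for row in rows:
            state = "ENABLED" if row["s3_protection"] else "DISABLED"
            print(f"{row['region']:<16} {row['detector_id'] or '-':<34} "
                  f"S3Protection={state} ({row['action']})")
            if not row["s3_protection"]:
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments from a CI job to fail the build whenever any region lacks S3 Protection, and with --enable from a remediation role. Because a region with no detector is reported as a gap, the same run also catches regions where GuardDuty was never turned on, which the per-detector CLI check cannot see.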
Backout Plan:
If enabling GuardDuty S3 Protection causes issues (e.g., excessive findings or unexpected cost), prefer adding suppression rules for the noisy finding types or sources over disabling the feature. If it must be disabled:
Identify the finding types, principals or buckets that caused the problem and record them so the feature can be re-enabled once they are addressed.
To disable S3 Protection, run:
aws guardduty update-detector --detector-id <detector-id> --features '[{"Name":"S3_DATA_EVENTS","Status":"DISABLED"}]'
Verify that S3 Protection has been disabled by running:
aws guardduty get-detector --detector-id <detector-id> --query "Features[?Name=='S3_DATA_EVENTS'].Status" --output text
Review the existing GuardDuty findings to confirm that none of the activity prompting the backout was a genuine attack, and track the disabled state as an exception with an owner and a re-enable date rather than accepting it as the new baseline.
Note :
Alerting: GuardDuty publishes findings to Amazon EventBridge, not to CloudWatch alarms. Create an EventBridge rule for source aws.guardduty and detail-type "GuardDuty Finding", optionally filtered to the S3 finding families (types prefixed with Exfiltration:S3, Discovery:S3, Policy:S3, Impact:S3, Stealth:S3 or UnauthorizedAccess:S3), and target an SNS topic or your SIEM.
Fine-tuning: GuardDuty has no severity thresholds to adjust. If legitimate activity (backup jobs, data pipelines, authorized scanners) is frequently flagged, create suppression rules keyed on the finding type and the involved principal or bucket, or add the source addresses to a trusted IP list, and review suppressed findings periodically so the rules do not hide a real intrusion.