Profile Applicability:

  • Level 2

Description:

Endpoint Detection and Response (EDR) solutions on AWS detect and respond to advanced threats targeting endpoints such as EC2 instances. Ensuring that your EDR solution is fully deployed, actively monitoring, and integrated with AWS resources is essential for threat visibility and incident response.

Rationale:

Ensuring EDR functionality guarantees:

  • Active threat detection across AWS workloads

  • Prompt response to suspicious or malicious activity

  • Integration with CloudWatch, Security Hub, and other monitoring services

  • Visibility into endpoint-level behavior across the AWS environment

Default Value:

EDR solutions (e.g., GuardDuty, CrowdStrike, SentinelOne) must be manually deployed and configured. AWS does not enable EDR by default.

Impact:

Pros:

  • Enables proactive threat detection and response

  • Improves visibility into EC2-level activity

  • Supports audit and compliance readiness

Cons:

  • May introduce additional costs depending on the vendor

  • Requires integration, testing, and tuning

  • May generate false positives if not properly configured

Pre-requisites:

IAM Permissions Required:

  • guardduty:* (if using AWS-native EDR)

  • s3:GetObject, logs:CreateLogGroup, cloudwatch:*, sns:Publish

  • EDR vendor access and deployment documentation (for third-party tools)

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console
  2. Navigate to your EDR solution (e.g., Amazon GuardDuty, Security Hub, or a third-party console)
  3. Confirm that:
     • Agents are installed on all required EC2 instances
     • Alerts and findings are being generated
     • The solution is integrated with CloudWatch or AWS Security Hub
  4. Generate a test threat (e.g., use AWS GuardDuty sample findings) to verify detection

Using AWS CLI:

aws guardduty list-detectors
aws guardduty get-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>
aws guardduty list-members \
  --detector-id <detector-id>
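As an added example (not part of the benchmark text), the following Python check evaluates the JSON returned by aws guardduty get-detector against the conditions in the test plan: the detector is enabled, Runtime Monitoring is on for EC2 visibility, and GuardDuty manages the EC2 agent deployment. The embedded response is constructed, not captured from a real account; feature names follow the GetDetector API.

```python
import json
import sys

# Constructed sample in the shape of the GetDetector API response.
# EC2 agent management is deliberately DISABLED so the check reports a gap.
SAMPLE_DETECTOR = json.dumps({
    "Status": "ENABLED",
    "FindingPublishingFrequency": "FIFTEEN_MINUTES",
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [
             {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"}]},
    ],
})


def feature_status(detector, name, sub=None):
    """Return the Status of a detector feature, or of one of its
    AdditionalConfiguration entries when `sub` is given.
    A feature that is absent from the response counts as DISABLED."""
    for feature in detector.get("Features", []):
        if feature.get("Name") != name:
            continue
        if sub is None:
            return feature.get("Status", "DISABLED")
        for extra in feature.get("AdditionalConfiguration", []):
            if extra.get("Name") == sub:
                return extra.get("Status", "DISABLED")
    return "DISABLED"


def evaluate_detector(detector_json):
    """Map each test-plan condition to True/False for one detector."""
    d = json.loads(detector_json)
    checks = {
        "detector enabled": d.get("Status") == "ENABLED",
        "runtime monitoring enabled (EC2 endpoint visibility)":
            feature_status(d, "RUNTIME_MONITORING") == "ENABLED",
        "EC2 agent management enabled (agents deployed automatically)":
            feature_status(d, "RUNTIME_MONITORING", "EC2_AGENT_MANAGEMENT")
            == "ENABLED",
    }
    checks["compliant"] = all(checks.values())
    return checks


if __name__ == "__main__":
    # Read a real response from stdin when piped; otherwise use the sample.
    raw = SAMPLE_DETECTOR if sys.stdin.isatty() else sys.stdin.read()
    for name, ok in evaluate_detector(raw).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it as aws guardduty get-detector --detector-id <detector-id> --output json | python3 check_edr.py; any FAIL line is a finding to remediate under the implementation plan.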

Implementation Plan:

Using AWS Console:

  1. Navigate to Amazon GuardDuty (or your chosen EDR solution)
  2. Enable the service and create a detector if not already set up
  3. Deploy agents or configure detection for supported instance types
  4. Enable integration with AWS Security Hub, CloudWatch, and SNS
  5. Confirm findings and alerts appear in the EDR dashboard

Using AWS CLI:

aws guardduty create-detector \
  --enable
aws guardduty update-detector \
  --detector-id <detector-id> \
  --enable
aws guardduty list-findings \
  --detector-id <detector-id>
aws guardduty get-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>

Backout Plan:

Using AWS Console:

  1. Disable the detector in Amazon GuardDuty
  2. Remove or uninstall EDR agents from EC2 instances
  3. Disconnect integrations with CloudWatch or Security Hub if no longer required

Using AWS CLI:

aws guardduty delete-detector \
  --detector-id <detector-id>
aws ec2 describe-instances \
  --filters "Name=tag:EDR,Values=true"
Then manually remove the EDR agent or tag from the listed instances.

References: