[AWS] Amazon GuardDuty

GuardDuty is a managed threat detection service: it combines anomaly detection (machine learning against a baseline of normal activity) with threat intelligence feeds to flag suspicious or unauthorized activity in your AWS accounts and workloads.

Intelligent threat detection – Amazon GuardDuty – Amazon Web Services


Mechanism

GuardDuty continuously monitors your AWS accounts and workloads and raises findings for unauthorized or anomalous activity. Detection rests on two mechanisms:

  • Anomaly detection: machine learning models learn what normal activity looks like for each account and identity, and raise findings on deviations from it.
  • Building that baseline takes 7 to 14 days, so anomaly-based findings are unreliable right after you enable the service; threat-intelligence matches (known bad IPs and domains) work from day one.
  • Threat intelligence: GuardDuty maintains lists of known malicious domains and IPs, fed by AWS Security and third-party partners. You can add your own threat lists and trusted IP lists to a detector.

Features

  • Built-in detection for EC2, S3 and IAM; further protection plans (for example EKS, RDS, Lambda and Malware Protection for EC2) can be switched on per detector.
  • It monitors:
    • CloudTrail (management events and S3 data events)
    • VPC Flow Logs
    • DNS logs (queries that go through the Route 53 Resolver; traffic to a custom DNS resolver is not seen).
    GuardDuty reads these sources through its own independent stream, so you do not have to enable a trail, flow logs or DNS query logging yourself, and changing those settings in your account does not change what GuardDuty sees.
  • Findings appear in the GuardDuty console and are published as events to EventBridge; they can also be exported to an S3 bucket or forwarded to Security Hub.
  • What it detects (examples):
    • Unusual API calls (for example from a location or with a user agent never seen for that identity)
    • API calls from known malicious IPs or domains
    • Unauthorized deployments (for example resources launched in a region the account has not used before)
    • Port scanning and port probes against EC2 instances
    • Crypto-currency mining (DNS lookups of, or connections to, mining pools)

Multi-Account Management

  • GuardDuty integrates with AWS Organizations so that one account can operate it for the whole organization.
  • From the Organizations management account you designate a delegated administrator for GuardDuty. It can be any account in the organization and does not have to be the management account; a dedicated security account is the usual choice, so that the management account keeps as little day-to-day access as possible.
  • The delegated administrator account can
    • add or remove member accounts (and auto-enable GuardDuty for accounts that join the organization later)
    • manage GuardDuty settings, findings and suppression rules across the member accounts.
  • GuardDuty is regional: the delegated administrator designation and the member setup must be repeated in every region you want covered.

Automated Responses

You can automatically respond to GuardDuty findings through events.

  • GuardDuty publishes every finding to EventBridge (source aws.guardduty, detail-type "GuardDuty Finding"); an EventBridge rule selects the findings you care about, typically by severity or finding type.
  • The rule's targets send a notification (an SNS topic) or invoke a Lambda function that remediates, for example by isolating the affected instance or disabling the compromised credentials.
  • A new finding is published within minutes; later occurrences of the same finding are re-published at the detector's findings-export frequency (15 minutes, 1 hour or the 6-hour default) under the same finding ID, so responders must be idempotent.
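The response pipeline described above, together with the finding-type naming behind the "what it detects" list, as an added Python example (mine, not code from the page or from AWS). It keeps the EventBridge rule pattern as data, parses a GuardDuty finding type into its components, and implements the Lambda side: decide from severity and type whether an EC2 instance should be quarantined, do it through the real boto3 call modify_instance_attribute, and skip re-published updates of a finding that was already handled. The sample finding is constructed; the quarantine security group sg-0quarantine, the ISOLATE_PURPOSES policy and the RecordingEc2 stand-in are assumptions so that the module runs offline.

```python
"""Triage and auto-response for GuardDuty findings delivered by EventBridge.

Added example, not code from the page. The sample finding is constructed; the EC2
client, quarantine security group and notify callback are assumptions injected by
the caller so that the module runs offline.
"""
import json
import re

# EventBridge rule pattern: route only findings of medium severity or above.
# GuardDuty severity is numeric: low 1.0-3.9, medium 4.0-6.9, high 7.0-8.9, critical 9.0+.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}
# Finding types read ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact,
# e.g. CryptoCurrency:EC2/BitcoinTool.B!DNS or Recon:EC2/PortProbeUnprotectedPort.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$")
ISOLATE_PURPOSES = {"CryptoCurrency", "Backdoor", "Trojan", "UnauthorizedAccess"}  # assumed policy


def parse_finding_type(finding_type):
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError("unrecognised GuardDuty finding type: %s" % finding_type)
    return m.groupdict()


def severity_label(score):
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return label
    return "low"


def decide(detail):
    """Turn the 'detail' object of a GuardDuty event into a response plan."""
    parts = parse_finding_type(detail["type"])
    score = float(detail["severity"])
    instance_id = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    # GuardDuty re-publishes an existing finding when it sees more of the same activity
    # (service.count grows); an update must not trigger the response a second time.
    is_update = detail.get("service", {}).get("count", 1) > 1
    isolate = (not is_update and parts["resource"] == "EC2" and instance_id is not None
               and parts["purpose"] in ISOLATE_PURPOSES and score >= 7.0)
    return {"finding_id": detail["id"], "account": detail["accountId"], "region": detail["region"],
            "type": parts, "severity": severity_label(score), "instance_id": instance_id,
            "is_update": is_update, "isolate": isolate}


def isolate_instance(ec2, instance_id, isolation_sg):
    """Replace the instance's security groups with a quarantine group that has no rules.
    modify_instance_attribute(InstanceId, Groups) is the real boto3 EC2 call."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])


def handler(event, context=None, ec2=None, isolation_sg=None, notify=print):
    """Lambda entry point: EventBridge passes the finding as 'event'."""
    plan = decide(event["detail"])
    if plan["isolate"]:
        if ec2 is None or isolation_sg is None:
            raise RuntimeError("isolation requested but no EC2 client or quarantine group given")
        isolate_instance(ec2, plan["instance_id"], isolation_sg)
    notify(json.dumps(dict(plan, title=event["detail"].get("title"))))  # e.g. SNS publish
    return plan


def make_sample_event(count=1):
    """Constructed GuardDuty EventBridge event: real shape, invented values."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "0ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8.0, "title": "EC2 instance i-0123456789abcdef0 is querying a Bitcoin mining domain.",
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"serviceName": "guardduty", "count": count, "archived": False,
                    "action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "pool.example.invalid"}}}}}


class RecordingEc2:
    """Offline stand-in for boto3.client('ec2') that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    ec2 = RecordingEc2()
    handler(make_sample_event(), ec2=ec2, isolation_sg="sg-0quarantine")
    print("EC2 calls made:", ec2.calls)
```

In a real deployment the Lambda wrapper passes boto3.client("ec2") and the quarantine group ID (for example from an environment variable) into handler, and notify publishes to an SNS topic instead of printing; EVENT_PATTERN is what goes into the EventBridge rule. Isolation by swapping security groups keeps the instance and its disk intact for forensics, which is why it is preferred over terminating it.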

CloudFormation Integration

  • You can enable GuardDuty in a CloudFormation template with the AWS::GuardDuty::Detector resource (Enable: true).
  • An account has at most one detector per region, so if GuardDuty is already enabled there the resource creation fails and the stack rolls back.
    • Use a CloudFormation custom resource (a Lambda function) that looks for an existing detector and creates one only if none exists; on stack deletion it should remove only a detector it created itself.
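The conditional-enable custom resource described above, as an added Python example (mine, not code from the page or from AWS). It uses the real boto3 GuardDuty calls list_detectors, create_detector, update_detector and delete_detector, encodes in the PhysicalResourceId whether the stack created or merely adopted the detector so that a stack delete never disables GuardDuty that was already on, keeps the PhysicalResourceId stable across updates, and always answers CloudFormation, including on failure. The Custom::GuardDutyDetector type name, the FakeGuardDuty stand-in and the sample request events are assumptions; the GuardDuty client is injected so that the request logic runs offline.

```python
"""CloudFormation custom resource that enables GuardDuty only when no detector exists yet.

Added example, not code from the page. Used from a template as (the resource type name
is mine; CloudFormation only needs ServiceToken to point at this Lambda):

    GuardDuty:
      Type: Custom::GuardDutyDetector
      Properties:
        ServiceToken: !GetAtt EnableGuardDutyFunction.Arn
        FindingPublishingFrequency: FIFTEEN_MINUTES
"""
import json
import urllib.request

# PhysicalResourceId records whether the stack created the detector or merely found one,
# so that deleting the stack never disables GuardDuty that somebody else enabled.
CREATED, ADOPTED = "created:", "adopted:"
VALID_FREQUENCIES = ("FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS")


def ensure_detector(gd, frequency):
    """Return (physical_id, detector_id). list/create_detector are real boto3 GuardDuty calls."""
    existing = gd.list_detectors().get("DetectorIds", [])  # an account has one detector per region
    if existing:
        return ADOPTED + existing[0], existing[0]
    created = gd.create_detector(Enable=True, FindingPublishingFrequency=frequency)["DetectorId"]
    return CREATED + created, created


def handle_request(event, gd):
    """Request logic only: returns the body CloudFormation expects, without sending it."""
    req = event["RequestType"]
    frequency = event.get("ResourceProperties", {}).get("FindingPublishingFrequency", "SIX_HOURS")
    if frequency not in VALID_FREQUENCIES:
        raise ValueError("FindingPublishingFrequency must be one of %s" % (VALID_FREQUENCIES,))
    data = {}
    if req == "Create":
        physical_id, detector_id = ensure_detector(gd, frequency)
        data = {"DetectorId": detector_id, "Adopted": str(physical_id.startswith(ADOPTED)).lower()}
    else:
        # Update and Delete must echo the original PhysicalResourceId: answering an Update
        # with a different id makes CloudFormation issue a Delete for the old one afterwards.
        physical_id = event["PhysicalResourceId"]
        detector_id = physical_id.split(":", 1)[-1]
        if req == "Update":
            gd.update_detector(DetectorId=detector_id, FindingPublishingFrequency=frequency)
            data = {"DetectorId": detector_id, "Adopted": str(physical_id.startswith(ADOPTED)).lower()}
        elif physical_id.startswith(CREATED):  # Delete: remove only what this stack created
            gd.delete_detector(DetectorId=detector_id)
    return {"Status": "SUCCESS", "PhysicalResourceId": physical_id, "StackId": event["StackId"],
            "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"],
            "Data": data}


def send_response(url, body):
    """PUT the result to the pre-signed S3 URL that CloudFormation is polling."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req).read()


def lambda_handler(event, context):
    """Real entry point. It always answers: an unanswered custom resource leaves the stack
    stuck in *_IN_PROGRESS until CloudFormation's timeout, which can take an hour."""
    import boto3  # available in the Lambda runtime; not needed for the offline checks
    try:
        body = handle_request(event, boto3.client("guardduty"))
    except Exception as exc:
        body = {"Status": "FAILED", "Reason": str(exc)[:1000], "StackId": event["StackId"],
                "PhysicalResourceId": event.get("PhysicalResourceId", event["RequestId"]),
                "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"]}
    send_response(event["ResponseURL"], body)


class FakeGuardDuty:
    """Offline stand-in for boto3.client('guardduty') covering the four calls used above."""
    def __init__(self, detectors=()):
        self.detectors, self.deleted = list(detectors), []

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, **kwargs):
        self.detectors.append("d%d" % (len(self.detectors) + 1))
        return {"DetectorId": self.detectors[-1]}

    def update_detector(self, **kwargs):
        return {}

    def delete_detector(self, DetectorId):
        self.detectors.remove(DetectorId)
        self.deleted.append(DetectorId)
        return {}


if __name__ == "__main__":
    base = {"StackId": "stack", "RequestId": "req-1", "LogicalResourceId": "GuardDuty",
            "ResourceProperties": {"FindingPublishingFrequency": "FIFTEEN_MINUTES"}}
    print(handle_request(dict(base, RequestType="Create"), FakeGuardDuty(["already-enabled"])))
```

The Lambda's execution role needs guardduty:ListDetectors, CreateDetector, UpdateDetector and DeleteDetector; other stacks can read the detector ID through !GetAtt GuardDuty.DetectorId. The "Adopted" flag tells the operator that the stack does not own the detector, which is what makes the Delete path safe.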
