DEV Community

Cover image for Understand Amazon GuardDuty Findings
Sena Yakut for AWS Community Builders

Posted on • Originally published at Medium

Understand Amazon GuardDuty Findings

Amazon GuardDuty is a threat detection service that continuously monitors our AWS accounts and environments for malicious activity and delivers all details. When you create an AWS account, it is strongly recommended to enable this cool service. It’s very easy to enable and use. In this blog, after we have enabled Amazon GuardDuty, we will discuss what we should do with the findings and how we know we’re in danger. Let’s start together!

1) Create alarms for the findings: If you’re enabled Amazon GuardDuty, it does not send you the findings alerts automatically. You need to implement a flow for your workload. You can use CloudWatch alarms or 3rd party solutions for this. It’s very important to do this, you cannot monitor GuardDuty findings every minute of every day, it’s impossible. You can see the instructions here.

Create alarms for the findings

2) Prioritize with the severity: GuardDuty has default severity for every finding. But it can be different for your environment. You need to understand the findings and impact clearly and prioritize for yourself. There are some examples of it:

- Policy: IAMUser/RootCredentialUsage: This finding’s default severity is low. But if it’s not expected from your side, it can be very critical for you. Your root credentials can be compromised and you need to take action about it. We still need to prioritize this finding from our perspective.

- Exfiltration: S3/AnomalousBehavior: This finding’s default severity is high. For this, you need to analyze the S3 bucket details. Does it have the important objects or not? Test or prod environment? Who can access this bucket normally? What is the anomalous behavior? Do we expect this? After answering them, maybe you can decrease the severity of the finding.

3) Check the actor and action: The actor, included in GuardDuty details, means the one carrying out suspicious activity. You should check and verify the actor's details. We need to know who did what and when it happened. For example, there is an IP that uses aws-cli and GetObject operation to our S3 bucket.

Example finding from GuardDuty

We need to check the IP's reputation and whether malware activities are reported or not from this IP. You can use VirusTotal and other solutions for this.
VirusTotal IP check example

If you want, you can automate this check with the APIs of VirusTotal and send notifications to yourself if the IPs are malwared. You can also automate the blocking process of these IPs from your using AWS resources such as NACLs, bucket policies, etc.

4) Control the resource logs: After checking action and actor, checking your resource logs can be very helpful in detecting some details about the threat. For example, let’s assume you have a Lambda service that accesses your S3 bucket, and the finding is related to that bucket. If you’re logging some details about the incoming requests, you can get them from CloudWatch and analyze them. Also, if you have enabled the VPC logs, ELB, or S3 access logs, you can also get details from them, which operations are blocked from the suspicious IP, which operations were rejected or allowed what endpoints were called, etc. We can clearly say logging is a serious thing for your security, in many ways.

Control the resource logs

5) Check your activities: It’s important to know what happens in your environment. Maybe one of your team members login the AWS account from vacation and GuardDuty detected this IP as an anomaly. Or maybe you have a test bucket that only your intern can access and she tries something and GuardDuty detects the different API calls as an anomaly, again. Before you panic, communicate with your team members. Visibility is everything.

6) Start malware scan: GuardDuty automatically starts a malware scan after generating a finding indicative of malware in your EC2 instance or a container workload. Also, you can start a malware scan if you suspect something or just to be sure. You can use your EC2 instance ARN for this.

On-demand malware scanning

If the malware is detected, it’s important to get a snapshot of the resource to analyze. You should enable this option if you’re not enabled yet:

Snapshot retains the malware is detected

7) Get an action: If you complete all the steps and there is a real threat, please get an action. Every resource has different actionable points, you need to check all of them. If this is an expected behavior in your environment, you can archive the findings and sleep well.

Thanks for reading! Stay safe in the cloud! 🦸🏻‍♀️

Top comments (0)