Charbel El Kahwaji

AWS GuardDuty In A Nutshell 🌰

Introduction:

In this blog, I will be talking briefly about GuardDuty and its importance. This quick overview will help you understand the overall functionality of GuardDuty and will help you answer questions in the AWS Security Specialty Exam.

GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts, Amazon Elastic Compute Cloud (EC2) instances, Amazon Elastic Kubernetes Service (EKS) clusters, and data stored in Amazon Simple Storage Service (S3) for malicious activity without the use of security software or agents. If potential malicious activity, such as anomalous behavior, credential exfiltration, or command and control infrastructure (C2) communication is detected, GuardDuty generates detailed security findings that can be used for security visibility and assisting in remediation. Additionally, using the Amazon GuardDuty Malware Protection feature helps to detect malicious files on Amazon Elastic Block Store (EBS) volumes attached to an EC2 instance and container workloads.
I took this paragraph straight from the Amazon GuardDuty FAQs, which I highly recommend reading as it answers a lot of questions about this service.
As a matter of fact, all of what is stated in this blog is from AWS references that I went through to make it easier to understand and shorten your reading time.

How it works:

As mentioned, GuardDuty generates security findings. But how? By applying machine learning to event sources such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs, and by checking the activity in them against a threat list.

A threat list (not to be confused with a trusted IP list) is a list of IP addresses that GuardDuty treats as harmful and generates findings for. Adding IP addresses to a trusted IP list tells GuardDuty not to investigate events generated from those IPs, so no findings are raised for a trusted IP.

GuardDuty integrates directly with Amazon CloudWatch Events, which is extremely helpful when you want to respond rapidly to a threat detection.
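To make the CloudWatch Events integration concrete, here is an added example (not code from the original post or from AWS) of the consumer side: a rule pattern that forwards only high-severity findings, and a small triage routine that pulls the fields a responder needs out of the delivered event. Both findings are constructed samples with invented values; the field names follow the GuardDuty finding format. `matches_rule()` is a deliberately simplified re-implementation of EventBridge content filtering (literal lists and `numeric` comparisons only), and the response tiers in `triage()` are hypothetical, not a GuardDuty feature.

```python
"""Triage of Amazon GuardDuty findings delivered by a CloudWatch Events
(EventBridge) rule.  Added example: both findings are constructed samples
(every value invented) and matches_rule() is a simplified re-implementation
of EventBridge content filtering (literal lists and "numeric" comparisons)."""
import copy
import operator

# Event pattern a rule would use to forward only High/Critical findings.
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample of the event envelope for one finding: field names follow
# the GuardDuty finding format, values are made up.
HIGH_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "Backdoor:EC2/C&CActivity.B",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "OUTBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}

# Second constructed sample: same shape, low-severity inbound brute force.
LOW_EVENT = copy.deepcopy(HIGH_EVENT)
LOW_EVENT["detail"].update(type="UnauthorizedAccess:EC2/SSHBruteForce", severity=2)
LOW_EVENT["detail"]["service"]["action"]["networkConnectionAction"].update(
    connectionDirection="INBOUND", remoteIpDetails={"ipAddressV4": "203.0.113.9"})

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _leaf_matches(filters, value):
    """A pattern leaf is a list; the value matches if any entry matches."""
    for entry in filters:
        if isinstance(entry, dict) and "numeric" in entry:
            ops = entry["numeric"]  # e.g. [">=", 7, "<", 9]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            if all(_NUMERIC_OPS[ops[i]](value, ops[i + 1])
                   for i in range(0, len(ops), 2)):
                return True
        elif entry == value:
            return True
    return False


def matches_rule(pattern, event):
    """True when every key in the pattern exists in the event and matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_rule(expected, event[key]):
                return False
        elif not _leaf_matches(expected, event[key]):
            return False
    return True


def severity_label(severity):
    """GuardDuty's documented severity bands (Low 1-3.9, Medium 4-6.9,
    High 7-8.9, Critical 9-10)."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if severity >= floor:
            return label
    return "Low"


def triage(event):
    """Pull the fields a responder needs and pick a response tier."""
    d = event["detail"]
    conn = d.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    label = severity_label(d["severity"])
    return {
        "account": d["accountId"],
        "region": d["region"],
        "finding_type": d["type"],
        "severity": label,
        "instance_id": d.get("resource", {}).get("instanceDetails", {}).get("instanceId"),
        "remote_ip": conn.get("remoteIpDetails", {}).get("ipAddressV4"),
        "forwarded_by_rule": matches_rule(HIGH_SEVERITY_RULE, event),
        # Hypothetical response tiers for this example, not a GuardDuty feature.
        "response": {"Critical": "isolate-instance", "High": "isolate-instance",
                     "Medium": "open-ticket", "Low": "log-only"}[label],
    }
```

Calling `triage(HIGH_EVENT)` returns the account, region, finding type, instance ID and remote IP a Lambda or SOAR playbook would act on, plus whether the rule pattern would have forwarded the event at all; the same call on `LOW_EVENT` shows the brute-force finding being kept out of the high-severity path. In a real deployment the numeric filter belongs in the rule so the responder never sees low-severity noise.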

The first step to using GuardDuty is to enable it in your account. Once enabled, GuardDuty will immediately begin to monitor for security threats in the current region.

You can manage GuardDuty findings for other accounts within your organization as a GuardDuty administrator. To do so, you must add member accounts and enable GuardDuty for them as well:

  • You can invite other AWS accounts to enable GuardDuty and become associated with your account.

  • Once accepted, the inviting account becomes the master account, and the accounts that accepted the invitation become the member accounts.

  • One AWS account cannot be both a master and a member account at the same time. A membership invitation can be accepted by only one AWS account.

  • A master account can have up to 1000 members per region.

Comparison between users in the master account and users in member accounts.

For the Specialty exam, you have to know the different actions users in the master account can perform, both in their own account and in the associated member accounts. The same goes for users in a member account. Obviously, they can't do anything in the master account.

[Image: table comparing the actions available to users in the master account and to users in member accounts]

In this image, I simplified the actions that each can perform. See the AWS documentation on the relationship between the GuardDuty administrator and member accounts if you want to read more.

Note:
Threat lists and trusted IP lists uploaded by the master account apply to GuardDuty in all member accounts. Therefore, findings in member accounts are generated based on the master account's threat list. (I believe the 4th row in the table now makes sense, doesn't it?)

The exam might test you on these actions and is expecting you to know the difference! Good Luck!
