GuardDuty is a great tool for keeping your AWS infrastructure secure.
Amazon GuardDuty
Amazon GuardDuty continuously monitors your AWS services. It analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs as its data sources.
You do not need to enable AWS CloudTrail, Amazon S3 data events, VPC Flow Logs, or DNS logs before starting GuardDuty: GuardDuty pulls independent streams of data directly from those services.
It uses threat intelligence feeds and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment.
For example:
- GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin.
- It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments (for example, instances launched in a Region that has never been used) or unusual API calls (for example, a password policy change that reduces password strength).
Enable GuardDuty in a standalone account
- Open the GuardDuty console and click the Get Started button.
- Then click the Enable GuardDuty button.
Once enabled, GuardDuty immediately begins monitoring for security threats in the current Region.
Enable GuardDuty in a multi-account (Organization) environment
Log in to the AWS Organization's management account and open the AWS Organizations console. From the Services tab, open Amazon GuardDuty and click Enable trusted access. This enables GuardDuty for all of the Organization's member accounts as well as the management account (root account).
Note: The management account is the Delegated Administrator for GuardDuty by default. You can remove it and add another Delegated Administrator at any time.
When GuardDuty is enabled, it creates a service-linked role in your account called AWSServiceRoleForAmazonGuardDuty. This role includes the permissions and trust policies that allow GuardDuty to consume and analyze events directly from AWS CloudTrail, VPC Flow Logs, and DNS logs in order to generate security findings.
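The same Organization setup done from the AWS CLI, as an added example that is not part of the original post. The account ID, detector ID, bucket-free dry-run mode and the DRY_RUN/AWS_REGION variables are this script's own placeholders and assumptions; `--auto-enable-organization-members ALL` is the CLI counterpart of the Auto-Enable toggle described later in the post, and the final function checks that the service-linked role named above actually exists.

```sh
#!/bin/sh
# Added example, not from the original post: the AWS CLI equivalent of the
# Organizations procedure above. Account and detector IDs below are constructed
# placeholders. DRY_RUN=1 (the default) only prints each aws command; set
# DRY_RUN=0 to execute them with your own credentials.
: "${DRY_RUN:=1}"
: "${AWS_REGION:=us-east-1}"

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# AWS account IDs are exactly 12 digits; reject anything else before it
# reaches the API (a mistyped ID would delegate administration elsewhere).
is_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Step 1, from the management account: enable trusted access (what the
# "Enable trusted access" button does) and hand GuardDuty administration to a
# delegated administrator account.
enable_org_guardduty() {
  admin="$1"
  is_account_id "$admin" || { echo "bad account id: $admin" >&2; return 1; }
  run aws organizations enable-aws-service-access \
      --service-principal guardduty.amazonaws.com
  run aws guardduty enable-organization-admin-account \
      --admin-account-id "$admin" --region "$AWS_REGION"
}

# Step 2, from the delegated administrator account: turn on Auto-Enable so
# every current and future member account gets GuardDuty in this Region.
# The detector ID comes from: aws guardduty list-detectors --output text
auto_enable_members() {
  detector="$1"
  run aws guardduty update-organization-configuration \
      --detector-id "$detector" --auto-enable-organization-members ALL \
      --region "$AWS_REGION"
  run aws guardduty describe-organization-configuration \
      --detector-id "$detector" --region "$AWS_REGION"
}

# Confirm the service-linked role mentioned above exists; GuardDuty cannot
# read CloudTrail, VPC Flow Logs or DNS logs without it.
check_service_linked_role() {
  run aws iam get-role --role-name AWSServiceRoleForAmazonGuardDuty \
      --query 'Role.Arn' --output text
}

enable_org_guardduty 111111111111                      # placeholder account ID
auto_enable_members 12abc34d56789ef01234567890abcdef    # placeholder detector ID
check_service_linked_role
```

Run it once as-is to review the commands it would issue, then with `DRY_RUN=0` from the management account for step 1 and from the delegated administrator account for step 2; the Region must be repeated for every Region you monitor, because the organization configuration is per detector.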
GuardDuty Features
Findings: A potential security issue discovered by GuardDuty. Findings are displayed in the GuardDuty console and contain a detailed description of the security issue. The beauty of GuardDuty findings is that clicking one opens a side panel with detailed information: everything that caused the finding is listed there.
Settings: The Settings page is only enabled for the Delegated Administrator account. From here you can disable or suspend GuardDuty, configure the S3 bucket, and change the Delegated Administrator.
Lists: You can add a Trusted IP list and a Threat list from here.
Trusted IP list: A list of trusted IP addresses for highly secure communication with your AWS environment. GuardDuty does not generate findings based on trusted IP lists.
Threat list: A list of known malicious IP addresses. GuardDuty generates findings based on threat lists.
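An added example (not from the original post) of building and registering both list types from the AWS CLI, with a validation step the console does not give you. The bucket name, detector ID, list contents and the DRY_RUN/AWS_REGION variables are constructed placeholders; the script assumes the plaintext (TXT) list format and that the bucket lives in AWS_REGION.

```sh
#!/bin/sh
# Added example, not from the original post: check a plaintext IP list before
# registering it with GuardDuty as a trusted IP list or a threat list. Bucket
# name, detector ID and list contents are constructed placeholders. DRY_RUN=1
# (the default) only prints each aws command; set DRY_RUN=0 to execute them.
: "${DRY_RUN:=1}"
: "${AWS_REGION:=us-east-1}"

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Every dotted octet must be 0-255 (the regex below only checks digit count).
# The body runs in a subshell so changing IFS does not leak to the caller.
octets_ok() (
  IFS=.
  set -- $1
  for o; do [ "$o" -le 255 ] || exit 1; done
  exit 0
)

# GuardDuty's TXT list format is one IPv4 address or CIDR block per line.
# Reject anything else and report the line, because a malformed or mistyped
# entry in a *trusted* list silently suppresses findings for that range.
validate_ip_list() {
  file="$1"
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -n "$line" ] || continue                 # ignore blank lines
    if ! printf '%s\n' "$line" | grep -Eq \
         '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
       || ! octets_ok "${line%%/*}"; then
      echo "$file:$n: not an IPv4 address or CIDR block: $line" >&2
      return 1
    fi
  done < "$file"
  return 0
}

# Upload a validated list to S3 and register it. "trusted" creates an IP set
# (no findings for those addresses); "threat" creates a threat intel set
# (findings for activity involving those addresses). --activate puts the list
# into use immediately. The bucket is assumed to live in AWS_REGION.
register_list() {
  kind="$1"; name="$2"; file="$3"; detector="$4"; bucket="$5"
  case "$kind" in
    trusted) api=create-ip-set ;;
    threat)  api=create-threat-intel-set ;;
    *) echo "kind must be 'trusted' or 'threat', got '$kind'" >&2; return 1 ;;
  esac
  validate_ip_list "$file" || return 1
  location="https://s3.$AWS_REGION.amazonaws.com/$bucket/$name.txt"
  run aws s3 cp "$file" "s3://$bucket/$name.txt"
  run aws guardduty "$api" --detector-id "$detector" --name "$name" \
      --format TXT --location "$location" --activate --region "$AWS_REGION"
}

# Constructed sample lists (RFC 5737 documentation ranges), written to a
# temporary directory so the script runs offline.
work=$(mktemp -d)
printf '203.0.113.0/24\n198.51.100.7\n' > "$work/corp-egress.txt"
printf '192.0.2.0/24\n999.0.2.1\n'      > "$work/known-bad.txt"   # second line is invalid

register_list trusted corp-egress "$work/corp-egress.txt" \
    12abc34d56789ef01234567890abcdef gd-lists-example-bucket
register_list threat known-bad "$work/known-bad.txt" \
    12abc34d56789ef01234567890abcdef gd-lists-example-bucket \
    || echo "known-bad.txt was rejected before upload, as intended"
```

The validation matters most for the trusted list: an entry that is too broad or simply wrong removes visibility rather than adding it, so it is worth failing closed before the file reaches S3.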
S3 Protection: You can enable or disable S3 Protection from here.
Kubernetes Protection: You can enable or disable Kubernetes audit log monitoring from here.
Accounts: You can add accounts, enable GuardDuty for this Region, and turn on Auto-Enable from here.
GuardDuty is a Regional service, which means that every configuration procedure on this page must be repeated in each Region you want to monitor with GuardDuty. It is highly recommended that you enable GuardDuty in all supported AWS Regions.
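The standalone enablement steps above, run per Region from the AWS CLI, as an added example that is not part of the original post. The Region list, the DRY_RUN variable and the choice of a 15-minute finding publishing frequency are this script's own assumptions; `create-detector` is the API call behind the Enable GuardDuty button.

```sh
#!/bin/sh
# Added example, not from the original post: the AWS CLI equivalent of the
# standalone "Enable GuardDuty" steps, repeated per Region because GuardDuty is
# Regional. The Region list at the bottom is a constructed example. DRY_RUN=1
# (the default) only prints each aws command; set DRY_RUN=0 to execute them.
: "${DRY_RUN:=1}"

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Enable GuardDuty in one Region. create-detector is the API call behind the
# "Enable GuardDuty" button. An account can only have one detector per Region,
# so when one already exists (only checkable outside dry-run) it is switched
# on with update-detector instead of failing on a second create-detector.
# FIFTEEN_MINUTES publishes findings to EventBridge faster than the default
# six-hour interval, which matters when alerts feed an on-call pipeline.
enable_region() {
  region="$1"
  if [ "$DRY_RUN" != 1 ]; then
    existing=$(aws guardduty list-detectors --query 'DetectorIds[0]' \
                 --output text --region "$region")
    if [ -n "$existing" ] && [ "$existing" != None ]; then
      echo "$region: detector $existing already exists, enabling it"
      aws guardduty update-detector --detector-id "$existing" --enable \
          --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
      return
    fi
  fi
  run aws guardduty create-detector --enable \
      --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
}

# Enable GuardDuty in every Region in a space-separated list. With no list and
# DRY_RUN=0, every Region the account has opted into is discovered and used.
enable_all_regions() {
  regions="$1"
  if [ -z "$regions" ]; then
    [ "$DRY_RUN" = 1 ] && { echo "no Region list given" >&2; return 1; }
    regions=$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
  fi
  count=0
  for r in $regions; do
    enable_region "$r"
    count=$((count + 1))
  done
  echo "processed $count region(s)"
}

enable_all_regions "us-east-1 us-west-2 eu-west-1"   # constructed example list
```

Running it with an empty list and `DRY_RUN=0` enables GuardDuty in every Region the account has opted into, which is the recommended end state; a Region you never use is exactly where an attacker's unexpected instance launch would otherwise go unnoticed.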
Summary
GuardDuty is a monitoring service that analyzes AWS CloudTrail management and Amazon S3 data events, VPC Flow Logs, and DNS logs to generate security findings for your account. Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing all AWS CloudTrail events, VPC Flow Logs, and DNS logs.
To learn more, read the Amazon GuardDuty documentation.
Thanks for reading! Happy Cloud Computing!
Connect with me: Linkedin