DEV Community

Md Mohaymenul Islam (Noyon)


Setup Amazon GuardDuty and understand its feature

GuardDuty is a great tool for keeping your AWS infrastructure secure.

Amazon GuardDuty

Amazon GuardDuty continuously monitors your AWS services. It analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs as data sources.

You do not need to enable AWS CloudTrail, Amazon S3 data events, VPC Flow Logs, or DNS logs before starting GuardDuty. Amazon GuardDuty pulls independent streams of data directly from those services.

It uses threat intelligence feeds and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment.

For example:

  • GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin.

  • It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments (for example, instances deployed in a Region that has never been used) or unusual API calls (for example, a password policy change that reduces password strength).

Enable GuardDuty in a standalone account

  1. Open the GuardDuty console and click the Get Started button:


  2. Then click the Enable GuardDuty button:


Once enabled, GuardDuty will immediately begin to monitor for security threats in the current region.

Enable GuardDuty in Multi-account (Organization) environment

  1. Log in to the AWS Organization's management account and open the AWS Organizations console.

  2. From the Services tab, open Amazon GuardDuty and click Enable trusted access.


This enables GuardDuty for all of the Organization's member accounts as well as the management account (the root account).

Note: The management account is the Delegated Administrator for GuardDuty by default. You can remove it and add another Delegated Administrator at any time.

When GuardDuty is enabled, it creates a service-linked role in your account called AWSServiceRoleForAmazonGuardDuty. This role includes the permissions and trust policies that allow GuardDuty to consume and analyze events directly from AWS CloudTrail, VPC Flow Logs, and DNS logs in order to generate security findings.

GuardDuty Features

Findings: A potential security issue discovered by GuardDuty. Findings are displayed in the GuardDuty console and contain a detailed description of the security issue.


A useful feature of GuardDuty findings is that clicking one of them opens a side panel with detailed information, including everything that caused the finding:


Settings: The Settings page is only enabled for the Delegated Administrator account. From here you can disable or suspend GuardDuty, configure an S3 bucket, and change the Delegated Administrator:


Lists: You can add a Trusted IP list and a Threat list from here:

  • Trusted IP list: A list of trusted IP addresses for highly secure communication with your AWS environment. GuardDuty does not generate findings based on trusted IP lists.

  • Threat list: A list of known malicious IP addresses. GuardDuty generates findings based on threat lists.
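As an added example (not part of the original post), the following stdlib-only Python triages a handful of findings the way an analyst might after the console shows them: it maps GuardDuty's numeric severity to its Low/Medium/High band and suppresses findings whose remote IP falls in a trusted CIDR, which is the effect a Trusted IP list has inside GuardDuty itself. The records are constructed and use a trimmed version of the PascalCase shape `aws guardduty get-findings` returns (an assumption); the finding type names are real GuardDuty types, and `triage`, `remote_ip` and `severity_label` are hypothetical helpers.

```python
import ipaddress
from collections import Counter

# Constructed sample records (assumption: a trimmed version of the
# PascalCase shape returned by `aws guardduty get-findings`).
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Region": "us-east-1", "Service": {"Action": {"ActionType": "DNS_REQUEST",
     "DnsRequestAction": {"Domain": "pool.example.invalid"}}}},
    {"Id": "f2", "Type": "Stealth:IAMUser/PasswordPolicyChange", "Severity": 5.0,
     "Region": "us-east-1", "Service": {"Action": {"ActionType": "AWS_API_CALL",
     "AwsApiCallAction": {"Api": "UpdateAccountPasswordPolicy",
                          "RemoteIpDetails": {"IpAddressV4": "203.0.113.9"}}}}},
    {"Id": "f3", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Region": "eu-west-1", "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
     "NetworkConnectionAction": {"RemoteIpDetails": {"IpAddressV4": "10.20.0.5"}}}}},
]

def severity_label(score):
    """Map GuardDuty's numeric severity to its band (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9)."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def remote_ip(finding):
    """Return the remote IPv4 address recorded for the finding's action, if any."""
    for detail in finding.get("Service", {}).get("Action", {}).values():
        if isinstance(detail, dict) and "RemoteIpDetails" in detail:
            return detail["RemoteIpDetails"].get("IpAddressV4")
    return None

def triage(findings, trusted_cidrs):
    """Suppress findings whose remote IP falls in a trusted CIDR (the effect a
    GuardDuty Trusted IP list has) and summarise the rest by severity band."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    kept = []
    for f in findings:
        ip = remote_ip(f)
        if ip and any(ipaddress.ip_address(ip) in net for net in trusted):
            continue  # known-good source such as an internal scanner: not actionable
        kept.append({"Id": f["Id"], "Type": f["Type"], "Region": f["Region"],
                     "Band": severity_label(f["Severity"])})
    return kept, Counter(k["Band"] for k in kept)

if __name__ == "__main__":
    kept, counts = triage(SAMPLE_FINDINGS, ["10.20.0.0/16"])
    for k in kept:
        print(k["Band"], k["Region"], k["Type"])
    print(dict(counts))
```

The DNS-based crypto-mining finding has no remote IP and is never suppressed, so the trusted list only ever removes findings tied to a source address.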


S3 Protection: You can enable or disable S3 protection from here:


Kubernetes Protection: You can enable or disable Kubernetes audit log monitoring from here:


Accounts: You can add accounts, enable GuardDuty for the current region, and turn on Auto-enable from here:


On Auto-enable


Enable GuardDuty for this region



GuardDuty is a Regional service, meaning that every configuration procedure on this page must be repeated in each region you want to monitor with GuardDuty. It is highly recommended that you enable GuardDuty in all supported AWS Regions.

Summary

GuardDuty is a monitoring service that analyzes AWS CloudTrail management and Amazon S3 data events, VPC Flow Logs, and DNS logs to generate security findings for your account. Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing all AWS CloudTrail events, VPC Flow Logs, and DNS logs.

To learn more, read the Amazon GuardDuty documentation.

Thanks for reading! Happy Cloud Computing!

Connect with me: LinkedIn
