DEV Community

Cover image for All You Need To Know About Amazon GuardDuty
Sena Yakut
Sena Yakut

Posted on

All You Need To Know About Amazon GuardDuty

Amazon GuardDuty is one of the security services that AWS launches in November of 2017. In this blog, we’ll learn the main points about Amazon GuardDuty. After reading this, you want to use this service if you have not enabled it yet. Let’s start with “What is Amazon GuardDuty?”

What is Amazon GuardDuty?
Amazon GuardDuty is a regional intelligent threat detection service. It detects unusual or unexpected behavior in your AWS environment. It’s not focused on only one AWS service or threat case, it detects all threats based on your AWS environment. Amazon GuardDuty provides automatic security analysis for your potential threats. For data sources for analysis, it uses AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs in your AWS account. To provide automatic security analysis, it uses machine learning algorithms. We’ve learned your infrastructure is continuously analyzed and monitored with GuardDuty. Once enabled, Amazon GuardDuty learns about your environment and possible threats with behavioral modeling using machine learning algorithms. It’s also so easy to enable and use, with just one click.
Cyber Threat
Unlike other threat detection services, you do not need to install or deploy any agents/software to your AWS resources. Amazon GuardDuty is a fully AWS service, your resources do not encounter any performance issues.

Features of Amazon GuardDuty

- List Management: You can add trusted and threat IP lists to Amazon GuardDuty. You can add trusted IPs for eliminating false positive findings such as your company network IP list for testing some cases. You can add known malicious IP addresses or networks to your threat IP list for generating and analyzing findings that are coming from them.

- S3 Protection: One of the important storage services is AWS S3. Attackers love to find credentials and config files in publicly accessible buckets. Enabling S3 protection provides monitoring of suspicious access or activities in your AWS S3 buckets. AWS CloudTrail management and S3 data events are used for detection. AWS strongly recommends enabling S3 protection in GuardDuty. In below, you can see an example S3 finding:
GuardDuty AWS S3 Finding

- Kubernetes Protection: Amazon GuardDuty detects suspicious and potential compromises of your AWS EKS. It uses Kubernetes audit logs for monitoring and generating findings. It detects lots of different threat cases such as granted admin privileges, anonymous user access, and invokes from known malicious IP addresses or your threat list.
GuardDuty Kubernetes Protection
- Malware Protection: It’s a new feature that is announced in ReInforce:2022. GuardDuty detects your EC2 instances or container workloads that have been compromised by malware. You do not need to install, update, or maintain any agents to your resources, GuardDuty handles all scans agentless with zero impact on performance.

Amazon GuardDuty Malware Protection
- Managing Multiple Accounts: If you have more than one AWS account, you want to view all findings in a central place. GuardDuty provides multiple account control from one centralized security account. You need to add your account as a member to the master account. Member accounts should accept the invitation. Master accounts do not disable or suspend GuardDuty that belongs to member accounts. It only has view access.

Managing Multiple Accounts

Understanding the GuardDuty Findings
Let’s analyze an example finding in the following:

Understanding the GuardDuty Findings
We can easily see the details about “PortSweep” threat that is affected our EC2 list with the resource id. GuardDuty provides us an overview of the finding for understanding impact and possible attack scenarios. We also have a severity “HIGH” that indicates the resources is compromised or actively being used for attack purposes. Severity levels helps us prioritize our responses to potential threats. We’ve also resource affected, action, target, and additional information parts about every finding. You can easily write queries to filter your findings using severity, account id, resource type etc. You can find full list here.
Understanding the GuardDuty Findings
Finding Remediations
As you know, GuardDuty does not remediate any finding if you do not implement a custom solution. It is only responsible for analyzing and monitoring your infrastructure. Also, Amazon GuardDuty does not alarm you if you do not have any notification process. You can design and automate remediation actions based on your findings and resources.
For example, let’s assume that we need an automated remediation solution if we get findings about EC2 servers from GuardDuty. From an incident response perspective, if your EC2 servers are under attack, you need to move them to an isolated place (a security group with a no inbound & outbound rule), get a snapshot of them, and send a notification to the security team with a detailed message. We can implement this solution in the following:
Automated remediation Amazon GuardDuty
AWS provides us a free 30-day trial, you can see if Amazon GuardDuty it’s a good fit for you. Believe me, it’s a good fit for lots of infrastructures. The pricing is based on your AWS log data. The more log data GuardDuty analyzes, the more you pay. You can see all price calculations here.

Thanks for reading! Stay safe in the cloud! ☁️☁️

Top comments (0)