GuardDuty

GuardDuty is a security service that looks at your VPC FlowLogs, CloudTrail Events, and VPC DNS Resolver to identify threats in your AWS Account.

From the AWS Service Description:

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable, easy to aggregate across multiple accounts, and straightforward to push into existing event management and workflow systems. (source)

Service Summary

Service Name: Amazon GuardDuty
Service Family: Security, Identity, & Compliance
Supports Resource Policies: No
Service Pricing: Moderate
Service Webpage: https://aws.amazon.com/guardduty/

Security Risks

GuardDuty is a regional service and must be enabled in every region in order to provide threat detection of CloudTrail events from those regions. GuardDuty events can be aggregated across the AWS Accounts in an organization, but not across regions, so whatever alerting you build on GuardDuty events must be deployed in every region. Also, GuardDuty is not a launch requirement for new AWS Regions, so you cannot rely on GuardDuty being available in all regions (it took 6 months from the launch of the Stockholm region for GuardDuty support to be available). The list of regions that support GuardDuty is here.

Effectively Leveraging GuardDuty

As of April 2020, GuardDuty supports AWS Organizations management of GuardDuty. This allows you to enable and manage GuardDuty for an entire AWS Organization. When GuardDuty’s ML-magic detects a potential threat it generates a Finding. These Findings can be retrieved from CloudWatch Events and sent to your SIEM or Slack of choice.
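Because neither detectors nor findings span regions, the two things worth auditing per region are that a detector is ENABLED and that a CloudWatch Events (EventBridge) rule forwarding GuardDuty findings exists there. The following is an added example written for this page, not AWS or project code; it assumes boto3 credentials with read access to GuardDuty, EventBridge and EC2, and the inventory dictionary layout is a constructed one so the checks can also run offline:

```python
"""Audit GuardDuty coverage region by region: every region needs an ENABLED
detector and an EventBridge rule that selects GuardDuty findings, because
findings aggregate across accounts but never across regions."""
import json


def rule_matches_guardduty(event_pattern):
    """True if an EventBridge rule's pattern (JSON string) selects GuardDuty findings."""
    if not event_pattern:
        return False
    try:
        pattern = json.loads(event_pattern)
    except ValueError:
        return False
    return isinstance(pattern, dict) and "aws.guardduty" in pattern.get("source", [])


def coverage_gaps(inventory):
    """inventory: {region: {"detectors": [status, ...], "rules": [event_pattern, ...]}}
    Returns {region: [problem, ...]} for every region that is not fully covered."""
    gaps = {}
    for region, data in sorted(inventory.items()):
        problems = []
        if "ENABLED" not in data.get("detectors", []):
            problems.append("no enabled GuardDuty detector")
        if not any(rule_matches_guardduty(p) for p in data.get("rules", [])):
            problems.append("no EventBridge rule forwarding GuardDuty findings")
        if problems:
            gaps[region] = problems
    return gaps


def collect_inventory(session, regions):
    """Build the inventory with live boto3 calls (needs credentials; not run offline).
    A region where GuardDuty is not yet launched will raise from the guardduty client."""
    inventory = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ev = session.client("events", region_name=region)
        statuses = [gd.get_detector(DetectorId=d)["Status"]
                    for d in gd.list_detectors().get("DetectorIds", [])]
        patterns = [r.get("EventPattern")
                    for page in ev.get_paginator("list_rules").paginate()
                    for r in page.get("Rules", [])]
        inventory[region] = {"detectors": statuses, "rules": patterns}
    return inventory


if __name__ == "__main__":
    import boto3  # imported here so the pure checks above run without boto3 installed
    session = boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    for region, problems in coverage_gaps(collect_inventory(session, regions)).items():
        print(region, "->", "; ".join(problems))
```

Run it from an account with GuardDuty delegated-administrator access to see the whole organization's detectors; from a member account it only reports that account's own regions.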

CloudTrail events of significance

Coming Soon