With the cloud, collecting and aggregating account and network logs is simple, but the security team's continuous analysis and inspection of that event log data for potential threats can still be difficult and time-consuming. AWS (Amazon Web Services) offers a service for this in the form of Amazon GuardDuty, which automates the analysis of a vast amount of CloudTrail events and VPC, S3, and DNS query logs.
What is Amazon GuardDuty?
Amazon GuardDuty provides intelligent, continuous threat detection for your AWS accounts, workloads, and data stored in Amazon S3 to reduce risk.
It's essentially a security service that keeps an eye on everything happening in your account at an infrastructure level, alerting you to any undesirable behavior.
Enable GuardDuty and start monitoring:
Abnormal API activity: monitor for unusual API calls coming from a malicious IP address or domain.
Attempts to disable AWS CloudTrail logging: an attacker trying to cover their tracks by disabling logging, so that you cannot see where they came from or exactly what they did.
Potential unauthorized deployment and compromised instances: an attacker launching an EC2 instance into your VPC that could serve as a backdoor into it.
S3 bucket compromise: activity indicating an S3 bucket compromise, such as suspicious patterns indicating credential misuse, unusual S3 API activity, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets.
Amazon Elastic Kubernetes Service (Amazon EKS) clusters: continuously identify malicious behavior that threatens container workloads. Amazon GuardDuty for EKS analyzes Kubernetes audit logs from existing and new Amazon EKS clusters in your accounts.
Protect your compute workloads: detect when your EC2 instance is used to mine cryptocurrency or communicate with IP addresses and domains associated with known malicious actors.
Protect your AWS credentials: detect when your AWS credentials are used in a suspicious way, such as from IP addresses associated with known malicious actors, or in a way that deviates from their expected behavior.
Protect your data stored in Amazon S3 buckets: detect when data stored in your Amazon S3 buckets is accessed in a highly suspicious manner, such as when an unusual volume of objects is retrieved from an unusual location, or when the S3 bucket is accessed from IP addresses associated with known malicious actors.
GuardDuty machine learning
GuardDuty uses machine learning to detect anomalies in the behavior of your account. So when you first set up GuardDuty, it takes between seven and 14 days to establish a baseline of what normal behavior looks like in your account. Once the baseline has been created, GuardDuty can actively begin monitoring your account. When active, you will only see findings if GuardDuty detects behavior that it considers a threat.
Amazon GuardDuty implementation
Implementation in the AWS Management Console
Set up and log in to your AWS account.
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
Click on the “Get Started” button.
You can use GuardDuty and its threat detection with a 30-day free trial.
Amazon GuardDuty can be integrated with AWS Security Hub; learn more about it in our blog post: What is AWS Security Hub? Definition, Benefits & Pricing
Amazon GuardDuty findings
GuardDuty findings represent potential security issues detected in your AWS environment. You can view and manage your GuardDuty findings on the "Findings" page of the GuardDuty console or by using the GuardDuty CLI or API operations.
Severity levels for GuardDuty findings
Each GuardDuty finding has an assigned severity level (Low, Medium, or High) and a value (0.1 to 8.9) that reflects the potential risk.
A “Low” (0.1 – 3.9) level indicates suspicious or malicious activity that was blocked before it compromised your resource.
A “Medium” (4 – 6.9) level indicates suspicious activity. For example, a large volume of traffic is being returned to a remote host that is hiding behind a network.
A “High” (7 – 8.9) level indicates that the resource in question (e.g. an EC2 instance or a set of IAM user credentials) is compromised and is being used for unauthorized purposes.
Where to locate findings
Use the following procedure to view and analyze your GuardDuty findings.
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
Choose Findings and then select a specific finding to view its details.
The details for each finding will depend on the Finding type, resources involved, and nature of the activity.
Testing Amazon GuardDuty
If you want to test Amazon GuardDuty, try the following approaches to generate findings.
1. AWS GuardDuty tester tool for Linux
You can find the CloudFormation template for the GuardDuty tester, with everything prepared, on the AWS Labs GitHub page: https://github.com/awslabs/amazon-guardduty-tester.
Just follow the basic steps for creating an AWS environment with EC2 instances and a VPC, and everything will be set up for you. Then connect to one of the EC2 instances and start the script.
There are six tests provided that will be started by the guardduty_tester.sh script:
Internal port scanning
SSH Brute Force with Compromised Keys
RDP Brute Force with Password List
CryptoCurrency Mining Activity
Fake domain to prove that GuardDuty is working
After running this script a couple of times, we got these results in the GuardDuty Findings:
2. Generate sample Findings in GuardDuty Console
You can use the sample findings function in the GuardDuty console to visualize the different finding types that GuardDuty generates.
Sample findings can also be used to test notifications or automation that you have configured for findings.
After using this function, we got these results in the GuardDuty findings.
Comparison of Amazon GuardDuty
Is Amazon GuardDuty an IDS or IPS?
No, it is not an Intrusion Prevention System (IPS), since it only alerts on activity. You could build actions on top of GuardDuty alerts with AWS Lambda, but that is not part of the service itself.
And it is not an intrusion detection system (IDS) either. An IDS is usually aware of what is happening on the virtual instances, and the better ones are even application-aware. GuardDuty only acts on CloudTrail logs, VPC Flow Logs, and DNS query logs. It has no idea what is running on your instances and has no understanding of what is normal behavior for you or your business.
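As an added example (not code from StormIT or AWS), here is a Lambda handler that applies the severity bands from the findings section above and makes the kind of routing decision this section describes building on top of GuardDuty alerts. It assumes the EventBridge event shape for GuardDuty findings (the finding JSON under "detail"); the response tiers and the sample finding are invented for illustration.

```python
from typing import Any

# Severity bands as given on this page: Low 0.1-3.9, Medium 4-6.9, High 7-8.9.
def severity_level(score: float) -> str:
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    if not 0.1 <= score <= 8.9:
        raise ValueError(f"severity outside GuardDuty's 0.1-8.9 range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def affected_resource(finding: dict[str, Any]) -> str:
    """Return the identifier of the resource the finding is about."""
    res = finding.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        return res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return res["accessKeyDetails"]["userName"]
    if rtype == "S3Bucket":
        return res["s3BucketDetails"][0]["name"]
    return f"unknown:{rtype}"

# Invented response tier per band. Wiring a tier to SNS, a ticketing system or
# EC2 isolation is the caller's job; this handler only decides, so it runs offline.
ACTIONS = {"High": "page-oncall", "Medium": "open-ticket", "Low": "log-only"}

def triage(finding: dict[str, Any]) -> dict[str, str]:
    """Decide how to route one finding: band, affected resource, response tier."""
    level = severity_level(float(finding["severity"]))
    return {
        "id": finding["id"],
        "type": finding["type"],  # threat purpose first, e.g. "CryptoCurrency:EC2/..."
        "level": level,
        "resource": affected_resource(finding),
        "action": ACTIONS[level],
    }

def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, str]:
    """EventBridge rule target: the finding JSON is delivered under "detail"."""
    return triage(event["detail"])

# Constructed sample event in the shape EventBridge delivers (not a real finding).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8, "resource": {"resourceType": "Instance",
                                    "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
```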
What is the difference between Amazon Inspector and Amazon GuardDuty?
Amazon Inspector provides security assessments of the settings and configuration of the applications on your EC2 instances, while Amazon GuardDuty analyzes your entire AWS environment for potential threats.
Inspector only covers EC2 at the moment. GuardDuty, on the other hand, will continuously monitor your “AWS accounts, workloads, and data stored in Amazon S3” and alert you.
Amazon GuardDuty vs Amazon Macie
GuardDuty is different from Amazon Macie. Macie only looks into S3 buckets and intelligently classifies data to help you ensure that the proper access controls are applied to that data.
Amazon GuardDuty pricing
You get the first 30 days free, so you can try out every function. After this period, you are charged based on the quantity of CloudTrail events and on the volume of DNS logs and VPC Flow Logs analyzed. You only pay for the detection capacity you use, when you use it.
Find out more about GuardDuty pricing on the official AWS page.
You can find your current estimated total daily costs on the “Usage” page in the GuardDuty console.
Pricing example per month in the EU Central (Frankfurt) region:
The StormIT team helps organizations protect their websites and applications against all commonly known attacks and exploits by leveraging the protection of AWS Edge Services.