Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats. Amazon GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, CloudTrail event logs and DNS logs for malicious or unauthorized behavior. When GuardDuty detects suspicious or unexpected behavior in your AWS account, it generates a finding. A finding is a notification that contains information about a potential security threat identified by the GuardDuty service. The finding details include data about the finding actor, the AWS resource(s) involved in the suspicious activity, the time when the activity occurred and so on. The GuardDuty findings are available within your Cloud Conformity account as a result of the Real-Time Threat Monitoring and Analysis (RTMA) integration with the Amazon GuardDuty service. With the RTMA - GuardDuty integration, the findings are highlighted on your Cloud Conformity dashboard and alert notifications are sent in real time (based on the severity level) via established communication channels. The communication channels for sending finding alert notifications can be easily configured within your Cloud Conformity account. The supported communication channels are Email, SMS, Slack, JIRA, PagerDuty and ServiceNow.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With GuardDuty findings you can evaluate your AWS infrastructure (AWS accounts and resources, IAM user passwords, API keys, guest operating systems, applications, etc) in an automated way, without the heavy lifting of additional security hardware or software to deploy and maintain.
Note: As an example, this conformity rule demonstrates how to analyze and solve a Recon:EC2/PortProbeUnprotectedPort type finding. This type of finding informs you that somewhere in your AWS environment an EC2 instance has an unprotected port that a potential attacker is probing. The unprotected port is port 22 (SSH) and the remediation consists of limiting exposure by allowing access only to IP addresses from a trusted network IP address space.
Audit
To check for existing Amazon GuardDuty findings within your AWS account, perform the following:
Remediation / Resolution
To solve an Amazon GuardDuty finding, perform the following actions:
Note: As an example, this section provides step by step instructions on how to solve the audited GuardDuty finding (i.e. "unprotected port on EC2 instance i-012345678aabbccdd is being probed") by updating the inbound configuration of the security group associated with the compromised EC2 instance in order to restrict SSH access to a specific (trusted) IP address or IP range.
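The audit and remediation sections above rely on the AWS CLI commands listed under References: `aws guardduty list-detectors` to obtain the detector id, `aws guardduty list-findings --detector-id <id>` to enumerate finding ids, `aws guardduty get-findings --detector-id <id> --finding-ids <ids>` to fetch the finding details, and then `aws ec2 revoke-security-group-ingress` / `aws ec2 authorize-security-group-ingress` to close the world-open SSH rule and re-open it only for the trusted range. The script below is an added example, not code from the Conformity page: it reads a constructed `get-findings` document and a constructed `describe-security-groups` entry (the instance id is the one quoted above; the security group id, probing IP and trusted CIDR are placeholders from the RFC 5737 documentation ranges), extracts the probed port and the attached security groups from the finding, locates every ingress rule that exposes that port to 0.0.0.0/0 or ::/0, and prints the exact revoke/authorize commands a remediator would run. Nothing is executed against AWS; the plan is returned for review.

```python
"""Offline triage of a Recon:EC2/PortProbeUnprotectedPort finding (added example)."""
import json

FINDING_TYPE = "Recon:EC2/PortProbeUnprotectedPort"
TRUSTED_CIDR = "198.51.100.0/24"  # constructed placeholder for the trusted network range

# Constructed sample in the shape of `aws guardduty get-findings` output.
SAMPLE_FINDINGS = json.loads("""
{"Findings": [{
  "Id": "constructed-finding-id",
  "Type": "Recon:EC2/PortProbeUnprotectedPort",
  "Severity": 2,
  "Resource": {"ResourceType": "Instance",
               "InstanceDetails": {"InstanceId": "i-012345678aabbccdd",
                 "NetworkInterfaces": [{"SecurityGroups": [
                   {"GroupId": "sg-0123456789abcdef0", "GroupName": "constructed-sg"}]}]}},
  "Service": {"Action": {"ActionType": "PORT_PROBE",
    "PortProbeAction": {"Blocked": false, "PortProbeDetails": [
      {"LocalPortDetails": {"Port": 22, "PortName": "SSH"},
       "RemoteIpDetails": {"IpAddressV4": "203.0.113.5"}}]}}}
}]}
""")

# Constructed sample in the shape of one entry of `aws ec2 describe-security-groups`.
SAMPLE_GROUP = json.loads("""
{"GroupId": "sg-0123456789abcdef0",
 "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
""")


def probed_ports(finding):
    """Local ports the remote host was seen probing, from the finding's action details."""
    details = finding["Service"]["Action"]["PortProbeAction"]["PortProbeDetails"]
    return sorted({d["LocalPortDetails"]["Port"] for d in details})


def affected_groups(finding):
    """Security group ids attached to the probed instance's network interfaces."""
    nics = finding["Resource"]["InstanceDetails"]["NetworkInterfaces"]
    return sorted({sg["GroupId"] for nic in nics for sg in nic["SecurityGroups"]})


def _covers(perm, port):
    """True if an ingress permission matches TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":  # "all traffic" rules carry no port range
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def world_open_rules(group, port):
    """Ingress rules exposing `port` to 0.0.0.0/0 or ::/0, one IpPermissions dict per range."""
    hits = []
    for perm in group["IpPermissions"]:
        if not _covers(perm, port):
            continue
        base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        for r in perm.get("IpRanges", []):
            if r["CidrIp"] == "0.0.0.0/0":
                hits.append({**base, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
        for r in perm.get("Ipv6Ranges", []):
            if r["CidrIpv6"] == "::/0":
                hits.append({**base, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]})
    return hits


def remediation_plan(findings, groups_by_id, trusted_cidr):
    """Build (not run) the CLI commands that close world-open rules on each probed port
    and re-open that port only for `trusted_cidr`. If a revoked rule was broader than
    the probed port, the reviewer must decide what else that rule was serving."""
    cmds = []
    for f in findings["Findings"]:
        if f["Type"] != FINDING_TYPE:
            continue
        for gid in affected_groups(f):
            group = groups_by_id[gid]
            for port in probed_ports(f):
                open_rules = world_open_rules(group, port)
                for rule in open_rules:
                    cmds.append("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
                                % (gid, json.dumps([rule], separators=(",", ":"))))
                if open_rules:
                    allow = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                             "IpRanges": [{"CidrIp": trusted_cidr}]}
                    cmds.append("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'"
                                % (gid, json.dumps([allow], separators=(",", ":"))))
    return cmds


if __name__ == "__main__":
    groups = {SAMPLE_GROUP["GroupId"]: SAMPLE_GROUP}
    for cmd in remediation_plan(SAMPLE_FINDINGS, groups, TRUSTED_CIDR):
        print(cmd)
```

The plan deliberately revokes each world-open range as its own `--ip-permissions` entry (IPv4 and IPv6 separately) so that a partial failure leaves an auditable state, and it authorizes only the probed port rather than whatever range the revoked rule covered; feed it the real `get-findings` and `describe-security-groups` JSON and check the printed commands against the security group's purpose before running them.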
References
- AWS Documentation
  - Amazon GuardDuty FAQs
  - Amazon GuardDuty Findings
  - Amazon GuardDuty Finding Types
  - Remediating Security Issues Discovered by Amazon GuardDuty
  - Authorizing Inbound Traffic for Your Linux Instances
- AWS Command Line Interface (CLI) Documentation
  - guardduty
    - list-detectors
    - list-findings
    - get-findings
  - ec2
    - revoke-security-group-ingress
    - authorize-security-group-ingress