
GuardDuty Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: GD-001

Ensure that Amazon GuardDuty is enabled in all AWS regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, EC2 instances, applications, etc.) against security threats. Amazon GuardDuty is a managed threat detection service that continuously analyzes your VPC flow logs, AWS CloudTrail event logs and DNS logs for malicious or unauthorized behavior. The service looks for activity such as unusual API calls, potentially compromised EC2 instances or potentially unauthorized deployments that indicate a possible AWS account compromise. GuardDuty is a regional service: a detector enabled in one region analyzes only that region's activity, so a region that was never enabled is a blind spot even when the rest of the account is covered. GuardDuty operates entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications. The service does not require any software agents, sensors or network appliances.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

GuardDuty uses threat intelligence feeds such as lists of malicious IPs or domains and machine learning algorithms to identify unexpected, potentially unauthorized and malicious activity within your AWS environment. For example, the service can detect when an EC2 instance might be compromised because it is communicating with a known set of malicious IP addresses. Once the compromised EC2 instance is detected, you can take immediate action to restrict outbound traffic for that instance, which stops further data exfiltration until a security engineer can assess exactly what has occurred. GuardDuty can also detect unauthorized infrastructure deployments such as EC2 instances launched in an AWS region that has never been used before, unusual API calls such as an IAM user password policy change that reduces the password strength, and compromised instances used by malicious individuals for cryptocurrency mining or serving malware.
When the service detects suspicious or unexpected behavior in your AWS environment, it generates a finding. A GuardDuty finding is a notification that contains the details about a potential security threat identified by the service. The finding details include information about what happened, which AWS resources were involved in the suspicious activity, when the activity was initiated, the actor behind it and so on. A few examples of GuardDuty finding types:

Recon:EC2/PortProbeUnprotectedPort – the finding that informs you that somewhere within your AWS environment an EC2 instance has an unprotected port that a potential attacker is probing.

UnauthorizedAccess:EC2/SSHBruteForce – this finding informs you that an EC2 instance has been involved in an SSH brute-force attack aimed at obtaining SSH credentials on Linux-based systems. The finding's resource role tells you whether the instance was the target of the attack or the source of it; the latter usually means the instance itself is already compromised.

UnauthorizedAccess:IAMUser/MaliciousIPCaller – this informs you that an API operation (e.g. an attempt to launch an EC2 instance, the creation of a new IAM user or role, etc) has been invoked from a known malicious IP address.

Each finding carries a severity (low, medium or high) and is accompanied by detailed evidence and recommendations for remediation/resolution. Findings are also available within your Cloud Conformity account as a result of the Real-Time Threat Monitoring and Analysis (RTMA) feature integration with Amazon GuardDuty. With the RTMA - GuardDuty integration you can receive finding alerts on the Cloud Conformity dashboard in real time. The communication channels for sending finding alert notifications can be configured within your Cloud Conformity account. The list of supported communication channels is Email, Slack, JIRA, SMS, PagerDuty and ServiceNow.

With Amazon GuardDuty in use, you receive intelligent and centralized threat detection without the heavy lifting of additional security software or infrastructure to deploy and maintain. Note that GuardDuty detects and reports; it does not remediate. Acting on a finding (isolating an instance, revoking credentials, opening a ticket) is your responsibility, typically automated by routing findings through CloudWatch Events to a Lambda function or to one of the notification channels described above.

Note: When you enable Amazon GuardDuty for the first time, your AWS account is automatically enrolled in a 30-day GuardDuty free trial, therefore you are not charged for using the service until your free trial ends. For more information about the pricing, visit AWS GuardDuty Pricing.
Cloud Conformity recommends that customers enable GuardDuty in all regions. GuardDuty is priced on the volume of data it analyzes (CloudTrail events and VPC flow/DNS log data) rather than on the findings it produces. In regions you do not use there should be close to zero activity to analyze, so the cost of keeping GuardDuty enabled there is very small. Any activity that does appear in a "non-active" region is arguably suspicious in itself and is exactly what GuardDuty should be watching.


Audit

To determine if Amazon GuardDuty is enabled within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty. If you are being redirected to the service Get started page:


Amazon GuardDuty is not currently enabled within the selected AWS region, therefore your AWS environment and infrastructure is not protected against security threats.

03 Change the AWS region from the navigation bar and repeat the audit process for other regions.

04 Repeat steps no. 1 – 3 for each AWS account that you want to examine.

Using AWS CLI

01 Run list-detectors command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the existing Amazon GuardDuty detectors. A detector is an object that represents the AWS GuardDuty service. A detector must be created in order for GuardDuty to become operational:

aws guardduty list-detectors \
	--region us-east-1 \
	--query 'DetectorIds'

02 The command output should return an array with the requested detector ID(s):

[]

If the list-detectors command output returns an empty array (as shown in the example above), there are no GuardDuty detectors available, therefore Amazon GuardDuty is not enabled within the selected AWS region. If the array does contain a detector ID, that alone does not prove the region is protected: a detector can exist but be suspended. Run get-detector with the returned detector ID and confirm that the Status attribute is ENABLED before treating the region as compliant.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

04 Repeat steps no. 1 – 3 for each AWS account that you want to examine using AWS CLI.
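The audit above has to be repeated once per region, and a listed detector ID is not the same as an enabled one. The script below is an added example (not Conformity's or AWS's own tooling) that walks every region the account can use, classifies each as ENABLED, DISABLED (a detector exists but is switched off), NOT_ENABLED (no detector) or ERROR (the API call failed, e.g. an opt-in region), and exits non-zero if any region is not actively protected, so it can gate a compliance job. It assumes the aws CLI is installed with credentials that allow guardduty:ListDetectors, guardduty:GetDetector and ec2:DescribeRegions; the function names and the aws-CLI convention of printing "None" for an empty text-mode query result are the only things it relies on.

```shell
#!/bin/sh
# Added example: audit Amazon GuardDuty status in every region of the current account.
# Assumes the aws CLI and read permissions for guardduty:ListDetectors,
# guardduty:GetDetector and ec2:DescribeRegions.

# Print the first detector ID in a region, "None" when the region has no detector,
# or "ERROR" when the API call itself fails (for example a region that is not opted in).
gd_detector_id() {
  aws guardduty list-detectors --region "$1" \
      --query 'DetectorIds[0]' --output text 2>/dev/null || echo "ERROR"
}

# Classify one region as ENABLED, DISABLED, NOT_ENABLED or ERROR.
# A detector that exists but is suspended still leaves the region unprotected.
gd_region_status() {
  region="$1"
  detector=$(gd_detector_id "$region")
  case "$detector" in
    None)  echo "NOT_ENABLED"; return 0 ;;
    ERROR) echo "ERROR";       return 0 ;;
  esac
  aws guardduty get-detector --region "$region" --detector-id "$detector" \
      --query 'Status' --output text 2>/dev/null || echo "ERROR"
}

# Print one line per region and return non-zero if any region is not ENABLED,
# so the script can be used as a pass/fail check in CI or a scheduled job.
gd_audit_all_regions() {
  noncompliant=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    status=$(gd_region_status "$region")
    printf '%-16s %s\n' "$region" "$status"
    [ "$status" = "ENABLED" ] || noncompliant=$((noncompliant + 1))
  done
  [ "$noncompliant" -eq 0 ]
}

# Usage: sh guardduty-audit.sh audit
if [ "${1:-}" = "audit" ]; then
  gd_audit_all_regions
fi
```

Treat ERROR lines as findings too: a region the CLI cannot query is usually one that is not opted in, which is fine, but it can also be a SCP or permission gap that would hide a region you do use.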

Remediation / Resolution

To enable Amazon GuardDuty in order to benefit from protection against security threats, you need to perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty.

03 Click the Get started button to initiate the setup process.

04 On the Enable GuardDuty page, within the Service permissions section, click View service role permissions to review the access policy with the permissions that the GuardDuty service requires to generate findings for your AWS environment, then click Enable GuardDuty to activate the service. Once the service is enabled, it immediately starts to pull and analyze independent streams of data from AWS CloudTrail, VPC flow logs and DNS logs in order to generate findings.

05 (Optional) To help you visualize and analyze the finding types that AWS GuardDuty generates, you can create sample findings. To generate sample findings, select General, under Settings, within the left navigation panel, and click Generate sample findings button. Once generated, click on a finding to learn more about the AWS GuardDuty findings.

06 Change the AWS region from the navigation bar and repeat steps no. 3 and 4 to enable the service for other regions. GuardDuty is enabled per region, so each region starts from its own Get started page.

07 Repeat steps no. 1 – 6 for each AWS account that you want to protect with Amazon GuardDuty.

Using AWS CLI

01 Run create-detector command (OSX/Linux/UNIX) to create an Amazon GuardDuty detector. A detector is an object that represents the AWS GuardDuty service. A detector must be created in order for GuardDuty to become operational in the selected AWS region. The --enable parameter specifies that the detector is automatically enabled after creation:

aws guardduty create-detector \
	--region us-east-1 \
	--enable

02 The command output should return the unique ID of the newly created GuardDuty detector:

{
    "DetectorId": "aaabbbcccdddeeefff01234567890123"
}

Once the service is enabled, it should immediately start to pull and analyze independent streams of data from AWS CloudTrail, VPC flow logs and DNS logs in order to generate findings.

03 (Optional) To help you visualize and analyze the finding types that AWS GuardDuty generates, run create-sample-findings command (OSX/Linux/UNIX) using the ID of the detector returned at the previous step as identifier, to create AWS GuardDuty sample findings (the command does not produce an output):

aws guardduty create-sample-findings \
	--region us-east-1 \
	--detector-id aaabbbcccdddeeefff01234567890123

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to enable the service for other regions. Only one detector can exist per region; if create-detector reports that a detector already exists, the region was enabled earlier (or has a suspended detector that should be re-enabled with update-detector --enable) rather than needing a second one.

05 Repeat steps no. 1 – 4 for each AWS account that you want to protect with Amazon GuardDuty.
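Repeating the create-detector call by hand for every region is error-prone, and create-detector is not idempotent: it fails where a detector already exists, including a suspended one that still leaves the region unprotected. The script below is an added example (not Conformity's or AWS's own tooling) that brings every region to the enabled state: it creates a detector where none exists, re-enables a detector that is present but disabled via update-detector, and leaves already-enabled regions alone, printing what it did per region. It assumes the aws CLI with permissions for guardduty:ListDetectors, guardduty:GetDetector, guardduty:CreateDetector, guardduty:UpdateDetector and ec2:DescribeRegions; the function names are the example's own. The --finding-publishing-frequency option is a real create-detector parameter that controls how quickly updated findings are exported to CloudWatch Events; FIFTEEN_MINUTES is chosen here because slower alerting only helps the attacker.

```shell
#!/bin/sh
# Added example: enable Amazon GuardDuty in every region of the current account,
# idempotently. Assumes the aws CLI and permissions for guardduty:ListDetectors,
# guardduty:GetDetector, guardduty:CreateDetector, guardduty:UpdateDetector and
# ec2:DescribeRegions. GuardDuty needs no agents, so this is the entire rollout.

# Bring one region to the enabled state. Prints CREATED (new detector),
# ENABLED (existing detector was suspended and is now on), ALREADY_ENABLED or ERROR.
gd_enable_region() {
  region="$1"
  detector=$(aws guardduty list-detectors --region "$region" \
               --query 'DetectorIds[0]' --output text 2>/dev/null) || { echo "ERROR"; return 0; }
  if [ "$detector" = "None" ]; then
    # No detector in this region: create one and enable it in a single call
    # (the same create-detector --enable as step 01 of the CLI remediation).
    aws guardduty create-detector --region "$region" --enable \
        --finding-publishing-frequency FIFTEEN_MINUTES \
        --query 'DetectorId' --output text >/dev/null 2>&1 && echo "CREATED" || echo "ERROR"
    return 0
  fi
  status=$(aws guardduty get-detector --region "$region" --detector-id "$detector" \
             --query 'Status' --output text 2>/dev/null) || { echo "ERROR"; return 0; }
  if [ "$status" = "ENABLED" ]; then
    echo "ALREADY_ENABLED"
  else
    # A detector exists but is suspended. Only one detector is allowed per region,
    # so re-enable this one instead of trying to create a second.
    aws guardduty update-detector --region "$region" --detector-id "$detector" --enable \
        >/dev/null 2>&1 && echo "ENABLED" || echo "ERROR"
  fi
}

# Apply gd_enable_region to every region; return non-zero if any region failed.
gd_enable_all_regions() {
  failed=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    result=$(gd_enable_region "$region")
    printf '%-16s %s\n' "$region" "$result"
    [ "$result" != "ERROR" ] || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]
}

# Usage: sh guardduty-enable.sh enable
if [ "${1:-}" = "enable" ]; then
  gd_enable_all_regions
fi
```

Run the script from a role that is scoped to the five actions listed in the comment; it needs no wildcard permissions. For accounts that are created regularly, the same logic belongs in account-provisioning automation so that a new account never starts life with GuardDuty off.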

Publication date Dec 13, 2017