Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc.) against security threats. AWS GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, AWS CloudTrail event logs and DNS logs for malicious or unauthorized behavior. The service monitors for activity such as unusual API calls, potentially compromised EC2 instances or potentially unauthorized deployments that indicate a possible AWS account compromise. AWS GuardDuty operates entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications. The service does not require any software agents, sensors or network appliances.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
GuardDuty uses threat intelligence feeds such as lists of malicious IPs or domains and advanced machine learning algorithms to identify unexpected, potentially unauthorized and malicious activity within your AWS environment. For example, the service can detect when an AWS EC2 instance might be compromised due to traffic from a known set of malicious IP addresses. Once the compromised EC2 instance is detected, you can take immediate action to restrict outbound traffic for that instance, which stops loss of data until a security engineer can assess exactly what has occurred. AWS GuardDuty can also detect unauthorized infrastructure deployments such as EC2 instances deployed in an AWS region that has never been used before, or unusual API calls such as an IAM user password policy change that reduces the password strength. Finally, AWS GuardDuty can detect compromised instances used by malicious individuals for cryptocurrency mining and serving malware.
When the service detects suspicious or unexpected behavior in your AWS environment, it generates a finding. An AWS GuardDuty finding is a notification that contains the details about a potential security threat identified by the service. The finding details include information about what happened, what AWS resources were involved in the suspicious activity, when the activity was initiated, the finding actor and so on. A few examples of AWS GuardDuty findings:
- Recon:EC2/PortProbeUnprotectedPort – this finding informs you that somewhere within your AWS environment an EC2 instance has an unprotected port that a potential attacker is probing.
- UnauthorizedAccess:EC2/SSHBruteForce – this finding informs you that an EC2 instance has been involved in an SSH brute-force attack, aimed at obtaining SSH credentials on Linux-based systems.
- UnauthorizedAccess:IAMUser/MaliciousIPCaller – this finding informs you that an API operation (e.g. an attempt to launch an EC2 instance, the creation of a new IAM user or role, etc.) has been invoked from a known malicious IP address.
The findings are presented to you at one of three severity levels (low, medium or high) and are accompanied by detailed evidence and recommendations for remediation/resolution. These are also available within your Cloud Conformity account as a result of the Real-Time Threat Monitoring and Analysis (RTMA) feature integration with the AWS GuardDuty service. With the RTMA and GuardDuty integration you can receive finding alerts on the Cloud Conformity dashboard in real time. The communication channels for sending finding alert notifications can be easily configured within your Cloud Conformity account. The supported communication channels are Email, Slack, JIRA, SMS, PagerDuty and ServiceNow.
With Amazon GuardDuty service in use, you receive intelligent and centralized threat detection without the heavy lifting of additional security software or infrastructure to deploy and maintain. The service monitors, manages and remediates security issues across your AWS infrastructure, applications and data.
Note: When you enable Amazon GuardDuty for the first time, your AWS account is automatically enlisted in a 30-day GuardDuty free trial, therefore you are not charged for using the service until your free trial ends. For more information about the pricing, visit AWS GuardDuty Pricing.
Cloud Conformity recommends customers enable GuardDuty in all regions. The cost of running GuardDuty is a charge per event. There should be near zero events in inactive regions, so the cost of running it in inactive regions is very minimal. Any events in a "non-active" region are arguably suspicious and should be checked by GuardDuty.
Audit
To determine if Amazon GuardDuty is enabled within your AWS account, perform the following:
Remediation / Resolution
To enable Amazon GuardDuty in order to benefit from protection against security threats, you need to perform the following actions:
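The audit and remediation described above, as an added example that is not part of the Conformity rule or its tooling: it evaluates the result of guardduty:ListDetectors / GetDetector for every region and, when asked, calls CreateDetector in each non-compliant region. It assumes boto3 and working AWS credentials for the live path; the embedded sample data is constructed so the evaluation logic can be checked offline.

```python
"""Audit whether GuardDuty is enabled in every region; optionally remediate."""
import sys


def evaluate_regions(detectors_by_region):
    """Return the regions that are NOT compliant with this rule.

    detectors_by_region maps a region name to the list of detector records
    returned by GetDetector (one per detector id). A region is compliant only
    if at least one detector exists with Status == "ENABLED"; a region with no
    detector, or with only disabled detectors, is non-compliant.
    """
    noncompliant = []
    for region, detectors in sorted(detectors_by_region.items()):
        if not any(d.get("Status") == "ENABLED" for d in detectors):
            noncompliant.append(region)
    return noncompliant


# Constructed sample of what collect_detectors() returns for three regions.
SAMPLE = {
    "us-east-1": [{"Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS"}],
    "eu-west-1": [{"Status": "DISABLED"}],  # detector exists but was suspended
    "ap-south-1": [],                        # GuardDuty never enabled here
}


def collect_detectors(session, regions):
    """Equivalent of `aws guardduty list-detectors` + `get-detector` per region."""
    result = {}
    for region in regions:
        gd = session.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        result[region] = [gd.get_detector(DetectorId=i) for i in ids]
    return result


def enable_guardduty(session, region):
    """Remediation: equivalent of `aws guardduty create-detector --enable`."""
    gd = session.client("guardduty", region_name=region)
    resp = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return resp["DetectorId"]


def main(remediate=False):
    import boto3  # imported here so evaluate_regions() stays usable offline
    session = boto3.session.Session()
    regions = session.get_available_regions("guardduty")
    failing = evaluate_regions(collect_detectors(session, regions))
    for region in failing:
        print(f"NON-COMPLIANT: GuardDuty is not enabled in {region}")
        if remediate:
            print(f"  created detector {enable_guardduty(session, region)} in {region}")
    return failing


if __name__ == "__main__":
    sys.exit(1 if main(remediate="--remediate" in sys.argv) else 0)
```

Note that get_available_regions() lists every region in the partition, including opt-in regions the account may not have enabled; calls into such a region fail, so in practice filter the list against the regions returned by ec2:DescribeRegions first.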
References
- AWS Documentation
- Amazon GuardDuty
- Amazon GuardDuty FAQs
- Amazon GuardDuty Pricing
- What Is Amazon GuardDuty?
- Setting Up Amazon GuardDuty
- AWS Command Line Interface (CLI) Documentation
- guardduty
- list-detectors
- create-detector
- create-sample-findings