Cards (46)

  • Amazon GuardDuty provides intelligent threat discovery to protect your AWS Account.
  • Amazon GuardDuty uses Machine Learning algorithms, anomaly detection, and 3rd party data to identify threats.
  • Amazon GuardDuty can be enabled with a single click, and there is no need to install software.
  • Input data for Amazon GuardDuty includes CloudTrail Event Logs, which GuardDuty uses to detect unusual API calls and unauthorized deployments.
  • CloudTrail Management Events, which record actions such as the creation of VPC subnets and trails, are also an input for Amazon GuardDuty.
  • CloudTrail S3 Data Events, which record get object, list objects, and delete object operations, are another input for Amazon GuardDuty.
  • VPC Flow Logs, which GuardDuty uses to detect unusual internal traffic and unusual IP addresses, are an input for Amazon GuardDuty.
  • DNS Logs, which GuardDuty uses to detect compromised EC2 instances sending encoded data within DNS queries, are an input for Amazon GuardDuty.
  • Optional features for Amazon GuardDuty include EKS Audit Logs, RDS & Aurora, EBS, Lambda, and S3 Data Events.
  • It's best practice to enable GuardDuty even in Regions you don't use.
  • GuardDuty can generate findings for the Recon:EC2/Portscan and UnauthorizedAccess:EC2/SSHBruteForce finding types.
  • Amazon GuardDuty provides Suppression Rules, which are a set of criteria that automatically filter and archive new findings.
  • The Threat IP List is a list of known malicious IP addresses and CIDR ranges, and GuardDuty generates findings based on these threat lists.
  • If GuardDuty is suspended or disabled, then no finding types are generated.
  • Suppressed findings are not sent to Security Hub, S3, Detective, or EventBridge.
  • Suppressed findings can still be viewed in the Archive.
  • The UnauthorizedAccess:EC2/SSHBruteForce finding type is triggered when SSH brute force attacks are targeting bastion host EC2 instances.
  • Suppression Rules can suppress entire finding types or define more granular criteria (e.g., suppress findings only for specific EC2 instances).
  • Amazon GuardDuty works only for public IP addresses.
  • The Recon:EC2/Portscan finding type is triggered when there is a port scan on a specific EC2 instance, such as running a vulnerability assessment.
  • In a multi-account GuardDuty setup, only the GuardDuty administrator account can manage the trusted IP lists and threat lists.
  • The Trusted IP List is a list of IP addresses and CIDR ranges that you trust, and GuardDuty doesn't generate findings for these trusted lists.
  • Amazon GuardDuty can protect against cryptocurrency attacks, for which it has a dedicated finding type.
  • Sample findings can be generated in GuardDuty to test your automations.
  • Amazon GuardDuty provides RDS Protection Finding Types like CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin.
  • Amazon GuardDuty findings are potential security issues for malicious events happening in your AWS account.
  • Amazon GuardDuty provides S3 Finding Types like Policy:S3/AccountBlockPublicAccess.
  • In an AWS Organization, you can specify a member account as the Organization's delegated administrator for GuardDuty.
  • Each finding in GuardDuty has a severity value from 0.1 to 8+, grouped as Low, Medium, or High.
  • The Administrator account in Amazon GuardDuty can add and remove member accounts, manage GuardDuty within the associated member accounts, and manage findings, suppression rules, trusted IP lists, and threat lists.
  • Automate response to security issues revealed by GuardDuty Findings using EventBridge.
  • Amazon GuardDuty provides Kubernetes Audit Logs Finding Types like CredentialAccess:Kubernetes/MaliciousIPCaller.
  • GuardDuty pulls independent streams of data directly from CloudTrail logs, VPC Flow Logs or EKS logs.
  • EventBridge rules for Amazon GuardDuty findings can target AWS Lambda or SNS.
  • Amazon GuardDuty can be set up to notify you when findings are generated.
  • In a multi-account strategy for Amazon GuardDuty, you can manage multiple accounts and associate the Member accounts with the Administrator account.
  • Amazon GuardDuty provides EC2 Finding Types such as UnauthorizedAccess:EC2/SSHBruteForce and CryptoCurrency:EC2/BitcoinTool.B!DNS.
  • Events from GuardDuty findings are published to both the administrator account and the member account the finding originated from.
  • The naming convention for GuardDuty findings is ThreatPurpose:ResourceTypeAffected/ThreatFamilyName/DetectionMechanism/Artifact.
    • E.g. UnauthorizedAccess:EC2/SSHBruteForce
  • GuardDuty uses AWS Config Rules to detect misconfigurations on EC2 instances.