AWS-GuardDuty

20 July 2023

Moving to the cloud brings many benefits, but it also calls for tools built to protect the cloud environment itself. AWS GuardDuty is AWS's managed threat detection service: it combines threat intelligence feeds, anomaly detection and machine learning to flag suspicious activity in your accounts in near real time.

Description of GuardDuty

Activating GuardDuty is straightforward: search for GuardDuty in the console, select the region you want to protect, and click Enable. Once activated, GuardDuty starts analyzing activity in that region automatically.

GuardDuty operates by continuously monitoring your account for potential threats. Whenever suspicious activity is detected, it will generate findings. These findings can provide valuable insights into potential security issues within your AWS environment.

To further enhance your security posture, you can integrate GuardDuty findings with AWS Security Hub. This integration allows for centralized security management, enabling you to consolidate and analyze security alerts from various AWS services in a single location.

GuardDuty generates findings by analyzing logs from several sources. The foundational sources are always on once the detector is enabled; the optional ones can be turned on according to your infrastructure. The supported data sources are:

  • Foundational data sources
    • CloudTrail: GuardDuty analyzes management events to identify suspicious API activity in your account, such as reconnaissance with stolen credentials or calls coming from known malicious IP addresses.
    • VPC Flow Logs: GuardDuty detects suspicious network traffic within your VPCs, including port scanning, SSH or RDP brute-forcing and communication with known malicious IP addresses.
    • DNS logs: GuardDuty inspects the DNS queries your resources send through the Route 53 resolver and flags resolutions of known malicious domains, for example cryptojacking or command-and-control domains. Resources that use a third-party DNS resolver are not covered by this source.

In addition to the foundational data sources, GuardDuty offers optional protection plans (called features in the API) that cover specific services:

  • Malware protection: when a finding indicates that an EC2 instance or container workload may be compromised, GuardDuty scans the attached EBS volumes for malware and raises a finding for anything it detects.
  • EKS Protection: GuardDuty analyzes the Kubernetes audit logs of your EKS clusters to detect suspicious activity inside the cluster, such as anonymous access being granted or privileged containers being launched.
  • Lambda protection: GuardDuty monitors the network activity logs generated when a Lambda function in your account is invoked. It analyzes traffic both inside and outside your VPC.
  • RDS protection: GuardDuty monitors login activity on your Aurora databases and raises findings on suspicious patterns, for example an unusual number of failed login attempts from a single source.
  • S3 Protection: GuardDuty analyzes S3 data events (bucket- and object-level API calls) from CloudTrail and raises findings on suspicious access, for example when an identity suddenly starts enumerating or reading large numbers of objects in a bucket.

💡 GuardDuty consumes these logs through its own independent streams. You do not need to create a CloudTrail trail, enable VPC Flow Logs or turn on Route 53 query logging for GuardDuty's sake, and enabling a data source in GuardDuty does not change your existing logging configuration.

GuardDuty raises a finding whenever it detects suspicious activity in the data sources it monitors. Each finding has a type and a severity (Low, Medium or High); the comprehensive list of finding types is in the AWS documentation. On all my projects where GuardDuty was used, I never encountered a false positive.

GuardDuty publishes findings to Amazon EventBridge (formerly CloudWatch Events). An EventBridge rule can then forward them to SNS, Lambda or your SIEM so that your Security Operations Center (SOC) can triage and respond to them.
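As an added example (not code from the original post), the following Terraform routes High-severity findings (severity 7.0 and above) from EventBridge to an SNS topic that the SOC can subscribe to. The topic name, rule name and subscriber address are assumptions. EventBridge is regional, so the rule has to exist in every region where GuardDuty is enabled; with the Organizations setup described later in this post it belongs in the delegated administrator account, where all findings land.

```hcl
# Added example, not code from the original post. Names and the email
# endpoint are assumptions; adapt them to your environment.

resource "aws_sns_topic" "guardduty_findings" {
  name = "guardduty-high-findings"
}

# Example subscriber: a SOC mailbox. Replace with SQS, Lambda or an HTTPS
# endpoint for a SIEM integration.
resource "aws_sns_topic_subscription" "soc_mailbox" {
  topic_arn = aws_sns_topic.guardduty_findings.arn
  protocol  = "email"
  endpoint  = "soc@example.com"
}

# Match only GuardDuty findings whose severity is High (7.0 - 8.9).
# Drop the severity filter to forward every finding.
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name        = "guardduty-high-severity-findings"
  description = "Forward GuardDuty findings with severity >= 7 to the SOC"

  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "guardduty_to_sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_high.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.guardduty_findings.arn
}

# The topic policy must allow EventBridge to publish, and the aws:SourceArn
# condition restricts that permission to this one rule.
data "aws_iam_policy_document" "guardduty_topic_policy" {
  statement {
    effect  = "Allow"
    actions = ["sns:Publish"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    resources = [aws_sns_topic.guardduty_findings.arn]

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.guardduty_high.arn]
    }
  }
}

resource "aws_sns_topic_policy" "guardduty_findings" {
  arn    = aws_sns_topic.guardduty_findings.arn
  policy = data.aws_iam_policy_document.guardduty_topic_policy.json
}
```

The numeric filter on `detail.severity` is plain EventBridge content filtering; the same pattern can be extended with a `type` array to route specific finding types (for example credential exfiltration) to a different target than the rest.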

GuardDuty is priced on the volume of data it analyzes. For small accounts it is very affordable, but for accounts with substantial traffic it can become expensive.

S3 data events and VPC flow logs tend to be the most costly sources, while CloudTrail management events and DNS logs are cheaper. To estimate the cost, take advantage of the 30-day free trial that GuardDuty offers, and use a risk matrix, for example, to decide which optional protections are worth paying for.

The trial period lets you evaluate the service and see the price you would pay for your actual usage before committing to it.

Activate GuardDuty with Terraform

GuardDuty is a regional service, so a detector has to be created in every region you want covered. Enable it not only where you have workloads but in every region your account can use: attackers like to operate in regions nobody is watching. To activate it in a single account with Terraform, add the following resource to your codebase:

resource "aws_guardduty_detector" "MyDetector" {
  enable = true
}

At the time of writing, the datasources block of aws_guardduty_detector only covers S3 logs, Kubernetes audit logs and EC2 malware protection. The newer protection plans (Lambda protection and RDS protection) cannot be enabled through Terraform yet, so you need to turn them on manually in the console or with the CLI, following the AWS documentation.
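As an added example that is not part of the original post, here is a detector with the data sources the datasources block does cover switched on, plus a second detector for another region to show the one-detector-per-region rule. The aws.eu_west_1 provider alias and the region names are assumptions; declare the alias in your provider configuration.

```hcl
# Added example, not code from the original post.
# Assumed: the default provider points at eu-central-1 and a provider alias
# aws.eu_west_1 exists for the second region.

resource "aws_guardduty_detector" "eu_central_1" {
  enable = true

  # How often updates to an already-reported finding are re-exported to
  # EventBridge (FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS). New findings are
  # exported within minutes regardless of this setting.
  finding_publishing_frequency = "FIFTEEN_MINUTES"

  datasources {
    s3_logs {
      enable = true # S3 Protection: S3 data events from CloudTrail
    }
    kubernetes {
      audit_logs {
        enable = true # EKS Protection: Kubernetes audit logs
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true # scan EBS volumes of instances that have findings
        }
      }
    }
  }
}

# GuardDuty is regional: the same resource is declared again for every other
# region you want covered, through a provider alias for that region.
resource "aws_guardduty_detector" "eu_west_1" {
  provider = aws.eu_west_1
  enable   = true

  finding_publishing_frequency = "FIFTEEN_MINUTES"

  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# Detector ids are needed later, for example by
# aws_guardduty_organization_configuration and aws_guardduty_member.
output "detector_ids" {
  value = {
    "eu-central-1" = aws_guardduty_detector.eu_central_1.id
    "eu-west-1"    = aws_guardduty_detector.eu_west_1.id
  }
}
```

For more than two or three regions, move the resource into a small module and call it once per provider alias; Terraform does not allow for_each over providers, so each region still needs its own module call.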

If you use AWS Organizations, you can centralize GuardDuty findings in a single account. First, from the organization's management account, designate the account that will act as the GuardDuty delegated administrator (this is done once per region):

resource "aws_guardduty_organization_admin_account" "this" {
  admin_account_id = "123456578912"
}

Then, in the delegated administrator account, configure the organization settings for GuardDuty. With auto_enable = true, every account that joins the organization is automatically enrolled as a GuardDuty member, so this resource is applied once per region in the delegated administrator account, not in each member account:

resource "aws_guardduty_organization_configuration" "this" {
  # Automatically add every new organization account as a GuardDuty member
  auto_enable = true
  detector_id = var.detector_id # Detector id from the aws_guardduty_detector resource in the delegated administrator account

  # Optional data sources for auto-enabled members; set to true to turn them
  # on for new members as well
  datasources {
    s3_logs {
      auto_enable = false
    }
    kubernetes {
      audit_logs {
        enable = false
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = false
        }
      }
    }
  }
}

Finally, add the organization's existing accounts as members with the following Terraform code. Listing the organization's accounts requires credentials for the management account (here the aws.root provider alias), and the delegated administrator's own account is excluded from the member list:

# The account running this code: the delegated administrator
data "aws_caller_identity" "current" {}

# Listing the organization's accounts needs management-account credentials,
# supplied here through the aws.root provider alias
data "aws_organizations_organization" "this" {
  provider = aws.root
}

locals {
  # Every account in the organization except the delegated administrator itself
  account_list = [
    for x in data.aws_organizations_organization.this.accounts :
    x if x.id != data.aws_caller_identity.current.id
  ]
}

resource "aws_guardduty_member" "member" {
  for_each    = { for account in local.account_list : account.id => account }
  account_id  = each.value.id
  email       = each.value.email
  detector_id = var.detector_id # Detector of the delegated administrator
  invite      = true

  # Bug on email field, similar to https://github.com/hashicorp/terraform-provider-aws/issues/13906
  lifecycle {
    ignore_changes = [
      email
    ]
  }
}

Once these resources are applied, each account is linked to the delegated administrator account in that region, and all findings are consolidated there. Repeat the setup in every region where GuardDuty is enabled.

⚠️ Not every data source can be configured with Terraform yet. The datasources block covers S3 logs, Kubernetes audit logs and malware protection; Lambda and RDS protection still have to be activated manually, in the console or with the CLI, for the delegated administrator account and its members.

Conclusion

GuardDuty is a powerful tool for detecting intrusions and potential threats in your AWS accounts. It provides continuous monitoring and near-real-time detection backed by machine learning, anomaly detection and threat intelligence. Activating it is one of the quickest ways to improve your security posture, and it is a control expected by standard frameworks such as the CIS AWS Foundations Benchmark and PCI DSS.