The GuardDuty Dashboard provides an overview of the security findings and the current status of GuardDuty in your account. It shows summary statistics of detected threats and security findings.
Findings:
In the left-hand menu, click on Findings to see a detailed list of security threats that GuardDuty has detected. You can filter these findings based on severity, type, and time to understand current security issues.
Settings:
Click on Settings in the left-hand menu to review the configuration, including General settings, Data sources, and Trusted IP lists and Threat lists.
3. Exploring the AWS Well-Architected Framework Pillars
Under Findings, review the details and status of each finding. Regularly monitoring and responding to these findings is essential for maintaining the operational health of your environment.
Automated Response:
Check if GuardDuty findings are integrated with AWS Security Hub or AWS CloudWatch for automated responses and notifications. This setup supports operational excellence by automating threat detection and incident response workflows.
Data Source Management:
In the Settings section, review the Data Sources enabled for GuardDuty, such as VPC Flow Logs, CloudTrail event logs, and DNS logs. Ensuring these data sources are properly configured and monitored helps maintain a comprehensive operational view of your environment.
Review the findings under the Findings section to identify potential security threats, such as unauthorized access, reconnaissance activities, or malware infections. The detailed information provided by GuardDuty allows for timely threat detection and remediation.
Data Sources:
In Settings, check that VPC Flow Logs, CloudTrail logs, and DNS logs are enabled as data sources for GuardDuty. These data sources provide a broad set of data points to detect suspicious activities and potential security breaches.
Trusted IP List:
In Settings, explore the Trusted IP list configuration. Trusted IP lists contain IP addresses that GuardDuty will not flag as suspicious, which helps to reduce false positives and focus on genuine threats.
Threat Intelligence:
Review the Threat lists section in Settings to see if custom threat lists are being used in addition to the default GuardDuty intelligence sources. Customizing threat lists helps enhance security by monitoring for known malicious IPs.
GuardDuty automatically and continuously monitors your environment for potential threats. Regularly review the Findings to identify and respond to any detected threats, which contributes to the reliability and security of your AWS infrastructure.
Severity-Based Action:
Filter findings based on severity (e.g., Low, Medium, High) to prioritize investigation and remediation efforts. Addressing high-severity issues first ensures that critical threats are mitigated promptly, enhancing overall reliability.
Audit Trail:
In Settings, ensure CloudTrail is enabled as a data source. This provides a detailed audit trail of user and service actions within your AWS account, supporting investigations and maintaining system reliability in case of suspicious activities.
In the Settings section, review the regions in which GuardDuty is enabled. Running GuardDuty in only the necessary regions can help optimize costs by avoiding charges for unnecessary threat detection in unused regions.
Review Findings:
Regularly review the Findings to understand which types of events are being detected most frequently. This analysis can help optimize the use of other security services (e.g., AWS WAF) to reduce potential incidents and associated GuardDuty costs.
Threat Intelligence Sources:
In Settings, check if custom Threat lists are used. While this feature can enhance security, using only relevant and necessary threat lists can help minimize processing costs.
Verify if GuardDuty is integrated with AWS Security Hub, Amazon EventBridge, or AWS Lambda to automate responses to specific findings. Integrating GuardDuty with these services can improve the efficiency of your threat response processes.
Accurate and Up-to-Date Threat Intelligence:
In Settings, review the use of Threat lists and Trusted IP lists to ensure they are up-to-date. Keeping these lists current helps optimize the performance of GuardDuty's threat detection capabilities by focusing on relevant and genuine threats.
Event Analysis:
Use the Findings page to analyze event patterns over time. Identifying recurring threats or common vulnerabilities allows you to optimize security practices and improve your environment's performance by reducing unnecessary detection workload.
If GuardDuty is integrated with CloudWatch or AWS Security Hub, navigate to these services to explore additional monitoring and compliance features. This helps maintain a consolidated view of security events across your environment.
AWS Config:
Use AWS Config (if enabled) to review compliance rules related to GuardDuty, such as ensuring that GuardDuty is enabled across all AWS accounts in an organization.