Amazon GuardDuty

Amazon GuardDuty is a managed threat detection service that continuously monitors your AWS environment for malicious activity, unauthorized access, and other security threats. By analyzing AWS data sources like VPC flow logs, AWS CloudTrail management events, and DNS logs, GuardDuty helps identify potential security threats and generates actionable alerts. Here’s what you need to know about Amazon GuardDuty:

1. Core Functionality

  • Threat Detection: GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify malicious or unauthorized behavior. It detects a variety of threats, such as:
    • Unusual API calls or unauthorized access to resources.
    • Cryptocurrency mining.
    • Data exfiltration.
    • Reconnaissance activities.
    • Account compromise.
  • Data Sources: GuardDuty analyzes data from multiple AWS sources:
    • VPC Flow Logs: Monitors network traffic within your Virtual Private Cloud (VPC).
    • DNS Logs: Checks DNS queries for domains associated with malicious activities.
    • AWS CloudTrail Logs: Analyzes management and S3 data events for suspicious API activities, account reconnaissance, or unusual data access.

2. Managed Threat Intelligence

  • Built-In Threat Intelligence: GuardDuty integrates threat intelligence feeds from AWS, including AWS Security Hub and third-party providers like CrowdStrike and Proofpoint. This integration enables GuardDuty to identify known malicious IP addresses, domains, and unusual activities based on established threat patterns.
  • Machine Learning: GuardDuty uses machine learning to understand baseline behavior within your AWS environment, such as normal API calls, network traffic patterns, and login activities. It then identifies deviations from these baselines as potential threats.

3. Findings

  • Severity Levels: GuardDuty findings are classified into three severity levels:
    • Low: Indicates suspicious activity that might not pose an immediate risk, such as a failed login attempt.
    • Medium: Represents potentially malicious activity that may require investigation, like a login attempt from a suspicious location.
    • High: Denotes confirmed or highly likely malicious activity, such as data exfiltration or cryptocurrency mining.
  • Finding Types: GuardDuty findings are categorized into various types, including:
    • Recon: Scanning activities or enumeration of resources, indicating reconnaissance attempts.
    • Unauthorized Access: Signs of unauthorized access to AWS services or resources.
    • Anomalous Behavior: Behavior that deviates from normal patterns, like sudden spikes in API calls.
    • Cryptocurrency Mining: Detection of mining activities that can indicate resource misuse.
  • Actionable Alerts: Findings include details such as the affected resource (e.g., EC2 instance, IAM user), timestamps, and recommended actions. This information is crucial for incident response and remediation.

4. Data Protection for S3

  • S3 Protection: GuardDuty provides specific monitoring for Amazon S3, including:
    • Unusual data access patterns.
    • Unfamiliar or unauthorized API calls on S3 buckets (e.g., GetObject, PutObject).
  • Malicious Data Exfiltration: Detects attempts to access or extract data from S3 using known malicious IP addresses, Tor nodes, or unusual geographic locations.

5. Multi-Account Support

  • GuardDuty in AWS Organizations: GuardDuty integrates with AWS Organizations, allowing centralized management across multiple accounts. The delegated administrator can enable and manage GuardDuty for member accounts, view findings, and set up automated responses.
  • Cross-Account Findings: In multi-account environments, findings from all member accounts are aggregated in the master account, enabling a holistic view of potential threats across your organization.

6. Automated Response and Integration

  • AWS CloudWatch Events: GuardDuty findings are sent to Amazon EventBridge (formerly CloudWatch Events) in near real time. You can create rules to trigger automated responses, such as invoking AWS Lambda functions for remediation, sending alerts via Amazon SNS, or updating AWS Security Hub.
  • Security Hub Integration: GuardDuty integrates with AWS Security Hub, providing a consolidated view of security findings from multiple AWS services. This enables correlation of findings and helps prioritize remediation efforts.
  • Automated Remediation: Use services like AWS Lambda to create automated responses to specific GuardDuty findings, such as isolating compromised EC2 instances, revoking suspicious access keys, or blocking IP addresses in security groups.
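The EventBridge-to-Lambda path described above, as an added example that is not AWS's or the page's own code: an EventBridge rule pattern that forwards only High findings, and the triage function a remediation Lambda handler would call. It assumes the "GuardDuty Finding" EventBridge event shape and the numeric severity bands GuardDuty documents; the finding id and instance id are constructed samples.

```python
# Added example (not AWS's or the page's own code): triage for a GuardDuty finding
# delivered through EventBridge. Severity bands (Low 1-3.9, Medium 4-6.9, High 7-8.9)
# are the ones GuardDuty documents; resource ids below are constructed samples.

# EventBridge rule pattern forwarding only High findings (severity >= 7) to a
# remediation Lambda; Low and Medium findings are left for analyst review.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample event in the shape EventBridge delivers to the Lambda.
SAMPLE_EVENT = {"detail": {
    "id": "sample-finding-0001",
    "type": "CryptoCurrency:EC2/BitcoinTool",
    "severity": 8,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
}}

def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity onto the Low/Medium/High labels."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"

def plan_response(event: dict) -> dict:
    """Pick the remediation action from the finding's type prefix and resource."""
    finding = event["detail"]
    finding_type = finding["type"]          # e.g. "UnauthorizedAccess:IAMUser/ConsoleLogin"
    prefix = finding_type.split(":", 1)[0]  # "Recon", "UnauthorizedAccess", "Behavior", ...
    resource = finding["resource"]
    kind = resource["resourceType"]
    plan = {"id": finding["id"], "type": finding_type, "resource": kind,
            "severity": severity_label(float(finding["severity"]))}
    if kind == "Instance":
        plan["resource"] = resource["instanceDetails"]["instanceId"]
    elif kind == "AccessKey":
        plan["resource"] = resource["accessKeyDetails"]["userName"]
    if prefix == "CryptoCurrency" and kind == "Instance":
        plan["action"] = "isolate-instance"   # e.g. move to a quarantine security group
    elif prefix == "UnauthorizedAccess" and kind == "AccessKey":
        plan["action"] = "revoke-access-key"  # e.g. set the key Inactive via IAM
    else:
        plan["action"] = "notify-only"        # SNS alert and human review
    return plan
```

The returned plan is the decision record; the actual EC2 or IAM calls belong in a separate step so that a mis-parsed finding cannot trigger a destructive action.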

7. Setup and Management

  • Simple Enablement: Enabling GuardDuty is a one-click process in the AWS Management Console. It does not require agents, network sensors, or complex configurations, making it easy to set up and start receiving findings.
  • No Impact on Performance: GuardDuty uses independent, off-host monitoring, meaning it does not affect the performance of your AWS resources or require additional software installation.
  • Continuous Monitoring: GuardDuty continuously monitors your environment and updates threat detection capabilities without requiring manual updates or maintenance.

8. Cost Management

  • Pricing: GuardDuty pricing is based on the volume of data analyzed. The costs include:
    • VPC Flow Logs: Charged per gigabyte of data analyzed.
    • DNS Logs: Charged per million DNS queries analyzed.
    • CloudTrail Management Events: Charged per million events analyzed.
  • Cost Optimization: GuardDuty provides an estimate of costs in the console. To optimize costs, you can use GuardDuty's Suppression Rules to filter out low-risk findings or data sources that are not relevant to your environment.

9. Suppression Rules

  • Custom Filters: Create suppression rules to filter out specific findings that are not relevant or pose minimal risk. For example, you can suppress findings related to certain IP addresses, accounts, or specific types of activity that you’ve deemed safe.
  • Reduce Noise: Suppression rules help reduce false positives and alert fatigue by focusing on critical findings that require immediate action.
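A suppression rule of the kind described above, as an added example that is not AWS's or the page's own code: the rule is expressed as the input GuardDuty's CreateFilter API takes (suppression rules are filters with the ARCHIVE action), together with a small local matcher so the rule's scope can be checked against real finding JSON before it hides anything. It assumes the criterion field names follow the finding JSON; the scanner IP is a constructed TEST-NET-3 address.

```python
# Added example (not AWS's or the page's own code): a suppression rule expressed as
# CreateFilter input, plus a local matcher so the rule's scope can be checked against
# real findings before it archives anything. Field names follow the finding JSON;
# the scanner IP is a constructed TEST-NET-3 address.
TRUSTED_SCANNER_IP = "203.0.113.10"

# Archive Recon:EC2/Portscan findings caused by the approved internal scanner,
# but never High findings: those stay visible even if the source IP matches.
SUPPRESS_SCANNER_PORTSCAN = {   # guardduty.create_filter() kwargs, plus DetectorId
    "Name": "suppress-approved-scanner-portscan",
    "Action": "ARCHIVE",        # ARCHIVE suppresses; NOOP only tags matches
    "FindingCriteria": {"Criterion": {
        "type": {"Equals": ["Recon:EC2/Portscan"]},
        "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4":
            {"Equals": [TRUSTED_SCANNER_IP]},
        "severity": {"LessThan": 7},
    }},
}

# Constructed sample finding with just the fields the rule inspects.
SAMPLE_FINDING = {
    "type": "Recon:EC2/Portscan",
    "severity": 5,
    "service": {"action": {"networkConnectionAction": {
        "remoteIpDetails": {"ipAddressV4": TRUSTED_SCANNER_IP}}}},
}

def _lookup(finding: dict, dotted_path: str):
    """Resolve a dotted criterion field name against the finding document."""
    node = finding
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def _condition_holds(value, condition: dict) -> bool:
    """Evaluate one criterion; a missing field never satisfies a condition."""
    if value is None:
        return False
    checks = {"Equals": lambda v, o: v in o, "NotEquals": lambda v, o: v not in o,
              "LessThan": lambda v, o: v < o, "GreaterThanOrEqual": lambda v, o: v >= o}
    return all(checks[op](value, operand) for op, operand in condition.items())

def would_suppress(finding: dict, rule: dict = SUPPRESS_SCANNER_PORTSCAN) -> bool:
    """True when every criterion matches, i.e. the rule would archive the finding."""
    criteria = rule["FindingCriteria"]["Criterion"]
    return all(_condition_holds(_lookup(finding, path), cond)
               for path, cond in criteria.items())
```

Running would_suppress over a day's exported findings before creating the filter shows exactly which ones the rule would archive, which is the check that keeps a noise filter from becoming a blind spot.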

10. Data Privacy

  • Data Privacy: GuardDuty does not store or retain the content of network traffic, DNS queries, or API calls. It only analyzes metadata for security threats, ensuring that sensitive information in your data remains private.

11. Compliance and Best Practices

  • Compliance Standards: GuardDuty helps meet compliance requirements by continuously monitoring your AWS environment for threats. It can aid in maintaining compliance with standards like PCI DSS, HIPAA, GDPR, SOC, and ISO.
  • Best Practices:
    • Review Findings Regularly: Regularly monitor and investigate GuardDuty findings. High-severity findings often require immediate action.
    • Automate Responses: Set up automated remediation for common threats (e.g., automatically revoking access keys or isolating compromised instances) to reduce the impact of potential security incidents.
    • Integrate with Security Hub: Use AWS Security Hub to aggregate, prioritize, and manage security findings from GuardDuty and other AWS services in one centralized location.
    • Enable S3 Protection: Ensure that S3 Protection is enabled in GuardDuty for real-time monitoring of unusual data access patterns on S3 buckets.

12. Finding Classifications

  • Finding Confidence: Each finding in GuardDuty has a confidence level indicating the likelihood that the detected activity is malicious. High-confidence findings usually require immediate investigation.
  • Finding Type Prefixes:
    • Recon: Activities indicating reconnaissance, such as port scanning (Recon:EC2/Portscan).
    • Unauthorized Access: Attempts to access resources or services without proper authorization (UnauthorizedAccess:IAMUser/ConsoleLogin).
    • Anomalous Behavior: Deviations from established usage patterns, such as an unusual number of API calls (Behavior:API/AnomalousBehavior).
    • CryptoCurrency: Activities related to unauthorized cryptocurrency mining (CryptoCurrency:EC2/BitcoinTool).

13. Integration with Other AWS Services

  • VPC Traffic Mirroring: While GuardDuty does not directly use VPC Traffic Mirroring, you can use this feature to send network traffic to partner solutions if more in-depth analysis is needed.
  • AWS Organizations: In multi-account environments, use AWS Organizations to manage GuardDuty centrally. This allows for unified threat detection and response across all accounts within the organization.

14. Testing GuardDuty

  • Simulate Findings: AWS provides a set of sample findings to help test and validate your GuardDuty configurations. Use these sample findings to verify that your detection and response mechanisms are working as expected.

15. Actionable Insights

  • Actionable Recommendations: GuardDuty provides suggested remediation actions for each finding, such as blocking an IP address, revoking IAM credentials, or investigating resource behavior. These recommendations guide your incident response process.