What is AWS GuardDuty?
AWS GuardDuty uses machine learning to identify compromised EC2 instances, communications with malicious IPs, and unauthorized deployments.
Some best practices when it comes to using GuardDuty are:
- Monitor multiple AWS accounts and regions – GuardDuty can monitor multiple AWS accounts and regions, so make sure to enable it for all the accounts and regions that you use.
- Create custom threat lists – GuardDuty allows you to create custom threat lists to monitor for specific threats that are relevant to your environment.
- Integrate with other AWS services – GuardDuty can integrate with other AWS services such as CloudWatch, Lambda, and SNS to automate responses to potential threats.
- Regularly review findings – Regularly review GuardDuty findings to ensure that potential threats are being identified and responded to appropriately.
- Train your security team – Ensure that your security team is trained on how to use GuardDuty and respond to potential threats.
How GuardDuty uses your AWS data to identify threats
AWS GuardDuty uses AWS CloudTrail logs, VPC Flow Logs, and DNS query logs to generate security findings. CloudTrail logs record the API requests made within your AWS account. VPC Flow Logs capture records of the network traffic in your VPCs (on a per-VPC basis). Note: you are responsible for enabling logging within your AWS account; AWS GuardDuty does not enable these logging mechanisms for you.
GuardDuty then applies machine learning, malware scanning, and threat intelligence to these logs to decide when to notify you of a potential threat. These findings can be integrated with AWS Lambda for automated remediation or prevention.
Examples of findings
AWS GuardDuty assigns each finding one of 3 severity levels: low, medium, and high. Examples of finding types are:
- Phishing domain DNS requests
- Bitcoin traffic activity
- Trojans using DNS data exfiltration
- Tor relays
- EC2 backdoor traffic
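As an added example (not code from the original article), this is a minimal Lambda handler of the kind the Lambda integration above calls for: it maps GuardDuty's numeric severity onto the low/medium/high labels using AWS's documented bands, and decides whether an EC2 finding such as backdoor traffic or DNS exfiltration should be isolated or only notified. The event shape, the finding values, the quarantine security group and the isolate policy are constructed assumptions.

```python
import os

# Severity bands from the GuardDuty documentation: numeric score -> label.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (1.0, "Low"))

# Finding-type prefixes this example treats as active compromise of an instance.
# This is an assumed policy for the example, not an AWS default.
ISOLATE_PREFIXES = ("Backdoor:EC2/", "Trojan:EC2/DNSDataExfiltration",
                    "UnauthorizedAccess:EC2/TorRelay")

# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",  # placeholder, not a real finding id
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to the Low/Medium/High labels."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Informational"


def triage_finding(detail):
    """Decide what to do with one finding (the 'detail' of an EventBridge event)."""
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    finding_type = detail.get("type", "")
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    isolate = (label == "High" and resource.get("resourceType") == "Instance"
               and finding_type.startswith(ISOLATE_PREFIXES))
    return {"finding_id": detail.get("id"), "type": finding_type, "severity": label,
            "instance_id": instance_id, "action": "isolate" if isolate else "notify"}


def lambda_handler(event, context=None):
    """EventBridge -> Lambda entry point; isolation only runs when QUARANTINE_SG is set."""
    decision = triage_finding(event.get("detail", {}))
    quarantine_sg = os.environ.get("QUARANTINE_SG")  # assumed: a deny-all security group id
    if decision["action"] == "isolate" and quarantine_sg:
        import boto3  # imported here so the triage logic can be tested without AWS
        boto3.client("ec2").modify_instance_attribute(
            InstanceId=decision["instance_id"], Groups=[quarantine_sg])
    return decision
```

Wire the handler to an EventBridge rule matching `detail-type` "GuardDuty Finding" and give its role only `ec2:ModifyInstanceAttribute` on the instances it may quarantine.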
GuardDuty is free for the first 30 days
AWS GuardDuty offers a 30-day free trial, and you can disable it before the 30-day window ends, free of charge, if it doesn’t meet your needs. Beyond the free trial, GuardDuty charges at different rates depending on which services are running within the account. The specific pricing details can be found here.
GuardDuty Set Up
To set up GuardDuty:
- Open the AWS Management Console, and navigate to the GuardDuty dashboard.
- Click the “Enable GuardDuty” button.
- Choose the AWS account(s) and region(s) that you want to monitor.
- Choose an S3 bucket to store GuardDuty findings.
- Choose the GuardDuty master account and member accounts (if applicable).
- Enable the appropriate SNS topics to receive GuardDuty alerts.
- Choose the appropriate data sources (VPC Flow Logs, DNS logs, CloudTrail logs).
- Review the GuardDuty pricing and confirm your setup.
After you have completed these steps, GuardDuty will start analyzing your log data and network traffic for potential threats. You can view the GuardDuty findings in the GuardDuty console or by setting up SNS notifications.