CloudWiki
Resource

GuardDuty

Amazon Web Services
Security
Amazon GuardDuty is a threat detection service that uses machine learning and other techniques to identify malicious activity and unauthorized behavior in your AWS accounts and workloads. GuardDuty integrates with other AWS security services to provide a comprehensive view of your security posture and helps you to quickly respond to security threats. With GuardDuty, you can detect and respond to a wide range of security threats, including account compromise, infrastructure threats, data exfiltration, and unauthorized access to sensitive data. The service continuously monitors your AWS environment and uses machine learning algorithms to identify potential threats. When a threat is detected, GuardDuty generates an alert, which you can view in the AWS Management Console or receive via Amazon CloudWatch events and Amazon SNS notifications. The service integrates with other AWS security services, such as Amazon CloudTrail, Amazon VPC Flow Logs, and AWS WAF, to provide a comprehensive view of your security posture.
Terraform Name
terraform
aws_guardduty_detector
GuardDuty
attributes:

The following arguments are supported:

  • enable - (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to "suspending" GuardDuty. Defaults to true.
  • finding_publishing_frequency - (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. See AWS Documentation for more information.
  • datasources - (Optional) Describes which data sources will be enabled for the detector. See Data Sources below for more details.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Data Sources

The datasources block supports the following:

  • s3_logs - (Optional) Configures S3 protection. See S3 Logs below for more details.
  • kubernetes - (Optional) Configures Kubernetes protection. See Kubernetes and Kubernetes Audit Logs below for more details.
  • malware_protection - (Optional) Configures Malware Protection. See Malware Protection, Scan EC2 instance with findings and EBS volumes below for more details.

S3 Logs

The s3_logs block supports the following:

  • enable - (Required) If true, enables S3 protection. Defaults to true.

Kubernetes

The kubernetes block supports the following:

  • audit_logs - (Required) Configures Kubernetes audit logs as a data source for Kubernetes protection. See Kubernetes Audit Logs below for more details.

Kubernetes Audit Logs

The audit_logs block supports the following:

  • enable - (Required) If true, enables Kubernetes audit logs as a data source for Kubernetes protection. Defaults to true.

Malware Protection

malware_protection block supports the following:

  • scan_ec2_instance_with_findings - (Required) Configure whether Malware Protection is enabled as data source for EC2 instances with findings for the detector. See Scan EC2 instance with findings below for more details.

Scan EC2 instance with findings

The scan_ec2_instance_with_findings block supports the following:

  • ebs_volumes - (Required) Configure whether scanning EBS volumes is enabled as data source for the detector for instances with findings. See EBS volumes below for more details.

EBS volumes

The ebs_volumes block supports the following:

  • enable - (Required) If true, enables Malware Protection as data source for the detector. Defaults to true.

Associating resources with a
GuardDuty
Resources do not "belong" to a
GuardDuty
Rather, one or more Security Groups are associated to a resource.
Create
GuardDuty
via Terraform:
The following HCL creates a resource to manage a GuardDuty detector.
Syntax:

resource "aws_guardduty_detector" "MyDetector" {
 enable = true

 datasources {
   s3_logs {
     enable = true
   }
   kubernetes {
     audit_logs {
       enable = false
     }
   }
   malware_protection {
     scan_ec2_instance_with_findings {
       ebs_volumes {
         enable = true
       }
     }
   }
 }
}

Create
GuardDuty
via CLI:
Parametres:

create-detector
--enable | --no-enable
[--client-token <value>]
[--finding-publishing-frequency <value>]
[--data-sources <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws guardduty create-detector \
   --enable

aws cost
Costs
The cost of using GuardDuty depends on the number of AWS accounts and the amount of data processed. For data processing, you are charged for the number of AWS CloudTrail log files processed and the amount of data processed by Amazon GuardDuty. An active detector is a single GuardDuty deployment in an AWS account. If you have multiple AWS accounts, you will need to deploy GuardDuty in each account, and you will be charged for each active detector.
Direct Cost

per Events for PaidS3DataEventsAnalyzed in a region

per GB for the first 500 GB / month of data analyzed in a region

per CloudTrail event analyzed in a region

per S3 Data Event for the first 500000000 events / month analyzed in a region

Indirect Cost
No items found.
Best Practices for
GuardDuty

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services