This service allows customers to analyze AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs to look for unusual or unexpected behavior in their AWS accounts. It then compares the log data to numerous security and threat detection feeds, searching for anomalies and known harmful sources such as IP addresses and URLs.
Overview of AWS GuardDuty
GuardDuty secures workloads and data on AWS by leveraging both AWS-developed and industry-leading third-party sources. It integrates machine learning, anomaly detection, network monitoring, and the detection of dangerous files.
Tens of billions of events per second can be analyzed by GuardDuty from a variety of AWS data sources, including DNS query logs, Amazon VPC flow logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and AWS CloudTrail event logs.
Amazon GuardDuty notices unusual activity in your accounts, assesses its security significance, and gives context. This makes it possible for a responder to decide whether further investigation is necessary.
GuardDuty findings are ranked by severity, and by integrating with AWS Security Hub, Amazon EventBridge, AWS Lambda, and AWS Step Functions, response actions can be automated.
Amazon Detective is also closely integrated with GuardDuty, which enables you to conduct more in-depth forensic and root cause analyses.
AWS GuardDuty Features
Accurate
Amazon GuardDuty delivers effective threat detection of compromised accounts, which can be difficult to notice quickly if you are not continually monitoring factors in near real-time.
GuardDuty can detect signs of account compromise, such as AWS resource access from an uncommon location at an unusual time of day.
Continuous monitoring
Amazon GuardDuty monitors and evaluates AWS account & workload data from AWS CloudTrail, VPC Flow Logs, and DNS Logs on a continuous basis.
Instead of working account by account, you can aggregate threat detection by joining your AWS accounts.
Furthermore, you are not obliged to collect, analyze, or correlate massive amounts of AWS data from numerous accounts.
Threat severity levels
Amazon GuardDuty has three severity categories to help customers prioritize their response to possible attacks.
- A “Low” severity level means that suspicious or malicious activity was discovered and kept from endangering your resource.
- A “Medium” severity level denotes suspicious behavior. For instance, a significant volume of traffic was sent to a remote host concealed behind the Tor network, or there was activity that deviated from what is normally observed.
- A “High” severity level means that a resource, such as an Amazon EC2 instance or a set of IAM user credentials, has been compromised and is actively being used for nefarious purposes.
Highly available threat detection
Amazon GuardDuty is designed to automatically monitor resource utilisation in your AWS accounts, workloads, and Amazon S3 data.
GuardDuty increases detection capacity precisely when it is required and decreases usage when it is no longer required.
One-click deployment
Amazon GuardDuty can be configured on a single account with a single AWS Management Console click or API request.
With a few additional steps, you may enable GuardDuty in the console for several accounts.
Amazon GuardDuty has native support for multiple accounts as well as integration with AWS Organizations.
AWS GuardDuty Use cases
- Protect your compute workloads: detect whether your EC2 instance is mining cryptocurrency or communicating with IP addresses and domains connected with known dangerous actors.
- Protect your AWS credentials: detect whether your AWS credentials are used in an unusual or suspicious manner, such as from IP addresses connected with known malicious actors, or in a manner that differs from their expected behavior.
- Protect your data stored in Amazon S3 buckets: identify when data stored in your Amazon S3 buckets is accessed in an unusual or suspicious manner, such as when an unusual volume of objects is retrieved from an odd location, or when the S3 bucket is accessed from IP addresses connected with known malicious actors.
How does AWS GuardDuty work?
Amazon GuardDuty continuously monitors cloud events in AWS CloudTrail, Amazon VPC Flow Logs, and domain name system (DNS) logs for potentially harmful activities.
To execute analysis in near real-time, the service employs built-in threat intelligence, anomaly detection, and machine learning abilities developed by the AWS security team.
GuardDuty identifies three types of AWS cloud threats:
- Attacker reconnaissance: Failed login patterns, odd API activity, and port scanning are examples of such dangers.
- Compromised resources: Cryptojacking, anomalous surge in network traffic, and temporary access to Elastic Compute Cloud (EC2) instances via an external IP address are all dangers in this category.
- Compromised accounts: API calls from an unexpected location, attempts to disable CloudTrail, and unusual instance or infrastructure deployments are examples of these threats.
While an administrator can provide GuardDuty with a list of “safe” IP addresses, the service does not support custom detection criteria. An administrator, on the other hand, can respond to each GuardDuty finding with a thumbs-up or thumbs-down answer to provide feedback for future detections.
Amazon GuardDuty gathers and transmits security warnings to the Management Console in JSON format, allowing an administrator or automated workflow to take action.
Amazon CloudWatch Events, for example, can take GuardDuty findings and then trigger an AWS Lambda function to adjust security configurations.
Security findings are stored in the GuardDuty console and APIs for 90 days.
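The following sketch shows how a Lambda function triggered by CloudWatch Events might triage a finding using the severity categories described earlier. It is an added example, not AWS or Intellipaat code. The event fields follow the GuardDuty finding JSON format, the numeric severity bands (Low below 4.0, Medium 4.0 to 6.9, High 7.0 and above) are an assumption taken from AWS documentation, and the sample event and action names are constructed for illustration.

```python
# Added example: triage one GuardDuty finding delivered via CloudWatch Events.
# SAMPLE_EVENT is constructed; the action names are hypothetical placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def severity_label(score):
    """Map the numeric severity to Low / Medium / High (assumed bands)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def plan_response(event):
    """Return the action an automated workflow would take for one finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event.get("detail", {})
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    plan = {"finding_id": detail.get("id"), "type": detail.get("type"), "severity": label}
    if label == "High" and resource.get("resourceType") == "Instance":
        # Hypothetical action: a real handler would apply a quarantine security group.
        plan["action"] = "isolate_instance"
        plan["target"] = resource.get("instanceDetails", {}).get("instanceId")
    elif label == "High" and resource.get("resourceType") == "AccessKey":
        # Hypothetical action: a real handler would open a ticket to rotate the key.
        plan["action"] = "flag_access_key"
        plan["target"] = resource.get("accessKeyDetails", {}).get("accessKeyId")
    elif label in ("High", "Medium"):
        plan["action"] = "notify"
    else:
        plan["action"] = "log_only"
    return plan

def lambda_handler(event, context):
    """Lambda entry point: returns the plan so it can be logged or passed on."""
    return plan_response(event)
```

Keeping the decision logic in `plan_response`, separate from any AWS API calls, lets the routing rules be unit-tested against saved finding JSON before the function is given permission to change resources.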
GuardDuty accounts management with AWS Organizations
When using GuardDuty with an AWS Organizations organization, you can delegate GuardDuty administration to any account inside the organization.
Only the organization management account has the authority to designate GuardDuty delegated administrators.
GuardDuty is automatically activated in the chosen Region for a delegated administrator account, which also gains the authority to enable and maintain GuardDuty for all accounts in the organization within that Region.
The delegated administrator account can view the other accounts in the organization and add them as GuardDuty member accounts.
Important considerations for GuardDuty delegated administrators
- Can handle up to 5000 members.
The maximum number of member accounts for each GuardDuty delegated administrator is 5000. Nevertheless, your organization might have more than 5000 accounts. The Accounts section of the GuardDuty console shows how many accounts are in your organization overall.
You will be alerted if you have more than 5000 member accounts via CloudWatch, the AWS Health Dashboard, and an email sent to the delegated administrator account.
- Delegated administrator is Regional.
GuardDuty, unlike AWS Organizations, is a regional service. This means that GuardDuty delegated administrators and their member accounts must be added in each desired Region in order for account management via AWS Organizations to be active in all Regions.
- There can only be one delegated administrator per organization.
Each organization can have only one delegated administrator. If you have designated an account as the delegated administrator in one Region, that account must serve as your delegated administrator in all other Regions.
- It is not recommended to make your organization’s management account the delegated administrator.
The management account for your organization may serve as the delegated administrator, although AWS Security best practices recommend against this, based on the principle of least privilege.
- When a delegated administrator is changed, GuardDuty is not disabled for member accounts.
When the delegated administrator is removed, all associated member accounts are removed as GuardDuty members, but GuardDuty is not turned off in those accounts.
Pricing
With the initial activation, AWS provides a free 30-day full-access trial of the service so you can determine if it’s a good fit for you. Amazon GuardDuty then produces an estimate of what you would have paid had the free trial not been available.
Pricing depends on the amount of analysis done on your AWS log data. CloudTrail Event Logs are charged per 1 million events per month, whereas VPC Flow Logs and DNS Logs are billed per GB per month. Although prices differ by location, they often look like the following:
VPC Flow Log and DNS Log Analysis
| Volume | Price |
| First 500 GB / month | $1.00 per GB |
| Next 2000 GB / month | $0.50 per GB |
| Over 2500 GB / month | $0.25 per GB |

AWS CloudTrail Event Analysis
| Volume | Price |
| Per 1,000,000 events / month | $4.00 per 1,000,000 events |
To save money, GuardDuty continuously monitors your infrastructure and tracks precisely how much detection capacity is required at any given time. In other words, you are charged only for the volume that you actually use.
Conclusion
AWS GuardDuty is an excellent tool that intelligently detects multiple threats across crucial AWS services. It requires no infrastructure installation or modifications to existing infrastructure, is incredibly easy to set up on single and multi-account systems, and interfaces with other AWS services with ease.
This service can presently be used only in AWS environments; therefore, you are not able to utilize it on any other cloud computing platform. If AWS could make this functionality available outside of AWS, that would be excellent. In light of this, we think Amazon GuardDuty is a fantastic addition to the AWS suite of services, and we anticipate using it whenever practical.