Getting the most out of AWS GuardDuty

GuardDuty Protection

Once data is flowing into GuardDuty, it can provide value. Now, let’s look at the security features of GuardDuty. The foundational data source is your CloudTrail event logs. There is no additional charge for GuardDuty to access and monitor that data. It will begin by looking for suspicious events in those logs.

S3 Protection using AWS GuardDuty

With the S3 protection feature of GuardDuty, you can monitor object-level API operations and detect potential risks to the data in your S3 buckets. GuardDuty generates findings based on access patterns using the S3 data events. To use this feature, you must enable it to monitor S3 data events.

Malware Protection

Scanning S3 buckets for malware is helpful, but this only works for public S3 buckets. If your S3 buckets are encrypted, then they won’t be able to be scanned for malware. If you have a public S3 bucket, having them checked by GuardDuty is an obvious choice. However, unless you need to have a public S3 bucket, it should be private and encrypted. If there is any sensitive data on it, it should be encrypted. This feature is nice but not as universally applicable as it might first seem.

Kubernetes Protection

This optional feature allows you to extend GuardDuty protection across Amazon EKS if you use it. If you use Kubernetes on AWS, you will want to set this up to get the most out of GuardDuty; otherwise, you can ignore this feature.

Interpreting the Findings

AWS GuardDuty detects potential security issues in your account, known as findings. Each finding has a security level indicating its severity (high, medium, or low). Then, GuardDuty aggregates similar activity into a single finding and updates it with new information.

There are various finding types related to multiple AWS services. For example, CryptoCurrency:EC2/BitcoinTool.B identifies an EC2 instance querying a bitcoin/cryptocurrency IP address. GuardDuty findings flag suspicious activity. Those then require further investigation in context to identify true positives. A true positive indicates something is compromised and should trigger an immediate incident response.

Getting the most out of AWS GuardDuty

• Record known and potentially malicious trusted IPs – To get the most out of this AWS security solution, maintain a list of trusted IPs (e.g., VPN IPs, Enterprise network IPs, etc.) in GuardDuty. You should also track concerning IP addresses in the GuardDuty threat IP list. To keep the list current, use threat intel feeds to identify relevant threat actors and add their IPs to the threat IPs list.
• Use AWS GuardDuty in all regions – Organizations should enable GuardDuty in all regions to identify malicious activities wherever they occur, including regions unauthorized or not currently utilized by your applications.
• Link all AWS accounts – Linking all AWS accounts to a single GuardDuty account provides a holistic view of your organization’s cloud assets.
• Act on findings quickly – Fast response times can minimize the damage a threat actor can cause. To investigate and remediate the findings rapidly, set up notifications to notify you of new findings.
• Address false positives proactively – False positive alerts waste your time and resources. After identifying a false positive, suppress it with descriptive criteria to suppress similar nuisance alerts.

A well-configured GuardDuty can actively detect security issues. You can maximize the platform’s benefits by understanding how GuardDuty works and following best practices.

Monitoring enterprise systems is complex, and it takes a lot of human and financial resources to track and remediate misconfigured cloud assets and security risks. Consider using an open-source platform like Paladin Cloud, which offers continuous monitoring, unified visibility, proactive risk detection, and automated remediation of security violations to improve your cloud’s security.