AWS GuardDuty is a service that continuously monitors an AWS account’s security and detects threats using data from multiple sources.

In this article, we’ll look at the data sources used by GuardDuty, the protections it provides, the types of findings it generates, and best practices for using the service.

Data Sources

The first thing we need to do is get data into GuardDuty. GuardDuty can pull data from multiple logging sources and can also evaluate block storage.

A list of data sources for GuardDuty: CloudTrail Logs, DNS Logs, VPC Flow Logs, Kubernetes audit logs, and Elastic Block Storage volume

CloudTrail Logs

CloudTrail logs API calls made to AWS from the management console, command line tools, or AWS SDKs. The API call history, including the source IP address of each call, is sent to GuardDuty, which looks for suspicious patterns of activity or known-bad IPs. CloudTrail logs are the foundation of GuardDuty and automatically feed data to GuardDuty once it is enabled.

DNS Logs

If you use the AWS DNS resolver (Amazon Route 53), GuardDuty can review that data. If it detects requests to domains known to be associated with bad actors, GuardDuty will flag them, as that is often a sign of bot activity. If you use a different DNS resolver, you can skip this, as GuardDuty does not support logs from other DNS providers.

VPC Flow Logs

The flow logs from your virtual private cloud (VPC) let GuardDuty watch inbound and outbound traffic. This information enables GuardDuty to identify unauthorized IP addresses and destination ports.

Kubernetes audit logs

Kubernetes audit logs are an optional data source, but if you are using Kubernetes, you will want to ensure that logging is enabled and flowing into GuardDuty. These logs contain the history of the Kubernetes API from the Amazon EKS control plane and allow GuardDuty to monitor and identify suspicious activity.

Elastic Block Storage volume

GuardDuty Malware Protection can scan Elastic Block Storage (EBS) to locate malware. First, it creates a snapshot of the volume and an encrypted replica, then scans the replica to look for known malware. The replica is deleted after the scan, but be sure to configure GuardDuty so that the snapshot is retained for remediation and further action if it finds malware.

GuardDuty Protection

Once data is flowing into GuardDuty, it can start providing value, so let's look at the security features of GuardDuty. The foundational data source is your CloudTrail event logs. There is no additional charge for GuardDuty to access and monitor that data, and it begins by looking for suspicious events in those logs.

S3 Protection using AWS GuardDuty

With the S3 protection feature of GuardDuty, you can monitor object-level API operations and detect potential risks to the data in your S3 buckets. GuardDuty generates findings based on access patterns observed in the S3 data events. To use this feature, you must enable monitoring of S3 data events.

Malware Protection

Scanning S3 buckets for malware is helpful, but it only works for public S3 buckets: if your S3 buckets are encrypted, they cannot be scanned for malware. If you have a public S3 bucket, having it checked by GuardDuty is an obvious choice. However, unless you genuinely need a public S3 bucket, it should be private and encrypted, and any bucket holding sensitive data should be encrypted. This feature is nice but not as universally applicable as it might first seem.

Kubernetes Protection

This optional feature allows you to extend GuardDuty protection across Amazon EKS if you use it. If you use Kubernetes on AWS, you will want to set this up to get the most out of GuardDuty; otherwise, you can ignore this feature.

Interpreting the Findings

AWS GuardDuty reports potential security issues in your account as findings. Each finding has a severity level (high, medium, or low). GuardDuty also aggregates similar activity into a single finding and updates that finding as new information arrives.

Sample GuardDuty findings with severity level and finding types.

There are various finding types covering multiple AWS services. For example, CryptoCurrency:EC2/BitcoinTool.B identifies an EC2 instance querying an IP address associated with bitcoin or other cryptocurrency activity. GuardDuty findings flag suspicious activity; each then requires further investigation in context to determine whether it is a true positive. A true positive indicates something is compromised and should trigger an immediate incident response.
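The triage step described above, as an added example that is not from the article or from AWS: a small Python script that loads findings in the shape of the GuardDuty finding JSON, maps the numeric severity onto the low/medium/high bands, pulls the remote IP out of whichever action type the finding carries, and orders the active findings for investigation. The findings, IDs, instance IDs and IP addresses are constructed placeholders, and the field layout is assumed to follow the GuardDuty finding format; nothing here calls AWS.

```python
"""Severity banding and triage for GuardDuty findings.

Added example (not from the article). SAMPLE_FINDINGS_JSON is a constructed
list that follows the shape of the GuardDuty finding JSON; IDs, instance IDs
and IP addresses are placeholders, not real indicators.
"""
from __future__ import annotations

import json
from typing import Any, Optional


def severity_label(severity: float) -> str:
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


SAMPLE_FINDINGS_JSON = """[
  {
    "id": "f1-placeholder",
    "type": "CryptoCurrency:EC2/BitcoinTool.B",
    "severity": 8,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0placeholder000001"}},
    "service": {
      "action": {
        "actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {"ipAddressV4": "203.0.113.10"}}},
      "count": 12, "archived": false}
  },
  {
    "id": "f2-placeholder",
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "severity": 2,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0placeholder000002"}},
    "service": {
      "action": {
        "actionType": "PORT_PROBE",
        "portProbeAction": {"portProbeDetails": [
          {"localPortDetails": {"port": 22},
           "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}]}},
      "count": 40, "archived": false}
  },
  {
    "id": "f3-placeholder",
    "type": "Policy:IAMUser/RootCredentialUsage",
    "severity": 2,
    "resource": {"resourceType": "AccessKey"},
    "service": {
      "action": {
        "actionType": "AWS_API_CALL",
        "awsApiCallAction": {"api": "ListBuckets",
                             "remoteIpDetails": {"ipAddressV4": "192.0.2.33"}}},
      "count": 1, "archived": true}
  }
]"""


def parse_findings(text: str) -> list[dict[str, Any]]:
    """Load a JSON list of findings (the shape of GetFindings' 'Findings' array)."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON list of findings")
    return findings


def remote_ip(finding: dict[str, Any]) -> Optional[str]:
    """Return the remote IPv4 address for the finding's action type.
    Each action type nests remoteIpDetails differently; an unknown
    shape yields None rather than an exception."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        details = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
    elif kind == "AWS_API_CALL":
        details = action.get("awsApiCallAction", {}).get("remoteIpDetails", {})
    elif kind == "PORT_PROBE":
        probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
        details = probes[0].get("remoteIpDetails", {}) if probes else {}
    else:
        details = {}
    return details.get("ipAddressV4")


def triage(findings: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Summarise active findings, highest severity first. Archived findings
    (already suppressed or handled) are left out of the queue."""
    rows = []
    for f in findings:
        svc = f.get("service", {})
        if svc.get("archived"):
            continue
        level = severity_label(float(f.get("severity", 0)))
        rows.append({
            "id": f.get("id"),
            "type": f.get("type"),
            "level": level,
            "remote_ip": remote_ip(f),
            "resource": f.get("resource", {}).get("resourceType"),
            "count": svc.get("count", 1),  # aggregated occurrences of the same activity
            # High severity goes to the top of the queue; whether it is a true
            # positive still has to be decided by investigation in context.
            "escalate": level == "High",
        })
    rows.sort(key=lambda r: ("Low", "Medium", "High").index(r["level"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(parse_findings(SAMPLE_FINDINGS_JSON)):
        print(row)
```

The same functions work on the output of the GuardDuty GetFindings API, since the constructed sample mirrors that shape; the `count` field is what GuardDuty increments when it aggregates repeated activity into one finding.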

Getting the most out of AWS GuardDuty

Pictures of the AWS UI for adding trusted IPs and threat IPs

  • Record trusted IPs and known or potentially malicious IPs – To get the most out of this AWS security solution, maintain a list of trusted IPs (e.g., VPN IPs, enterprise network IPs, etc.) in GuardDuty. You should also track concerning IP addresses in the GuardDuty threat IP list. To keep the list current, use threat intel feeds to identify relevant threat actors and add their IPs to the threat IP list.
  • Use AWS GuardDuty in all regions – Organizations should enable GuardDuty in all regions to identify malicious activity wherever it occurs, including regions your applications do not use or are not authorized to use.
  • Link all AWS accounts – Linking all AWS accounts to a single GuardDuty account provides a holistic view of your organization’s cloud assets.
  • Act on findings quickly – Fast response times can minimize the damage a threat actor can cause. To investigate and remediate findings rapidly, set up notifications that alert you to new findings.
  • Address false positives proactively – False positive alerts waste your time and resources. After identifying a false positive, create a suppression rule whose criteria are descriptive enough to also suppress similar nuisance alerts.
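The first and last items above (IP lists and suppression rules) as an added example, not code from the article or from AWS. The script parses trusted and threat IP lists in the plaintext one-entry-per-line format GuardDuty accepts, classifies an address against them, and then evaluates a suppression rule written in the shape of a GuardDuty filter's FindingCriteria against a few findings, so you can see which alerts a rule would archive before creating it. The IP ranges, instance IDs and findings are constructed placeholders; the criteria evaluator is a local approximation of GuardDuty's filter matching, and the trusted-before-threat precedence is this example's choice.

```python
"""Trusted/threat IP lists and a suppression-rule evaluator for GuardDuty findings.

Added example (not from the article). The IP lists and findings are constructed;
the addresses are documentation-range placeholders. SUPPRESSION_RULE follows the
FindingCriteria shape so the same dict can be passed to CreateFilter.
"""
from __future__ import annotations

import ipaddress
from typing import Any, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# GuardDuty accepts plaintext lists with one IP address or CIDR range per line.
TRUSTED_IP_LIST = """
# constructed: corporate VPN and office egress ranges
198.51.100.0/24
203.0.113.5
"""

THREAT_IP_LIST = """
# constructed: ranges copied from a threat intel feed
192.0.2.0/24
"""


def parse_ip_list(text: str) -> list[Network]:
    """Parse a plaintext IP list; '#' comments and blank lines are ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set inside a CIDR entry
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify_ip(ip: str, trusted: list[Network], threat: list[Network]) -> str:
    """'trusted' addresses produce no findings, 'threat' addresses always should.
    Trusted is checked first here (this example's choice); keep the lists disjoint."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in trusted):  # version mismatch simply evaluates False
        return "trusted"
    if any(addr in n for n in threat):
        return "threat"
    return "unknown"


# A suppression rule is a filter with Action=ARCHIVE. The criteria should be
# descriptive: finding type AND the specific resource, not the type alone.
SUPPRESSION_RULE: dict[str, Any] = {
    "Criterion": {
        "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
        "resource.instanceDetails.instanceId": {"Equals": ["i-0placeholder0bastion"]},
        "severity": {"Lte": 3},
    }
}

# Constructed findings, trimmed to the attributes the rule inspects.
FINDINGS: list[dict[str, Any]] = [
    {"id": "a", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"instanceId": "i-0placeholder0bastion"}}},
    {"id": "b", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"instanceId": "i-0placeholder0prod01"}}},
    {"id": "c", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
     "resource": {"instanceDetails": {"instanceId": "i-0placeholder0bastion"}}},
]


def get_path(finding: dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path such as 'resource.instanceDetails.instanceId'."""
    cur: Any = finding
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_matches(value: Any, cond: dict[str, Any]) -> bool:
    """Evaluate one criterion (Equals/NotEquals on strings, Gte/Lte on numbers)."""
    if value is None:
        return False  # an absent attribute never satisfies a condition
    if "Equals" in cond and str(value) not in cond["Equals"]:
        return False
    if "NotEquals" in cond and str(value) in cond["NotEquals"]:
        return False
    if "Gte" in cond and not float(value) >= cond["Gte"]:
        return False
    if "Lte" in cond and not float(value) <= cond["Lte"]:
        return False
    return True


def rule_matches(finding: dict[str, Any], rule: dict[str, Any]) -> bool:
    """All criteria must match, as in a GuardDuty filter."""
    return all(condition_matches(get_path(finding, path), cond)
               for path, cond in rule["Criterion"].items())


def apply_suppression(findings: list[dict[str, Any]], rule: dict[str, Any]):
    """Split findings into (active, suppressed) as the rule would archive them."""
    suppressed = [f for f in findings if rule_matches(f, rule)]
    active = [f for f in findings if not rule_matches(f, rule)]
    return active, suppressed


def create_filter_kwargs(detector_id: str, name: str, rule: dict[str, Any]) -> dict[str, Any]:
    """Keyword arguments in the shape boto3's guardduty.create_filter expects."""
    return {"DetectorId": detector_id, "Name": name, "Action": "ARCHIVE",
            "Description": "Expected port probes against the public bastion (constructed)",
            "FindingCriteria": rule}


if __name__ == "__main__":
    trusted, threat = parse_ip_list(TRUSTED_IP_LIST), parse_ip_list(THREAT_IP_LIST)
    print(classify_ip("192.0.2.9", trusted, threat))
    active, suppressed = apply_suppression(FINDINGS, SUPPRESSION_RULE)
    print("active:", [f["id"] for f in active], "suppressed:", [f["id"] for f in suppressed])
```

Running the rule locally first shows that finding "a" is archived while "b" (a different instance) and "c" (a different finding type on the same instance) stay active, which is the point of scoping the rule to both the type and the resource rather than the type alone. The dict returned by `create_filter_kwargs` can be unpacked into `boto3.client("guardduty").create_filter(...)` once you have a detector ID.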

A well-configured GuardDuty can actively detect security issues. You can maximize the platform’s benefits by understanding how GuardDuty works and following best practices.

Monitoring enterprise systems is complex, and it takes a lot of human and financial resources to track and remediate misconfigured cloud assets and security risks. Consider using an open-source platform like Paladin Cloud, which offers continuous monitoring, unified visibility, proactive risk detection, and automated remediation of security violations to improve your cloud’s security.