Things you must know about AWS GuardDuty before you get started

2022.03.23

AWS GuardDuty is a threat intelligence service which monitors for malicious behaviour to help customers protect their workloads.It monitors for CloudTrail Events, VPC Flow Logs and DNS logs to determine threats.

Analysis of logs is done according to the rules GuardDuty is configured by. GuardDuty is enabled using a click of a button without us having to install any agents and no pipelines to setup.

GuardDuty continuously analyses Amazon S3, container workloads, instance workloads, accounts and users etc for potential threats at scale. Once you have set up GuardDuty, you can set up AWS Lambda based actions for the alerts generated by GuardDuty, this way you can minimise threats automatically and on the fly.

GuardDuty classifies threats in 3 levels: low, medium and high to help users prioritise the threats which need immediate attention. A high level security threat represents a compromised resource and is actively being used for malicious activities.

The Catch

GuardDuty monitors logs of only AWS Route53, if you use any other DNS service then AWS GuardDuty will not be able to monitor them for security threats such as DNS exfiltration attacks. However, there are other threat detection methods optimised for cloud. Which detect a compromise fairly effectively.

Whitelisting alerts in GuardDuty

There are some scenarios in which while testing your workload GuardDuty might generate a lot of alerts, to avoid this from happening you can whitelist alerts so that they are not generated.

  • You can add a list of trusted IPs in the Trusted IP list, traffic from these IPs do not generate alerts.
  • There is a central security server which runs port scans on all production servers as a part of penetration testing which can trigger GuardDuty alerts.

Managing multiple accounts in GuardDuty

AWS lets users add multiple accounts to monitor using a single administrator account which makes accessibility and visibility of threats easy in a multi account environment.

There are 2 ways of adding multiple accounts:

  • AWS Organisations
    • This is a recommended way of monitoring multiple accounts in GuardDuty, you can monitor multiple accounts which are part of your AWS Organisation. 
    • You can use the administrator account to enable GuardDuty for any account in your organisation given that you have higher permissions than the member accounts.
    • You don’t need permission to enable GuardDuty for member accounts.
  • By invitation
    • Accounts which are not part of an Organisation can be added to a central administrator account by invitation.
    • Invitation has to be accepted by the member account for the findings to be reported to the master account.

Managing member accounts

  • GuardDuty can be enabled and suspended in the member accounts, accounts can be added and removed from the administrator account as well.
  • You can add suppression rules, trusted IP lists from the admin account for the member account.
  • To suspend GuardDuty, you need to suspend it in all member accounts first and then remove the member account after which you need to enable it in all accounts.