AWS Top 10 Security Risks Issue 3: Enable Amazon GuardDuty

January 20, 2026 - CSP Team

"Duncan Idaho's last stand" by Brick.Ninja is licensed under CC BY-SA 2.0.

Imagine an attacker slips into your cloud environment, gains access to your resources, and starts exfiltrating sensitive data. How long would it take for you to identify and stop the attack?

Effective cyber defense begins with robust monitoring, and for most AWS accounts the best way to achieve this is to use Amazon GuardDuty.

In our third installment on the AWS Top 10 Security Risks, we’ll discuss the #3 priority for securing your AWS accounts: enabling Amazon GuardDuty. This series highlights the most common security issues we at Cloud Security Partners have seen in our customers’ AWS accounts, and how to best address them.

What is Amazon GuardDuty?

The first step to building a good monitoring system in your cloud environment is activating logging for all sensitive actions. However, it's not enough to just turn on these logs. Proactive threat detection ensures that malicious activity is identified and addressed in real time.

Enter Amazon GuardDuty. GuardDuty is a managed threat detection system that continuously monitors your logs and other sources of information for suspected intrusions.

As a threat detection system, GuardDuty can integrate with multiple data sources:

  • CloudTrail, which logs all AWS API calls made to the account, and changes to the management plane
  • VPC Flow Logs, which log information about IP traffic to and from your AWS account
  • Route53 Resolver DNS query logs, which log information about DNS queries initiated from the AWS environment
  • S3 data events and Kubernetes audit logs (through EKS), which are optional, advanced protection features

GuardDuty analyzes these logs for common attack patterns using a combination of deterministic rules, machine learning, and anomaly detection. GuardDuty can proactively detect malicious behavior within minutes, speeding up your response time for a wide variety of common threats. 

Benefits of GuardDuty

AWS GuardDuty has several key benefits:

  • It is preconfigured with rules for detecting common AWS threats, minimizing the need for manual configuration.
  • It is fully serverless and managed, meaning that there is no infrastructure or agents to manage.
  • It easily integrates with other AWS services, both for monitoring and responses.
  • It can integrate with multiple AWS accounts through AWS Organizations.

However, the main benefit is that it is the simplest threat detection system to enable within AWS. You can enable GuardDuty within minutes and immediately begin continuous monitoring within your environment.

Enabling GuardDuty

GuardDuty requires that CloudTrail be turned on first, as it provides the main logs that GuardDuty analyzes. You can enable CloudTrail via the AWS Management Console or through the AWS CLI, where start-logging turns on logging for a trail that already exists:

aws cloudtrail start-logging --name <trail-name>

After you have enabled logging, you can enable GuardDuty in the AWS Management Console by navigating to Services, searching for GuardDuty, and selecting Enable GuardDuty; or you can enable it via the AWS CLI:

aws guardduty create-detector --enable

After enabling GuardDuty, you should be able to review new findings in the GuardDuty dashboard and filter results by type and severity. Congratulations! Your environment now has threat detection enabled.

Best Practices for GuardDuty

Even though the default settings for GuardDuty are effective, it is important to follow a few more best practices for full coverage:

  • Enable GuardDuty in all regions. Threat detection is region-specific. To ensure that all resources are monitored, enable GuardDuty in every region where you have any AWS resources.

  • Forward alerts to an external S3 bucket. The default retention of GuardDuty alerts is 90 days. To preserve them for extended audit purposes, consider forwarding the alerts to an external S3 bucket, using AWS EventBridge.

  • Send findings to a SIEM platform. For centralized management and incident response, consider integrating GuardDuty with a SIEM platform like Splunk or Datadog. You can do this by forwarding findings using AWS EventBridge, or through GuardDuty's integration with AWS Security Hub.

  • Create a plan for addressing alerts. Findings are only useful if they are reviewed and resolved. Without a clear plan, alerts can pile up and lead to overlooked security issues. Develop an incident response plan that outlines timelines for addressing alerts and establishes criticality levels to prioritize high-severity findings. Additionally, consider implementing automated workflows for certain alert types, using AWS Lambda to automatically remediate them.

  • Enable advanced features. GuardDuty can monitor more than just CloudTrail logs. For maximum coverage, consider enabling GuardDuty for S3 and Elastic Kubernetes Service (EKS) workloads, for anomaly detection across all your resources.
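The enabling step above and the "enable in all regions" best practice can be combined into one idempotent script. The following is an added example, not code from the original post or from Cloud Security Partners: it walks every region enabled for the account, creates a detector only where none exists, and reports any region still missing one. It assumes an AWS CLI profile allowed to call ec2:DescribeRegions, guardduty:ListDetectors and guardduty:CreateDetector; the AWS_CMD variable is an assumption of this example so the CLI can be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example (not from the original post): enable GuardDuty in every
# region the account can use, skipping regions that already have a detector.
# AWS_CMD defaults to the real CLI; tests may point it at a stub function.
AWS_CMD="${AWS_CMD:-aws}"

# Regions enabled for this account (disabled opt-in regions are not listed,
# so they cannot hold resources and need no detector).
list_regions() {
  $AWS_CMD ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Print the detector ID for a region, or nothing if GuardDuty is not enabled.
# With an empty DetectorIds list the CLI prints "None" in text mode.
detector_in_region() {
  $AWS_CMD guardduty list-detectors --region "$1" \
    --query 'DetectorIds[0]' --output text | grep -v '^None$' || true
}

# Create a detector in the region unless one exists; report what happened.
# FIFTEEN_MINUTES is the shortest finding-publishing interval GuardDuty offers.
ensure_detector() {
  region="$1"
  existing="$(detector_in_region "$region")"
  if [ -n "$existing" ]; then
    echo "EXISTS $region $existing"
  else
    id="$($AWS_CMD guardduty create-detector --enable --region "$region" \
          --finding-publishing-frequency FIFTEEN_MINUTES \
          --query 'DetectorId' --output text)"
    echo "CREATED $region $id"
  fi
}

# Ensure coverage everywhere, then re-check each region so the script fails
# (non-zero exit) if any region is still unmonitored after the run.
enable_everywhere() {
  missing=0
  for r in $(list_regions); do
    ensure_detector "$r"
    [ -n "$(detector_in_region "$r")" ] || missing=$((missing + 1))
  done
  return "$missing"
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
if [ "${1:-}" = "--apply" ]; then
  enable_everywhere
fi
```

Run it as sh enable-guardduty.sh --apply; a non-zero exit code means at least one region is still without a detector and should be investigated.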

Conclusion

Monitoring is the cornerstone of effective cyber defense, and the easiest and best way to enable this in AWS is by using GuardDuty. GuardDuty simplifies the complexities of monitoring by automatically analyzing your logs for potential intrusions and providing proactive alerts. Enabling GuardDuty strengthens your cloud environment, making it significantly more resilient against threat actors.

This post is the third in our series on the AWS Top 10 Security Risks: each installment will dive deeper into the most common risks we see across customer environments and how to fix them. Stay tuned for the next blog, and if you’d like expert help evaluating your cloud security, reach out to Cloud Security Partners for a comprehensive assessment of your AWS environment.
