AWS GuardDuty — Threat Detection Service

Girish V P
Published in Tensult Blogs · 3 min read · Aug 4, 2018


Amazon GuardDuty is a managed threat detection service that protects AWS accounts and workloads. It continuously monitors for malicious or unwanted activity such as port scans, penetration-testing tools being run against the account, and API calls or network connections involving known-bad IP addresses. When GuardDuty sees unexpected behaviour in the AWS environment it generates a notification called a Finding, which describes the underlying security issue. GuardDuty draws its input from three data sources: VPC Flow Logs, DNS logs, and CloudTrail events. It reads all three directly from AWS, so you do not have to enable VPC Flow Logs or CloudTrail yourself for GuardDuty to use them. One AWS account can also be associated with another as a member, so that the master account can view and manage the member's GuardDuty Findings on its behalf.

About the Experiment

I added my laptop's public IP address to a GuardDuty threat list. Then, from that laptop, I logged in to the AWS console and opened an SSH session to one of the account's EC2 instances, expecting GuardDuty to flag both. It did.

Configuration

1) Create a plain-text file containing the "attacker" IP address (one IP address or CIDR per line; you can list several) and upload it to an S3 bucket. I used file1.txt and uploaded it to the bucket only-50, so the file's URL is s3://tly-50/file1.txt. (I have concealed the first two octets of the IP address below, but the file must contain the full address.)
X.X.40.210

2) Enable AWS GuardDuty from the GuardDuty console, as in the screenshots below. This creates the detector for the current Region; GuardDuty is a regional service, so the detector and everything attached to it apply to that Region only.

3) In the GuardDuty console click "Lists" and then "Add a threat list", as shown below.

4) Create the threat list as shown below: give it a List Name, the S3 Location of the file (the s3:// URL from step 1), and the Format. For a file with one address or CIDR per line the format is Plaintext.

5) Make sure the list is activated; an inactive list is stored but never matched against the logs. Now you are ready for testing.
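The five configuration steps above, scripted. This is an added example of my own, not code from the original post: it validates the list locally (one IP address or CIDR per line, which is what the Plaintext/TXT format expects), then uses boto3 to upload the file and register it as an active threat intel set on the Region's detector. The bucket, key, list name and Region are placeholders, the sample entries are constructed RFC 5737 documentation addresses, and the refusal of RFC 1918 and loopback addresses is this example's own sanity check (the address AWS sees for a laptop is its public one, so a LAN address would never match).

```python
"""Build, validate and register a GuardDuty custom threat list (added example)."""
import ipaddress
from typing import Iterable, List

# Addresses that can never be the public IP GuardDuty sees for a remote caller.
# Rejecting them is this example's own sanity check, not a GuardDuty rule.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def normalize_threat_list(entries: Iterable[str]) -> List[str]:
    """Return the list in GuardDuty's Plaintext (TXT) format: one IP or CIDR per line.

    Blank lines and '#' comments are accepted in the *input* for convenience and
    dropped here, so the uploaded file contains only addresses.  A CIDR written
    with host bits set (198.51.100.7/24) is normalized to its network
    (198.51.100.0/24).  Anything that does not parse, such as a masked address
    like X.X.40.210, raises ValueError so the mistake is caught before upload.
    """
    out: List[str] = []
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR: {line!r}") from exc
        if any(net.overlaps(r) for r in _NOT_PUBLIC):
            raise ValueError(f"{line!r} is private/loopback; use the public address")
        out.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    if not out:
        raise ValueError("threat list has no entries")
    return out


def register_threat_list(bucket: str, key: str, name: str, entries: Iterable[str],
                         region: str = "us-east-1") -> str:
    """Upload the list to S3 and create an active threat intel set on the Region's detector.

    Needs AWS credentials allowed to write the object and manage GuardDuty in the
    target account.  boto3 is imported here so the validation above runs offline.
    """
    import boto3

    body = "\n".join(normalize_threat_list(entries)) + "\n"
    boto3.client("s3", region_name=region).put_object(Bucket=bucket, Key=key, Body=body.encode())

    gd = boto3.client("guardduty", region_name=region)
    detector_ids = gd.list_detectors()["DetectorIds"]
    # Step 2 of the post: enable GuardDuty if this Region has no detector yet.
    detector_id = detector_ids[0] if detector_ids else gd.create_detector(Enable=True)["DetectorId"]
    # Steps 3-5: the console's "Add a threat list" with Format=Plaintext and Activate checked.
    resp = gd.create_threat_intel_set(DetectorId=detector_id, Name=name, Format="TXT",
                                      Location=f"s3://{bucket}/{key}", Activate=True)
    return resp["ThreatIntelSetId"]


if __name__ == "__main__":
    # Constructed sample entries (RFC 5737 documentation addresses), not the post's real IP.
    sample = ["# my laptop", "203.0.113.210", "198.51.100.7/24", ""]
    print("\n".join(normalize_threat_list(sample)))
    # To actually register it (placeholder names, needs credentials):
    # print(register_threat_list("my-threat-list-bucket", "file1.txt", "laptop-ip", sample))
```

The threat intel set is tied to the detector it was created on, so the registration has to be repeated in every Region where GuardDuty is enabled.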

Testing the Setup

6) Log in to the AWS web console from the machine whose IP address is on the threat list, then SSH from the same machine to one of the EC2 instances in the account. These are the two activities GuardDuty is expected to detect. The SSH login does not have to succeed at the OS level: GuardDuty matches the connection as recorded in VPC Flow Logs, which know nothing about the authentication result inside the guest.

7) After a few minutes click Findings. Matches against a custom list produce findings whose type ends in MaliciousIPCaller.Custom: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom for the instance traffic and UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom for the console and API activity. Let us first look at the EC2 access Finding.

8) Now let us see how the AWS web console access is detected. This finding comes from the CloudTrail side: the ConsoleLogin event's sourceIPAddress matched the list.
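What the two findings in steps 7 and 8 rest on, as a local model. This added example is mine, not GuardDuty's code or anything from the original post; it reproduces only the matching idea: take the threat list, flag any VPC Flow Log record whose source or destination falls on it (the SSH side of the test) and any CloudTrail event whose sourceIPAddress falls on it (the console side). The log records and events are constructed (documentation addresses, a made-up ENI and account ID, an IAM user called admin); the flow-log layout is the default 14-field format and the CloudTrail fields are the standard ones.

```python
"""Local model of a custom-threat-list match over VPC Flow Logs and CloudTrail (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    source: str      # which data source produced the match
    threat_ip: str   # the listed address that was seen
    resource: str    # ENI for flow logs, IAM principal for CloudTrail
    detail: str


def load_threat_list(text: str) -> list:
    """Parse a Plaintext threat list: one IP address or CIDR per non-blank line."""
    return [ipaddress.ip_network(l.strip(), strict=False) for l in text.splitlines() if l.strip()]


def on_threat_list(ip: str, nets: list) -> bool:
    """True if ip falls inside any listed address or CIDR; raises ValueError if ip is not an IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def scan_flow_logs(lines: List[str], nets: list) -> List[Finding]:
    """Match both ends of each default-format flow-log record (the EC2 side of the test)."""
    findings = []
    for line in lines:
        f = line.split()
        if len(f) != 14 or f[0] != "2":   # default format: version 2, 14 fields
            continue
        eni, src, dst, dport, action = f[2], f[3], f[4], f[6], f[12]
        # The listed IP may be the source (inbound, e.g. SSH) or the destination
        # (outbound, e.g. a callback); either direction is a match.
        for remote, direction in ((src, "inbound"), (dst, "outbound")):
            if remote != "-" and on_threat_list(remote, nets):
                findings.append(Finding("VPC Flow Logs", remote, eni,
                                        f"{direction} {action} to port {dport}"))
    return findings


def scan_cloudtrail(events: List[Dict], nets: list) -> List[Finding]:
    """Match the caller IP of each CloudTrail event (the console-login side of the test)."""
    findings = []
    for ev in events:
        ip = ev.get("sourceIPAddress", "")
        try:
            if not on_threat_list(ip, nets):
                continue
        except ValueError:
            continue   # service-initiated events carry a hostname here, not an IP
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "?")
        findings.append(Finding("CloudTrail", ip, who,
                                f"{ev.get('eventName')} via {ev.get('eventSource')}"))
    return findings


# --- constructed sample input (not real log data) ---------------------------
SAMPLE_THREAT_LIST = "203.0.113.210\n2001:db8:bad::/48\n"

SAMPLE_FLOW_LOGS = [
    # version account eni src dst srcport dstport proto packets bytes start end action status
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.210 10.0.1.23 51234 22 6 12 960 1533369600 1533369660 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.210 10.0.1.23 51235 3389 6 1 60 1533369600 1533369660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.44 10.0.1.23 40000 443 6 30 4500 1533369600 1533369660 ACCEPT OK",
]

SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2018-08-04T09:12:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.210",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-08-04T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.44",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventTime": "2018-08-04T09:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]


def run_sample() -> List[Finding]:
    """Run both scanners over the constructed input; three matches are expected."""
    nets = load_threat_list(SAMPLE_THREAT_LIST)
    return scan_flow_logs(SAMPLE_FLOW_LOGS, nets) + scan_cloudtrail(SAMPLE_CLOUDTRAIL, nets)


if __name__ == "__main__":
    for fd in run_sample():
        print(f"[{fd.source}] {fd.threat_ip} -> {fd.resource}: {fd.detail}")
```

The model runs entirely offline. Note the two edge cases it handles that matter in practice: the rejected RDP probe is still a match, because a flow-log record exists whether or not the connection was accepted, and the service-originated CloudTrail event is skipped cleanly because its sourceIPAddress is a hostname rather than an address.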

Conclusion

AWS GuardDuty can detect and report malicious activity in an AWS account and its workloads. It is a managed service that identifies undesired activity and reports it to the administrator as Findings. We configured a custom threat list in GuardDuty and verified that both a console login and an SSH connection from the listed address were detected.
