Which AWS service helps identify malicious or unauthorized activities in AWS accounts and workloads?

  • Amazon GuardDuty is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
  • is a continuous security monitoring service that analyzes and processes the following data sources:
    • CloudTrail S3 data events and management event logs,
    • DNS logs,
    • EKS audit logs, and
    • VPC flow logs.
  • uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the AWS environment.
  • combines machine learning, anomaly detection, network monitoring, and malicious file discovery, utilizing both AWS-developed and industry-leading third-party sources to help protect workloads and data on AWS
  • is a Regional service and is recommended to be enabled in all supported AWS Regions. This helps generate findings of unauthorized or unusual activity even in Regions not actively used.
  • does not look at historical data; it monitors only activity that occurs after it is enabled in an account and Region, so enabling it early matters more than enabling it broadly after an incident.
  • operates completely independent of your AWS resources and therefore should have no impact on the performance or availability of your accounts or workloads.
  • GuardDuty supports
    • Suppression rules, which automatically archive findings matching a specific combination of finding attributes (for example, a finding type against instances carrying a particular tag), so known-benign activity does not create noise. A suppressed finding is still generated and retained; it is only hidden from the current findings view.
    • Trusted IP lists, for IP addresses used for highly secure communication with the AWS environment. GuardDuty does not generate VPC flow log or CloudTrail based findings for addresses on a trusted IP list (DNS-based findings are still generated). Only one trusted IP list can be active per account per Region.
    • Threat lists, of known malicious IP addresses. GuardDuty generates findings for activity involving these addresses; up to six threat lists can be uploaded per account per Region.
  • Security findings are retained and made available through the GuardDuty console and APIs for 90 days, after which they are discarded.
  • Findings are assigned a severity, and actions can be automated by integrating with Security Hub, EventBridge, Lambda, and Step Functions.
  • Amazon Detective is also tightly integrated with GuardDuty which helps perform deeper forensic and root cause investigations.
  • GuardDuty Malware Protection feature helps to detect malicious files on EBS volumes attached to an EC2 instance and container workloads.
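The suppression rules described above are GuardDuty filters whose action is ARCHIVE; the rule itself is a FindingCriteria map of finding attribute path to condition (Eq, Neq, Gt, Gte, Lt, Lte), the shape the CreateFilter API accepts. The following is an added example, not code from the original page or from AWS: a small local evaluator that applies such a criterion to constructed sample findings, so a rule can be checked against the findings it should and should not archive before it is created. The matching semantics (AND across attributes, OR across Eq values, a list attribute such as tags matching if any element matches) are an assumption about GuardDuty's server-side behaviour, and the finding values are invented.

```python
"""Local evaluator for GuardDuty suppression-rule (filter) criteria.

Added example, not code from the original page or from AWS. A suppression rule
is a GuardDuty filter with Action=ARCHIVE whose FindingCriteria is a Criterion
map of attribute path -> condition (Eq/Neq/Gt/Gte/Lt/Lte). Matching semantics
assumed here: all attributes must hold (AND), Eq holds if the attribute equals
any listed value (OR), and a multi-valued attribute (tags) matches if any
element does. Findings below are constructed: real field names, invented values.
"""
from typing import Any, Dict, List, Tuple

SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {   # Port probe against a dev box: the noise we want to archive.
        "id": "finding-001", "accountId": "111122223333", "region": "us-east-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "tags": [{"key": "env", "value": "dev"}, {"key": "team", "value": "web"}]}},
        "service": {"action": {"actionType": "PORT_PROBE"}, "count": 3},
    },
    {   # Same finding type against production: must stay visible.
        "id": "finding-002", "accountId": "111122223333", "region": "us-east-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0fedcba9876543210",
            "tags": [{"key": "env", "value": "prod"}]}},
        "service": {"action": {"actionType": "PORT_PROBE"}, "count": 1},
    },
    {   # High-severity C2 callback from the same dev box: type and severity keep it visible.
        "id": "finding-003", "accountId": "111122223333", "region": "us-east-1",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0123456789abcdef0",
            "tags": [{"key": "env", "value": "dev"}]}},
        "service": {"action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "c2.example.invalid"}},
                    "count": 1},
    },
]

# Suppression rule: archive low-severity port probes against env=dev instances.
SUPPRESS_DEV_PORT_PROBES: Dict[str, Dict[str, Any]] = {
    "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
    "resource.instanceDetails.tags.value": {"Eq": ["dev"]},
    "severity": {"Lte": 3},
}


def resolve(obj: Any, path: List[str]) -> List[Any]:
    """Collect every value reachable via the dotted path, fanning out over lists."""
    if not path:
        return [obj]
    if isinstance(obj, list):
        return [v for item in obj for v in resolve(item, path)]
    if isinstance(obj, dict) and path[0] in obj:
        return resolve(obj[path[0]], path[1:])
    return []


def condition_holds(values: List[Any], condition: Dict[str, Any]) -> bool:
    """Apply one attribute's condition; every operator it contains must hold."""
    if not values:
        return False  # attribute absent from the finding: the rule cannot match it
    for op, operand in condition.items():
        if op in ("Eq", "Equals"):
            ok = any(str(v) in operand for v in values)
        elif op in ("Neq", "NotEquals"):
            ok = not any(str(v) in operand for v in values)
        elif op in ("Gt", "GreaterThan"):
            ok = any(float(v) > operand for v in values)
        elif op in ("Gte", "GreaterThanOrEqual"):
            ok = any(float(v) >= operand for v in values)
        elif op in ("Lt", "LessThan"):
            ok = any(float(v) < operand for v in values)
        elif op in ("Lte", "LessThanOrEqual"):
            ok = any(float(v) <= operand for v in values)
        else:
            raise ValueError(f"unsupported condition operator {op!r}")
        if not ok:
            return False
    return True


def matches(finding: Dict[str, Any], criterion: Dict[str, Dict[str, Any]]) -> bool:
    """True if every attribute condition in the criterion holds for the finding."""
    return all(condition_holds(resolve(finding, path.split(".")), cond)
               for path, cond in criterion.items())


def apply_suppression(findings: List[Dict[str, Any]],
                      criterion: Dict[str, Dict[str, Any]]) -> Tuple[List[str], List[str]]:
    """Split finding ids into (archived, still_visible) as the rule would."""
    archived = [f["id"] for f in findings if matches(f, criterion)]
    visible = [f["id"] for f in findings if not matches(f, criterion)]
    return archived, visible


if __name__ == "__main__":
    print(apply_suppression(SAMPLE_FINDINGS, SUPPRESS_DEV_PORT_PROBES))
```

Once the criterion archives exactly the intended findings, the same map becomes the `Criterion` value passed to `aws guardduty create-filter --action ARCHIVE --finding-criteria`. Keeping a severity bound in the rule is the important design choice: a rule keyed on tags alone would also hide the high-severity callback from the dev instance.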

GuardDuty with Multiple Accounts

  • GuardDuty has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
  • The delegated administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
  • The administrator account helps to associate and manage multiple AWS accounts.
  • All security findings are aggregated to the administrator account for review and remediation.
  • Findings are also published to EventBridge (formerly CloudWatch Events) in the administrator account when using this configuration, so event-driven automation can be built once, centrally, rather than per member account.

GuardDuty Malware Protection

  • GuardDuty Malware Protection helps scan EBS volume data for possible malware and identifies suspicious behavior indicative of malicious software in EC2 instances or container workloads.
  • is optimized to consume large data volumes for near real-time processing of security detections.
  • when a finding indicates possible malware, takes a snapshot of the EBS volumes attached to the affected instance or container workload, creates a replica volume from that snapshot in the GuardDuty service account, and scans the replica for trojans, worms, crypto miners, rootkits, bots, and similar malware, so the scan does not touch the running workload.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which AWS service makes it easy to detect and report unexpected and potentially malicious activity in your AWS environment?
    1. AWS Shield
    2. AWS Inspector
    3. AWS GuardDuty
    4. AWS WAF

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon S3. 

The managed cloud-hosted service immediately begins analyzing the AWS environment once an IT or security administrator enables GuardDuty within the AWS Management Console. 

GuardDuty is not a free service, although enabling it starts a 30-day free trial. After that, pricing is usage-based: the number of AWS CloudTrail events analyzed per month and the volume of VPC Flow Log and DNS log data analyzed per month, with later data sources (such as EKS audit logs and S3 data events) and Malware Protection scans metered separately.

How Does It Work? 

The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. 

GuardDuty detects three main types of threats:

  • Compromised instances. GuardDuty detects unusual spikes in outbound network traffic and signs that an instance is being used by an attacker, such as communication with a known command-and-control server or cryptocurrency-mining activity.
  • Reconnaissance. Reconnaissance is when an attacker gathers information about the network. GuardDuty detects activity that suggests reconnaissance, such as probing of unblocked ports from a known malicious IP, port scanning within the VPC, and unusual API activity.
  • Compromised accounts. GuardDuty detects common patterns that indicate an account compromise, such as API calls from unusual locations, changes that weaken the account's password policy, and API calls from known malicious IPs.

The service assigns each finding a numeric severity that falls into one of three bands: low (1.0 to 3.9), medium (4.0 to 6.9) and high (7.0 and above). 

  • Low severity indicates attempted suspicious activity that did not compromise your network, such as a port scan or a failed intrusion attempt. 
  • Medium severity indicates suspicious activity that deviates from normal behavior. This can include a spike in traffic directed to bitcoin-related domains, which could be a sign of cryptocurrency mining. 
  • High severity indicates that a resource (an EC2 instance or a set of IAM credentials) is compromised and actively being used for unauthorized purposes; it should be remediated immediately. 

Configuring GuardDuty

GuardDuty does not require administrators to create a role by hand: enabling the detector creates the service-linked role AWSServiceRoleForAmazonGuardDuty, which grants GuardDuty the permissions it needs to read from EC2, S3, VPC and Organizations on your behalf. Findings are then delivered as events to Amazon EventBridge; an EventBridge rule matching those events can forward them to targets such as a Kinesis data stream, a Lambda function, or an SNS topic for alerting and automated response.
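The EventBridge delivery and the severity bands described above are where most response automation lives. The following is an added example, not code from the original page or from AWS: a rule pattern that selects only high-severity findings (real EventBridge pattern syntax), and a handler that labels the numeric severity, pulls the affected resource out of the per-resource-type layout, routes by band, and ignores re-publications of a recurring finding that carry nothing new. The routing destinations, the sample findings (real finding types, invented identifiers) and the small pattern matcher are constructed for the example.

```python
"""Route GuardDuty findings delivered through Amazon EventBridge.

Added example, not code from the original page or from AWS. GuardDuty publishes
each finding to the default event bus with source "aws.guardduty" and
detail-type "GuardDuty Finding"; the finding JSON is the "detail". New findings
are published at once; recurring ones are re-published on the detector's
finding-publishing frequency (15 min, 1 h or the default 6 h) with a larger
service.count. Severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0+) are
GuardDuty's; routes, sample findings and the tiny matcher are assumptions.
"""
from typing import Any, Dict, Optional, Tuple

# EventBridge rule pattern that selects only High findings (real pattern syntax).
HIGH_SEVERITY_PATTERN: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
ROUTES = {"HIGH": "pager", "MEDIUM": "ticket", "LOW": "log"}  # assumed targets
NUMERIC_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
               "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"


def affected_resource(detail: Dict[str, Any]) -> Tuple[Optional[str], Optional[str]]:
    """Extract the resource identifier; the JSON layout differs per resourceType."""
    res = detail.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        return rtype, res["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return rtype, res["accessKeyDetails"]["accessKeyId"]
    if rtype == "S3Bucket":
        return rtype, res["s3BucketDetails"][0]["name"]
    return rtype, None


def pattern_selects(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Subset of EventBridge matching: string alternatives plus one numeric test."""
    for key, spec in pattern.items():
        value = event.get(key)
        if isinstance(spec, dict):  # nested object, e.g. "detail"
            if not (isinstance(value, dict) and pattern_selects(value, spec)):
                return False
        elif not any(
            NUMERIC_OPS[alt["numeric"][0]](value, alt["numeric"][1])
            if isinstance(alt, dict) and isinstance(value, (int, float)) else value == alt
            for alt in spec
        ):
            return False
    return True


class FindingRouter:
    """Turns raw events into alerts, once per (finding id, count, severity)."""

    def __init__(self) -> None:
        self._seen: Dict[str, Tuple[int, float]] = {}

    def handle(self, event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        if (event.get("source"), event.get("detail-type")) != ("aws.guardduty", "GuardDuty Finding"):
            return None
        d = event["detail"]
        sev, count = float(d["severity"]), int(d.get("service", {}).get("count", 1))
        if self._seen.get(d["id"]) == (count, sev):
            return None  # re-published on schedule with nothing new: do not re-alert
        self._seen[d["id"]] = (count, sev)
        label = severity_label(sev)
        rtype, rid = affected_resource(d)
        return {"finding_id": d["id"], "account": d["accountId"], "region": d["region"],
                "type": d["type"], "severity": label, "resource_type": rtype,
                "resource_id": rid, "occurrences": count, "route": ROUTES[label]}


def wrap(detail: Dict[str, Any]) -> Dict[str, Any]:  # constructed, abridged envelope
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": detail["accountId"], "region": detail["region"], "detail": detail}


LOGIN_EVENT = wrap({"accountId": "111122223333", "region": "us-east-1", "id": "f-login",
                    "type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B", "severity": 5.0,
                    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
                        "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"}},
                    "service": {"count": 1}})
C2_EVENT = wrap({"accountId": "111122223333", "region": "us-east-1", "id": "f-c2",
                 "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
                 "resource": {"resourceType": "Instance",
                              "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
                 "service": {"count": 4}})

if __name__ == "__main__":
    router = FindingRouter()
    for ev in (LOGIN_EVENT, C2_EVENT, C2_EVENT):  # the third is a re-publication
        print(pattern_selects(ev, HIGH_SEVERITY_PATTERN), router.handle(ev))
```

The de-duplication key deserves attention: GuardDuty keeps one finding id per recurring activity and raises service.count on each occurrence, so a handler that alerts on every event will page repeatedly on the default six-hour schedule, while one that keys on the id alone will miss an escalation in count or severity.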

Which AWS service continuously monitors for malicious activity and unauthorized behavior?

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, EC2 workloads, container applications, and data stored in Amazon Simple Storage Service (S3).

What should you use to monitor and detect any unauthorized activity inside your AWS account?

One example is using Amazon GuardDuty to monitor AWS accounts and workloads for malicious activity and deliver detailed security findings for visibility and remediation. Another tactic is to deploy decoys, also called honeypots, as an effective way to detect suspicious behavior.

Which AWS service can help secure the application and block the malicious traffic?

AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.

What does GuardDuty check for?

GuardDuty provides broad security monitoring of your AWS accounts, workloads, and data to help identify threats, such as attacker reconnaissance; instance, account, bucket, or Amazon EKS cluster compromises; and malware.