Amazon GuardDuty

Amazon GuardDuty

Last updated on July 11, 2023

Amazon GuardDuty Cheat Sheet

  • An intelligent threat detection service. It analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).

How It Works

Amazon GuardDuty

  • GuardDuty is a regional service.
  • Threat detection categories
    • Reconnaissance — Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.
    • Instance compromise — Activity indicating an instance compromise, such as cryptocurrency mining, backdoor command and control activity, malware using domain generation algorithms, outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
    • Account compromise — Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.
  • Tutorials dojo strip
  • Amazon GuardDuty provides three severity levels (Low, Medium, and High) to allow you to prioritize response to potential threats.
  • CloudTrail Event Source
    • GuardDuty analyzes CloudTrail management events and S3 data events. (Read about types of CloudTrail trails for more information.)
    • GuardDuty processes all CloudTrail events that come into a region, including global events that CloudTrail sends to all regions, such as AWS IAM, AWS STS, Amazon CloudFront, and Route 53.
  • VPC Flow Logs Event Source
    • VPC Flow Logs capture information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC.
  • DNS Logs Event Source
    • If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. Using other DNS resolvers will not provide GuardDuty access to its DNS logs.
  • GuardDuty vs Macie
    • Amazon GuardDuty provides broad protection of your AWS accounts, workloads, and data by helping to identify threats such as attacker reconnaissance, instance compromise, and account compromise. Amazon Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data.

GuardDuty Findings

    • GuardDuty generates findings when it detects unexpected and potentially malicious activity in your AWS environment. These are viewable via Console, GuardDuty CLI or API operations.
    • A Finding’s summary includes:
      • Finding type – a concise yet readable description of the potential security issue.
      • Severity – a finding’s assigned severity level of either High, Medium, or Low.
      • Region – the AWS region in which the finding was generated.
      • Count – the number of times GuardDuty generated the finding after you enabled GuardDuty in your AWS account.
      • Account ID – the ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
      • Resource ID – the ID of the AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
      • Threat list name – the name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.
      • Last seen – the time (your local timezone if checked through console, and UTC if checked through CLI or API) at which the activity took place that prompted GuardDuty to generate this finding.
    • A finding’s Resource affected section includes:
      • Resource role – a value that usually is set to Target because the affected resource can be a potential target of an attack.
      • Resource type – the type of the affected resource. This value is either AccessKey or Instance.
      • Instance ID – the ID of the EC2 instance involved in the activity that prompted GuardDuty to generate the finding.
      • Port – the port number for the connection used during the activity that prompted GuardDuty to generate the finding.
      • Access key ID – access key ID of the user engaged in the activity that prompted GuardDuty to generate the finding.
      • Principal ID – the principal ID of the user engaged in the activity that prompted GuardDuty to generate the finding.
      • User type – the type of user engaged in the activity that prompted GuardDuty to generate the finding.
      • User name – The name of the user engaged in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Action section includes:
      • Action type – the finding activity type. This value can be one of the following: NETWORK_CONNECTION, AWS_API_CALL, PORT_PROBE, or DNS_REQUEST.
      • API – the name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.
      • Service name – the name of the AWS service (GuardDuty) that generated the finding.
      • Connection direction – the network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be INBOUND, OUTBOUND, and UNKNOWN.
      • Protocol – the network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Actor section includes:
      • Location – location information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • IP address – the IP address involved in the activity that prompted GuardDuty to generate the finding.
      • Port – the port number involved in the activity that prompted GuardDuty to generate the finding.
      • Domain – the domain involved in the activity that prompted GuardDuty to generate the finding.
    • A finding’s Details section includes:
      • ThreatPurpose – describes the primary purpose of a threat or a potential attack. Can have the following values:
        • Backdoor – this value indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.
        • Behavior – this value indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.
        • Cryptocurrency – this value indicates that GuardDuty is detecting software that is associated with cryptocurrencies.
        • Pentest – sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, like open security groups or access keys that are overly permissive. These pen tests are done in an attempt to identify and lock down vulnerable resources before they are discovered by attackers.
        • Persistence – this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. Such as a principal has no prior history of updating network configuration settings, or updating policies or permissions attached to AWS users or resources.
        • Policy – this value indicates that your AWS account is exhibiting behavior that goes against recommended security best practices.
        • PrivilegeEscalation – this value informs you that a specific principal in your AWS environment is exhibiting behavior that can be indicative of a privilege escalation attack.
        • Recon – this value indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.
        • ResourceConsumption – this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. Such as a principal has no prior history of launching EC2 instances.
        • Stealth – this value indicates that an attack is actively trying to hide its actions and its tracks.
        • Trojan – this value indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on an appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability.
        • UnauthorizedAccess – this value indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.
      • ResourceTypeAffected – describes which AWS resource is identified in this finding as the potential target of an attack. Currently, only EC2 instances and principals (and their credentials) can be identified as affected resources in GuardDuty findings.
      • ThreatFamilyName – describes the overall threat or potential malicious activity that GuardDuty is detecting.
      • ThreatFamilyVariant – describes the specific variant of the ThreatFamily that GuardDuty is detecting. Attackers often slightly modify the functionality of the attack, thus creating new variants.
      • Artifact – describes a specific resource that is owned by a tool that is used in the attack.
    • You can create filters for your GuardDuty findings.
      • A suppression rule is a filter used to automatically archive new findings. After you create a suppression rule, new findings that match the criteria defined in the rule are automatically archived.
    • GuardDuty supports exporting active findings to CloudWatch Events and, optionally, to an Amazon S3 bucket. New Active findings that GuardDuty generates are automatically exported within about 5 minutes after the finding is generated. 

Trusted IP Lists and Threat Lists

    • Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. 
    • At any given time, you can have only one uploaded trusted IP list per AWS account per region.
    • Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. 
    • At any given time, you can have up to six uploaded threat lists per AWS account per region.

Amazon GuardDuty Pricing

Pricing is based on the quantity of AWS CloudTrail Events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Log and DNS Log data analyzed (per GB).

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS Certified Security - Specialty Exam Study Path

Validate Your Knowledge

Question 1

A company is using Amazon GuardDuty to continuously monitor their AWS resources for malicious activity, unauthorized port-scanning, and other security vulnerabilities. Whenever there are pre-approved port scanning activities from specific EC2 instances owned by the IT Security team, the Operations team still receives GuardDuty events via Amazon CloudWatch Events. There is a new requirement to suppress alerts on these authorized security tests to prevent any false positives. The Security team must ensure that the alerts should still be sent for any unauthorized activity in AWS.

Which of the following is the MOST suitable solution for this scenario?

  1. Exclude and filter out the IP addresses of the pre-approved EC2 instances owned by the Security team in AWS CloudTrail.
  2. Attach Elastic IP addresses to the EC2 instances and then add these addresses to the Trusted IP list in Amazon GuardDuty.
  3. Install the Amazon Inspector agent on the EC2 instances that execute the pre-approved port scanning activities. Configure Amazon Inspector to exclude the pre-approved port scanning activities from these instances.
  4. Use Amazon Macie to block the event notifications generated by pre-approved port scanning activities.

Correct Answer: 2

Amazon GuardDuty monitors the security of your AWS environment by analyzing and processing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. You can customize this monitoring scope by configuring GuardDuty to also use your own trusted IP lists and threat lists. The IP lists described below will apply to all VPC Flow Log and CloudTrail findings but do not apply to DNS findings

Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate VPC Flow Log or CloudTrail findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region.

Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per Region.

GuardDuty can send notifications based on Amazon CloudWatch Events when any changes in the findings take place. These changes include newly generated findings or subsequent occurrences of existing findings.

Every GuardDuty finding is assigned a finding ID. GuardDuty creates a CloudWatch event for every finding with a unique finding ID. All subsequent occurrences of an existing finding are always assigned a finding ID that is identical to the ID of the original finding.

In order to receive notifications about GuardDuty findings based on CloudWatch Events, you must create a CloudWatch Events rule and a target for GuardDuty. This rule enables CloudWatch to send events for all findings that GuardDuty generates to the target that is specified in the rule. 

Hence, the correct answer is: Attach Elastic IP addresses to the EC2 instances and then add these addresses to the Trusted IP list in Amazon GuardDuty.

AWS Exam Readiness Courses

The option that says: Exclude and filter out the IP addresses of the pre-approved EC2 instances owned by the Security team in AWS CloudTrail is incorrect because you neither exclude nor filter out the API logs based on the IP address of an EC2 instance in AWS CloudTrail. A better solution here is to use a trusted IP list in Amazon GuardDuty instead.

The option that says: Install the Amazon Inspector agent on the EC2 instances that execute the pre-approved port scanning activities. Configure Amazon Inspector to exclude the pre-approved port scanning activities from these instances is incorrect because Inspector is simply an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Instead, you have to add the IP addresses of the EC2 instances that execute the pre-approved port scanning activities to the trusted IP list in Amazon GuardDuty.

The option that says: Use Amazon Macie to block the event notifications generated by pre-approved port scanning activities is incorrect because Amazon Macie is just a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS, specifically in Amazon S3. 

References:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Tutorials Dojo AWS Practice Tests

Amazon GuardDuty Cheat Sheet References:

https://aws.amazon.com/guardduty/
https://aws.amazon.com/guardduty/faqs/
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
https://www.youtube.com/watch?time_continue=7&v=o2YaIsps5LY

Tutorials Dojo portal

Be Inspired and Mentored with Cloud Career Journeys!

Tutorials Dojo portal

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Recent Posts

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?