GuardDuty

Amazon GuardDuty is a threat detection service that uses machine learning and other techniques to identify malicious activity and unauthorized behavior in your AWS accounts and workloads. GuardDuty integrates with other AWS security services to provide a comprehensive view of your security posture and helps you to quickly respond to security threats. With GuardDuty, you can detect and respond to a wide range of security threats, including account compromise, infrastructure threats, data exfiltration, and unauthorized access to sensitive data. The service continuously monitors your AWS environment and uses machine learning algorithms to identify potential threats. When a threat is detected, GuardDuty generates an alert, which you can view in the AWS Management Console or receive via Amazon CloudWatch events and Amazon SNS notifications. The service integrates with other AWS security services, such as Amazon CloudTrail, Amazon VPC Flow Logs, and AWS WAF, to provide a comprehensive view of your security posture.

Terraform Name

aws_guardduty_detector

GuardDuty

attributes:

The following arguments are supported:

enable - (Optional) Enable monitoring and feedback reporting. Setting to false is equivalent to "suspending" GuardDuty. Defaults to true.
finding_publishing_frequency - (Optional) Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty primary accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. See AWS Documentation for more information.
datasources - (Optional) Describes which data sources will be enabled for the detector. See Data Sources below for more details.
tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Data Sources

The datasources block supports the following:

s3_logs - (Optional) Configures S3 protection. See S3 Logs below for more details.
kubernetes - (Optional) Configures Kubernetes protection. See Kubernetes and Kubernetes Audit Logs below for more details.
malware_protection - (Optional) Configures Malware Protection. See Malware Protection, Scan EC2 instance with findings and EBS volumes below for more details.

S3 Logs

The s3_logs block supports the following:

enable - (Required) If true, enables S3 protection. Defaults to true.

Kubernetes

The kubernetes block supports the following:

audit_logs - (Required) Configures Kubernetes audit logs as a data source for Kubernetes protection. See Kubernetes Audit Logs below for more details.

Kubernetes Audit Logs

The audit_logs block supports the following:

enable - (Required) If true, enables Kubernetes audit logs as a data source for Kubernetes protection. Defaults to true.

Malware Protection

malware_protection block supports the following:

scan_ec2_instance_with_findings - (Required) Configure whether Malware Protection is enabled as data source for EC2 instances with findings for the detector. See Scan EC2 instance with findings below for more details.

Scan EC2 instance with findings

The scan_ec2_instance_with_findings block supports the following:

ebs_volumes - (Required) Configure whether scanning EBS volumes is enabled as data source for the detector for instances with findings. See EBS volumes below for more details.

EBS volumes

The ebs_volumes block supports the following:

enable - (Required) If true, enables Malware Protection as data source for the detector. Defaults to true.

‍

Associating resources with a

GuardDuty

Resources do not "belong" to a

GuardDuty

Rather, one or more Security Groups are associated to a resource.

Create

GuardDuty

via Terraform:

The following HCL creates a resource to manage a GuardDuty detector.

Syntax:

resource "aws_guardduty_detector" "MyDetector" {
enable = true

datasources {
s3_logs {
enable = true
}
kubernetes {
audit_logs {
enable = false
}
}
malware_protection {
scan_ec2_instance_with_findings {
ebs_volumes {
enable = true
}
}
}
}
}

Create

GuardDuty

via CLI:

Parameters:

create-detector
--enable | --no-enable
[--client-token <value>]
[--finding-publishing-frequency <value>]
[--data-sources <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws guardduty create-detector \
--enable

Costs

The cost of using GuardDuty depends on the number of AWS accounts and the amount of data processed. For data processing, you are charged for the number of AWS CloudTrail log files processed and the amount of data processed by Amazon GuardDuty. An active detector is a single GuardDuty deployment in an AWS account. If you have multiple AWS accounts, you will need to deploy GuardDuty in each account, and you will be charged for each active detector.

GuardDuty

Terraform Name

Data Sources

S3 Logs

Kubernetes

Kubernetes Audit Logs

Malware Protection

Scan EC2 instance with findings

EBS volumes

Costs

Indirect Cost

IAM best practices and troubleshooting tips for AWS EKS

How to identify a compromised EC2 instance using VPC Flow logs and Amazon GuardDuty