Launched in 2017, Amazon Web Services’ GuardDuty is a network-based intrusion detection system (IDS) that analyzes usage patterns across your AWS infrastructure and identifies potential threats based on pre-existing rules. In practice it intelligently parses your CloudTrail, VPC Flow and Route53 logs and triggers CloudWatch events if it notices anything suspicious.
GuardDuty is, second to none, the most cost-effective intrusion detection system on the market today for customers already using AWS, and it should be part of any responsible information security policy. As of this writing, AWS charges by the volume of logs it analyzes: $1/GB for VPC and DNS logs and $4 per 1k CloudTrail events. What is truly exceptional is that you do not have to enable CloudTrail, VPC Flow or DNS logs for GuardDuty to operate (source), which can save you the cost of storing and administering those logs; there is also a good chance you are already paying for S3 storage of these logs without getting any of the benefits of intelligently processing them.
Lastly, much like other AWS products, GuardDuty comes with a 30-day free trial; it’s simply a matter of enabling it and seeing the types of findings it produces. For example:
This one, from one of our production accounts, shows how quickly malicious users start scanning for open ports on an EC2 instance.
Since GuardDuty appears to be an underutilized AWS service, there isn’t much public documentation or guidance (outside of AWS’s official documentation) on how to deploy it using CloudFormation, so here’s a working example that enables it and configures SNS email alerts for findings. Enjoy!
```yaml
---
Description: >-
  Guardduty with SNS email alerts ftw!
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Topic that receives the findings; the email endpoint has to confirm the subscription.
  SecuritySnstopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: security-alerts
      TopicName: security-alerts
      Subscription:
        - Endpoint: email@example.com
          Protocol: email
  # One detector per region; findings are published to CloudWatch Events every 15 minutes.
  GuardDuty:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
  # Forward every GuardDuty finding event to the topic. source and detail-type are
  # top-level fields of the event envelope; nesting them under detail never matches.
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    DependsOn:
      - SecuritySnstopic
    Properties:
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
      State: ENABLED
      Targets:
        - Arn: !Ref SecuritySnstopic
          Id: SnsSecurityTopic
  # Allow CloudWatch Events to publish to this topic (scoped to the topic rather than '*').
  EventTopicPolicy:
    Type: 'AWS::SNS::TopicPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sns:Publish'
            Resource: !Ref SecuritySnstopic
      Topics:
        - !Ref SecuritySnstopic
```
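A cheap way to sanity-check the rule before deploying is to run the EventPattern against a sample finding. The matcher below is an added example, not part of the original post or any AWS SDK: it mimics the subset of EventBridge pattern matching the template relies on (exact-value lists, nested objects, and a single `numeric` comparison), uses a constructed finding event, and shows that the top-level `source`/`detail-type` pattern matches while the same keys nested under `detail` do not; the severity pattern goes beyond the post and illustrates filtering low-severity port-probe noise.

```python
import operator

# Numeric operators EventBridge accepts in a {"numeric": [op, n]} rule (single comparison only here).
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

# Constructed sample of the event EventBridge delivers for a GuardDuty finding;
# field layout follows the documented finding event, all values are made up.
SAMPLE_FINDING_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance is being probed.",
    },
}

# Pattern used by the template: source and detail-type are top-level envelope fields.
WORKING_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
# Same fields mistakenly nested under detail: no finding carries them there, so it never fires.
BROKEN_PATTERN = {"detail": {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}}
# Extension (assumed, not from the post): forward only severity 4 (medium) and above.
MEDIUM_AND_UP_PATTERN = {"source": ["aws.guardduty"], "detail": {"severity": [{"numeric": [">=", 4]}]}}


def _value_allowed(value, rules):
    """True if value equals one of the literal alternatives or satisfies a numeric rule."""
    for rule in rules:
        if isinstance(rule, dict) and "numeric" in rule:
            op, bound = rule["numeric"]
            if isinstance(value, (int, float)) and OPS[op](value, bound):
                return True
        elif rule == value:
            return True
    return False


def pattern_matches(pattern, event):
    """Every pattern key must exist in the event; dict values recurse, lists are alternatives."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):
            if not isinstance(event[key], dict) or not pattern_matches(rules, event[key]):
                return False
        elif not _value_allowed(event[key], rules):
            return False
    return True
```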
Last updated on 01/09/2019.