Simple intrusion detection with AWS GuardDuty

Launched in 2017, Amazon Web Services' GuardDuty is a network-based intrusion detection system (IDS) that analyzes usage patterns across your AWS infrastructure and identifies potential threats based on pre-existing rules. In practice, it parses your CloudTrail, VPC Flow and Route53 DNS logs and triggers CloudWatch Events if it notices anything suspicious.

Why should startups use GuardDuty?

GuardDuty is by far the most cost-effective intrusion detection system on the market today for customers already using AWS, and it should be part of any responsible information security policy. As of this writing, AWS charges by the volume of logs it analyzes: $1/GB for VPC Flow and DNS logs and $4 per 1k CloudTrail events — but what is truly exceptional is that you do not have to enable CloudTrail, VPC Flow or DNS logging for GuardDuty to operate (source), which can save you the storage and administration cost of those logs. And if you are already paying for S3 storage of them, there is a good chance you are not getting any of the benefits of intelligently processing them.

Lastly, much like other AWS products, GuardDuty comes with a 30-day free trial; it's simply a matter of enabling it and seeing the types of findings it produces, for example:

This is from one of our production accounts, showing how quickly malicious users start scanning for open ports on an EC2 instance.

Easy GuardDuty deployment with CloudFormation

Since GuardDuty appears to be an underutilized AWS service, there isn't much public documentation or guidance (outside of AWS's official documentation) on how to deploy it with CloudFormation, so here's a working example that enables it and configures SNS email alerts for findings. Enjoy!

---
Description: >-
  Guardduty with SNS email alerts ftw!
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # SNS topic that fans findings out to an e-mail subscriber
  SecuritySnstopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: security-alerts
      TopicName: security-alerts
      Subscription:
        - Endpoint: dev@uvasoftware.com
          Protocol: email

  # The GuardDuty detector itself (one per account per region)
  GuardDuty:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

  # CloudWatch Events rule: match GuardDuty findings and forward them to the topic.
  # "source" and "detail-type" are top-level fields of the event, so they belong at
  # the top level of the pattern; nested under "detail" they would never match.
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
      State: ENABLED
      Targets:
        - Arn: !Ref SecuritySnstopic
          Id: SnsSecurityTopic

  # Allow CloudWatch Events to publish to this topic only (scoped to the topic ARN)
  EventTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecuritySnstopic
      Topics:
        - !Ref SecuritySnstopic
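The e-mail that arrives from the template above is the raw finding JSON, and every finding gets sent regardless of severity. The following is an added example, not code from the original post: a small Python handler in the Lambda style that could sit between the CloudWatch Events rule and the SNS topic, drops findings below a severity threshold and turns the finding into a one-line alert. It also checks a rule pattern against a sample event, which is a cheap way to confirm that "source" and "detail-type" sit at the top level of the pattern before deploying it. The sample event is constructed, and ALERT_TOPIC_ARN and MIN_SEVERITY are hypothetical environment variable names; nothing contacts AWS unless lambda_handler is invoked, so the module runs offline.

```python
"""Added example: severity-filtering formatter for GuardDuty finding events.
Assumes the EventBridge/CloudWatch Events shape of a "GuardDuty Finding" event;
the sample below is constructed, not a real finding."""
import json
import os

# Pattern the rule uses: every key must match; a list means "any of these values".
# "source" and "detail-type" are top-level fields of every CloudWatch event.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Common mistake: nesting source/detail-type under "detail". The finding payload
# has no such keys, so this pattern never matches a real finding.
MISPLACED_PATTERN = {
    "detail-type": ["GuardDuty Finding"],
    "detail": {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]},
}

# Constructed sample event, shaped like a port-probe finding for an EC2 instance.
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "time": "2019-01-09T10:00:00Z", "resources": [],
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
        "title": "Unprotected port on EC2 instance i-0123456789abcdef0 is being probed.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"serviceName": "guardduty", "count": 3},
    },
}


def matches_pattern(event, pattern):
    """Simplified event-pattern matching: each pattern key must be present in the
    event; a list matches when the event value is one of its members; a nested
    dict recurses into the corresponding event object."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches_pattern(value, expected):
                return False
        elif value not in expected:
            return False
    return True


def severity_label(severity):
    """GuardDuty severity bands: 1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def summarize_finding(event, min_severity=4.0):
    """Return a one-line alert for a finding at or above min_severity, else None."""
    if not matches_pattern(event, RULE_PATTERN):
        return None
    detail = event["detail"]
    severity = float(detail["severity"])
    if severity < min_severity:
        return None
    resource = detail.get("resource", {})
    # Name the affected resource: an EC2 instance, an IAM principal, or just the type.
    target = (resource.get("instanceDetails", {}).get("instanceId")
              or resource.get("accessKeyDetails", {}).get("userName")
              or resource.get("resourceType", "unknown"))
    count = detail.get("service", {}).get("count", 1)
    return (f"[GuardDuty {severity_label(severity)} {severity:.1f}] {detail['type']} "
            f"in {event['account']}/{event['region']} on {target}: "
            f"{detail['title']} (count={count})")


def lambda_handler(event, context):
    """Entry point when the function, rather than the topic, is the rule's target.
    ALERT_TOPIC_ARN and MIN_SEVERITY are hypothetical environment variables."""
    message = summarize_finding(event, float(os.environ.get("MIN_SEVERITY", "4.0")))
    if message is None:
        return {"published": False}
    import boto3  # imported lazily so the module loads without the AWS SDK installed
    boto3.client("sns").publish(
        TopicArn=os.environ["ALERT_TOPIC_ARN"],
        Subject=message[:100],  # SNS subjects are limited to 100 characters
        Message=message + "\n\n" + json.dumps(event["detail"], indent=2),
    )
    return {"published": True}


if __name__ == "__main__":
    print(summarize_finding(SAMPLE_EVENT, min_severity=1.0))
```

If you wire this in, the rule's target becomes the Lambda function instead of the topic, and the function's execution role needs sns:Publish on that one topic; the default threshold of 4.0 keeps the low-severity port-probe noise out of the inbox while still letting you lower MIN_SEVERITY during the free trial to see everything GuardDuty produces.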

Looking for a REST API you can use to identify malware, phishing, NSFW images/language and other dangerous content? Try https://scanii.com!


Last updated on 01/09/2019.