AWS Guardduty Detector
Deploys an Amazon GuardDuty Detector to an AWS region as a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and sends emails about security findings for visibility and remediation.
Made by: Massdriver
Official: Yes
Tags: AWS GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and anomalous behavior. With GuardDuty, you can monitor for unauthorized and unexpected behaviors in your AWS workloads and accounts, and integrate with other AWS services to remediate threats automatically.
Design Decisions
- Enabling Core Features: The solution automatically enables critical GuardDuty features such as S3 Data Events, EKS Audit Logs, EBS Malware Protection, RDS Login Events, and Lambda Network Logs based on user configuration.
- Notifications: Uses Amazon SNS to send notifications about GuardDuty findings. Users can specify an email to receive alerts.
- CloudWatch Integration: Integrates with CloudWatch for monitoring and alerting, automatically creating CloudWatch event rules and SNS topics to handle findings.
- Automatic Alarms: Configures automatic CloudWatch alarms for failed SNS notifications and GuardDuty findings using user-defined thresholds.
- Modular Approach: Utilizes separate modules for alarms and notifications to keep provisioning organized and maintainable.
Runbook
GuardDuty Findings Not Showing Up in CloudWatch
If GuardDuty findings are not appearing in CloudWatch as expected, verify the CloudWatch Event Rule configuration.
- Check CloudWatch Event Rule
List all the CloudWatch Event Rules:
```shell
aws events list-rules
```
Describe the specific rule to ensure it matches the expected pattern:
```shell
aws events describe-rule --name <your_rule_name>
```
Ensure the event pattern includes:
- Source: "aws.guardduty"
- Detail-Type: "GuardDuty Finding"
- Appropriate severity levels in the detail section.
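The three checks above can be scripted against the `EventPattern` string that `describe-rule` returns. The following is an added example, not part of the bundle or of the Massdriver code: it verifies the required source and detail-type values, flags a missing severity filter, and includes a minimal EventBridge pattern matcher (exact values plus the `numeric` operator) so you can test whether a finding of a given severity would actually be routed. The sample pattern and the sample finding are constructed; real findings carry many more fields, which the matcher ignores.

```python
import json

# Constructed sample of the EventPattern string that `aws events describe-rule`
# returns for a rule forwarding GuardDuty findings of severity 4 and above.
SAMPLE_EVENT_PATTERN = json.dumps({
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
})

# Constructed sample finding event; the shape follows the GuardDuty EventBridge
# event (source, detail-type, detail.severity), the values are made up.
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8.0, "type": "Constructed:Sample/FindingType"},
}

# What the runbook says the pattern must contain.
REQUIRED_VALUES = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding"}

_NUMERIC_OPS = {
    "=": lambda v, b: v == b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
}


def _numeric_matches(value, ops):
    # ops uses the EventBridge form [">=", 4] or a range such as [">", 0, "<=", 5]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(ops[::2], ops[1::2]))


def _value_matches(value, matchers):
    # A leaf in an event pattern is a list; any one entry matching is enough.
    for m in matchers:
        if isinstance(m, dict):
            if "numeric" in m and _numeric_matches(value, m["numeric"]):
                return True
        elif value == m:
            return True
    return False


def pattern_matches(pattern, event):
    """Minimal EventBridge matcher: every key in the pattern must match the event
    (exact values or the 'numeric' operator); event keys absent from the pattern are ignored."""
    for key, matcher in pattern.items():
        if key not in event:
            return False
        if isinstance(matcher, dict):
            if not isinstance(event[key], dict) or not pattern_matches(matcher, event[key]):
                return False
        elif not _value_matches(event[key], matcher):
            return False
    return True


def check_rule_pattern(event_pattern_json):
    """Return the list of problems found in the EventPattern string; empty means it looks right."""
    pattern = json.loads(event_pattern_json)
    problems = []
    for key, expected in REQUIRED_VALUES.items():
        if expected not in pattern.get(key, []):
            problems.append(f'{key} does not include "{expected}"')
    if "severity" not in pattern.get("detail", {}):
        problems.append("detail.severity filter is missing")
    return problems


def rule_would_deliver(event_pattern_json, finding):
    """True if a finding with this shape would be routed by the rule."""
    return pattern_matches(json.loads(event_pattern_json), finding)


if __name__ == "__main__":
    print("problems:", check_rule_pattern(SAMPLE_EVENT_PATTERN))
    print("sample finding delivered:", rule_would_deliver(SAMPLE_EVENT_PATTERN, SAMPLE_FINDING))
```

To use it against a live rule, feed the `EventPattern` field of the `describe-rule` output to `check_rule_pattern`, then call `rule_would_deliver` with a finding at the lowest severity you expect to be notified about; a pattern that lists severities as exact values (for example `[7, 7.0, 7.1]`) silently drops any severity not in the list, which is the usual cause of "findings exist but nothing arrives".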
SNS Topic Not Receiving Notifications
If the SNS topic is not receiving notifications from GuardDuty, verify the SNS topic configuration.
- Check SNS Topics and Subscriptions
List your SNS topics to ensure they exist:
```shell
aws sns list-topics
```
List subscriptions to make sure your endpoints are attached to the correct topics:
```shell
aws sns list-subscriptions-by-topic --topic-arn <your_topic_arn>
```
- Subscribe an Email to the SNS Topic
If the email subscription is missing, manually subscribe:
```shell
aws sns subscribe --topic-arn <your_topic_arn> --protocol email --notification-endpoint <your_email@example.com>
```
- Verify SNS Topic Policy
Ensure that the SNS topic policy allows sns:Publish from cloudwatch.amazonaws.com.
```shell
aws sns get-topic-attributes --topic-arn <your_topic_arn>
```
Look for the Policy attribute and verify the permissions.
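Reading the `Policy` attribute by eye is error-prone because it is a JSON document embedded as a string, and because `Action`, `Resource` and `Principal.Service` may each be a single string or a list. The following added example (not part of the bundle or of Massdriver's code) takes the raw output of `aws sns get-topic-attributes`, extracts the policy and decides whether a given service principal is allowed to `sns:Publish` to the topic, honouring wildcards and explicit `Deny` statements. The topic ARN and the policy are constructed samples; the service principal is a parameter, defaulting to the one named in the runbook, so the same check works for any publisher.

```python
import json

# Constructed placeholders: a topic ARN and the principal the runbook names.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:guardduty-findings"
EXPECTED_PRINCIPAL = "cloudwatch.amazonaws.com"

# Constructed sample of `aws sns get-topic-attributes` output; the Policy
# attribute is itself a JSON document stored as a string.
SAMPLE_CLI_OUTPUT = json.dumps({
    "Attributes": {
        "TopicArn": TOPIC_ARN,
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowPublishFromService",
                    "Effect": "Allow",
                    "Principal": {"Service": EXPECTED_PRINCIPAL},
                    "Action": "sns:Publish",
                    "Resource": TOPIC_ARN,
                }
            ],
        }),
    }
})


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt, topic_arn, service_principal):
    """True if this statement's Action, Resource and Principal all cover an
    sns:Publish to the topic by the given service principal."""
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"sns:publish", "sns:*", "*"}:
        return False
    if not any(r in ("*", topic_arn) for r in _as_list(stmt.get("Resource", []))):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        services = set(_as_list(principal.get("Service", [])))
        return "*" in services or service_principal in services
    return False


def policy_allows_publish(policy_json, topic_arn, service_principal):
    """True if the topic policy lets the service principal publish to the topic:
    at least one matching Allow and no matching explicit Deny.
    Condition blocks are not evaluated (a conditional statement counts as matching)."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    matching = [s for s in statements if _statement_covers(s, topic_arn, service_principal)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def check_topic_from_cli_output(cli_output_json, service_principal=EXPECTED_PRINCIPAL):
    """Take the raw JSON printed by `aws sns get-topic-attributes` and report
    whether the service principal may publish to that topic."""
    attrs = json.loads(cli_output_json)["Attributes"]
    return policy_allows_publish(attrs["Policy"], attrs["TopicArn"], service_principal)


if __name__ == "__main__":
    print("publish allowed:", check_topic_from_cli_output(SAMPLE_CLI_OUTPUT))
```

Pipe the CLI output into `check_topic_from_cli_output` (for example `aws sns get-topic-attributes --topic-arn <your_topic_arn> | python3 check_policy.py`, reading stdin). Because `Condition` keys are not evaluated, a `True` result with a conditional statement still needs a manual look at that condition, typically an `aws:SourceArn` restriction that must name the rule that publishes.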
Viewing GuardDuty Findings in the AWS Management Console
Sometimes the findings are present but not visible via the CLI or API.
- Check GuardDuty Findings in the Console
Go to the AWS Management Console:
- Navigate to GuardDuty.
- Check the "Findings" section to view detailed issues flagged by GuardDuty.
This manual inspection can help verify that findings are being generated even if not properly routed to SNS or CloudWatch.
Variable | Type | Description |
---|---|---|
detector.region | string | AWS Region to provision in. |
features.ebs_malware | boolean | Enable scanning of EBS volumes for malware |
features.eks_audit | boolean | Enable monitoring of EKS audit logs to detect suspicious activity in your EKS clusters |
features.eks_runtime | boolean | Enable monitoring of EKS runtimes to detect suspicious activity in EKS workloads |
features.lambda_network | boolean | Enable monitoring of AWS Lambda invocations |
features.rds_login | boolean | Enable monitoring of successful and unsuccessful login attempts to RDS databases |
features.s3_data | boolean | Enable monitoring of S3 get/put/list/delete events |
monitoring.mode | string | Enable and customize CloudWatch metric alarms. |
notifications.email | string | Specify email to be notified at in case of findings |
notifications.frequency | string | Select the frequency to export events to EventHub for notifications |
notifications.severity.high | boolean | A High severity level indicates that the resource in question is compromised and is actively being used for unauthorized purposes. |
notifications.severity.low | boolean | A low severity level indicates attempted suspicious activity that did not compromise your network |
notifications.severity.medium | boolean | A Medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise. |