Guide to AWS GuardDuty Best Practices
What Is AWS GuardDuty
Amazon Guard Duty is a security service for AWS. It monitors logs in your AWS environment, detects threats and alerts you about vulnerabilities.
How AWS Works
The good thing about GuardDuty is that it’s highly automated. It finds threats with Machine Learning, anomaly detection, and 3rd party data. It builds patterns that find potential security issues.
Note, that Guard Duty doesn’t prevent issues, but only detects them. That’s why GuardDuty alone won’t protect you from issues like DDoS attacks. But you can pair GuardDuty with AWS Shield for maximum security.
What Logs Does GuardDuty Track
Some of the data sources are foundational, others are optional.
Here are the main log sources that GuardDuty tracks. For all 3, GuardDuty starts monitoring automatically right after you enable the service.
- AWS CloudTrail logs capture API activity in your AWS account. GuardDuty helps find unauthorized access or compromised credentials.
- VPC Flow logs show IP traffic going in and out of the Virtual Private Cloud network.
- DNS logs that turn domain names into IP addresses.
Additionally, GuardDuty can track logs within these AWS services:
- EKS protection includes audit log and runtime monitoring.
- Lambda network activity logs can show malicious code in Lambda functions.
- EBS volumes that are attached to EC2 are scanned for malware.
- RDS login activity shows access threats.
- S3 protection looks for security risks in API operations.
What Happens When GuardDuty Finds a Threat
When there are any security findings, GuardDuty passes them forward. Here’s how it works:
GuardDuty Pipeline
- GuardDuty findings pass to CloudWatch Events in 5 minutes after they are detected.
- CloudWatch Event has 2 targets: SNS and Firehose. You can use Lambda functions to filter the findings.
- Firehose stream delivers targets to S3 Buckets for long-term archiving. It also goes to Elasticsearch.
- You can use Kibana, the built-in Elasticsearch plugin for visualization and operational analytics.
- Cognito user pools are used for authentication.
- SNS will send email and SMS notifications when GuardDuty finds a threat.
What Does GuardDuty Protect Me from
Unusual Behavior. GuardDuty carefully checks all unauthorized attempts to access your network including the API calls. It looks at anything out of the ordinary: login attempts from strange places, misused credentials, or sudden spikes in traffic.
Malware. It tracks your network for malicious software, like trojans and crypto miners. Basically, it scans EBS volumes attached to the EC2 instances and container workloads. Note, that malware scans come at additional price – after the trial period you’ll pay for EBS volume snapshots.
Data Breaches. GuardDuty watches for signs of data breaches or irregular data transfer patterns in your AWS infrastructure. It’s vigilant for large or unexpected data transfers, unusual access patterns, or any activities that could indicate unauthorized movement or potential loss of data.
Network Insecurities. GuardDuty monitors traffic for known malicious botnets or command-and-control servers. It flags suspicious DNS-related activities that might indicate data exfiltration.
How Is GuardDuty Different from Other AWS Security Services?
It’s easy to get lost between many AWS services, so let’s figure them out.
Security Hub aggregates findings from many AWS services – including GuardDuty. When GuardDuty finds a threat, it may go to Security Hub where it can get neutralized.
Inspector focuses on vulnerabilities in AWS applications, while Guard Duty finds threats in event logs. In other words, GuardDuty looks at what happened, and Inspector checks what can happen.
Macie protects sensitive data in S3 buckets. It can also ensure compliance with regulations like HIPAA. Yet, Macie and GuardDuty serve different purposes, and they don’t directly integrate with each other.
Shield protects from DDoS attacks, while GuardDuty can add insights into the attacks to help Shield fight them. These services serve different purposes, but can work together to fight DDoS.
WAF is a firewall that monitors HTTP and HTTPS traffic. It prevents exploits like SQL injection and XSS in web apps. While GuardDuty works like an antivirus, WAF is an intelligent firewall.
Trusted Advisor mainly helps to optimize costs and performance. But it also addresses the security gaps. TA can ensure that you follow best practices and standards in security.
SIEM looks over the entire network, while GuardDuty checks the entrance to it. SIEMS stands for Security information and event management. While Guardduty is not a SIEM, there are many different SIEM tools like Splunk or IBM QRadar.
IDS means Intrusion Detection System. GuardDuty is a cloud-centric IDS, that’s somewhat different from traditional IDS. Traditional IDS monitor network traffic at specific control points using preconfigured rules, while GuardDuty analyzes a broader spectrum of events including API calls and serverless services.
AWS GuardDuty Best Practices
GuardDuty is highly automated, so in many ways it takes care of itself. There’s a simple and straightforward setup guide. It only takes a few minutes to enable all foundational services.
You can fine tune GuardDuty as well. Amazon made an hour-long webinar with GuardDuty tips. Watch it for a deep dive or read a quick breakdown.
Here’s are some best practices, though:
Link All of Your AWS Accounts. If you have multiple accounts, set up a master member to centralize GuardDuty. You can use the multi account script to speed up the process.
Update Your IP Address Lists – both trusted and threat lists. You can purchase threat feeds from third-party companies like Crowdstrike or generate your own lists.
Use Filters to Archive Expected Findings. When you run a security assessment, you expect GuardDuty alerts. But you don’t have to clutter your findings list with them. Hide and archive them instead.
How to Optimize GuardDuty Pricing
GuardDuty pricing is complicated. It charges you per analyzed data, measured in gigabytes and the number of security findings. AWS has a pricing calculator, but it’s too tangled for real life.
To make it easier, Amazon offers a free monthly trial. This way, you’ll track potential costs, but won’t need to pay for them. Keep in mind that the trial will estimate your current spendings. If your application is scaling, so will the GuardDuty costs.
To prevent extra costs, make as few calls as possible. You can use cache or change the calling intervals. Or reduce unnecessary CloudTrail data with suppression rules. Sometimes, it’s wise to disable S3 and EKS in non-business critical regions.
If you need help balancing GuardDuty costs, reach out to us. We’ll save your AWS budget, so you don’t have to pay extra every month. All while keeping the cloud secure.
