Study Guides/AWS Cybersecurity Notes/Security Hub & Guard Duty

From Cramsession
Revision as of 01:36, 25 May 2026 by Mflavell (talk | contribs) (→‎Findings & Cloudwatch)
Verified Author: Mflavell

Amazon GuardDuty

This is a managed threat detection service.

  • Uses machine learning.
  • Is charged to your account (not free).
  • Can process millions of events, captured from:
    • CloudTrail
    • DNS (Route 53)
    • VPC Flow Logs


This service learns what is normal in the account in order to find abnormal actions.

  • Can detect connections with unusual sources.
  • E.g. data being exfiltrated to a remote FTP server.


This is an always-on service:

  • Issues can be found without incurring a performance hit.
  • No local agents are required - this is Security as a Service.
  • No upfront costs with GuardDuty.
  • Installs in one click, with no configuration nightmares.


Additionally:

  • Coverage is global.
  • Can detect well-known threats using threat intelligence.
  • Can find behaviour-based threats.
  • Can monitor security across different accounts.


GuardDuty Data Sources

Once GuardDuty is enabled, it uses these data sources:


  • VPC Flow Logs
    Provide details about network communication.
    VPC Flow Logs can be turned off; because of this, GuardDuty uses its own flow log stream.


  • CloudTrail events
    Records SDK / command line use for future reference.
    Helps build a profile of your account to understand what is normal.


  • DNS logs
    Checks for queries from known and unknown instances.
    Can look at domain queries and compare them to threat intelligence.
    Can be done with or without Route 53 enabled.


GuardDuty Alerts

All detections are ranked High, Medium or Low.

This lets you know which items to address first.


Findings are delivered to three places:

  • Your Security Hub.
  • A designated S3 bucket.
  • CloudWatch Events or EventBridge.


  • For the Security Hub destination you must have Security Hub up and running.


Why use these:

  • Security Hub lets you see everything in one place.
  • CloudWatch / EventBridge can provide near-real-time alerts using SNS.
  • S3 keeps an auditable log of alerts.


Where does the information come from?

GuardDuty uses these sources:

  • AWS security intelligence
  • AWS Partners such as CrowdStrike and Proofpoint
  • Customer-provided information


What can be detected

Using this intelligence GuardDuty can detect:

  • Hosts infected with known malware
  • Proxies or Tor gateways
  • Crypto mining or wallets
  • Hosting of malware or hacking tools


Macie vs GuardDuty

Macie looks at information stored in S3:

  • Tries to classify the data and assess its risk.
  • Macie is also a fully managed machine learning system.
  • Macie allows proactive safeguards on sensitive information.


GuardDuty does not:

  • Read the S3 bucket data
  • Find data containing PII


GuardDuty does:

  • Aggregate CloudTrail events.


Macie - information

GuardDuty - trails & logs (guards follow trails)


Severity of items

A numerical scale is used for GuardDuty findings:

  • High - 7.0 - 8.9
  • Medium - 4.0 - 6.9
  • Low - 1.0 - 3.9


These values can be used to trigger SNS alerts.
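As an added example (not part of these notes), the following Python maps the numeric scale above to its label, builds the EventBridge event pattern that lets only findings at or above a chosen severity reach an SNS target, and shows the Lambda-style triage logic that would sit between EventBridge and SNS. The sample finding event and its values are constructed; the pattern fields used (source, detail-type, detail.severity with a numeric filter) are the standard EventBridge/GuardDuty ones.

```python
import json
from typing import Optional

# Numeric scale from the notes: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9.
SEVERITY_BANDS = (("High", 7.0, 8.9), ("Medium", 4.0, 6.9), ("Low", 1.0, 3.9))


def severity_label(score: float) -> str:
    """Map a GuardDuty numeric severity to the label used in the notes."""
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    return "Unknown"  # outside the bands listed above


def eventbridge_rule_pattern(min_severity: float = 7.0) -> dict:
    """EventBridge event pattern that matches only findings at or above
    min_severity; give the rule an SNS topic as its target to raise alerts."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_severity]}]},
    }


def triage(event: dict, min_severity: float = 7.0) -> Optional[dict]:
    """Lambda-style handler body: build an SNS message for findings that
    meet the threshold, or return None when the finding is only logged."""
    detail = event.get("detail", {})
    score = float(detail.get("severity", 0))
    if score < min_severity:
        return None
    summary = {k: detail.get(k) for k in ("id", "accountId", "region", "title")}
    summary["severity"] = score
    # GuardDuty folds repeated similar events into one finding; count shows how many.
    summary["count"] = detail.get("service", {}).get("count")
    return {"subject": f"[GuardDuty {severity_label(score)}] {detail.get('type')}",
            "body": json.dumps(summary)}


# Constructed sample (hypothetical values) in the shape EventBridge delivers findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "constructed-finding-id", "accountId": "123456789012",
               "region": "us-east-1", "severity": 8, "service": {"count": 3},
               "type": "UnauthorizedAccess:EC2/TorClient",
               "title": "EC2 instance is communicating with a Tor entry node."},
}
```

Lowering min_severity to 4.0 makes the same rule and handler pass Medium findings through as well; anything below the threshold is still recorded in Security Hub and S3 but does not page anyone.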


Testing GuardDuty

AWS has a GuardDuty repo with simulated malware.

More information can be found at https://github.com/awslabs/amazon-guardduty-tester

This is a Git repo that contains CloudFormation templates.

After setup, findings should appear in GuardDuty after 8 to 10 minutes.


Findings & CloudWatch

Multiple similar events will be combined - this is to prevent too much noise.

An initial alert is sent out; GuardDuty then waits for a backoff period before alerting again.
By default this period is six hours.


Remediation

Any automated remediation is done using CloudWatch.

For manual remediation, GuardDuty provides a remediation guide.