Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized or malicious activity within your AWS environment. This can include issues like privilege escalation, use of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances launched in a region that has never been used, or unusual API calls, like a password policy change that reduces password strength. GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch Events. You can suspend or disable GuardDuty at any time to stop it from processing and analyzing events and logs.
Amazon GuardDuty Pricing
Any account new to Amazon GuardDuty can try the service for 30 days at no cost, with access to the full feature set and all detections during the free trial. GuardDuty displays the volume of data processed and the estimated daily average service charge for your account, so you can experience GuardDuty at no cost and forecast what the service will cost beyond the free trial.
Amazon GuardDuty is priced along two dimensions: the quantity of AWS CloudTrail events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Log and DNS Log data analyzed (per GB).
- CloudTrail Event analysis – GuardDuty continuously analyzes CloudTrail events, monitoring all access and behavior of your AWS accounts and infrastructure. CloudTrail analysis is charged per 1,000,000 events per month and pro-rated.
- VPC Flow Log and DNS Log analysis – GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your AWS accounts and workloads. Flow log and DNS log analysis is charged per gigabyte (GB) per month and is offered with tiered volume discounts.
Pricing example (monthly), US-East (N. Virginia)
GuardDuty processes:
· 40,000,000 events
· 2,000 GB of VPC Flow Logs
· 1,000 GB of DNS Query Logs
Charges = 40 x $4.00 (per 1,000,000 events)
 + 500 x $1.00 (first 500 GB)
 + 2,000 x $0.50 (next 2,000 GB)
 + 500 x $0.25 (over 2,500 GB)
 = $1,785 per month
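The example above is one instance of a general tiered-volume calculation: flow log and DNS log volume is pooled into a single tier schedule before the rates apply. The following added code (not from the original post or from AWS) reproduces that example and generalises it to any volume, using the US-East rates quoted on the page.

```python
# Added example: GuardDuty monthly charge calculator using the US-East
# (N. Virginia) rates quoted on the page. Not AWS code.

CLOUDTRAIL_RATE_PER_MILLION = 4.00

# Flow-log + DNS-log tiers as (upper bound in GB, price per GB);
# None marks the open-ended top tier ("over 2,500 GB").
LOG_TIERS = [
    (500, 1.00),    # first 500 GB
    (2500, 0.50),   # next 2,000 GB (500 GB -> 2,500 GB)
    (None, 0.25),   # everything above 2,500 GB
]


def tiered_charge(volume_gb: float, tiers=LOG_TIERS) -> float:
    """Charge for volume_gb under a tiered-volume price schedule."""
    total, lower = 0.0, 0.0
    for upper, rate in tiers:
        if upper is None or volume_gb <= upper:
            total += (volume_gb - lower) * rate   # remainder in this tier
            break
        total += (upper - lower) * rate           # whole tier consumed
        lower = upper
    return round(total, 2)


def monthly_charge(events: int, flow_gb: float, dns_gb: float) -> dict:
    """Itemised monthly GuardDuty charge.

    Flow logs and DNS logs share one volume tier, which is why the page's
    2,000 GB + 1,000 GB is billed as 500 + 2,000 + 500 GB rather than as
    two separate schedules.
    """
    cloudtrail = round(events / 1_000_000 * CLOUDTRAIL_RATE_PER_MILLION, 2)
    logs = tiered_charge(flow_gb + dns_gb)
    return {"cloudtrail": cloudtrail, "logs": logs,
            "total": round(cloudtrail + logs, 2)}


if __name__ == "__main__":
    print(monthly_charge(40_000_000, 2_000, 1_000))  # total 1785.0
```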
Enable Amazon GuardDuty
To use GuardDuty, you must first enable it. Use the following procedure to enable GuardDuty.
1. The IAM identity (user, role, or group) that you use to enable GuardDuty must have the required permissions. To grant the permissions required to enable GuardDuty, attach the following policy to an IAM user, group, or role:
Note: Replace the sample account ID in the example below with your actual AWS account ID.
GuardDuty offers the following options:
Findings
The Findings dashboard shows the issues detected in our AWS environment. It uses three colours, blue, orange and red, for low, medium and high severity findings respectively, which makes it easy to spot anything wrong in our AWS account.
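Findings are also delivered through Amazon CloudWatch Events, so the same low/medium/high bands the dashboard colours can drive automated handling. The following is an added example (not code from the post or from AWS): it parses a constructed GuardDuty finding event, applies GuardDuty's documented severity bands, and picks a hypothetical route per band; the account ID, finding ID and instance ID are placeholders.

```python
import json

# Constructed sample of the CloudWatch Events envelope for a GuardDuty
# finding. Account, finding and instance identifiers are placeholders.
SAMPLE_EVENT = json.dumps({
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/TorIPCaller",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0example"}},
        "service": {"count": 3, "archived": False},
    },
})

# GuardDuty's documented severity bands (console: blue / orange / red).
SEVERITY_BANDS = (("Low", 0.1, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 8.9))

# Hypothetical handling policy per band (example only).
ROUTES = {"Low": "archive", "Medium": "ticket", "High": "page"}


def severity_label(score: float) -> str:
    """Map a numeric GuardDuty severity to Low / Medium / High."""
    for label, lo, hi in SEVERITY_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"severity {score} is outside the documented bands")


def triage(raw_event: str) -> dict:
    """Summarise a GuardDuty finding event and choose a handling route."""
    event = json.loads(raw_event)
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    return {"id": d["id"], "type": d["type"], "account": d["accountId"],
            "region": d["region"], "count": d["service"]["count"],
            "severity": label, "route": ROUTES[label]}
```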
List management
Trusted IP lists consist of IP addresses that are whitelisted for secure communication with your AWS environment; GuardDuty does not generate findings for IP addresses included in trusted IP lists. Threat lists consist of known malicious IP addresses; GuardDuty generates findings for IP addresses included in threat lists.
Accounts
Member accounts share their findings with you. Members must first accept your invitation.
What's new in GuardDuty
- Amazon GuardDuty now allows you to set up automatic archiving when creating a findings filter.
- You can now extend your continuous security monitoring and threat detection to the EU (Paris) region.
- Twelve new threat detections have been added, including nine AWS CloudTrail-based anomaly detections that identify highly suspicious activity in accounts using the service. Customers can now detect sensitive API calls that change the security posture of an account or attempt to undermine the ability to monitor AWS activity.
- Two multi-account feature enhancements: 1) the number of possible associated accounts has increased from 100 to 1,000 member accounts; and 2) GuardDuty administrators can now manage custom threat intelligence lists in the GuardDuty master account and apply updates in up to 1,000 member accounts.
Amazon GuardDuty is a threat detection service that provides an accurate and easy way to continuously monitor and protect your AWS accounts and the applications and services running within them. With a few clicks in the AWS Management Console, GuardDuty immediately begins analyzing billions of events from AWS CloudTrail, VPC Flow Logs, and other AWS data sources.