Tuesday 2 April 2019

How to use AWS GuardDuty for monitoring AWS environment by Raj Gupta


Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a region that has never been used, or unusual API calls, like a password policy change to reduce password strength.
GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch Events. We can suspend or disable GuardDuty at any time to stop it from processing and analyzing events and logs.

Amazon GuardDuty Pricing: - Any account new to Amazon GuardDuty can try the service for 30 days at no cost. You will have access to the full feature set and detections during the free trial. GuardDuty will display the volume of data processed and the estimated daily average service charges for your account. This makes it easy for you to experience Amazon GuardDuty at no cost and to forecast the cost of the service beyond the free trial.

Amazon GuardDuty is priced along two dimensions. The dimensions are based on the quantity of AWS CloudTrail Events analyzed (per 1,000,000 events) and the volume of Amazon VPC Flow Log and DNS Log data analyzed (per GB).
  • CloudTrail Event analysis – GuardDuty continuously analyzes CloudTrail Events, monitoring all access and behavior of your AWS accounts and infrastructure. CloudTrail analysis is charged per 1,000,000 events per month and pro-rated.
  • VPC Flow Log and DNS Log analysis – GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your AWS accounts and workloads. Flow log and DNS log analysis is charged per Gigabyte (GB) per month. Flow log and DNS log analysis is offered with tiered volume discounts.

Pricing example (monthly), US-East (N. Virginia)
GuardDuty processes:
  • 40,000,000 CloudTrail events
  • 2,000 GB of VPC Flow Logs
  • 1,000 GB of DNS Query Logs (3,000 GB of log data in total, billed on the combined volume)
Charges =
     40 x $4.00 (per 1,000,000 events)
 + 500 x $1.00 (first 500 GB)
 + 2,000 x $0.50 (next 2,000 GB)
 + 500 x $0.25 (over 2,500 GB)
 = $1,785 per month
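The tiered arithmetic above, generalised into a small calculator as an added example (not from the original post). It uses the US-East rates quoted on the page and applies the GB tiers to the combined flow-log and DNS-log volume, exactly as the worked example does.

```python
# Added example: reproduce the GuardDuty pricing arithmetic shown on the page.
EVENT_PRICE_PER_MILLION = 4.00      # CloudTrail events, USD per 1,000,000 events

# (GB in tier, USD per GB); None means the tier has no upper bound
LOG_TIERS = [
    (500, 1.00),    # first 500 GB
    (2000, 0.50),   # next 2,000 GB
    (None, 0.25),   # everything over 2,500 GB
]


def log_analysis_cost(total_gb):
    """Monthly cost of VPC Flow Log + DNS Log analysis under tiered pricing."""
    remaining = total_gb
    cost = 0.0
    for size, price in LOG_TIERS:
        if remaining <= 0:
            break
        # the last tier (size None) absorbs whatever volume is left
        chunk = remaining if size is None else min(remaining, size)
        cost += chunk * price
        remaining -= chunk
    return cost


def guardduty_monthly_cost(events, flow_log_gb, dns_log_gb):
    """Monthly charge: CloudTrail events plus pooled flow-log and DNS-log volume."""
    event_cost = events / 1_000_000 * EVENT_PRICE_PER_MILLION
    # The page's example sums both log sources (2,000 + 1,000 GB) before
    # applying the tiers, so the tiers apply to the combined volume.
    return event_cost + log_analysis_cost(flow_log_gb + dns_log_gb)


if __name__ == "__main__":
    print(guardduty_monthly_cost(40_000_000, 2000, 1000))  # 1785.0
```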



Enable Amazon GuardDuty
To use GuardDuty, you must first enable it. Use the following procedure to enable GuardDuty.
1. The IAM identity (user, role, group) that you use to enable GuardDuty must have the required permissions. To grant the permissions required to enable GuardDuty, attach the following policy to an IAM user, group, or role:
Note
Replace the sample account ID in the example below with your actual AWS account ID.


GuardDuty offers the following options: -

Findings: -
The Findings dashboard shows the issues detected in our AWS environment. It uses three colors, blue, orange and red, for low, medium and high severity findings respectively, which makes it very easy to spot anything wrong that has happened in our AWS account.
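Findings also arrive as CloudWatch Events, so the same low/medium/high bands the console colours blue, orange and red can drive automated triage. The following is an added example, not code from the original post or from AWS; the events are constructed samples in the shape of a "GuardDuty Finding" event, and the ids, account id and severities are made up.

```python
# Added example: triage GuardDuty findings delivered through CloudWatch Events.

# Constructed sample events (not real findings). GuardDuty events carry
# "source": "aws.guardduty" and "detail-type": "GuardDuty Finding", with the
# finding itself under "detail".
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-0001", "accountId": "111122223333", "severity": 8,
                "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
                "resource": {"resourceType": "Instance"}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-0002", "accountId": "111122223333", "severity": 2,
                "type": "Stealth:IAMUser/PasswordPolicyChange",
                "resource": {"resourceType": "AccessKey"}}},
    # an unrelated event on the same bus, which the triage must ignore
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]


def severity_band(severity):
    """Map GuardDuty's numeric severity to the console's Low/Medium/High bands."""
    if severity < 4.0:
        return "LOW"      # shown in blue
    if severity < 7.0:
        return "MEDIUM"   # shown in orange
    return "HIGH"         # shown in red


def triage(event):
    """Reduce one CloudWatch event to a triage record, or None if not a finding."""
    if event.get("source") != "aws.guardduty" or \
            event.get("detail-type") != "GuardDuty Finding":
        return None
    f = event["detail"]
    return {"id": f["id"], "account": f["accountId"], "type": f["type"],
            "resource": f["resource"]["resourceType"],
            "band": severity_band(f["severity"])}


def triage_all(events, band=None):
    """Triage records for every finding, optionally only those in one band."""
    records = [r for r in (triage(e) for e in events) if r is not None]
    return [r for r in records if band is None or r["band"] == band]


if __name__ == "__main__":
    for record in triage_all(SAMPLE_EVENTS):
        print(record["band"], record["type"], record["resource"])
```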



Settings: - We can suspend or disable GuardDuty at any time.




List management
Trusted IP lists consist of IP addresses that are whitelisted for secure communication with your AWS environment. GuardDuty does not generate findings for IP addresses that are included in trusted IP lists. Threat lists consist of known malicious IP addresses. GuardDuty generates findings for IP addresses that are included in threat lists.
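Because a trusted IP list suppresses findings, it is worth checking the file before uploading it to S3 and registering it with GuardDuty. The following is an added example, not code from the original post or from AWS: it validates a plaintext list (one IP address or CIDR block per line, the simplest format GuardDuty accepts) for invalid lines, duplicates, and ranges broad enough to silence findings for a large part of the internet. The breadth threshold and the sample list are assumptions for this example.

```python
# Added example: sanity-check a plaintext IP list before using it as a GuardDuty
# trusted IP list. Entries are one address or CIDR per line.
import ipaddress

MAX_HOST_BITS = 8   # assumption: refuse trusted ranges broader than a /24 (IPv4)

# Constructed sample list using documentation address ranges; it deliberately
# contains a duplicate, an invalid line and an overly broad range.
SAMPLE_LIST = """\
203.0.113.0/24
198.51.100.7

198.51.100.7
10.0.0.0/8
not-an-ip
"""


def parse_ip_list(text):
    """Parse one address or CIDR per line; returns (networks, problems)."""
    networks, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are harmless
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IP address or CIDR: {line!r}")
            continue
        if net in seen:
            problems.append(f"line {lineno}: duplicate entry {net}")
            continue
        seen.add(net)
        networks.append(net)
    return networks, problems


def check_trusted_list(text, max_host_bits=MAX_HOST_BITS):
    """Problems that should block uploading this text as a trusted IP list."""
    networks, problems = parse_ip_list(text)
    for net in networks:
        # host bits = address bits not fixed by the prefix; works for v4 and v6
        if net.max_prefixlen - net.prefixlen > max_host_bits:
            problems.append(f"range {net} is broader than allowed; trusting it "
                            "would suppress findings for too many remote hosts")
    return problems


if __name__ == "__main__":
    for problem in check_trusted_list(SAMPLE_LIST):
        print(problem)
```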



Accounts: -
Member accounts share their findings with you. Members must first accept your invitation.



What's new in GuardDuty: -

Amazon GuardDuty now allows you to set up automatic archiving when creating a findings filter.
You can now extend your continuous security monitoring and threat detection to the EU (Paris) region.
We've added twelve new threat detections, including nine AWS CloudTrail-based anomaly detections that identify highly suspicious activity in accounts utilizing the service. Customers can now detect sensitive API calls that change the security posture of an account or attempt to undermine the ability to monitor AWS activities.
Two multi-account feature enhancements: 1) we increased the number of possible associated accounts from 100 to 1,000 member accounts; and 2) GuardDuty administrators can now manage custom threat intelligence lists in the GuardDuty master account and apply updates in up to 1,000 member accounts.
Amazon GuardDuty is a threat detection service that provides you with an accurate and easy way to continuously monitor and protect your AWS accounts and the applications and services running within them. With a few clicks in the AWS Management Console, GuardDuty immediately begins analyzing billions of events from AWS CloudTrail, VPC Flow Logs, and other AWS data sources.



Free trial: -



