DEV Community

ojo temitope seun

AWS GUARDDUTY

What is Amazon GuardDuty?
Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors and analyzes activity within your AWS environment for malicious activity and anomalous behavior, to help protect your AWS accounts, workloads, and data. GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify threats such as unusual API calls, potentially compromised instances, unauthorized access attempts, and cryptocurrency mining.

BENEFITS OF GUARDDUTY

  1. Continuous Monitoring: GuardDuty continuously analyzes events and log data from AWS data sources including AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect potential security threats.
  2. Threat Detection: It combines signature-based detection, anomaly detection, and machine learning to identify potential security threats and suspicious activity within your AWS environment.
  3. Integrated Threat Intelligence: GuardDuty integrates with AWS Security Hub and AWS Lambda, and draws on threat intelligence feeds from AWS as well as third-party sources to enhance its detection capabilities.
  4. Centralized Dashboard: GuardDuty provides a centralized dashboard where you can view security findings, prioritize alerts by severity, and investigate security incidents.
  5. Automated Remediation: GuardDuty can respond to certain types of security threats automatically by triggering AWS Lambda functions or Amazon CloudWatch Events (now Amazon EventBridge) rules that initiate remediation actions.
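The automated-remediation path in point 5 is usually an EventBridge rule that matches GuardDuty findings and invokes a Lambda function. The following is an added example, not code from the original post: it defines the rule's event pattern (only findings of severity 7 and above), a triage function that maps finding types to a response, and a Lambda handler. The sample event, the response mapping and the QUARANTINE_SG_ID environment variable are constructed for this example; the finding type names (Execution:EC2/MaliciousFile, UnauthorizedAccess:EC2/SSHBruteForce, Stealth:IAMUser/CloudTrailLoggingDisabled, Policy:IAMUser/RootCredentialUsage) are real GuardDuty finding types matching the categories listed later on this page.

```python
"""Route high-severity GuardDuty findings to a Lambda function and triage them.

Added example (not from the original post). The EventBridge pattern, the
sample event and the quarantine security group id are constructed here.
"""
import os

# EventBridge rule pattern: only GuardDuty findings with severity >= 7
# (HIGH and CRITICAL). "numeric" is EventBridge's content-filter operator.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Security group with no inbound/outbound rules, used to isolate an instance.
# Placeholder: set QUARANTINE_SG_ID in the Lambda environment.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "")

# Finding-type prefixes mapped to a response (mapping constructed for this
# example). Findings that match nothing are only forwarded for human review.
INSTANCE_ISOLATION_PREFIXES = (
    "Execution:EC2/",           # e.g. Execution:EC2/MaliciousFile (malware scan)
    "UnauthorizedAccess:EC2/",  # e.g. UnauthorizedAccess:EC2/SSHBruteForce
    "CryptoCurrency:EC2/",
)
IAM_REVIEW_PREFIXES = (
    "Stealth:IAMUser/",         # e.g. Stealth:IAMUser/CloudTrailLoggingDisabled
    "Policy:IAMUser/",          # e.g. Policy:IAMUser/RootCredentialUsage
)


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented label."""
    if severity >= 9.0:
        return "CRITICAL"
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(finding: dict) -> dict:
    """Decide a response for one finding (the 'detail' object of the event)."""
    ftype = finding["type"]
    severity = float(finding["severity"])
    resource = finding.get("resource", {})
    decision = {
        "finding_id": finding.get("id"),
        "type": ftype,
        "severity": severity_label(severity),
        "action": "notify",
        "target": None,
    }
    if ftype.startswith(INSTANCE_ISOLATION_PREFIXES) and severity >= 7.0:
        # Compromised or infected instance: cut it off from the network.
        decision["action"] = "isolate-instance"
        decision["target"] = resource.get("instanceDetails", {}).get("instanceId")
    elif ftype.startswith(IAM_REVIEW_PREFIXES):
        # Suspicious principal activity: flag the user for credential review.
        decision["action"] = "review-principal"
        decision["target"] = resource.get("accessKeyDetails", {}).get("userName")
    return decision


def isolate_instance(instance_id: str, sg_id: str) -> None:
    """Replace the instance's security groups with the quarantine group."""
    import boto3  # imported lazily so triage() is usable without AWS credentials

    ec2 = boto3.client("ec2")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])


def lambda_handler(event, context):
    """Lambda entry point for the EventBridge rule above."""
    decision = triage(event["detail"])
    if decision["action"] == "isolate-instance" and decision["target"] and QUARANTINE_SG_ID:
        isolate_instance(decision["target"], QUARANTINE_SG_ID)
    return decision


# Constructed, trimmed sample event in the shape EventBridge delivers.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "Execution:EC2/MaliciousFile",
        "severity": 8,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

With QUARANTINE_SG_ID unset the handler only returns the decision, which is the safe default while the rule is being tested; isolation is applied only once a quarantine security group is configured.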

WHAT ARE GUARDDUTY FINDINGS?
Findings indicate potential security issues due to malicious activity occurring in your AWS account.

Below are the types of Amazon GuardDuty findings:

1. Malware Protection
GuardDuty flags suspicious files found on an EC2 instance.

2. RDS Protection
GuardDuty detects anomalous behaviour against a relational database, such as failed login attempts.

3. EC2 Finding Types
Unauthorized access to an EC2 instance, for example via SSH brute force.

4. IAM Finding Types
An IAM user disabling CloudTrail logging, or root credentials being used.

The walkthrough below uses malware detection on an EC2 instance as the use case.
GuardDuty can scan an EC2 instance's workload to detect and flag any threat.
Below are the steps to implement this:

NETWORK DIAGRAM

[Network diagram image from the original post]

a. Enable GuardDuty on your account by clicking Get Started.

b. Launch a Microsoft Windows Server instance and download a test malware sample onto it.
The malware will not be detected automatically until you scan the instance with GuardDuty.

c. Malware scan with GuardDuty

Using the Malware Scans page:

In the navigation pane, choose Malware Scans.

Choose Start on-demand scan and provide the ARN of the Amazon EC2 instance for which you want to initiate the scan.

d. The result of the GuardDuty scan shows that a threat was found on the scanned Windows server, requiring urgent attention.
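The same on-demand scan (steps c and d) can be started and its result read through the GuardDuty API, which is how you would fold the scan into a pipeline rather than clicking through the console. The following is an added example using the boto3 GuardDuty client; it is not code from the original post. The instance ARN is a placeholder, and SAMPLE_FINDING is a constructed, trimmed finding in the PascalCase shape boto3's get_findings returns (note that findings delivered through EventBridge use camelCase keys instead). The boto3 calls used (list_detectors, start_malware_scan, describe_malware_scans, list_findings, get_findings) are real API operations.

```python
"""Start a GuardDuty on-demand malware scan from code and read the result.

Added example (not from the original post). The instance ARN is a
placeholder and SAMPLE_FINDING is constructed.
"""
import time

# Placeholder: ARN of the EC2 instance to scan (the value entered on the
# Malware Scans page). Format: arn:aws:ec2:<region>:<account-id>:instance/<instance-id>
INSTANCE_ARN = "arn:aws:ec2:REGION:ACCOUNT_ID:instance/INSTANCE_ID"
MALWARE_FINDING_TYPE = "Execution:EC2/MaliciousFile"


def instance_id_from_arn(resource_arn: str) -> str:
    """Extract the instance id from an EC2 instance ARN."""
    return resource_arn.rsplit("/", 1)[-1]


def summarize_malware_finding(finding: dict) -> dict:
    """Pull threat names and file paths out of one malware finding.

    get_findings() returns PascalCase keys; the detections live under
    Service.EbsVolumeScanDetails.ScanDetections.ThreatDetectedByName.ThreatNames.
    """
    scan = finding.get("Service", {}).get("EbsVolumeScanDetails", {})
    by_name = scan.get("ScanDetections", {}).get("ThreatDetectedByName", {})
    threats = []
    for threat in by_name.get("ThreatNames", []):
        threats.append({
            "name": threat.get("Name"),
            "severity": threat.get("Severity"),
            "paths": [fp.get("FilePath") for fp in threat.get("FilePaths", [])],
        })
    return {
        "instance_id": finding.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId"),
        "severity": finding.get("Severity"),
        "threat_count": len(threats),
        "threats": threats,
    }


def run_scan_and_report(resource_arn: str, poll_seconds: int = 30, timeout: int = 1800) -> list:
    """Start an on-demand scan, wait for it to finish, and return finding summaries."""
    import boto3  # lazy import so summarize_malware_finding() works offline

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    scan_id = gd.start_malware_scan(ResourceArn=resource_arn)["ScanId"]

    # Poll until the scan reaches a terminal status (RUNNING -> COMPLETED/FAILED/SKIPPED).
    deadline = time.time() + timeout
    while time.time() < deadline:
        scans = gd.describe_malware_scans(
            DetectorId=detector_id,
            FilterCriteria={"FilterCriterion": [
                {"CriterionKey": "SCAN_ID", "FilterCondition": {"EqualsValue": scan_id}}
            ]},
        )["Scans"]
        if scans and scans[0]["ScanStatus"] in ("COMPLETED", "FAILED", "SKIPPED"):
            break
        time.sleep(poll_seconds)

    # Fetch only malware findings for the scanned instance.
    finding_ids = gd.list_findings(
        DetectorId=detector_id,
        FindingCriteria={"Criterion": {
            "type": {"Eq": [MALWARE_FINDING_TYPE]},
            "resource.instanceDetails.instanceId": {"Eq": [instance_id_from_arn(resource_arn)]},
        }},
    )["FindingIds"]
    if not finding_ids:
        return []
    findings = gd.get_findings(DetectorId=detector_id, FindingIds=finding_ids)["Findings"]
    return [summarize_malware_finding(f) for f in findings]


# Constructed, trimmed finding in the shape get_findings() returns.
SAMPLE_FINDING = {
    "Type": MALWARE_FINDING_TYPE,
    "Severity": 8,
    "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"EbsVolumeScanDetails": {"ScanDetections": {"ThreatDetectedByName": {
        "ItemCount": 1,
        "ThreatNames": [{
            "Name": "EICAR-Test-File",
            "Severity": "HIGH",
            "ItemCount": 1,
            "FilePaths": [{"FilePath": "C:\\Users\\Administrator\\Downloads\\eicar.com"}],
        }],
    }}}},
}

if __name__ == "__main__":
    print(summarize_malware_finding(SAMPLE_FINDING))
```

A scan that reports SKIPPED rather than COMPLETED usually means the instance's volumes were not eligible (for example an unsupported volume type or a missing KMS permission), so the status is worth surfacing rather than treating "no findings" as "clean".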

CONCLUSION
Amazon GuardDuty has a variety of applications, one of which is malware detection, as explained in detail above. Feel free to follow these steps and practice on your own. Amazon GuardDuty offers 30 days of free use for you to explore and learn various uses of the tool. Thank you for your time; we would also appreciate your feedback and contribution.
