GuardDuty is one of the must-have security services on AWS. It performs threat analysis, such as flagging a suspicious login that did not occur before (for example, a request from an unexpected country), and uses threat intelligence to protect AWS accounts. It analyzes mainly the following services and logs:
· CloudTrail Event Logs: unusual API calls, unauthorized deployments
· CloudTrail Management Events: create VPC subnet, create trail
· CloudTrail S3 Data Events: get object, list object, delete object
· VPC Flow Logs: unusual internal traffic, unusual IP address
· DNS Logs: compromised EC2 instances sending encoded data within DNS queries
It also analyzes EKS Audit Logs, RDS and Aurora, EBS, Lambda, and S3 Data Events.
For findings such as CryptoCurrency attacks, blocking and other automatic actions can be taken with EventBridge. Let's examine a sample event flow with the diagram below.
As the diagram shows, GuardDuty receives logs from the log sources on the left; let's assume a suspicious situation has occurred. GuardDuty sends this finding to EventBridge, and from there we can send a notification with SNS or take action automatically using Lambda.
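The EventBridge-to-Lambda-to-SNS flow above, as an added example (not code from the post): an EventBridge rule pattern that only forwards High or Critical GuardDuty findings, a small matcher that applies it, and a Lambda handler that turns the finding into an SNS message. The sample finding, bucket name and account ID are constructed; the pattern syntax follows EventBridge's `numeric` clause with a single comparison.

```python
import json
# EventBridge rule pattern: forward only GuardDuty findings with severity >= 7.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def _clause_ok(clause, value):
    """A literal, or a single {"numeric": [op, bound]} test (no ranges)."""
    if isinstance(clause, dict) and "numeric" in clause:
        op, bound = clause["numeric"]
        return isinstance(value, (int, float)) and _OPS[op](value, bound)
    return clause == value

def matches(pattern, event):
    """Minimal EventBridge-style matcher: dict keys are AND'd, list items OR'd."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not any(_clause_ok(c, event[key]) for c in expected):
            return False
    return True

def severity_label(score):
    """GuardDuty bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9+."""
    return "Critical" if score >= 9 else "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def handler(event, context=None):
    """Lambda entry point: SNS message for a matching finding, else None."""
    if not matches(RULE_PATTERN, event):
        return None
    d = event["detail"]
    bucket = d.get("resource", {}).get("s3BucketDetails", [{}])[0].get("name")
    return {"subject": f"[GuardDuty {severity_label(d['severity'])}] {d['type']}",
            "message": json.dumps({"account": d.get("accountId"), "bucket": bucket,
                                   "title": d.get("title")})}

# Constructed sample event, shaped like an EventBridge-delivered GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Object:S3/MaliciousFile", "severity": 8, "accountId": "111122223333",
               "title": "Malicious object uploaded to testguard",
               "resource": {"s3BucketDetails": [{"name": "testguard"}]}},
}
```

In a real deployment the returned dict is what you hand to `sns.publish(TopicArn=..., Subject=..., Message=...)`; the pattern dict is what goes into the EventBridge rule.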
First, I create an S3 bucket.
Now let's walk through a scenario using GuardDuty. In the scenario I will use an S3 bucket and try to upload the EICAR test file there.
I created the S3 bucket (name: testguard) and went to GuardDuty.
We do not need all features. Click "GuardDuty Malware Protection for S3 only".
Browse S3 and choose the testguard bucket.
There is an important point here. We need to assign a role; otherwise GuardDuty cannot access the S3 bucket and protection cannot be enabled, because it is not authorized. For the required permissions, click "View permissions", copy the policy shown there, then on the IAM side create the role and policy with Create role, and attach that role in the GuardDuty permission setting.
Finally, we can upload EICAR (the malware test file).
And GuardDuty detects the malware file.
Top comments (1)
Great overview of AWS GuardDuty’s malware protection! For those exploring alternative solutions, our product bucketAV provides enhanced S3 malware scanning capabilities. Unlike GuardDuty, bucketAV offers customizable scanning options, real-time alerts, and comprehensive reporting designed specifically for S3 buckets. We’ve written a detailed comparison of bucketAV vs. GuardDuty for S3 here that dives deeper into the features we offer. This might be helpful for teams needing more flexibility and control over their S3 security.