Ref: https://learn.cantrill.io/courses/1820301/lectures/41301519

• Summary:
• Contents:

GuardDuty - Overview

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/2000-SECURITY_DEPLOYMENTS_OPERATIONS/00_LEARNINGAIDS/AmazonGuardduty-1.png

• 🔧 Continuous security monitoring service
  • Runs in the background, trying to protect account & resources from security issues
  • Uses ML/AI, plus threat intelligence feeds
• Constantly analyzes supported data sources:
  • DNS Logs from R53 (unusual DNS requests)
  • VPC Flow Logs (unusual internal traffic, unusual IP address)
  • CloudTrail Event Logs (unusual API calls, unauthorized deployments)
    • CT management events (unusual control plane events)
    • CT S3 data events (unusual interactions with S3 objects)
  • Optional features: EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 data events…
• Identifies unexpected and unauthorized activity
  • No need to define what that is, GuardDuty learns patterns & identifies intelligently
    • Customer can however influence this by whitelisting IPs or specifying okay behavior
  • Can notify of threats/findings or trigger event-driven protection/remediation
    • e.g. finding sent to EventBridge, which invokes a Lambda function to remediate by adding an explicit denial in a NACL
    • e.g. protect against CryptoCurrency attacks (dedicated “finding”)
• Support for multi-account management
  • Master-member architecture: master account can invite other accounts