{"id":93906,"date":"2024-03-05T17:58:50","date_gmt":"2024-03-05T12:28:50","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=93906"},"modified":"2024-03-22T15:28:13","modified_gmt":"2024-03-22T09:58:13","slug":"aws-guardduty","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/aws-guardduty\/","title":{"rendered":"How to turn on intelligent Threat Detection using Amazon GuardDuty"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Amazon GuardDuty is a fully managed threat detection service that monitors your AWS accounts and workloads for malicious or unauthorized behavior.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For an <\/span><a href=\"https:\/\/www.whizlabs.com\/aws-certified-cloud-practitioner\/\"><span style=\"font-weight: 400;\">AWS Certified Cloud Practitioner<\/span><\/a><span style=\"font-weight: 400;\">, securing the AWS environment is a core responsibility, and Amazon GuardDuty is one of the services that helps you do it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this blog, we explore Amazon GuardDuty and its features, how GuardDuty works, and how to turn on intelligent threat detection with it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Let\u2019s dive in!<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_is_AWS_GuardDuty\"><\/span><span style=\"font-weight: 400;\">What is AWS GuardDuty?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty is a threat detection service that monitors for unauthorized and malicious activity to protect your AWS accounts, your workloads, and the data stored in Amazon S3.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As soon as an IT or security administrator enables GuardDuty through the AWS Management Console, the managed service starts analyzing the AWS environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although there is a 30-day free trial when you enable GuardDuty, the service is not free. 
Pricing is based on the volume of VPC Flow Log and DNS log data analyzed per month and on the number of <a href=\"https:\/\/www.whizlabs.com\/blog\/aws-cloudtrail\/\" target=\"_blank\" rel=\"noopener\">AWS CloudTrail events<\/a> analyzed.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"AWS_GuardDuty_Features\"><\/span><span style=\"font-weight: 400;\">AWS GuardDuty Features<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><b>Accuracy<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty monitors continuously and in near real time to detect compromised accounts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It flags the kind of activity that follows a credential compromise, such as resources being accessed from unusual locations or at unexpected times.<\/span><\/p>\n<p><b>Continuous monitoring<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail, VPC Flow Logs, and DNS logs across your AWS accounts and workloads. Because accounts can be linked under one administrator account, detection is aggregated rather than handled account by account. 
Moreover, there is no need to manually collect, analyze, or correlate large volumes of AWS log data from many accounts.<\/span><\/p>\n<p><b>Threat severity levels<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty assigns each finding one of three severity levels to help you prioritize your response.\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A &#8220;Low&#8221; severity finding indicates attempted suspicious or malicious activity that did not compromise your resources, for example a port scan or a failed intrusion attempt.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A &#8220;Medium&#8221; severity finding indicates suspicious activity that deviates from normal behavior and may point to a compromise, such as a notable volume of traffic sent through the Tor network.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A &#8220;High&#8221; severity finding indicates that the resource in question, such as an Amazon EC2 instance or a set of IAM user credentials, is compromised and is actively being used for malicious purposes.<\/span><\/li>\n<\/ul>\n<p><b>Highly available threat detection<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty manages its own resource usage automatically across your AWS accounts, workloads, and Amazon S3 data, scaling detection capacity up when it is needed and back down when it is not.<\/span><\/p>\n<p><b>One-click deployment<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Configuring Amazon GuardDuty is simple: a single AWS account can be enabled with one click or one API request. With a few extra steps, you can enable GuardDuty across multiple accounts using the AWS Management Console. 
Additionally, GuardDuty natively supports multi-account setups and integrates with AWS Organizations.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_to_turn_on_intelligent_Threat_Detection_using_Amazon_GuardDuty\"><\/span><span style=\"font-weight: 400;\">How to turn on intelligent Threat Detection using Amazon GuardDuty<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In this guided hands-on lab, you will enable Amazon GuardDuty and explore some of its threat detection functionality.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To begin, open the <a href=\"https:\/\/www.whizlabs.com\/labs\/\">Whizlabs hands-on labs<\/a> page, type <a href=\"https:\/\/www.whizlabs.com\/labs\/introduction-to-amazon-guardduty\" target=\"_blank\" rel=\"noopener\">Amazon GuardDuty<\/a> in the search box, and open the lab page.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Follow the instructions given under the lab steps.\u00a0<\/span><\/p>\n<p><b>Task 1: Sign in to the AWS Management Console<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Click the &#8220;Open Console&#8221; button, and the AWS Console opens in a new browser tab. On the AWS sign-in page, leave the Account ID at its default value. Do not modify or remove the 12-digit Account ID shown there; if you do, you may not be able to proceed with the lab.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Copy your User Name and Password from the Lab Console into the IAM Username and Password fields in the AWS Console, then click &#8220;Sign in&#8221;.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once signed in to the AWS Management Console, set the AWS Region to US East (N. Virginia) by choosing us-east-1.<\/span><\/p>\n<p><em><span style=\"font-weight: 400;\">Note: There is no validation function for this lab.<\/span><\/em><\/p>\n<p><b>Task 2: Enabling Amazon GuardDuty<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Make sure the US East (N. Virginia) Region (us-east-1) is selected in the top right corner of the AWS Management Console.\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93923\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/free.jpg\" alt=\"free\" width=\"723\" height=\"314\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/free.jpg 723w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/free-300x130.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/free-150x65.jpg 150w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Navigate to the Services menu at the top, then click GuardDuty under the Security, Identity, and Compliance section. 
Click &#8220;Get started.&#8221;<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Click &#8220;Enable GuardDuty&#8221;; the service is activated with that single click.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93924\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings.jpg\" alt=\"findings\" width=\"1189\" height=\"401\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings.jpg 1189w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-300x101.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-1024x345.jpg 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-768x259.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-150x51.jpg 150w\" sizes=\"(max-width: 1189px) 100vw, 1189px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">On the Findings page you will see the message <strong>You don\u2019t have any findings<\/strong>, because GuardDuty has not yet observed any malicious activity in your AWS account. 
You can ignore this and any similar informational messages in the lab.<\/span><\/p>\n<p><b>Task 3: Exploring Amazon GuardDuty<\/b><\/p>\n<p><b>Settings<\/b><\/p>\n<p><span style=\"font-weight: 400;\">In the left panel, click &#8220;Settings.&#8221; You will find a Detector ID: the detector is the GuardDuty resource that represents the service in a Region, and its ID is what you pass to GuardDuty API calls and CLI commands.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93922\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/settings.jpg\" alt=\"settings\" width=\"752\" height=\"425\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/settings.jpg 752w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/settings-300x170.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/settings-150x85.jpg 150w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Under service roles, you can see the service-linked role that GuardDuty uses to read your data sources on your behalf.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Under findings export options, findings are automatically sent to CloudWatch Events (now Amazon EventBridge), and you can additionally export them to an S3 bucket. New findings are exported within 5 minutes; the export frequency for updated findings is configurable, and nothing needs to be changed for this lab.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you suspend GuardDuty, it stops monitoring your AWS environment and generates no new findings, but existing findings are preserved.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Disabling GuardDuty, by contrast, not only stops monitoring but also deletes your existing findings and configuration, and that data cannot be recovered later. Findings you have already exported to S3 are unaffected. In a production account, prefer suspending over disabling.<\/span><\/p>\n<p><b>Lists<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Select &#8220;Lists&#8221; beneath the &#8220;Settings&#8221; section. 
In the List Manager, you can add Trusted IP Lists and Threat IP Lists.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93925\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/list-management.jpg\" alt=\"list management\" width=\"947\" height=\"419\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/list-management.jpg 947w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/list-management-300x133.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/list-management-768x340.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/list-management-150x66.jpg 150w\" sizes=\"(max-width: 947px) 100vw, 947px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">A Trusted IP List contains IP addresses and CIDR ranges you have decided are safe to communicate with your AWS environment. GuardDuty does not generate findings for addresses on a trusted list, so only add addresses you control or have verified; an overly broad entry silently hides real attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Threat IP Lists, on the other hand, contain known malicious IP addresses. 
GuardDuty generates findings for any activity involving an address on a threat list, which lets you feed your own or a vendor&#8217;s threat intelligence into detection. Lists are uploaded from an S3 object, in plain text with one IP address or CIDR range per line (other threat-feed formats are also accepted). You can have one trusted IP list and up to six threat lists per account per Region, and in a multi-account setup only the administrator account&#8217;s lists are applied to member accounts.<\/span><\/p>\n<p><b>Accounts<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Click Accounts above Settings.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93926\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/accounts.jpg\" alt=\"accounts\" width=\"1014\" height=\"290\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/accounts.jpg 1014w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/accounts-300x86.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/accounts-768x220.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/accounts-150x43.jpg 150w\" sizes=\"(max-width: 1014px) 100vw, 1014px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">From here you can invite other accounts to enable GuardDuty and associate themselves with your account. Once an invitation is accepted, your account becomes the GuardDuty administrator account (AWS previously called this the master account).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The account that accepts the invitation becomes a member account linked to your administrator account. This lets you view and manage GuardDuty findings on behalf of the member account.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Note that an administrator account manages its members per Region, and the number of member accounts it can have is limited by a per-Region service quota; the delegated administrator section below discusses the limit.<\/span><\/p>\n<p><b>Task 4: Generating Sample Findings<\/b><\/p>\n<p><span style=\"font-weight: 400;\">To simulate security findings in your AWS account without any real attack, follow these steps:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Navigate to the &#8220;Settings&#8221; section from the left panel.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Scroll down and click &#8220;Generate sample findings.&#8221;<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93927\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts.jpg\" alt=\"findings of accounts\" width=\"931\" height=\"545\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts.jpg 931w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-300x176.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-768x450.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-150x88.jpg 150w\" sizes=\"(max-width: 931px) 100vw, 931px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Go to &#8220;Findings&#8221; in the left panel and wait for the loading process to complete. 
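<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The findings you just generated are JSON documents, and the same JSON is what CloudWatch Events (now Amazon EventBridge) hands to an AWS Lambda function when you automate a response (the section on how GuardDuty works, below, describes that path). The following is an added example written for this article, not code from the Whizlabs lab or from AWS: a Lambda-style handler that parses a finding, maps its numeric severity to the Low, Medium, and High labels shown in the console, ignores sample findings, and returns a containment action for the affected resource. The three events it processes are constructed; the account number, instance ID, access key ID, finding IDs and timestamp are placeholders, the severity bands come from the AWS documentation rather than from this page, and the assumption that sample findings carry service.additionalInfo.sample set to true should be confirmed against one of your own sample findings.<\/span><\/p>\n
```python
# Added example for this article, not code from the Whizlabs lab or from AWS: a
# Lambda-style responder for GuardDuty findings delivered via CloudWatch Events
# (EventBridge). The three events below are constructed; field names follow the
# GuardDuty finding JSON, the account number, IDs and timestamp are placeholders.
import json

# Numeric severity -> console label. The bands are the ones AWS documents
# (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9); re-check them against current docs.
def severity_label(score):
    if score >= 7.0:
        return 'High'
    if score >= 4.0:
        return 'Medium'
    if score >= 1.0:
        return 'Low'
    return 'Informational'

# (resourceType, identifier) for the resource kinds the article discusses.
def affected_resource(resource):
    rtype = resource.get('resourceType')
    if rtype == 'Instance':
        return rtype, resource['instanceDetails']['instanceId']
    if rtype == 'AccessKey':
        return rtype, resource['accessKeyDetails']['accessKeyId']
    if rtype == 'S3Bucket':
        return rtype, resource['s3BucketDetails'][0]['name']
    return rtype, None

# What a responder needs: account, Region, resource, severity, and whether this is
# a console-generated sample (assumption: samples carry additionalInfo.sample=True).
def summarize_finding(finding):
    rtype, rid = affected_resource(finding.get('resource', {}))
    extra = finding.get('service', {}).get('additionalInfo', {})
    return {
        'id': finding['id'],
        'type': finding['type'],
        'account': finding['accountId'],
        'region': finding['region'],
        'severity': finding['severity'],
        'label': severity_label(finding['severity']),
        'resource_type': rtype,
        'resource_id': rid,
        'sample': bool(extra.get('sample', False)),
    }

# Samples are never acted on; High findings on an instance or key get containment,
# Medium opens a ticket, Low is only logged. Actions are returned, not executed.
def choose_response(summary):
    if summary['sample']:
        return 'ignore-sample'
    if summary['label'] == 'High':
        if summary['resource_type'] == 'Instance':
            return 'isolate-instance'       # e.g. attach a quarantine security group
        if summary['resource_type'] == 'AccessKey':
            return 'deactivate-access-key'  # e.g. set the key status to Inactive
        return 'page-on-call'
    if summary['label'] == 'Medium':
        return 'open-ticket'
    return 'log-only'

# Lambda entry point for an EventBridge rule that matches GuardDuty findings.
def handler(event, context=None):
    if event.get('source') != 'aws.guardduty' or event.get('detail-type') != 'GuardDuty Finding':
        return {'action': 'ignore-non-guardduty'}
    summary = summarize_finding(event['detail'])
    summary['action'] = choose_response(summary)
    return summary

# EventBridge event pattern that forwards only High findings (severity >= 7).
def high_severity_event_pattern():
    return {'source': ['aws.guardduty'],
            'detail-type': ['GuardDuty Finding'],
            'detail': {'severity': [{'numeric': ['>=', 7]}]}}

# Wrap a finding in the envelope EventBridge delivers it in (constructed).
def make_event(finding):
    return {'version': '0', 'id': 'constructed-event-id', 'detail-type': 'GuardDuty Finding',
            'source': 'aws.guardduty', 'account': finding['accountId'],
            'region': finding['region'], 'time': '2024-03-05T12:00:00Z',
            'resources': [], 'detail': finding}

# Minimal finding body with the fields the handler reads (constructed).
def make_finding(fid, ftype, severity, resource, sample=False):
    return {'schemaVersion': '2.0', 'accountId': '111122223333', 'region': 'us-east-1',
            'id': fid, 'type': ftype, 'severity': severity, 'resource': resource,
            'service': {'serviceName': 'guardduty', 'additionalInfo': {'sample': sample}}}

INSTANCE = {'resourceType': 'Instance', 'instanceDetails': {'instanceId': 'i-0123456789abcdef0'}}
KEY = {'resourceType': 'AccessKey', 'accessKeyDetails': {'accessKeyId': 'AKIAIOSFODNN7EXAMPLE'}}

# Low-severity sample finding, like those 'Generate sample findings' creates.
SAMPLE_SSH_EVENT = make_event(make_finding('constructed-1', 'UnauthorizedAccess:EC2/SSHBruteForce', 2, INSTANCE, sample=True))
# Constructed High-severity finding: the same instance is mining cryptocurrency.
CRYPTO_EVENT = make_event(make_finding('constructed-2', 'CryptoCurrency:EC2/BitcoinTool.B!DNS', 8, INSTANCE))
# Constructed Medium finding: a key used from an address on one of your threat lists.
KEY_EVENT = make_event(make_finding('constructed-3', 'UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom', 5, KEY))

if __name__ == '__main__':
    for event in (SAMPLE_SSH_EVENT, CRYPTO_EVENT, KEY_EVENT):
        print(json.dumps(handler(event), indent=2))
```
<p><span style=\"font-weight: 400;\">Run it directly to print the three triage results. The actions are returned as strings rather than executed, so the handler is safe to run outside AWS; a production version would call the EC2 and IAM APIs behind isolate-instance and deactivate-access-key, and should itself be exercised with sample findings before it is trusted, which is exactly why the ignore-sample branch exists. Attach the handler to a rule built from high_severity_event_pattern() if only High findings should reach it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">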
Once it loads, the findings list shows the generated findings; each is marked as a sample in its title so it cannot be mistaken for real activity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is a safe way to produce findings on demand, so use it to test the export and response automation you build around GuardDuty before a real incident.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can filter the list by criteria such as severity, finding type, or affected resource.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93928\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-1.jpg\" alt=\"filter\" width=\"931\" height=\"545\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-1.jpg 931w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-1-300x176.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-1-768x450.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/findings-of-accounts-1-150x88.jpg 150w\" sizes=\"(max-width: 931px) 100vw, 931px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Click one of the sample findings.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can see parameters such as severity, Region, Account ID, Resource ID, the resource affected, and the action that triggered the finding.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93931\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara.jpg\" alt=\"filterpara\" width=\"1142\" height=\"564\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara.jpg 1142w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara-300x148.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara-1024x506.jpg 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara-768x379.jpg 768w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/filterpara-150x74.jpg 150w\" sizes=\"(max-width: 1142px) 100vw, 1142px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Go through the samples to see how the different severities are presented.<\/span><\/p>\n<p><b>Task 5: Validation of the Lab<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Once the lab steps are completed, click the Validation button on the right-side panel.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93921\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/validatelab.jpg\" alt=\"validatelab\" width=\"778\" height=\"404\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/validatelab.jpg 778w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/validatelab-300x156.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/validatelab-768x399.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/validatelab-150x78.jpg 150w\" sizes=\"(max-width: 778px) 100vw, 778px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This validates the resources in the AWS account and shows whether you have completed the lab successfully.<\/span><\/p>\n<p><b>Task 6: Disabling GuardDuty<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Go to Settings and, under Suspend GuardDuty, click Disable GuardDuty to stop the service.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Click Disable to confirm. GuardDuty is now disabled; remember that this deletes the detector and its findings, which is fine for a lab account but not something to do casually in production.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93920\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/disable-guarduty.jpg\" alt=\"disable guarduty\" width=\"671\" height=\"294\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/disable-guarduty.jpg 671w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/disable-guarduty-300x131.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/disable-guarduty-150x66.jpg 150w\" sizes=\"(max-width: 671px) 100vw, 671px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"AWS_GuardDuty_Use_Cases\"><\/span><span style=\"font-weight: 400;\">AWS GuardDuty Use Cases<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Protect your compute workloads: detect whether an <a href=\"https:\/\/www.whizlabs.com\/labs\/introduction-to-amazon-elastic-compute-cloud-ec2\">EC2 instance<\/a> is mining cryptocurrency or communicating with IP addresses and domains associated with known malicious actors.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Protect your AWS credentials: detect whether your AWS credentials are being used in an unusual or suspicious way, such as from IP addresses associated with known malicious actors, or in a manner that differs from their established behavior.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Protect your data in Amazon S3: identify when data in your S3 buckets is accessed in a suspicious way, such as an unusual volume of objects being retrieved from an unusual location, or a bucket being accessed from IP addresses associated with known malicious actors.<\/span><\/li>\n<\/ul>\n<blockquote><p><span style=\"font-weight: 400;\">Also Read: Free<\/span><a href=\"https:\/\/www.whizlabs.com\/blog\/aws-cloud-practitioner-certification-questions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\"> AWS Cloud Practitioner Exam Questions<\/span><\/a><\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"How_does_AWS_GuardDuty_work\"><\/span><span style=\"font-weight: 400;\">How does AWS 
GuardDuty work?<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Amazon GuardDuty continuously analyzes AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs to detect potential security threats. It combines threat intelligence feeds, anomaly detection, and machine learning models developed by the AWS security team, and evaluates the data in near real time.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-93932\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working.jpg\" alt=\"amazonguarduty working\" width=\"1289\" height=\"533\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working.jpg 1289w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working-300x124.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working-1024x423.jpg 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working-768x318.jpg 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2024\/03\/amazonguarduty-working-150x62.jpg 150w\" sizes=\"(max-width: 1289px) 100vw, 1289px\" \/><\/p>\n<p style=\"text-align: center;\">Source: <a href=\"https:\/\/aws.amazon.com\/guardduty\/\" target=\"_blank\" rel=\"nofollow noopener\">AWS<\/a><\/p>\n<p><span style=\"font-weight: 400;\">GuardDuty groups the threats it detects into three broad categories:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Attacker reconnaissance:<\/strong> patterns of failed logins, unusual API activity, and port scanning.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Compromised resources:<\/strong> cryptojacking, abnormal increases in network traffic, and 
unauthorized access to EC2 instances from an external IP address.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><strong>Compromised accounts:<\/strong> API calls from unexpected locations, attempts to disable CloudTrail, and unusual deployments of instances or infrastructure.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">GuardDuty does not let you write custom detection rules. What you can tune is the input and the output: trusted and threat IP lists adjust which addresses are treated as safe or malicious, suppression rules automatically archive findings that match a filter you define, and you can mark individual findings as useful or not useful to give AWS feedback.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each finding is a JSON document, visible in the console and retrievable through the API, and is also delivered to CloudWatch Events (now Amazon EventBridge). That event stream is where automation hooks in: an EventBridge rule can match findings of a given type or severity and invoke an AWS Lambda function that, for example, isolates an instance or deactivates an access key.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Findings are retained in the GuardDuty console and API for 90 days; export them to S3 if you need a longer history.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"GuardDuty_accounts_management\"><\/span><span style=\"font-weight: 400;\">GuardDuty accounts management\u00a0<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">When GuardDuty is used with an AWS Organizations organization, you can delegate its administration to any account in the organization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Only the organization management account can designate the GuardDuty delegated administrator.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">GuardDuty is automatically enabled in the chosen Region for the delegated administrator account, which also gains the authority to enable and manage GuardDuty for all accounts in the organization within that Region.<\/span><\/p>\n<p><span 
style=\"font-weight: 400;\">The delegated administrator can view the other accounts in the organization and add them as GuardDuty member accounts.<\/span><\/p>\n<div class=\"ast-oembed-container \" style=\"height: 100%;\"><iframe title=\"What is Amazon GuardDuty? - What are the different ways to use Amazon GuardDuty? | Whizlabs\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/z7HXekonZCQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<h3><span class=\"ez-toc-section\" id=\"Key_considerations_for_GuardDuty_delegated_administrators\"><\/span><span style=\"font-weight: 400;\">Key considerations for GuardDuty delegated administrators<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">GuardDuty limits each delegated administrator to a maximum of 5000 member accounts. 
While this is enough for most organizations, those approaching it can track the total number of accounts under the &#8220;Accounts&#8221; section in the GuardDuty console.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">GuardDuty notifies you through several channels <strong>if the number of member accounts exceeds the 5000 limit<\/strong>: CloudWatch, the AWS Health Dashboard, and an email to the delegated administrator account.<\/span><\/p>\n<p><strong><em>It&#8217;s essential to note that GuardDuty is a Regional service, unlike AWS Organizations.\u00a0<\/em><\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Consequently, the delegated administrator and its member accounts must be set up in every Region you want to cover; enabling GuardDuty through AWS Organizations in one Region does nothing for the others, and an attacker who operates in an unmonitored Region leaves no findings.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">An organization can have only one GuardDuty delegated administrator, and an account can be a member of only one administrator.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The organization management account can serve as the delegated administrator, but AWS security best practice advises against it, in keeping with the principle of least privilege: the management account should be used as little as possible.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Notably, changing the delegated administrator does not disable GuardDuty for member accounts. 
When a delegated administrator is removed, all associated member accounts stop being GuardDuty members, but GuardDuty is not disabled in those accounts.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Amazon_GuardDuty_Pricing\"><\/span><span style=\"font-weight: 400;\">Amazon GuardDuty Pricing<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">When you first enable it, AWS provides a complimentary <strong>30-day full-access trial<\/strong> of Amazon GuardDuty so you can evaluate it. During the trial, the GuardDuty console shows an estimated cost, that is, what your usage would have cost without the free trial, so you can budget before it ends.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The price of analyzing AWS log data depends on how much data is analyzed.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CloudTrail event analysis is charged per million events per month, whereas VPC Flow Log and DNS log analysis is charged per gigabyte per month.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Prices vary by Region but typically follow these tiers:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Service<\/b><\/td>\n<td><b>Usage Tier<\/b><\/td>\n<td><b>Price per Unit<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">VPC Flow Log and DNS Log Analysis<\/span><\/td>\n<td><span style=\"font-weight: 400;\">First 500 GB \/ month<\/span><\/td>\n<td><span style=\"font-weight: 400;\">$1.00 per GB<\/span><\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><span style=\"font-weight: 400;\">Next 2000 GB \/ month<\/span><\/td>\n<td><span style=\"font-weight: 400;\">$0.50 per GB<\/span><\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><span style=\"font-weight: 400;\">Over 2500 GB \/ month<\/span><\/td>\n<td><span style=\"font-weight: 400;\">$0.25 per GB<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">AWS CloudTrail Event 
Analysis<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Per 1,000,000 events\/month<\/span><\/td>\n<td><span style=\"font-weight: 400;\">$4.00 per 1,000,000<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">GuardDuty offers continuous monitoring of your infrastructure and keeps costs proportional to usage by billing only for the volume of log data it actually analyzes.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><span style=\"font-weight: 400;\">Conclusion<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">By following the outlined steps, you can enable GuardDuty with just a click or an API request. The service is designed to automatically monitor and assess potential threats, allowing you to customize settings based on your security preferences.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With its ability to adapt to varying resource utilization needs, GuardDuty provides a proactive defence against suspicious or malicious activities.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By leveraging its three severity categories, Low, Medium, and High, GuardDuty assists in prioritising responses to potential threats, ensuring a robust and dynamic security posture for your AWS accounts and workloads.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Amazon GuardDuty is a fully managed threat detection service that monitors for malicious or unauthorized behavior to ensure the security of your AWS accounts and workloads. As an AWS Certified Cloud Practitioner, it is crucial to ensure the security of the AWS infrastructure, and you can achieve it with the help of Amazon GuardDuty. In this blog, we are going to explore Amazon GuardDuty and its features, the working of Amazon GuardDuty, and how to achieve intelligent Threat Detection using Amazon GuardDuty. 
Let\u2019s dive in! What is AWS GuardDuty? Amazon GuardDuty is a threat monitoring service that keeps an eye [&hellip;]<\/p>\n","protected":false},"author":389,"featured_media":93961,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[4],"tags":[5121,5120],"class_list":["post-93906","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-amazon-guardduty","tag-aws-guardduty"],"uagb_author_info":{"display_name":"Karthikeyani Velusamy","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/karthikeyani-velusamy\/"},"uagb_comment_info":2}