Introduction to Amazon GuardDuty
Amazon GuardDuty is an intelligent threat-detection service that monitors your accounts and workloads to detect malicious activity and unauthorized behavior across your AWS environment. Amazon GuardDuty combines Machine Learning (ML), anomaly detection, and malicious file discovery, using industry-leading sources and AWS to detect malicious activities and give insights so that we can remediate them. Amazon GuardDuty analyses multiple events across multiple AWS sources, AWS CloudTrail logs, DNS query logs, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon Simple Storage Service (Amazon S3) data events, Amazon Aurora login events, runtime activity for Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS)—including serverless container workloads on AWS Fargate and Amazon Elastic Compute Cloud (Amazon EC2) (Preview). The Amazon GuardDuty generated findings are sent to Amazon Detective for deep investigation, Amazon EventBridge to implement remediation, and Amazon Security Hub.
Figure 1: Amazon GuardDuty
Amazon GuardDuty findings are the potential issues discovered in AWS resources, which give information about the resource affected, account, tags, network, instance ID, etc. But it would be very useful if we could get more insights like which particular task running on the EC2 instance did this and how we will get this quicker.
Amazon ECS Runtime Monitoring
Runtime Monitoring gives more insights into actual operating system activity so that we can pinpoint what is responsible for these security findings. Runtime monitoring gives insights about a process, a network connection, or a downloaded file. Once you enable runtime monitoring for Amazon ECS, we can gather more insights on the impact on task ID rather than insights resulting from the impact on instances. Also, it depicts the whether multiple containers are involved in the connectivity problem.
Once you enable Automated Agent configuration for the AWS Fargate task, GuardDuty will add a sidebar container for each container workload within that task to get visibility into the runtime behavior of containers.
Figure 2: Enable Runtime Monitoring and Automated Agent Configuration
Figure 3: Amazon ECS Account settings
When you create an Amazon ECS cluster to run your containerized application, the findings will be generated by runtime monitoring and visible in the Amazon GuardDuty console.
Figure 4: Amazon ECS Cluster runtime coverage
Now, Runtime Monitoring will analyze Amazon ECS and detect threats across compute options on AWS.
|Amazon EC2 (Preview)
|Node-level Network (IP& DNS)
|Malware Detection (EBS)
|Container level Network (IP & DNS)
|Container Specific threats
|Process event threat detection
Table 1: Threat detection for Compute workloads
Expertly Migrate diverse Microsoft Workloads to AWS with CloudThat, Your Advanced AWS Migration Partner
- Seamless Migration
- Cost Optimization
- Usage Efficiency
Malware protection helps detect malware by scanning Amazon Elastic Block Store (Amazon EBS) volumes attached to the Amazon EC2 and container workload. Malware Protection provides malware scan options where we can include or exclude specific Amazon EC2 and container workloads. It also provides an option to retain the snapshots of Amazon EBS volumes. Only the snapshots are retained when malware is detected, and a finding is generated. You can perform either GuardDuty-initiated or on-demand malware scan.
|GuardDuty-initiated malware scan
|On-demand malware scan
|How the scan gets invoked
|If the findings are generated, then GuardDuty automatically initiates an agentless malware scan on the Amazon EBS volume attached to the impacted resource.
|Even though GuardDuty findings are not generated for your resource, you can initiate an On-demand malware scan using instance ARN.
|you must enable a GuardDuty-initiated malware scan for your account
|GuardDuty must be enabled in the account.
|Wait time to initiate a new scan
|Automatically initiates only once every 24 hours.
|The new scan will start only after 1 hour.
|free trial period
|once enabled, the availability of the 30-day
|no free trial period
Go to Malware Protection and enable GuardDuty initiated malware scan. For an On-demand malware scan, simply add the ARN of the instance you want to scan and start the scan.
Once an on-demand malware scan is completed, you will see the scan result is either clean or infected.
Amazon GuardDuty is a threat detection service that continuously analyses data generated from different sources and generates security findings. Runtime monitoring gives more context to the threat by analyzing impacted resources more granularly. Malware protection can scan Amazon EBS volumes for potential malware.
Enable smarter efficient workflows through Amazon MLOps Eco-system
- Improve speed
- Reduce time
- Zero downtime
Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the Cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients in all the major Cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Migration, Data Platforms, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than 8 awards combined in 11 years. Recently, it was recognized as the ‘Think Big’ partner from AWS and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging their position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.
WRITTEN BY Rashmi D