Monitor AWS GuardDuty Configuration Changes. AWS GuardDuty is a managed threat detection service that continuously analyzes your VPC flow logs, AWS CloudTrail event logs and DNS logs for malicious or unauthorized behavior. The service watches for activity such as unusual API calls, potentially compromised EC2 instances or potentially unauthorized deployments that indicate a possible AWS account compromise. GuardDuty runs entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications; it requires no software agents, sensors or network appliances.

GuardDuty combines threat intelligence feeds (for example, lists of known malicious IP addresses and domains) with machine learning to identify unexpected, potentially unauthorized and malicious activity in your cloud environment. For example, it can detect that an EC2 instance may be compromised because it is exchanging traffic with a known set of malicious IP addresses. Once the instance is flagged, you can immediately restrict its outbound traffic, which stops data loss until a security engineer can assess exactly what has occurred. GuardDuty can also detect unauthorized infrastructure deployments, such as EC2 instances launched in an AWS region that has never been used before, and unusual API calls, such as an IAM password policy change that weakens password requirements, as well as compromised instances being used for cryptocurrency mining or for serving malware.

When the service detects suspicious or unexpected behavior in your AWS environment, it generates a finding. A finding is a notification that contains the details about the potential security threat GuardDuty identified.
The finding details include what happened, which AWS resources were involved in the suspicious activity, when the activity was initiated, who the actor was, and so on.

This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Real-Time Threat Monitoring.

As a security best practice, you need to be aware of all configuration changes performed at the Amazon GuardDuty service level. The activity detected by Cloud Conformity RTMA could be, for example, a user action initiated through the AWS Management Console or an API request made programmatically with the AWS CLI, that triggers any of the GuardDuty operational events listed below:
"AcceptInvitation" - Accepts the invitation to be monitored by a master GuardDuty account.
"ArchiveFindings" - Archives AWS GuardDuty findings that are specified by a list of finding IDs.
"CreateDetector" - Creates a single Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. To enable GuardDuty within your AWS account, you must create a detector.
"CreateIPSet" - Creates an IPSet (a trusted IP list), which is a list of IP addresses trusted for secure communication with your AWS environment. GuardDuty does not generate findings for addresses on a trusted IP list, so anyone who can create or update an IPSet can suppress findings for their own infrastructure.
"CreateMembers" - Creates GuardDuty member accounts for the specified AWS account IDs. The current account, which must already have GuardDuty enabled, becomes the master GuardDuty account.
"CreateSampleFindings" - Creates sample findings of the types that are specified by a list of AWS GuardDuty finding types.
"CreateThreatIntelSet" - Creates a ThreatIntelSet, which is a list of known malicious IP addresses.
"DeclineInvitations" - Declines invitations that are sent to the selected AWS account (invitee) by the AWS accounts (inviters) that are specified by the account IDs.
"DeleteDetector" - Deletes the AWS GuardDuty detector that is specified by the detector ID. This disables GuardDuty in that region, and the existing findings and configuration are lost.
"DeleteIPSet" - Deletes the IPSet that is specified by the IPSet ID.
"DeleteInvitations" - Deletes invitations that are sent to the selected AWS account (invitee) by the AWS accounts (inviters) that are specified by their account IDs.
"DeleteMembers" - Deletes the Amazon GuardDuty member accounts that are specified by the account IDs.
"DeleteThreatIntelSet" - Deletes the ThreatIntelSet that is specified by the ThreatIntelSet ID.
"DisassociateFromMasterAccount" - Disassociates the current AWS GuardDuty member account from its master account.
"DisassociateMembers" - Disassociates the GuardDuty member accounts that are specified by the account IDs from their master account.
"InviteMembers" - Invites other AWS accounts to enable Amazon GuardDuty and become GuardDuty member accounts.
"StartMonitoringMembers" - Re-enables Amazon GuardDuty to monitor findings of the member accounts that are specified by the account IDs.
"StopMonitoringMembers" - Disables AWS GuardDuty from monitoring findings of the member accounts that are specified by the account IDs.
"UnarchiveFindings" - Unarchives Amazon GuardDuty service findings that are specified by the list of finding IDs.
"UpdateDetector" - Updates the AWS GuardDuty detector that is specified by the detector ID, including whether the detector is enabled. Updating the detector with Enable set to false suspends GuardDuty in that region.
"UpdateFindingsFeedback" - Marks specified Amazon GuardDuty findings as useful or not useful.
"UpdateIPSet" - Updates the IPSet that is specified by the IPSet ID.
"UpdateThreatIntelSet" - Updates the GuardDuty ThreatIntelSet that is specified by the ThreatIntelSet ID.
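The list above is the trigger set for the rule; what a practitioner usually wants next is the detection logic behind it. The Python below is an added example, not Cloud Conformity's RTMA implementation and not GuardDuty code: it builds an EventBridge-style event pattern for the 23 watched API calls and runs a local classifier over a few constructed CloudTrail records, assigning a triage severity (the severity grouping is this example's own suggestion, not part of the rule). The record fields used (`eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters`) follow the CloudTrail record format; the `enable` key inside `requestParameters` for UpdateDetector, the `aws.guardduty` source string, the detector ID and all sample records are assumptions made for the example.

```python
"""Triage GuardDuty configuration-change events from CloudTrail records.

Added example, not Cloud Conformity's RTMA code. It covers the 23 GuardDuty
API calls listed above: an EventBridge-style pattern you could deploy to
catch them, plus a local classifier that assigns a triage severity and is
run over a few constructed CloudTrail records.
"""
import json

# Severity is this example's own judgement, not part of the rule:
# HIGH   - turns detection off, removes coverage, or suppresses findings
# MEDIUM - changes who is monitored or adds coverage
# LOW    - informational changes (sample findings, feedback, enabling)
HIGH = {
    "DeleteDetector", "UpdateDetector", "StopMonitoringMembers",
    "DisassociateFromMasterAccount", "DisassociateMembers", "DeleteMembers",
    "CreateIPSet", "UpdateIPSet", "DeleteThreatIntelSet",
    "UpdateThreatIntelSet", "ArchiveFindings",
}
MEDIUM = {
    "AcceptInvitation", "CreateMembers", "DeclineInvitations",
    "DeleteInvitations", "InviteMembers", "DeleteIPSet",
    "CreateThreatIntelSet", "StartMonitoringMembers",
}
LOW = {"CreateDetector", "CreateSampleFindings", "UnarchiveFindings",
       "UpdateFindingsFeedback"}
WATCHED = HIGH | MEDIUM | LOW


def event_pattern():
    """EventBridge pattern matching the watched GuardDuty API calls.
    The source and detail-type strings follow the EventBridge convention
    for CloudTrail API-call events (assumed here; verify in your account)."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["guardduty.amazonaws.com"],
            "eventName": sorted(WATCHED),
        },
    }


def classify(record):
    """Return (severity, summary) for a GuardDuty configuration change,
    or None when the CloudTrail record is not one of the watched calls."""
    if record.get("eventSource") != "guardduty.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in WATCHED:
        return None
    severity = "HIGH" if name in HIGH else "MEDIUM" if name in MEDIUM else "LOW"
    # UpdateDetector is routine unless it flips the detector off, which
    # suspends GuardDuty in that region. The `enable` key mirrors the API's
    # Enable parameter; its exact name in requestParameters is assumed.
    if name == "UpdateDetector":
        params = record.get("requestParameters") or {}
        severity = "HIGH" if params.get("enable") is False else "MEDIUM"
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")
    return severity, f"{name} by {actor} from {record.get('sourceIPAddress')}"


def triage(records):
    """Classify every record and return alerts, most severe first.
    sorted() is stable, so log order is kept within a severity level."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    alerts = [a for a in map(classify, records) if a is not None]
    return sorted(alerts, key=lambda a: rank[a[0]])


# Constructed CloudTrail records, trimmed to the fields used above.
DETECTOR = "12abc34d567e8f4912ab3456c789d0ef"  # made-up detector ID
SAMPLE_RECORDS = [
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"detectorId": DETECTOR}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"detectorId": DETECTOR, "enable": False}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "CreateIPSet",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Deployer"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"detectorId": DETECTOR, "name": "trusted-partners",
                           "activate": True}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateFindingsFeedback",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "192.0.2.44",
     "requestParameters": {"detectorId": DETECTOR, "feedback": "USEFUL"}},
    # Read-only call: not a configuration change, must not alert.
    {"eventSource": "guardduty.amazonaws.com", "eventName": "ListDetectors",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "192.0.2.44"},
    # Different service entirely.
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "192.0.2.44"},
]

if __name__ == "__main__":
    print(json.dumps(event_pattern(), indent=2))
    for severity, summary in triage(SAMPLE_RECORDS):
        print(f"[{severity}] {summary}")
```

Running the script prints the event pattern (ready to paste into an EventBridge rule, after checking the source string against your own CloudTrail events) followed by three HIGH alerts and one LOW alert; the read-only ListDetectors call and the EC2 call produce nothing. The point of the severity split is that DeleteDetector, UpdateDetector with Enable set to false, StopMonitoringMembers and a new trusted IP list are the changes an attacker makes to go quiet, so they deserve a pager rather than a daily digest.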
To adhere to AWS security best practices and implement the principle of least privilege (i.e. giving every user, process and system only the minimal access required to perform its tasks), Cloud Conformity strongly recommends that you avoid granting non-privileged IAM users permission to change the GuardDuty service configuration in your AWS account.
The communication channels for sending RTMA notifications can be quickly configured within your Cloud Conformity account. The supported channels for receiving configuration change alerts for Amazon GuardDuty are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.
Rationale
High visibility into your Amazon Web Services account activity is a key aspect of security and operational best practices. You rely on Amazon GuardDuty to protect the components of your AWS environment (AWS resources, IAM user passwords, API keys, guest operating systems, applications, etc.) against security threats, so any configuration change at the GuardDuty service level can weaken or silently disable that protection. Monitoring those changes is therefore vital for keeping your AWS account secure.