Amazon GuardDuty
- Intelligent threat detection service that protects AWS accounts
- Uses ML algorithms, anomaly detection, and third-party threat intelligence data
- Input data includes:
  - CloudTrail Event Logs - unusual API calls, unauthorized deployments
  - CloudTrail Management Events - create VPC subnet, create trail, …
  - CloudTrail S3 Data Events - get, list, delete object, …
  - VPC Flow Logs - unusual internal traffic, unusual IP addresses
  - DNS Logs - compromised EC2 instances sending encoded data within DNS queries
  - Optional features - EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events, …
- Can set EventBridge rules to be notified of findings
  - EventBridge rules can target AWS Lambda or SNS
- Can protect against cryptocurrency attacks (has dedicated findings for crypto-mining activity)
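The EventBridge-to-Lambda notification path described above, as an added example (not code from these notes or from AWS): the event pattern the rule would use, a local check that mirrors it, and a Lambda handler that extracts the fields an on-call engineer needs and hands a message to SNS. The SNS topic ARN is a placeholder, the `publish` callable stands in for `sns.publish` so the code runs without credentials, and the sample event is constructed rather than a real finding.

```python
"""Triage Amazon GuardDuty findings delivered by EventBridge to a Lambda function.

Added example; not code from the notes above or from AWS. It assumes an
EventBridge rule using GUARDDUTY_HIGH_SEVERITY_PATTERN targets a Lambda function
whose entry point is lambda_handler, and that SNS_TOPIC_ARN is replaced with a
real topic. SAMPLE_EVENT is constructed and is not a real finding.
"""
import json

# Placeholder ARN; replace with the operations team's SNS topic.
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:guardduty-high-severity"

# EventBridge event pattern for the rule. GuardDuty scores findings 1.0-10.0;
# the numeric filter keeps only High (7.0-8.9) and Critical (9.0-10.0) ones.
GUARDDUTY_HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

SEVERITY_THRESHOLD = 7.0


def severity_band(score):
    """Map GuardDuty's numeric severity onto its named bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def matches_rule(event):
    """Local check mirroring GUARDDUTY_HIGH_SEVERITY_PATTERN, useful in unit tests."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.guardduty"
        and event.get("detail-type") == "GuardDuty Finding"
        and float(detail.get("severity", 0)) >= SEVERITY_THRESHOLD
    )


def summarize_finding(event):
    """Extract the fields an on-call engineer needs from a finding event."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    score = float(detail["severity"])
    summary = {
        "finding_id": detail["id"],
        "account": detail["accountId"],
        "region": detail["region"],
        "type": detail["type"],
        "severity": score,
        "band": severity_band(score),
        "resource_type": resource.get("resourceType"),
        "title": detail.get("title", ""),
    }
    if resource.get("resourceType") == "Instance":
        summary["instance_id"] = resource.get("instanceDetails", {}).get("instanceId")
    return summary


def lambda_handler(event, context=None, publish=None):
    """Lambda entry point. Returns the routing decision; `publish` sends the message.

    In a deployment `publish` would wrap boto3's sns.publish(TopicArn, Subject,
    Message); it is injected so the logic runs without AWS credentials.
    """
    if not matches_rule(event):
        return {"action": "ignored", "reason": "below threshold or not a GuardDuty finding"}
    summary = summarize_finding(event)
    if publish is not None:
        publish(SNS_TOPIC_ARN, f"[GuardDuty {summary['band']}] {summary['type']}",
                json.dumps(summary, sort_keys=True))
    return {"action": "notified", "topic": SNS_TOPIC_ARN, "summary": summary}


# Constructed sample event in the shape EventBridge delivers (not a real finding).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "sample-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "title": "EC2 instance is querying a domain associated with cryptocurrency",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

if __name__ == "__main__":
    result = lambda_handler(SAMPLE_EVENT, publish=lambda topic, subject, msg: print("publish:", subject))
    print(json.dumps(result, indent=2))
```

The severity filter lives in the rule pattern so that Low and Medium findings never invoke the function; `matches_rule` repeats the same test in code only so the handler is safe to attach to a broader rule and so the behaviour can be unit-tested.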
Managing member accounts
- The Organization's delegated administrator account can manage GuardDuty for all member accounts centrally
- A member account managed by the admin cannot disable its own detector or disable protection plans by itself
- One detector is assigned per member account, and protection plans are controlled on that detector
- In other words, every member account has a different Detector ID
- Protection Plans
  - S3 Protection
  - EKS Protection
  - Runtime Monitoring
  - Malware Protection for EC2
  - RDS Protection
  - Lambda Protection
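A coverage audit over the member-account model described above (one detector per member, protection plans controlled per detector), as an added example that is not code from these notes or from AWS. `audit_members` is a pure function over dicts shaped like the GuardDuty `ListMembers` and `GetMemberDetectors` responses, with the feature names the API uses for each protection plan; `collect_members` performs the live calls with boto3 from the delegated administrator account and needs credentials. The member data and detector IDs are constructed.

```python
"""Audit GuardDuty coverage of an organization's member accounts.

Added example, not code from the notes above or from AWS. audit_members works
on dicts shaped like the GuardDuty ListMembers and GetMemberDetectors responses;
collect_members fetches them with boto3 from the delegated administrator account
(requires credentials, not exercised offline). SAMPLE_* data is constructed.
"""

# GuardDuty feature names as returned in the API's Features list, one per
# protection plan listed above.
REQUIRED_FEATURES = (
    "S3_DATA_EVENTS",          # S3 Protection
    "EKS_AUDIT_LOGS",          # EKS Protection
    "RUNTIME_MONITORING",      # Runtime Monitoring
    "EBS_MALWARE_PROTECTION",  # Malware Protection for EC2
    "RDS_LOGIN_EVENTS",        # RDS Protection
    "LAMBDA_NETWORK_LOGS",     # Lambda Protection
)


def audit_members(members, feature_configs, required=REQUIRED_FEATURES):
    """Return one record per member with its detector ID and coverage gaps.

    members: ListMembers 'Members' entries (AccountId, DetectorId, RelationshipStatus).
    feature_configs: GetMemberDetectors 'MemberDataSourceConfigurations' entries
        (AccountId, Features=[{Name, Status}]). A member with no entry has
        no enabled features.
    """
    features_by_account = {
        cfg["AccountId"]: {f["Name"]: f["Status"] for f in cfg.get("Features", [])}
        for cfg in feature_configs
    }
    report = []
    for m in members:
        statuses = features_by_account.get(m["AccountId"], {})
        enabled = {name for name, status in statuses.items() if status == "ENABLED"}
        missing = [name for name in required if name not in enabled]
        managed = m.get("RelationshipStatus") == "Enabled"
        report.append({
            "account": m["AccountId"],
            "detector_id": m.get("DetectorId"),   # each member has its own detector
            "relationship": m.get("RelationshipStatus"),
            "managed": managed,
            "missing_features": missing,
            "compliant": managed and not missing,
        })
    return report


def detector_ids_are_unique(report):
    """Each member account owns its own detector, so IDs must not repeat."""
    ids = [r["detector_id"] for r in report if r["detector_id"]]
    return len(ids) == len(set(ids))


def collect_members(admin_detector_id, region="us-east-1"):
    """Live collection from the delegated admin account (requires boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run without it
    gd = boto3.client("guardduty", region_name=region)
    members = []
    paginator = gd.get_paginator("list_members")
    for page in paginator.paginate(DetectorId=admin_detector_id, OnlyAssociated="true"):
        members.extend(page.get("Members", []))
    configs = []
    account_ids = [m["AccountId"] for m in members]
    for i in range(0, len(account_ids), 50):  # GetMemberDetectors takes up to 50 accounts per call
        resp = gd.get_member_detectors(DetectorId=admin_detector_id, AccountIds=account_ids[i:i + 50])
        configs.extend(resp.get("MemberDataSourceConfigurations", []))
    return members, configs


# Constructed sample data (placeholder account and detector IDs).
SAMPLE_MEMBERS = [
    {"AccountId": "111111111111", "DetectorId": "12abcd0000000000000000000000000a", "RelationshipStatus": "Enabled"},
    {"AccountId": "222222222222", "DetectorId": "12abcd0000000000000000000000000b", "RelationshipStatus": "Enabled"},
    {"AccountId": "333333333333", "DetectorId": "12abcd0000000000000000000000000c", "RelationshipStatus": "Disabled"},
]
SAMPLE_CONFIGS = [
    {"AccountId": "111111111111",
     "Features": [{"Name": n, "Status": "ENABLED"} for n in REQUIRED_FEATURES]},
    {"AccountId": "222222222222",
     "Features": [{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
                  {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}]},
]

if __name__ == "__main__":
    for row in audit_members(SAMPLE_MEMBERS, SAMPLE_CONFIGS):
        print(row["account"], row["detector_id"], "OK" if row["compliant"] else row["missing_features"])
```

Run against live data by replacing the sample lists with `collect_members("<admin detector id>")`; a member whose relationship is not `Enabled`, or whose detector lacks a required feature, shows up as non-compliant so the delegated admin can re-enable it centrally.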
References
- Amazon GuardDuty ECS Runtime Monitoring Overview | Amazon Web Services