Amazon GuardDuty - Amazon GuardDuty User Guide



Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is GuardDuty? . 1
  Pricing for GuardDuty . 1
  Accessing GuardDuty . 1
Getting started . 2
  Before you begin . 2
  Step 1: Enable Amazon GuardDuty . 3
  Step 2: Generate sample findings and explore basic operations . 4
  Step 3: Configure GuardDuty findings export to an S3 bucket . 5
  Step 4: Set up GuardDuty finding alerts through SNS . 6
  Next steps . 7
Concepts and terminology . 9
Data sources . 11
  AWS CloudTrail event logs . 11
    How GuardDuty Handles AWS CloudTrail Global Events . 11
    AWS CloudTrail management events . 12
    AWS CloudTrail data events for S3 . 12
  Kubernetes audit logs . 12
  VPC flow logs . 13
  DNS logs . 13
Kubernetes protection . 14
  Understanding how GuardDuty uses Kubernetes data sources . 14
  Configuring Kubernetes protection for a standalone account . 14
    To enable or disable Kubernetes protection . 14
  Configuring Kubernetes protection in multiple-account environments . 15
    Automatically enabling Kubernetes protection for Organization member accounts . 15
    To manually enable or disable Kubernetes protection in member accounts . 16
    Automatically disabling Kubernetes protection for new GuardDuty accounts . 17
S3 protection . 18
  Understanding how GuardDuty uses S3 data events . 18
  Configuring S3 protection for a standalone account . 14
    To enable or disable S3 protection . 14
  Configuring S3 protection in multiple-account environments . 19
    Automatically enabling S3 protection for Organization member accounts . 19
    To selectively enable or disable S3 protection in member accounts . 20
    Automatically disabling S3 protection for new GuardDuty accounts . 21
Understanding findings . 22
  Finding details . 22
    Finding summary . 22
    Resource . 23
    Action . 25
    Actor or Target . 26
    Additional information . 26
    Evidence . 26
    Anomalous behavior . 27
  GuardDuty finding format . 28
    Threat Purposes . 28
  Sample findings . 30
    Generating sample findings through the GuardDuty console or API . 30
    Automatically generating common GuardDuty findings . 31
  Severity levels for GuardDuty findings . 32
  GuardDuty finding aggregation . 33
  Locating and analyzing GuardDuty findings . 34
Finding types . 35
  EC2 finding types . 35
    Backdoor:EC2/C&CActivity.B
    Backdoor:EC2/C&CActivity.B!DNS
    Backdoor:EC2/DenialOfService.Dns
    Backdoor:EC2/DenialOfService.Tcp
    Backdoor:EC2/DenialOfService.Udp
    Backdoor:EC2/DenialOfService.UdpOnTcpPorts
    Backdoor:EC2/DenialOfService.UnusualProtocol
    Backdoor:EC2/Spambot
    Behavior:EC2/NetworkPortUnusual
    Behavior:EC2/TrafficVolumeUnusual
    CryptoCurrency:EC2/BitcoinTool.B
    CryptoCurrency:EC2/BitcoinTool.B!DNS
    Impact:EC2/AbusedDomainRequest.Reputation
    Impact:EC2/BitcoinDomainRequest.Reputation
    Impact:EC2/MaliciousDomainRequest.Reputation
    Impact:EC2/PortSweep
    Impact:EC2/SuspiciousDomainRequest.Reputation
    Impact:EC2/WinRMBruteForce
    Recon:EC2/PortProbeEMRUnprotectedPort
    Recon:EC2/PortProbeUnprotectedPort
    Recon:EC2/Portscan
    Trojan:EC2/BlackholeTraffic
    Trojan:EC2/BlackholeTraffic!DNS
    Trojan:EC2/DGADomainRequest.B
    Trojan:EC2/DGADomainRequest.C!DNS
    Trojan:EC2/DNSDataExfiltration
    Trojan:EC2/DriveBySourceTraffic!DNS
    Trojan:EC2/DropPoint
    Trojan:EC2/DropPoint!DNS
    Trojan:EC2/PhishingDomainRequest!DNS
    UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
    UnauthorizedAccess:EC2/MetadataDNSRebind
    UnauthorizedAccess:EC2/RDPBruteForce
    UnauthorizedAccess:EC2/SSHBruteForce
    UnauthorizedAccess:EC2/TorClient
    UnauthorizedAccess:EC2/TorRelay
  S3 finding types
    Discovery:S3/MaliciousIPCaller
    Discovery:S3/MaliciousIPCaller.Custom
    Discovery:S3/TorIPCaller
    Exfiltration:S3/MaliciousIPCaller
    Exfiltration:S3/ObjectRead.Unusual
    Impact:S3/MaliciousIPCaller
    PenTest:S3/KaliLinux
    PenTest:S3/ParrotLinux
    PenTest:S3/PentooLinux
    Policy:S3/AccountBlockPublicAccessDisabled
    Policy:S3/BucketAnonymousAccessGranted
    Policy:S3/BucketBlockPublicAccessDisabled
    Policy:S3/BucketPublicAccessGranted
    Stealth:S3/ServerAccessLoggingDisabled
    UnauthorizedAccess:S3/MaliciousIPCaller.Custom
    UnauthorizedAccess:S3/TorIPCaller
  IAM finding types
    CredentialAccess:IAMUser/AnomalousBehavior
    DefenseEvasion:IAMUser/AnomalousBehavior
    Discovery:IAMUser/AnomalousBehavior
    Exfiltration:IAMUser/AnomalousBehavior
    Impact:IAMUser/AnomalousBehavior
    InitialAccess:IAMUser/AnomalousBehavior
    PenTest:IAMUser/KaliLinux
    PenTest:IAMUser/ParrotLinux
    PenTest:IAMUser/PentooLinux
    Persistence:IAMUser/AnomalousBehavior
    Policy:IAMUser/RootCredentialUsage
    PrivilegeEscalation:IAMUser/AnomalousBehavior
    Recon:IAMUser/MaliciousIPCaller
    Recon:IAMUser/MaliciousIPCaller.Custom
    Recon:IAMUser/TorIPCaller
    Stealth:IAMUser/CloudTrailLoggingDisabled
    Stealth:IAMUser/PasswordPolicyChange
    UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
    UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
    UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
    UnauthorizedAccess:IAMUser/MaliciousIPCaller
    UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
    UnauthorizedAccess:IAMUser/TorIPCaller
  Kubernetes finding types
    CredentialAccess:Kubernetes/MaliciousIPCaller
    CredentialAccess:Kubernetes/MaliciousIPCaller.Custom
    CredentialAccess:Kubernetes/SuccessfulAnonymousAccess
    CredentialAccess:Kubernetes/TorIPCaller
    DefenseEvasion:Kubernetes/MaliciousIPCaller
    DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom
    DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess
    DefenseEvasion:Kubernetes/TorIPCaller
    Discovery:Kubernetes/MaliciousIPCaller
    Discovery:Kubernetes/MaliciousIPCaller.Custom
    Discovery:Kubernetes/SuccessfulAnonymousAccess
    Discovery:Kubernetes/TorIPCaller
    Execution:Kubernetes/ExecInKubeSystemPod
    Impact:Kubernetes/MaliciousIPCaller
    Impact:Kubernetes/MaliciousIPCaller.Custom
    Impact:Kubernetes/SuccessfulAnonymousAccess
    Impact:Kubernetes/TorIPCaller
    Persistence:Kubernetes/ContainerWithSensitiveMount
    Persistence:Kubernetes/MaliciousIPCaller
    Persistence:Kubernetes/MaliciousIPCaller.Custom
    Persistence:Kubernetes/SuccessfulAnonymousAccess
    Persistence:Kubernetes/TorIPCaller
    Policy:Kubernetes/AdminAccessToDefaultServiceAccount
    Policy:Kubernetes/AnonymousAccessGranted
    Policy:Kubernetes/ExposedDashboard
    Policy:Kubernetes/KubeflowDashboardExposed
    PrivilegeEscalation:Kubernetes/PrivilegedContainer
  Retired finding types
    Impact:S3/PermissionsModification.Unusual
    Impact:S3/ObjectDelete.Unusual
    Discovery:S3/BucketEnumeration.Unusual
    Persistence:IAMUser/NetworkPermissions
    Persistence:IAMUser/ResourcePermissions
    Persistence:IAMUser/UserPermissions
    PrivilegeEscalation:IAMUser/AdministrativePermissions
    Recon:IAMUser/NetworkPermissions
    Recon:IAMUser/ResourcePermissions . 89
    Recon:IAMUser/UserPermissions . 90
    ResourceConsumption:IAMUser/ComputeResources . 90
    Stealth:IAMUser/LoggingConfigurationModified . 91
    UnauthorizedAccess:IAMUser/ConsoleLogin . 91
    UnauthorizedAccess:EC2/TorIPCaller . 92
    Backdoor:EC2/XORDDOS . 92
    Behavior:IAMUser/InstanceLaunchUnusual . 92
    CryptoCurrency:EC2/BitcoinTool.A . 93
    UnauthorizedAccess:IAMUser/UnusualASNCaller . 93
  Findings by resource type . 93
    Findings table . 93
Managing findings . 100
  Filtering findings . 100
    Creating filters in the GuardDuty console . 100
    Filter attributes . 101
  Suppression rules . 103
    Common use cases for suppression rules and examples . 104
    To create suppression rules in GuardDuty . 105
  Trusted IP and threat lists . 106
    List formats . 107
    Permissions required to upload trusted IP lists and threat lists . 107
    Using server-side encryption for trusted IP lists and threat lists . 108
    To upload trusted IP lists and threat lists . 108
    To activate or deactivate trusted IP lists and threat lists . 109
    To update trusted IP lists and threat lists . 109
  Exporting findings . 110
    Permissions required to configure findings export . 110
    Granting GuardDuty permission to a KMS key . 111
    Granting GuardDuty permissions to a bucket . 112
    Exporting findings to a bucket with the Console . 114
    Export access error . 116
    Export update frequency . 116
  Automating responses with CloudWatch Events . 116
    CloudWatch Events notification frequency for GuardDuty . 117
    CloudWatch event format for GuardDuty . 118
    Creating a CloudWatch Events rule to notify you of GuardDuty findings (console) . 118
    Creating a CloudWatch Events rule and target for GuardDuty (CLI) . 122
    CloudWatch Events for GuardDuty multi-account environments . 123
  Remediating findings . 125
    Remediating a compromised EC2 instance . 125
    Remediating a compromised S3 Bucket . 125
    Remediating compromised AWS credentials . 127
    Remediating Kubernetes findings . 127
      Configuration issues . 128
      Compromised users . 128
      Compromised pods . 130
      Compromised container images . 131
      Compromised nodes . 131
Managing multiple accounts . 133
  Managing multiple accounts with AWS Organizations . 133
  Managing multiple accounts by invitation . 133
  GuardDuty administrator and member account relationships . 133
  Managing accounts with AWS Organizations . 135
    Important considerations for GuardDuty delegated administrators . 135
    Permissions required to designate a delegated administrator
    Designating a GuardDuty delegated administrator
    Consolidating GuardDuty administrator accounts under a single organization delegated administrator
    De-registering a GuardDuty delegated administrator
  Managing accounts by invitation
    Designating administrator and member accounts through invitation (console)
    Designating GuardDuty administrator and member accounts through invitation (API)
    Enable GuardDuty in multiple accounts simultaneously
Estimating costs
  Understanding how usage costs are calculated
  Review GuardDuty usage statistics (Console)
  Review GuardDuty usage statistics (API)
Security
  Data protection

What is Amazon GuardDuty?

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following