Enabling Amazon GuardDuty – Event Management with Security Hub and GuardDuty – SCS-C02 Study Guide

Enabling Amazon GuardDuty

Amazon GuardDuty is a regional service. You must first select the region where you will enable the service; once that is done, enabling it takes only a few clicks. Just complete the following steps:

  1. From the AWS Management Console, find the GuardDuty service by going to Services > Security, Identity, & Compliance > GuardDuty, or search for GuardDuty in the top search bar.
  2. Once on the GuardDuty page, click the orange Get Started button to enable the GuardDuty service.
  3. This will bring you to the Enable GuardDuty page. GuardDuty needs to create a service role that lets it read the account data it monitors in order to protect your account. Click the orange Enable GuardDuty button at the bottom of the page to grant that role and enable the service.

After enabling GuardDuty, you will be brought to the main GuardDuty page (that is, the Findings page) by default. Since you have just enabled the service, three zeros in the page’s top right-hand corner should indicate no high-, medium-, or low-severity alerts.

Figure 6.2: The severity alert count for GuardDuty

Customizing GuardDuty

With GuardDuty enabled, you can customize the service to meet your organization’s needs.

Combining GuardDuty with the CloudWatch Events service allows you to match specific severity levels to automated remediations and/or alerts sent to a particular SNS topic. GuardDuty rates each finding on a numerical scale, broken down into the following three categories:

  • High-severity findings have a value in the range 7.0–8.9
  • Medium-severity findings have a value in the range 4.0–6.9
  • Low-severity findings have a value in the range 1.0–3.9

If the severity is not at a high level (say, for instance, if it is a 4 or 5), then you may only want to have the security team notified via the messaging channel (e.g., MS Teams or Slack) that they are constantly monitoring. Conversely, if the severity level is high (such as 7 or 8), you may want the security team and an executive stakeholder notified so that a response plan can be prepared, just in case it is needed.
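As an added illustration of the routing described above (example code written for this page, not from the study guide or from AWS), the following Python writes one EventBridge-style event pattern per severity band using EventBridge's `numeric` matching syntax, and pairs it with a small matcher that implements only the pattern features used here, so the routing can be exercised offline against a constructed finding event. The SNS topic ARNs are placeholder assumptions; a finding whose severity falls outside the three bands matches no rule and is returned as unrouted, which is exactly the gap a missing rule would leave in production.

```python
"""Route GuardDuty findings by severity band (added example, not study-guide code).

One EventBridge-style event pattern per band, written with EventBridge's
numeric matching syntax, plus a small matcher that implements just the
pattern features used here so the routing can be exercised offline.
"""

# Severity bands exactly as the text gives them.
BANDS = {
    "high": (7.0, 8.9),
    "medium": (4.0, 6.9),
    "low": (1.0, 3.9),
}

# Event patterns in the shape an EventBridge rule would carry.
SEVERITY_PATTERNS = {
    band: {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", lo, "<=", hi]}]},
    }
    for band, (lo, hi) in BANDS.items()
}

# Placeholder targets (assumption): which SNS topics each band is sent to.
TARGETS = {
    "high": ["arn:aws:sns:REGION:ACCOUNT:security-team",
             "arn:aws:sns:REGION:ACCOUNT:exec-stakeholders"],
    "medium": ["arn:aws:sns:REGION:ACCOUNT:security-team"],
    "low": [],  # no notification; left for the dashboard
}

_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_match(value, conditions):
    """conditions is an operator/bound list such as [">=", 7.0, "<=", 8.9]; all must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False  # a string such as "8" must not satisfy a numeric rule
    return all(_OPS[op](value, bound)
               for op, bound in zip(conditions[0::2], conditions[1::2]))


def _match_leaf(value, alternatives):
    """A leaf pattern is a list: the event value must match at least one entry."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_match(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False


def matches(event, pattern):
    """Every key in the pattern must be present in the event and match (AND across keys)."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(event[key], sub):
                return False
        elif not _match_leaf(event[key], sub):
            return False
    return True


def route(event):
    """Return (band, target_topics) for a finding event; (None, []) when no rule matches."""
    for band, pattern in SEVERITY_PATTERNS.items():
        if matches(event, pattern):
            return band, TARGETS[band]
    return None, []


def finding_event(severity):
    """Constructed sample event in the envelope EventBridge uses for GuardDuty findings."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"severity": severity, "id": "constructed-finding-0001"},
    }


if __name__ == "__main__":
    for sev in (8.0, 5.0, 2.5, 0.5):
        print(sev, route(finding_event(sev)))
```

The `SEVERITY_PATTERNS` dictionaries can be dropped into an EventBridge rule as-is; the matcher exists only so the bands can be checked against sample events before the rule is deployed, and it deliberately rejects a severity delivered as a string, which is the usual reason a numeric rule silently never fires.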

Triggering GuardDuty

You can try modifying something in your account to see how a finding would look in the GuardDuty service.

AWS has created a lab to simulate malware in a contained environment and generate findings in the GuardDuty service. You can find the files for this exercise at https://github.com/awslabs/amazon-guardduty-tester:

  1. Clone the repository to your computer by running the following command:

git clone https://github.com/awslabs/amazon-guardduty-tester.git

  2. Now that you have the CloudFormation template and testing scripts available locally, go to your AWS Management Console and run the template from the CloudFormation service. You can get there quickly by going to the following URL: https://console.aws.amazon.com/cloudformation/.
  3. Once in the CloudFormation service, under Stacks (if you have not already been taken there by default), click the Create Stack button so that additional menu items appear. Choose the option labeled With new resources (standard) to create a new CloudFormation stack.

Figure 6.3: The screen to create a CloudFormation stack

  4. On the Create Stack page, move to the section labeled Specify template. Choose the option labeled Upload a template file. Click the Upload File button and find the folder on your local drive named amazon-guardduty-tester. Inside that folder will be a file named guardduty-tester.template.

Figure 6.4: Upload a template file screen for GuardDuty

  5. Once you have selected the guardduty-tester.template file, press the orange Next button at the bottom of the page.
  6. You should now be on the Specify stack details page. Enter guardduty-tester as the name of the stack.

Figure 6.5: The stack name screen for GuardDuty

  7. In the Parameters section, under Availability Zones, as the prompt says, just select the first AZ to keep things simple.

Figure 6.6: The Availability Zones selection screen for GuardDuty

  8. The next item you should customize is Allowed Bastion External Access CIDR. Instead of leaving this open to the whole internet, enter your own public IP address followed by /32. This means that only your single IP address will be allowed to reach the bastion host.

Figure 6.7: The Bastion CIDR details screen for GuardDuty

  9. The final item that needs customization in the template is the key pair name. Use the dropdown to select one of your existing EC2 key pairs.
  10. After customizing the template, move to the bottom of the screen and press the orange Next button.
  11. This brings you to the Configure stack options screen; scroll down to the bottom of the page and click the orange Next button.
  12. You should now be on the Review guardduty-tester page. Once again, scroll down to the bottom of the page. Acknowledge that this template may create IAM resources by ticking the blue checkbox. Once done, press the orange Submit button to start creating the template's resources.

After around 10 minutes, the stack should have finished creating all the resources. You can now click on the Outputs tab and obtain the IP address of the Bastion host.

Figure 6.8: The GuardDuty Outputs screen

  13. Next, open a terminal window so that you can SSH into the Bastion IP address shown in the previous step. Log in to the instance with that IP and the username ec2-user, using the SSH key pair you selected when creating the stack:

ssh -i ~/.ssh/{your-ssh-key.pem} ec2-user@{Bastion IP}

  14. Once you have logged in to the Bastion host, you will be greeted with a shell prompt. Leaving that terminal open, go to the EC2 service in the AWS Management Console and look for an instance named RedTeam. Click on this instance and copy (or write down) its private IP address; you will need it in a moment.
  15. You must place your SSH private key on the Bastion host inside its ~/.ssh folder. On your local machine, display the contents of the key file so that you can copy and paste them into a new file on the Bastion host.
  16. Returning to your terminal on the Bastion host, create a file at the path ~/.ssh/{your-ssh-key.pem}. You can do this from the command line with the vim command:

vim ~/.ssh/{your-ssh-key.pem}

  17. Once the Vim editor has opened, paste the contents of your private key file.
  18. Save and close the file by pressing the Esc key and then typing :wq, the write-and-quit sequence in Vim. To make sure that the file has been saved correctly, run the following command:

cat ~/.ssh/{your-ssh-key.pem}

  19. After you have created the key file, restrict its permissions with the following command (ssh refuses to use a private key file that other users can read):

chmod 0600 ~/.ssh/{your-ssh-key.pem}

  20. With the key in the ~/.ssh folder on the Bastion host, you can now log in to the tester instance with the following command:

ssh -i ~/.ssh/{your-ssh-key.pem} ec2-user@{RedTeam EC2 IP}

  21. At this point in the exercise, you should be on the RedTeam EC2 instance. Here, you can run the guardduty_tester.sh script. Run the following command to generate the findings:

./guardduty_tester.sh

  22. Once you have generated the findings, you can clean up all of the instances and resources quickly by deleting the CloudFormation stack.
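As an added example, not from the study guide or from the amazon-guardduty-tester repository, the following Python performs the preflight checks that the bastion steps above quietly depend on: that the Allowed Bastion External Access CIDR really names a single host rather than the whole internet, and that the key file pasted onto the Bastion host is a complete PEM private key with mode 0600 before ssh is asked to use it. The file path and the key text are constructed placeholders; `demo()` walks a constructed key through the paste-then-chmod sequence and a deliberately truncated paste so each failure mode is visible.

```python
"""Preflight checks for the bastion hop (added example, not from the study guide or tester repo).

Before a private key is pasted onto the bastion and handed to ssh, confirm the
stack parameter and the key file are what the steps assume. Paths and key
text below are constructed placeholders.
"""
import ipaddress
import os
import stat
import tempfile


def bastion_cidr_is_single_host(cidr):
    """True only for an explicit single-host prefix (/32 for IPv4); rejects 0.0.0.0/0 and wider ranges."""
    if "/" not in cidr:
        return False  # the parameter expects CIDR notation, not a bare address
    try:
        network = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return network.num_addresses == 1


def key_file_issues(path):
    """Return the problems found with a pasted private key file (empty list when it is usable)."""
    if not os.path.isfile(path):
        return ["missing"]
    issues = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        issues.append(f"mode {oct(mode)} is not 0600; ssh will refuse to use the key")
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().strip().splitlines()
    well_formed = (
        len(lines) >= 3
        and lines[0].startswith("-----BEGIN ")
        and lines[0].endswith("PRIVATE KEY-----")
        and lines[-1].startswith("-----END ")
    )
    if not well_formed:
        issues.append("contents are not a PEM private key block; the paste was probably incomplete")
    return issues


# Constructed stand-in for a pasted key: the framing is real, the body is not a key.
CONSTRUCTED_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def demo():
    """Walk a constructed key through the paste-then-chmod sequence and report what each check saw."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed-key.pem")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_KEY)
        os.chmod(path, 0o644)              # typical mode right after saving from an editor
        before = key_file_issues(path)
        os.chmod(path, 0o600)              # the chmod step from the procedure
        after = key_file_issues(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_KEY.splitlines()[0] + "\n")  # simulate a truncated paste
        truncated = key_file_issues(path)
    return {"before_chmod": before, "after_chmod": after, "truncated_paste": truncated}


if __name__ == "__main__":
    print(bastion_cidr_is_single_host("203.0.113.10/32"), bastion_cidr_is_single_host("0.0.0.0/0"))
    print(demo())
```

Run `key_file_issues` on the Bastion host against the pasted file in place of a bare `cat`: it catches the two things a visual check misses, a missing final line and a mode that ssh will reject. If you would rather not copy the private key onto the bastion at all, OpenSSH's ProxyJump option (`ssh -J ec2-user@{Bastion IP} ec2-user@{RedTeam EC2 IP}`) reaches the RedTeam instance through the bastion while the key stays on your own machine.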

After learning how to enable Amazon GuardDuty and trigger it using a few scripts, the next step is to review the findings and see how the GuardDuty service detects unusual activity.