A while back I wrote about AWS Control Tower and how it is the best way to secure multi-account AWS environments. That was part of a larger series covering essential cloud security services, and today I will go over another excellent AWS service: Amazon GuardDuty. If you have worked in the cloud before, you know that it follows a shared responsibility model: the cloud provider secures the underlying platform, while customers are responsible for the security of their workloads. This is the same across AWS, Azure and GCP, and a proper cloud security posture usually involves a mixture of native and commercial cloud security services.

One of the best native cloud security services available to AWS customers is Amazon GuardDuty.

Why do you need Amazon GuardDuty?

Simply put, if you have a busy cloud environment, there will be too many events for you to monitor manually. You can offload this to a Security Operations Center (SOC) team that monitors your environment 24/7, but even then the risk of alert fatigue remains. This is where Amazon GuardDuty comes in and saves the day.

GuardDuty is a threat detection service that uses machine learning to continuously monitor your environment. It gathers data from several data sources and, using its AI-based algorithms, builds a baseline of what is normal and what isn't.

The best thing about these algorithms is that they are maintained and managed by AWS, who do the hard work of maintaining and optimizing them for the cloud. You can use GuardDuty in its simplest form via the dashboard, integrate it with your SIEM solution, or even automate it to take action on your behalf!

How easy is it to implement Amazon GuardDuty?

Being a managed service, Amazon GuardDuty can be enabled with just a few clicks, with no deployment work on your side. It starts analyzing your environment and building a baseline from its own copies of the data streams it sets up, so you have a fully managed threat detection service running in minutes! How long it takes to generate findings depends on the size of your AWS account, but you can generate sample findings to see it in action, as we will see.

Amazon GuardDuty is free initially

Best of all, you can try out Amazon GuardDuty free for 30 days and fully check out its functionality. You can view the estimated costs during this time to see how much it is going to cost you once the free trial finishes.

Amazon GuardDuty pricing has more details on pricing.

(Screenshot: how to find out the estimated cost)

GuardDuty Findings

Amazon GuardDuty has some pretty cool built-in threat detection that can alert you to unusual scans, compromised instances, cryptocurrency mining, unusual API calls and more. You can go ahead and generate sample findings similar to the ones below:

(Screenshot: sample findings)

As I mentioned earlier, these findings show up in the console and can simultaneously be sent to a ticketing system or a SIEM. You can also invoke built-in AWS services such as Lambda to auto-remediate the finding. For example, if you get an alert that a cloud server has been compromised, you can call a Lambda function that isolates that server automatically and alerts the security team.
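The isolate-and-alert flow described above, as an added example that is not code from the original post or from AWS: a Lambda handler that receives a GuardDuty finding from EventBridge, swaps the affected EC2 instance's security groups for a quarantine group when the severity is high enough, and notifies the security team through SNS. The environment variable names, the severity threshold, the `FakeClient` stub and the sample event are assumptions made for this illustration; the placeholder IDs and ARNs are not real resources.

```python
"""Added GuardDuty auto-remediation example (not the post's or AWS's own code).

On a GuardDuty finding delivered via EventBridge the handler:
  1. checks that the finding concerns an EC2 instance,
  2. replaces the instance's security groups with a quarantine group if the
     severity is High (assumed policy threshold),
  3. publishes an alert to an SNS topic for the security team.
Assumed (not in the post): env vars ISOLATION_SG_ID and ALERT_TOPIC_ARN name a
pre-created quarantine security group and SNS topic.
"""
import json
import os

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_THRESHOLD = 7.0  # only High findings trigger isolation (assumed policy)


def extract_instance_id(event):
    """Return the EC2 instance ID an EventBridge GuardDuty event refers to, or None."""
    if event.get("source") != "aws.guardduty":
        return None
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def should_isolate(event, threshold=SEVERITY_THRESHOLD):
    """Isolate only when the finding names an instance and is severe enough."""
    severity = float(event.get("detail", {}).get("severity", 0))
    return extract_instance_id(event) is not None and severity >= threshold


def handle_finding(event, ec2, sns, isolation_sg_id, topic_arn):
    """Core logic; boto3 clients are passed in so it can run without AWS access."""
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"action": "ignored", "reason": "not an EC2 instance finding"}
    detail = event["detail"]
    action = "alerted"
    if should_isolate(event):
        # Groups= replaces the whole security group list, so only the
        # quarantine group (which allows no traffic) remains on the instance.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
        action = "isolated"
    message = {
        "findingId": detail.get("id"),
        "type": detail.get("type"),
        "severity": detail.get("severity"),
        "instanceId": instance_id,
        "action": action,
    }
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"GuardDuty finding on {instance_id}: {action}",
        Message=json.dumps(message, indent=2),
    )
    return message


def lambda_handler(event, context):
    """Real Lambda entry point; boto3 is imported lazily so the logic is testable offline."""
    import boto3  # present in the Lambda runtime
    return handle_finding(event, boto3.client("ec2"), boto3.client("sns"),
                          os.environ["ISOLATION_SG_ID"], os.environ["ALERT_TOPIC_ARN"])


class FakeClient:
    """Records boto3-style calls so the handler can be exercised without credentials."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


# Constructed sample event in the shape EventBridge delivers GuardDuty findings
# (the finding type is a real GuardDuty type; IDs are placeholders).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    ec2, sns = FakeClient(), FakeClient()
    print(handle_finding(SAMPLE_EVENT, ec2, sns, "sg-quarantine-placeholder",
                         "arn:aws:sns:placeholder"))
    print(ec2.calls, sns.calls)
```

Keeping the decision logic separate from the boto3 calls is the design point: the fake clients let you unit-test the threshold and the "ignore non-EC2 findings" branch before wiring the function to a real EventBridge rule, and the same shape lets you add other resource types later without touching the isolation code.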

Is GuardDuty worth the hype?

To find out whether GuardDuty is really worth the hype, AWS engaged a neutral third party, Foregenix, to conduct an independent cyber-security assessment of GuardDuty and see how well it does in an actual incident. Foregenix carried out multiple tests in a lab environment using several complex attack playbooks. The results were compared with those of commercial third-party solutions, and the findings were impressive to say the least. In the report, which you can read here, Foregenix states that:

Foregenix determined that GuardDuty is at least as effective at detecting network level attacks as other market-leading IDS. They found GuardDuty to be simple to deploy and required no specialized skills to configure the service to function effectively. Also, with its inherent capability of analyzing DNS requests, VPC flow logs, and CloudTrail events, they concluded that GuardDuty was able to effectively identify threats that other IDS could not natively detect and required extensive manual customization to detect in the test environment.

Amazon GuardDuty is your friend in the cloud

I hope this was useful in convincing you to enable Amazon GuardDuty if you are using the AWS cloud. AWS is going to continue to develop and refine this product and introduce newer and more advanced detection techniques, and I will be covering more advanced Amazon GuardDuty use cases in the future.

Good luck in your cloud security journey!