During AWS re:Invent 2017, AWS launched its 11th security service in its on-going drive to help customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent threat-detection service. It allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then assesses the log data against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to Amazon GuardDuty and explain how it works and how to configure it, so that you can enable the service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.
By the end of this course you will be able to:
- Describe the Amazon GuardDuty service
- Manage and configure GuardDuty for single and multiple accounts
- Implement the correct permissions to both enable and manage GuardDuty
- Manage and resolve findings generated
- Explain how GuardDuty can play an important role within your organization
This course has been designed for individuals in the following roles:
- Security consultant/specialist
- Security analyst
- Security auditor
- Cloud architect
- Cloud operational support analyst
This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.
As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
Course: Identity & Access Management
Hello and welcome to this lecture where I want to talk about the different permissions required and used when using Amazon GuardDuty, both from a user perspective and from the service itself.
This lecture will primarily focus on the permissions needed to perform the following functions: access the Amazon GuardDuty dashboard, enable Amazon GuardDuty within a region, and manage your Trusted IP and Threat Lists. Before a user even begins to use Amazon GuardDuty, specific permissions are required to access the dashboard and enable the service. For example, if a user is trying to access the dashboard to enable GuardDuty in your AWS account but receives an error that prevents them from doing so, then it is most likely related to their permissions.
If the user selects Amazon GuardDuty from the homepage of the AWS Management Console, the following error message may appear, preventing them from accessing the GuardDuty dashboard. This error indicates that the user doesn't have the relevant permissions to access the GuardDuty service. They would need to speak to their administrator and ask them to revise their permissions for GuardDuty. However, if additional permissions were then given to that user by allowing all actions within GuardDuty using the following policy, they would be able to access the dashboard without an issue. This does not mean, however, that the user has all the permissions they need to initially enable the service within the region. If the user attempts to enable the service with the above permissions alone, they will receive the following error.
To enable the Amazon GuardDuty service, a user will need specific IAM permissions that allow them to create a service-linked role, which in turn allows GuardDuty to retrieve information about some of your resources. So although the user has full access to GuardDuty actions, the user will still need these additional permissions relating to IAM and service-linked roles.
AWS has created an AWS managed policy with the relevant permissions to allow you to enable GuardDuty within a region. The name of this policy is Amazon GuardDuty Full Access. This policy essentially allows full access to Amazon GuardDuty actions, with the added permission of being able to create the service-linked role, as shown in this policy. One point to be aware of with Amazon GuardDuty Full Access is that it doesn't allow you to upload a Trusted IP or Threat List, as this again requires different IAM permissions. If you do try to add a list with the Full Access policy, you will receive the following error.
To allow a user to manage your Trusted IP and Threat Lists, you will need to add the following permissions to the user, group or role. Do remember to replace the AWS account number with your own account. With all this in mind, AWS has provided a policy that you can create as a custom policy which gives you genuine full access to Amazon GuardDuty: access to the dashboard, the ability to enable the service in all regions, and the ability to perform operations within the service, including updating and managing Trusted IP and Threat Lists. This policy is as shown; however, you must remember to replace the AWS account number with your own. While I am on the topic of AWS managed policies, you may also notice that there is another AWS managed policy entitled Amazon GuardDuty Read Only Access. As expected, this policy gives the user read-only permissions to Amazon GuardDuty, allowing them to review findings.
Earlier I mentioned that GuardDuty uses the service-linked role during the enablement of the service. This role, AWS Service Role for Amazon GuardDuty, contains the following permissions. These give GuardDuty read-only visibility of your EC2 instances should a finding become known relating to one of these resources. If there is a finding against your EC2 instance, GuardDuty can use these permissions to retrieve metadata about the resource and present it in the finding it generates, to help resolve the security issue and threat. This service-linked role also has an associated trust relationship which allows Amazon GuardDuty to assume this role. Again, when this service is enabled in a region, these permissions are granted to Amazon GuardDuty automatically.
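The three permission tiers described above (GuardDuty actions alone, the added service-linked-role creation that enabling needs, and the added role-policy permissions that Trusted IP and Threat List uploads need), together with the trust relationship on the service-linked role, can be checked mechanically. The following is an added example, not code from the course or from AWS: a toy evaluator over IAM-style policy documents. The policy bodies are constructed to match what the lecture describes (the slides themselves are not reproduced here), so the "full access" policy approximates the AWS managed policy rather than quoting it; the account number is a placeholder; the action names (`guardduty:*`, `iam:CreateServiceLinkedRole`, `iam:PutRolePolicy`, `iam:DeleteRolePolicy`, `sts:AssumeRole`) and the service-linked role name are real IAM identifiers. Only Allow statements with Action, Resource and StringEquals/StringLike conditions are modelled; real IAM evaluation (explicit Deny, NotAction, SCPs, permission boundaries) is far richer.

```python
"""Toy IAM policy evaluator, added for this lecture (not AWS's own code).

Models the permission tiers the lecture walks through for a GuardDuty user:
  1. guardduty:* alone: dashboard opens, enabling fails
  2. plus iam:CreateServiceLinkedRole scoped to guardduty.amazonaws.com:
     enabling works, uploading a Trusted IP or Threat List fails
  3. plus iam:PutRolePolicy / iam:DeleteRolePolicy on the service-linked
     role: lists can be managed
It also checks the trust relationship that lets guardduty.amazonaws.com
assume the service-linked role.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id; use your own account number
SLR_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
           "guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(value, patterns):
    """IAM-style wildcard match ('*' and '?') of value against any pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource="*", context=None):
    """True if some Allow statement in `policy` matches action, resource and conditions."""
    context = context or {}
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not _glob_any(action, st.get("Action", [])):
            continue
        if not _glob_any(resource, st.get("Resource", "*")):
            continue
        matched = True
        for op, pairs in st.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = context.get(key, "")
                if op == "StringEquals":
                    matched = matched and actual in _as_list(expected)
                elif op == "StringLike":
                    matched = matched and _glob_any(actual, expected)
                else:
                    matched = False  # unmodelled operator: fail closed
        if matched:
            return True
    return False


# Tier 1: all GuardDuty actions and nothing else (the lecture's first policy).
DASHBOARD_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "guardduty:*", "Resource": "*"}]}

# Tier 2: adds service-linked-role creation, scoped to GuardDuty. Constructed to
# approximate the Amazon GuardDuty Full Access managed policy; not its verbatim text.
ENABLE_POLICY = {"Version": "2012-10-17", "Statement": DASHBOARD_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:AWSServiceName": "guardduty.amazonaws.com"}}}]}

# Tier 3: the "genuine full access" custom policy; the role-policy permissions are
# scoped to the service-linked role, not to IAM roles in general.
GENUINE_FULL_ACCESS = {"Version": "2012-10-17", "Statement": ENABLE_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
     "Resource": SLR_ARN}]}

# Trust relationship on the service-linked role (constructed standard trust policy shape).
SLR_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "guardduty.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def capabilities(policy):
    """Which of the lecture's three tasks a principal holding `policy` can perform."""
    return {
        "open_dashboard": is_allowed(policy, "guardduty:ListDetectors"),
        "enable_service": is_allowed(policy, "guardduty:CreateDetector")
            and is_allowed(policy, "iam:CreateServiceLinkedRole", "*",
                           {"iam:AWSServiceName": "guardduty.amazonaws.com"}),
        "manage_lists": is_allowed(policy, "guardduty:CreateThreatIntelSet")
            and is_allowed(policy, "iam:PutRolePolicy", SLR_ARN),
    }


def service_can_assume(trust_policy, service):
    """True if the trust policy lets `service` call sts:AssumeRole on the role."""
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or AWS-account principals are not modelled here
        if (st.get("Effect") == "Allow"
                and service in _as_list(principal.get("Service", []))
                and _glob_any("sts:AssumeRole", st.get("Action", []))):
            return True
    return False


if __name__ == "__main__":
    for name, pol in [("guardduty:* only", DASHBOARD_ONLY),
                      ("full access (approx.)", ENABLE_POLICY),
                      ("genuine full access", GENUINE_FULL_ACCESS)]:
        print(f"{name:24} {capabilities(pol)}")
    print("GuardDuty can assume the service-linked role:",
          service_can_assume(SLR_TRUST_POLICY, "guardduty.amazonaws.com"))
```

Running it reproduces the lecture's three error scenarios as a table of booleans: the first policy opens the dashboard but cannot enable the service, the second can enable it but cannot upload lists, and only the third can do all three. The two scoping details are worth noting from a least-privilege standpoint: the `iam:AWSServiceName` condition means the user can create only GuardDuty's service-linked role, and the `Resource` on `iam:PutRolePolicy` means they can attach inline policies only to that role, not to arbitrary roles in the account.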
As with other AWS services you can be very specific with what actions a user, group or role can perform with Amazon GuardDuty by creating custom IAM policies. For further information and details on how to create custom IAM policies please see our existing course here.
That now brings me to the end of this lecture. Coming up next I shall be diving into GuardDuty findings in more detail.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.