During AWS re:Invent 2017, AWS launched its 11th security service in the on-going drive to help its customers protect and secure their applications, environments, and accounts. This service was Amazon GuardDuty, a regionally based, intelligent, threat-detection service. This service allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail Event Logs, VPC Flow Logs, and DNS Logs. It then uses the data from logs and assesses them against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs. This course will introduce you to this Amazon GuardDuty and explain how it works and how to configure it, allowing you to be able to enable this service within your own AWS accounts to provide automatic and continuous security analysis for safeguarding your entire AWS environment.
By the end of this course you will be able to:
- Describe the Amazon GuardDuty service
- Manage and configure GuardDuty for single and multiple accounts
- Implement the correct permissions to both enable and manage GuardDuty
- Manage and resolve findings generated
- Explain how GuardDuty can play an important role within your organization
This course has been designed for individuals in the following roles:
- Security consultant/specialist
- Security analyst
- Security auditor
- Cloud architect
- Cloud operational support analyst
This course would also be valuable to anyone looking to learn more about AWS security and threat detection within AWS.
As a prerequisite to this course, you should have a basic understanding of the fundamentals of AWS along with an awareness of different security measures and mechanisms that are offered by different AWS services, such as within IAM, specifically IAM policies.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello and welcome to this lecture where I want to provide an introduction to the service, explaining what it is, what it does, and the problem that it solves.
AWS still treats security as its number one priority across its public cloud. They know that without adequate security techniques, mechanisms, and measures in place to safeguard and protect their customers and their data, their customers will not have the confidence to use their services. Cloud security can still be seen as one of the main reasons that companies are slow to adopt cloud technology from a public cloud provider such as AWS. Much of this can be attributed to the lack of cybersecurity skills within an organization. Not having the knowledge and ability to confidently implement a high level of security within the cloud can be damaging to an organization.
Security is an ongoing development process. As technology changes, so do threats and risks against that technology. With this comes a need for newer, more advanced and powerful tools to protect against these threats, and AWS is at the forefront of this development.
Prior to Amazon GuardDuty, there were 10 other services that sat within the security, identity, and compliance category of the AWS Management Console, making this service the 11th. Each security service has a very specific function and benefit that it provides to assist and help customers control, manage, and operate a secure and safe environment within the cloud. The services within this category already cover a wide scope of features and security mechanisms, so how does this new service differ from the rest that already exist?
Amazon GuardDuty is a regional-based intelligent threat detection service, the first of its kind offered by AWS, which allows users to monitor their AWS account for unusual and unexpected behavior by analyzing AWS CloudTrail event logs, VPC flow logs, and DNS logs. It then uses the data from logs and assesses them against multiple security and threat detection feeds, looking for anomalies and known malicious sources, such as IP addresses and URLs.
The service itself is powered by machine learning, and this allows the service to continuously evolve by learning and understanding operational behavior within your infrastructure. Amazon GuardDuty then uses this data to look for erroneous patterns within your AWS account that could indicate potential threats to your environment. These threats could be behavioral based, where a resource has been compromised by an account or credential exposure, unexpected API calls that sit outside security best practices, or even communications from suspicious sources.
Using different threat detection feeds, some generated from public sources and some by AWS, Amazon GuardDuty provides automatic and continuous security analysis for safeguarding your entire AWS environment. Any findings generated by the service are presented and issued with a priority level that enables you to investigate the issue further to ensure that your environment is not compromised and exposed unnecessarily. Amazon GuardDuty is very simple to activate within your account, and unlike other more traditional threat detection mechanisms, there is no need to install any agents or software on your resources, meaning that this is a very scalable and flexible security tool to have enabled.
With this in mind, it's also possible to link your AWS accounts together to perform a threat detection layer across all of your accounts. In addition to this, the service itself operates entirely on AWS infrastructure, providing zero impact of the performance of your own existing resources within your account. Threat detection is key in the defense against a security breach. Having the ability to respond to a potential threat as it is detected significantly reduces the chances of a breach. Cyber criminals are using more advanced techniques to infiltrate networks and hosts using zero-day threats, and Amazon GuardDuty is the latest service to help defend against these attacks.
That now brings me to the end of this lecture. Coming up next, I will be discussing the different components of the service and how it fits together.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.