Amazon GuardDuty Disabled

This plugin ensures Amazon GuardDuty is enabled for the region.

Risk Level: Low

Description

This plugin ensures Amazon GuardDuty is enabled for the region. Enabling GuradDuty will provide you with a detailed analysis of various AWS data sources and potential security risks. Unauthorized API calls from malicious IP addresses can also be monitored with GuardDuty. It is recommended to enable GuardDuty for all the AWS accounts.   

About the Service

Amazon GuradDuty: It provides intelligent threat detection for your AWS Accounts. With regular scans, it monitors your AWS account and workloads to provide detailed findings of potential security threats and remediation. 

Amazon GuardDuty threat detection which can be broadly classified into - account compromise, instance compromise, malicious reconnaissance, and bucket compromise. GuardDuty delivers more accurate findings using machine learning to filter out lists of malicious IPs and domains.

All the findings can be generated with just a few clicks by enabling the Amazon GuardDuty detector.

Impact

Amazon GuardDuty generates findings related to potential security threats. They can range from unprotected ports, possible brute force SSH attacks to API operations invoked by malicious IP addresses. Such findings are extremely important to secure the AWS infrastructure from potential attacks related to aforementioned threats. 

By not enabling Amazon GuardDuty, you might miss out on important High level threats which may lead to severely vulnerable resources.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon GuardDuty Console. You can use this link (https://console.aws.amazon.com/guardduty) to navigate directly if already logged in. 
  3. If you find the Welcome/Get Started screen on the home page and not a list of detectors, there are no GuardDuty Detectors enabled in the selected region. PingSafe recommends creating and enabling at least one GuardDuty detector in the region.
  4. Repeat step 3 for all the AWS regions you want to investigate.

Steps for Remediation

Create and Enable at least a single GuardDuty detector for all regions with AWS resources. 

  1. Log In to your AWS Console.
  2. Open the Amazon GuardDuty Console. You can use this link (https://console.aws.amazon.com/guardduty) to navigate directly if already logged in. 
  3. On the home page, click on Get Started
  4. Click on Enable Guard Duty. If required, also provide the Delegated administrator account ID.
  5. A GuardDuty Detector will be created and enabled for the region. A list of findings will be displayed in the Findings Section. You can further modify the settings of the detector by clicking on Settings option from the left panel.
  6. Repeat the steps from 3 to 5 for all the vulnerable regions.