Ops 401: Class 19
Nicholas Loiacono edited this page May 8, 2023
This topic matters as it relates to what I'm studying in this module because Amazon GuardDuty is a security service that helps protect your cloud resources on AWS. It can detect threats like unauthorized access, unusual activity, and potential data leaks by analyzing data from different sources, such as CloudTrail Logs, VPC Flow Logs, and DNS Logs. GuardDuty uses machine learning and other techniques to spot abnormal behavior and sends alerts when it finds something suspicious.
Amazon GuardDuty is a threat detection service that can identify several Indicators of Compromise (IoCs) in your AWS environment. Some of the IoCs that GuardDuty can detect include:
- a. Unauthorized access attempts: GuardDuty can identify unauthorized attempts to access your resources, like EC2 instances and S3 buckets.
- b. Unusual API calls: It can detect anomalous API requests that might indicate an attacker's attempt to manipulate resources or gain access to sensitive data.
- c. Cryptocurrency mining: GuardDuty can identify instances of unauthorized cryptocurrency mining activity, which may indicate a compromised resource.
- d. Data exfiltration: It can detect potential data exfiltration attempts, such as large volumes of data being transferred to suspicious IP addresses.
- e. Infrastructure attacks: GuardDuty can identify various infrastructure attacks, like DDoS attacks and port scanning activities.
Amazon GuardDuty uses multiple data sources to analyze and detect potential threats in your AWS environment. Some of the data sources include:
- a. AWS CloudTrail Logs: GuardDuty analyzes AWS CloudTrail event logs to identify suspicious API activity or unauthorized access attempts.
- b. VPC Flow Logs: By analyzing VPC Flow Logs, GuardDuty can detect unusual network traffic patterns and potential data exfiltration attempts.
- c. DNS Logs: GuardDuty inspects DNS query logs to identify potential malicious domains or communication with known command-and-control servers.
GuardDuty uses machine learning algorithms and pre-built threat intelligence to analyze access behavior and spot potential malicious activity. It does this by:
- a. Baseline establishment: GuardDuty establishes a baseline of normal behavior for your AWS resources, users, and API activities.
- b. Anomaly detection: It continuously monitors and compares the current behavior against the established baseline to identify deviations or anomalies.
- c. Alerting: When GuardDuty detects a deviation that is potentially malicious, it generates a high-confidence alert that includes details about the suspicious activity.
By analyzing access behavior, GuardDuty can effectively identify potential security risks and help you maintain a secure AWS environment.
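To make the IoC categories and the alerting step above concrete, here is an added example (not code from the course or from AWS) that parses constructed GuardDuty-style findings, splits the finding type into its parts, and bands severity the way GuardDuty does. The sample findings, the category mapping, and the on-call threshold are assumptions constructed for the demonstration; the type names follow GuardDuty's ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact convention.

```python
"""Triage constructed Amazon GuardDuty findings by type and severity."""
import json
import re

# GuardDuty finding types are ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact
TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

# Assumed mapping from threat purpose to the IoC categories discussed above.
CATEGORY = {
    "UnauthorizedAccess": "unauthorized access attempt",
    "CryptoCurrency": "cryptocurrency mining",
    "Exfiltration": "data exfiltration",
    "Trojan": "data exfiltration",
    "Recon": "infrastructure attack",
    "Backdoor": "infrastructure attack",
}

# Constructed sample findings (not real data).
SAMPLE_FINDINGS = json.dumps([
    {"Id": "f-001", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0},
    {"Id": "f-002", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
    {"Id": "f-003", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0},
])


def parse_type(finding_type):
    """Split a finding type into purpose/resource/family/mechanism/artifact."""
    m = TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type}")
    return m.groupdict()


def severity_label(severity):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def triage(findings_json, page_threshold=7.0):
    """Return one triage record per finding; page on-call at or above threshold (assumed)."""
    results = []
    for f in json.loads(findings_json):
        parts = parse_type(f["Type"])
        results.append({
            "id": f["Id"],
            "category": CATEGORY.get(parts["purpose"], "other"),
            "resource": parts["resource"],
            "artifact": parts["artifact"],  # e.g. "DNS" when DNS logs supplied the evidence
            "severity": severity_label(f["Severity"]),
            "page_oncall": f["Severity"] >= page_threshold,
        })
    return results
```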
Things I want to know more about are pricing and cost optimization, configuration and setup, customization and tuning, integration with third-party tools, compliance and regulatory aspects, and best practices and real-life case studies. Exploring these aspects will help to gain a more comprehensive understanding of the service, its capabilities, and practical applications in real-world scenarios.
AWS re:Inforce 2019: Threat Detection on AWS: An Introduction to Amazon GuardDuty (FND216). Amazon Web Services. Retrieved May 08, 2023 from YouTube.