NEW Featured eBook: AWS Cloud Cost Allocation: The Complete Guide - Download Now

Disabled AWS GuardDuty Accounts

This rule ensures that AWS GuardDuty Service is enabled for your AWS Accounts.

Amazon GuardDuty is an intelligent threat detection service that continuously monitors your provisioned AWS workloads for malicious activities like API requests from harmful IP addresses and unauthorized data S3 access.

It also provides comprehensive security insights for visibility and remediation. To identify and prioritize potential threats, GuardDuty leverages various techniques, like machine learning (ML), anomaly detection, and integrated threat intelligence. GuardDuty can analyze tens of billions of events curated from AWS CloudTrail event logs, Amazon Virtual Private Cloud (VPC) flow logs, and DNS query logs, among many other data sources.

This rule can help you with the following:

  • AWS Well-Architected Framework Lens

Audit

Follow these steps below to verify if Amazon GuardDuty is enabled for your AWS accounts:

1. Access the AWS GuardDuty landing page at https://console.aws.amazon.com/guardduty

2. If you see a Get Started page as shown below, this means AWS Guard Duty is currently not enabled in the current region for your AWS Account.

3. Switch to another region from the top right corner to determine the status of AWS Guard Duty Service for other regions.

1. Execute the list-detectors command as shown below to retrieve the list of enabled Guard Duty Detectors in an AWS Region.

aws guardduty list-detectors \\
	--region us-east-1 \\
	--query 'DetectorIds'

 
2. The result should contain a list with all detector ids. If the output is an empty list, AWS GuardDuty has not been enabled for the specified region.

**Output**
[]

 
3. Update --region parameter in the list-detectors command to check the status of Amazon Guard Duty detectors for other AWS regions.

Remediation / Resolution

1. Access the AWS GuardDuty landing page at https://console.aws.amazon.com/guardduty

2. Click on the Get Started button. You should be directed to the Service permissions page as shown below.

3. Click on the View Service Role permissions to examine the GuardDuty service role permissions that grant access to specified resources to be monitored. Here’s a sample policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeTransitGatewayAttachments",
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketTagging",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus"
      ],
      "Resource": "*"
    }
  ]
}

4. Go back to the previous page and select the Enable GuardDuty button to enable the AWS GuardDuty service. As soon as it is activated, AWS GuardDuty Service should begin generating discoveries by traversing and analyzing data streams from specified resources.

5. (Optional) You can build sample findings to help you visualize and examine AWS GuardDuty discoveries.

a. To do this, select the Settings option by the left, scroll down, and select the Generate sample findings button.

b. Once they’ve been generated, select a finding to learn more.

6. Switch to another AWS Region and repeat Steps 2 -4 to activate AWS GuardDuty Thread Detection Service for other regions.

1. Execute the create-detector command to generate an AWS GuardDuty Detector. Attach the --enable parameter to activate the detector after creation automatically:

aws guardduty create-detector \\
	--region us-east-1 \\
	--enable 

**Output**
{
    "DetectorId": "3ab6827baed9ac4601a88efcf0294d49"
}

 
As soon as it is activated, AWS GuardDuty Service should begin generating discoveries by traversing and analyzing data streams from specified resources.
 
2. (Optional) You can also build sample findings to help you visualize and examine AWS GuardDuty discoveries. To do this, execute the create-sample-findings command while attaching the DetectorId parameter generated in Step 1.

aws guardduty create-sample-findings \\
	--region us-east-1 \\
	--detector-id 3ab6827baed9ac4601a88efcf0294d49

**Output**
None

 
3. Update the --region parameter to switch to another AWS region.

Still Need Help?

Come see why we are the #1 cloud management platform and why companies like Uber, Dickey’s BBQ Pit and Norwegian Cruise Line trust nOps to manage their cloud.