Security in the AWS cloud with GuardDuty

En Garde!

Mein Gott!

You are finally up and running, and you can expect AWS to start monitoring your load balancers and public-facing EC2 IP addresses straightaway. There's a little ambiguity in the documentation, but I work on the basis that GuardDuty will only ever monitor external IP address traffic. By that, I mean the intelligence tooling isn't focused on private IP addresses (geek alert: I mean RFC 1918 [10] address space). Although some AWS documentation examples mention 10.0.0.0/16 ranges, if my memory serves.

Note that, importantly, GuardDuty is only concerned with new traffic and will never track historical communications. It will, however, let you retain findings for a while, and ideally you would output the findings to CloudWatch and then beyond (e.g., Splunk or Sumo Logic) via an AWS lambda function, which I have done in the past.

To get the most out of GuardDuty, you really need a reasonable level of public traffic hitting your resources. To make sure your account is working, a nice feature generates sample findings that let you get a feel for what GuardDuty can do. The samples comprise one of each type of finding that GuardDuty can detect.

To get better visibility into how powerful GuardDuty really is, I generated sample findings from the AWS Console (Figure 7). You'll find this capability under the Settings box above the Suspend GuardDuty section shown in Figure 6.

Figure 7: Generating one of each type of alert that would usually trigger GuardDuty threat intelligence alerts.

Once you have clicked Generate sample findings , you can return to the main screen. Lo and behold, you will see a flurry of activity (Figure  8). Notice the EC2 instance IDs are i-99999999, or similar, to highlight that it's fake traffic.

Figure 8: Sample findings give you a really good idea about how clever the venerable GuardDuty is.

If you look closer, you'll find some useful attack information. SSH, IAM, DNS, Trojan, and Tor issues are flagged, just for starters. I'd recommend spending some time getting used to the formatting. You can egest this useful attack information off the API or CloudWatch, as mentioned, further upstream.

Now that GuardDuty is up and running, after a while, it should offer you some very helpful assistance through its threat intelligence. Remember, though, that GuardDuty is only looking at new traffic; it can be a little confusing at first.

If you want to continue your testing by carefully – and with the permission of AWS and the owner – probing EC2 instances in your account, you might need to whitelist or blacklist your own IP address. Check your public IP address with this natty little service:

$ curl ifconfig.io
1.2.3.4

Ding Dong

The bells and whistles GuardDuty GitHub example [11] demonstrates what your Terraform ultimately should aim to include. This example from Leap Beyond Analytics includes a number of interesting additions to the simple example.

For example, GuardDuty can ignore a list of ingested IP addresses, such as your home network or a corporate LAN, as whitelists. You can also ensure that known malicious IP addresses are flagged so that GuardDuty pays attention to those to a greater degree.

The whitelist/blacklist configuration requires an S3 bucket created in Terraform and permissions that allow the upload of and reading of such whitelist/blacklist files. Additionally, it's possible to grant extra permissions to individual users so that they can keep an eye on GuardDuty findings, which also involves some slightly more sophisticated jiggery pokery.

After making sure the resources are correctly destroyed by the Terraform code, I would recommend looking back at the example from Leap Beyond Analytics to consider what you might want to add or adapt to embellish your current functionality. AWS also has a CloudFormation template that might offer some insight [12]. In other words, you can definitely glean useful Terraforming information from a number of online sources (see also this AWS GitHub repo [13]). As ever, in all the examples shown, you should read the license before using them. Other Terraform documentation can be found online to help you out [14]-[16].

The End Is Nigh

Because the Internet is no longer the safe place that it once was, and nipping down to the shops without locking your front door isn't an option, tools such as GuardDuty that automatically update their threat intelligence are invaluable for both live and forensic threat analysis.

By completely removing added overhead and hassle, GuardDuty's auto-updating rulesets are to be cherished from an administrative perspective. I hope you agree on the great scope that exists for an affordable, sophisticated service in the cloud like GuardDuty. Stay vigilant.

Infos

  1. GuardDuty: https://aws.amazon.com/guardduty
  2. Terraform: https://www.terraform.io
  3. GuardDuty pricing: https://aws.amazon.com/guardduty/pricing
  4. Managing access to Amazon GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_managing_access.html
  5. Configuration and credential files maintained by the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html
  6. Managing accounts in GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html
  7. Member management resource: https://www.terraform.io/docs/providers/aws/r/guardduty_member.html
  8. Remote state in Terraform: https://medium.com/@itsmattburgess/why-you-should-be-using-remote-state-in-terraform-2fe5d0f830e8
  9. Terragrunt: https://github.com/gruntwork-io/terragrunt
  10. RFC 1918, "Address Allocation for Private Internets," Network Working Group, February 1996, https://tools.ietf.org/html/rfc1918
  11. GuardDuty with Terraform: https://github.com/LeapBeyond/terraform-aws-guardduty
  12. Amazon GuardDuty hands on: https://github.com/aws-samples/amazon-guardduty-hands-on/blob/master/guardduty-cfn-template.yml
  13. AWS GuardDuty using Terraform and Python: https://github.com/full360/aws-guardduty-example
  14. Member Terraform code: https://www.terraform.io/docs/providers/aws/r/guardduty_member.html
  15. Detector information: https://www.terraform.io/docs/providers/aws/r/guardduty_detector.html
  16. Threat intelligence files for known bad actors: https://www.terraform.io/docs/providers/aws/r/guardduty_threatintelset.html

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also shows you how to make your servers invisible, perform penetration testing, and mitigate unwelcome attacks. You can find out more about DevOps, DevSecOps, Containers, and Linux security on his website: https://www.devsecops.cc.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus