Skip to main content

GuardDuty

Service Details

Cloud native threat detection, with rulesets maintained by AWS.

Assessment Notes

The general recommendation is to enable GuardDuty in all regions in-use in all accounts. The costs have reduced over time, and it provides a base level of detection that will spot some lower sophistication attacks. It also serves as an additional data source to feed into a SIEM to do better detection with. For more info on the rationale behind this, Scott Piper's blog lays it out pretty well - https://summitroute.com/blog/2019/03/05/should_you_use_guardduty/

If GuardDuty is enabled:

  • Check whether GuardDuty findings are being ingested anywhere, and whether that's being monitored
  • Check whether they're monitoring for alterations to GuardDuty's state via CloudTrail or AWS Config
  • If they're using multiple AWS account, they should have GuardDuty for each account enrolled into a master account. The master account should have very heavily restricted access, ideally to only a few key security people.

Operational Notes

None