Cloud Detective Controls (Amazon GuardDuty) - benjamin-s-hobbs/reading-notes GitHub Wiki


From: What is Amazon GuardDuty? (accessed by Benjamin Hobbs on 8/2/2023)

What Is Amazon GuardDuty?

Amazon GuardDuty is a threat detection service purpose-built for the cloud, which AWS deployed in 2019. Threat intelligence is pre-integrated into the service and is continuously updated and maintained by AWS.

Questions for Understanding

  1. What are some of the IoCs that GuardDuty can detect?
  • Compromised credentials
  • Unusual activity or behavior
  2. What are some of the data sources which GuardDuty can use?
  • VPC Flow Logs
  • DNS logs (exclusive to GuardDuty)
  • AWS CloudTrail events
  3. How does GuardDuty use access behavior to spot potential malicious activity?
  • GuardDuty flags behavior that is anomalous in any way.
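To make the two lists above concrete, here is an added example (not from these notes or from AWS) that triages GuardDuty findings offline. The findings are constructed by hand in the shape of GuardDuty's finding JSON, and the mapping from finding type to data source (DNS artifact means DNS logs, IAMUser findings come from CloudTrail, EC2 network findings come from VPC Flow Logs) is a simplified assumption for illustration, not an official AWS field.

```python
"""Offline triage of Amazon GuardDuty findings by data source and severity.

Added example: the findings below are constructed in the shape of the
GuardDuty finding JSON so the script runs without an AWS account.
"""
import re

# GuardDuty finding types follow the documented pattern
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where DetectionMechanism and Artifact are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

# Constructed sample findings (ids and values are made up).
SAMPLE_FINDINGS = [
    {"Id": "example-1",
     "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0},
    {"Id": "example-2",
     "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 8.0},
    {"Id": "example-3",
     "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0},
    {"Id": "example-4",
     "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Severity": 5.0},
]


def parse_finding_type(finding_type: str) -> dict:
    """Split a finding type string into its documented components."""
    match = FINDING_TYPE_RE.match(finding_type)
    if match is None:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return match.groupdict()


def infer_data_source(parsed: dict) -> str:
    """Map a parsed finding type to the GuardDuty data source it most likely
    came from. Simplified assumption for illustration, not an AWS field."""
    if parsed["artifact"] == "DNS":
        return "DNS logs"
    if parsed["resource"] == "IAMUser":
        return "AWS CloudTrail events"
    if parsed["resource"] == "EC2":
        return "VPC Flow Logs"
    return "other"


def severity_label(score: float) -> str:
    """Bands from the GuardDuty documentation: Low 1.0-3.9, Medium 4.0-6.9,
    High 7.0-8.9; newer releases label 9.0 and above Critical."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(findings: list) -> list:
    """Return one row per finding, highest severity first, with the inferred
    data source so an analyst can see which telemetry produced the alert."""
    rows = []
    for finding in findings:
        parsed = parse_finding_type(finding["Type"])
        rows.append({
            "id": finding["Id"],
            "type": finding["Type"],
            "severity": finding["Severity"],
            "label": severity_label(finding["Severity"]),
            "source": infer_data_source(parsed),
        })
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


def count_by_source(findings: list) -> dict:
    """Count findings per inferred data source."""
    counts = {}
    for row in triage(findings):
        counts[row["source"]] = counts.get(row["source"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f"{row['label']:<8} {row['severity']:>4} {row['source']:<22} {row['type']}")
    print(count_by_source(SAMPLE_FINDINGS))
```

Run as a script it prints the High findings first, then the Medium DNS-based cryptomining finding, then the Low port-probe finding. Splitting the type string is what makes the "data sources" question answerable at a glance: the `!DNS` artifact is only present on findings that depend on the DNS logs GuardDuty alone can read.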

Additional Resources

Videos

AWS re:Inforce 2019: Threat Detection on AWS: An Introduction to Amazon GuardDuty (FND216)

What More Do I Want To Know?