AWS GuardDuty

Amazon GuardDuty is a continuous security monitoring service. Amazon GuardDuty can help to identify unexpected and potentially unauthorized or malicious activity in your AWS environment.

To learn more about the service see the AWS GuardDuty documentation.

Prerequisites

Permissions

Administrator role in AWS to configure GuardDuty accounts and services
"Organization Admin" role in MD.ECO

Prefixes offered by default

AWSLogs/{{OrgID}}/GuardDuty/{{Region}}/

Prerequisite Variables

{{SecurityOrgID}}: Unique ID of the "Security" organization;
{{AuditOrgID}}: Unique ID of the "Audit" organization;
{{S3GuardDutyAuditBucketName}}: Name of the bucket which will be used for the transfer of logs with MD.ECO, to be created beforehand with the procedure Ingestion by S3 Bucket .

Configuration steps

Enable GuardDuty ("Security" Organization)

Enable GuardDuty in the correct region (ex: ca-central-1)
In Settings, note the Detection ID (ARN) needed in the following steps under the name {{GuardDutyDetectorIDARN}}

Configuration of the S3 Bucket ("Audit" Organization)

Optional: Creation of a KMS key ("Audit" Organization)

Name: guardduty_logging
Key Administration: N/A
Key usage permission: In the bottom section, enter the account ID {{SecurityOrgID}}
Edit the key that was created and add the following key policy

Replace values:

{{KMSDataEncryptionKeyARN}}: the ARN of the key that has just been created
{{SecurityOrgID}}: the ID of the organization that contains the GuardDuty service

{{GuardDutyDetectorIDARN}}: the ARN of the detector ID

{
  "Sid": "AllowGuardDutyKey",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.amazonaws.com"
    },
  "Action": "kms:GenerateDataKey",
  "Resource": "{{KMSDataEncryptionKeyARN}}",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "{{SecurityOrgID}}",
      "aws:SourceArn": "{{GuardDutyDetectorIDARN}}"
    }
  }
}

Configuring S3 bucket security ("Audit" organization)

Add the following security part to the existing security by replacing the values below

{{S3GuardDutyAuditBucketName}}: The name of the S3 bucket for saving GuardDuty logs
{{KMSDataEncryptionKeyARN}}: the ARN of the key that has just been created
{{SecurityOrgID}}: the ID of the organization that contains the GuardDuty service
{{GuardDutyDetectorIDARN}}: the ARN of the detector ID present in the "Security" Organization

{
    "Sid": "AllowGuardDutygetBucketLocation",
    "Effect": "Allow",
    "Principal": {
        "Service": "guardduty.amazonaws.com"
    },
    "Action": "s3:GetBucketLocation",
    "Resource": "arn:aws:s3:::{{S3GuardDutyAuditBucketName}}",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{SecurityOrgID}}",
            "aws:SourceArn": "{{GuardDutyDetectorIDARN}}"   

        }
    }
},
{
    "Sid": "AllowGuardDutyPutObject",
    "Effect": "Allow",
    "Principal": {
        "Service": "guardduty.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::{{S3GuardDutyAuditBucketName}}/*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{SecurityOrgID}}",
            "aws:SourceArn": "{{GuardDutyDetectorIDARN}}"   

        }
    }
},
{
    "Sid": "DenyUnencryptedUploads",
    "Effect": "Deny",
    "Principal": {
        "Service": "guardduty.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::{{S3GuardDutyAuditBucketName}}/*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
        }
    }
},
{
    "Sid": "DenyIncorrectHeader",
    "Effect": "Deny",
    "Principal": {
        "Service": "guardduty.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::{{S3GuardDutyAuditBucketName}}/*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{KMSDataEncryptionKeyARN}}"
        }
    }
},
{
    "Sid": "DenyNon-HTTPS",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::{{S3GuardDutyAuditBucketName}}/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}

Configuring GuardDuty log saving to S3 bucket

Reference: Managing GuardDuty Accounts with AWS Organizations

Configuring log submission in GuardDuty ("Security" organization)

In the configurations:

Change frequency
- "Update CWE and S3 every 15 minutes"
- Click on "Save"
Configuration of the S3 repository
- Click on "Configure New"
- Select "Existing bucket"
- Bucket ARN field: arn:aws:s3:::{{S3GuardDutyAuditBucketName}}
- Key ARN field: {{KMSDataEncryptionKeyARN}}
- Click on "Save"

Activation of GuardDuty in other accounts ("Security" organization)

In the accounts:

Check all available accounts
Click on "Actions"
- Click "Add member" (activation in 1-2 minutes)
- Answer the questions
After activation, activate additional security
- Click on "Actions"
- Click on "Enable S3 Protection"
- Optional: Click on "Enable Kubernetes Audit Logs Monitoring"

Activation of administrator delegation ("Master" organization)

aws guardduty enable-organization-admin-account --admin-account-id {{SecurityOrgID}}

Notify Mondata with instance information

Include the following information:

{{S3WAFAuditBucketName}}

AWS GuardDuty

Prerequisites​

Permissions​

Prefixes offered by default​

Prerequisite Variables​

Configuration steps​

Enable GuardDuty ("Security" Organization)​

Configuration of the S3 Bucket ("Audit" Organization)​

Optional: Creation of a KMS key ("Audit" Organization)​

Configuring S3 bucket security ("Audit" organization)​

Configuring GuardDuty log saving to S3 bucket​

Configuring log submission in GuardDuty ("Security" organization)​

Activation of GuardDuty in other accounts ("Security" organization)​

Activation of administrator delegation ("Master" organization)​

Notify Mondata with instance information​