Amazon GuardDuty: A Zero-Footprint Managed Threat Detection Service for AWS Accounts and Resources

At the AWS re:Invent conference in Las Vegas, the general availability of Amazon GuardDuty was announced. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour to help protect AWS accounts and workloads. The service can be centrally managed across multiple AWS accounts; it is "zero footprint", requiring no additional software or hardware to be installed within AWS resources; and remediation scripts or AWS Lambda functions can be configured to trigger automatically from GuardDuty findings.

GuardDuty is enabled from the AWS web console, and monitors an AWS account (or set of accounts) for activity such as unusual API calls or potentially unauthorised deployments that indicate a possible account compromise. GuardDuty uses pattern matching and machine learning for anomaly detection, analysing events from AWS CloudTrail, Amazon VPC Flow Logs and DNS logs across all associated AWS accounts, and combining this data with several threat intelligence feeds containing lists of malicious IP addresses and domains known to be used by bad actors.

GuardDuty is "zero-footprint", in that it requires no additional security software or infrastructure to be installed in order to analyse an account and workload activity data -- the service runs completely on AWS infrastructure -- and according to the GuardDuty FAQ, does not affect the performance or reliability of a customer's workloads.

Remediation scripts or AWS Lambda functions can be configured to trigger on GuardDuty findings, which are delivered through Amazon CloudWatch Events; the event payload includes the affected resource's details, such as tags, security groups or credentials, together with attacker information such as IP address and geolocation. The same mechanism allows findings to be pushed into event management systems such as Sumo Logic or PagerDuty, and into workflow tools such as JIRA or Slack. The AWS blog states that this enables a security team to define automated attack response actions and centralise them across all of an organisation's accounts.
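As an added example (not from the article or from AWS), the following Python Lambda-style handler shows what that event-driven response looks like in practice: it reads the finding envelope that CloudWatch Events delivers, maps the numeric severity onto GuardDuty's documented Low/Medium/High bands, pulls out the affected instance or access key and the attacker's IP where the finding carries one, and returns a remediation plan. The severity bands and the envelope fields (source, detail-type, detail.resource, detail.service.action) follow GuardDuty's finding format; the action names, the quarantine policy and the three sample findings are assumptions constructed for the example, and no AWS API is called.

```python
"""Triage a GuardDuty finding delivered as a CloudWatch Events payload and decide a response.

Added example: the envelope and finding fields follow GuardDuty's finding format; the action
names, the policy and the sample findings are constructed. No AWS API is called here; a real
Lambda handler would execute the returned plan with boto3.
"""
import json

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW"))


def severity_label(score):
    """Map GuardDuty's numeric severity to its band name."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "LOW"


def attacker(detail):
    """Return (ip, country) from whichever action block carries remoteIpDetails.

    DNS-based findings carry a domain rather than a remote IP, so (None, None) is normal.
    """
    action = detail.get("service", {}).get("action", {})
    for block in action.values():
        if not isinstance(block, dict):  # skip actionType and other scalars
            continue
        remote = block.get("remoteIpDetails")
        if remote is None and block.get("portProbeDetails"):
            remote = block["portProbeDetails"][0].get("remoteIpDetails")
        if remote and remote.get("ipAddressV4"):
            return remote["ipAddressV4"], remote.get("country", {}).get("countryName")
    return None, None


def plan_response(event):
    """Build a remediation plan for one finding; raises ValueError for non-GuardDuty events."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    sev = severity_label(float(d["severity"]))
    ip, country = attacker(d)
    res = d.get("resource", {})
    plan = {"finding_id": d["id"], "type": d["type"], "severity": sev,
            "account": d["accountId"], "region": d["region"],
            "attacker_ip": ip, "attacker_country": country, "actions": []}
    if res.get("resourceType") == "Instance":
        inst = res["instanceDetails"]
        plan["target"] = inst["instanceId"]
        plan["tags"] = {t["key"]: t["value"] for t in inst.get("tags", [])}
        plan["current_security_groups"] = sorted({sg["groupId"]
                                                  for ni in inst.get("networkInterfaces", [])
                                                  for sg in ni.get("securityGroups", [])})
        if sev == "HIGH":      # cut the instance off, but keep evidence first
            plan["actions"] += ["replace_security_groups_with_quarantine_sg", "snapshot_root_volume"]
        elif sev == "MEDIUM":  # keep evidence, let a human decide on isolation
            plan["actions"].append("snapshot_root_volume")
    elif res.get("resourceType") == "AccessKey":
        key = res["accessKeyDetails"]
        plan["target"] = key["accessKeyId"]
        plan["principal"] = key.get("userName")
        if sev in ("HIGH", "MEDIUM"):
            plan["actions"].append("deactivate_access_key")
    if ip and sev != "LOW":
        plan["actions"].append("block_ip_in_network_acl")
    plan["actions"].append("notify_security_channel")
    return plan


def _event(ftype, severity, resource, action):
    """Wrap a constructed finding in the CloudWatch Events envelope (constructed sample data)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "finding-" + ftype.split("/")[-1].lower(), "type": ftype,
                       "severity": severity, "accountId": "123456789012", "region": "eu-west-1",
                       "resource": resource, "service": {"action": action}}}


# Constructed samples: IDs, severities and TEST-NET addresses are made up for the example.
SAMPLE_EC2 = _event(
    "UnauthorizedAccess:EC2/SSHBruteForce", 8.0,
    {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0", "tags": [{"key": "Name", "value": "web-1"}],
        "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0aaa111", "groupName": "web"}]}]}},
    {"actionType": "NETWORK_CONNECTION",
     "networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "203.0.113.9",
                                                     "country": {"countryName": "Example"}}}})
SAMPLE_IAM = _event(
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller", 5.0,
    {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                        "userName": "deploy-bot"}},
    {"actionType": "AWS_API_CALL",
     "awsApiCallAction": {"api": "ListBuckets", "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}})
SAMPLE_DNS = _event(
    "CryptoCurrency:EC2/BitcoinTool.B!DNS", 3.0,
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
    {"actionType": "DNS_REQUEST", "dnsRequestAction": {"domain": "pool.example"}})

if __name__ == "__main__":
    for sample in (SAMPLE_EC2, SAMPLE_IAM, SAMPLE_DNS):
        print(json.dumps(plan_response(sample), indent=2))
```

In a deployed Lambda, plan_response would be called from the handler and the returned action list executed with boto3 (for instance ec2.modify_instance_attribute to swap the security groups, or iam.update_access_key to set the key to Inactive). The DNS-based cryptocurrency finding in the sample is the caveat worth noting: it identifies a domain rather than a remote IP, so a handler must treat a missing attacker IP as normal rather than as an error.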

GuardDuty can be managed, and threats triaged, from a single console view across multiple accounts. It should be noted, however, that GuardDuty is a regional service: even when multiple accounts are enabled and multiple regions are in use, the security findings remain in the region where the underlying data was generated. This ensures that analysed data does not cross AWS regional boundaries (which might otherwise fall foul of regulations such as the upcoming European GDPR). Customers who want a cross-region view can aggregate findings themselves by using Amazon CloudWatch Events to push the findings from each region into a data store under their control, such as Amazon S3, and aggregating there.

GuardDuty also looks for compromised EC2 instances communicating with malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency. Using (or instantiating) compromised EC2 instances for Bitcoin mining has been an attack vector against compromised accounts for a number of years, and can result in large amounts of (expensive) resource usage.

AWS explicitly warns in its "Best Practices for Managing AWS Access Keys" documentation that anyone who has an account's access keys has the same level of access to AWS resources as the account owner. AWS state that they "go to significant lengths to protect your access keys", and in keeping with the platform's shared-responsibility model, customers should as well. Open source tools such as AWS Labs' git-secrets project install Git pre-commit hooks that scan the content being committed for patterns resembling AWS keys and reject the commit if any are found.
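As an added example of the kind of check git-secrets performs (this is not git-secrets' own code; the regular expressions, the allow-list and the output format are this example's own assumptions), the following Python pre-commit hook scans the lines a staged change would add for AWS access key IDs and secret access keys, skips allow-listed placeholders such as AWS's documentation examples, and refuses the commit if anything is found.

```python
"""Pre-commit hook that refuses a commit whose staged changes contain AWS access key material.

Added example in the spirit of git-secrets, not its code: the regular expressions, the
allow-list and the redaction format are this example's own choices.
"""
import re
import subprocess
import sys

# Long-lived access key IDs begin with AKIA and temporary ones with ASIA, followed by 16
# upper-case alphanumerics; the look-arounds stop a match inside a longer token.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret key is 40 base64-like characters, which alone matches far too much, so a nearby
# "secret ... key" label is required and only the value is captured.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key[^\n]{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Lines matching an allow-listed pattern are skipped, e.g. AWS's documentation placeholders.
ALLOWED = (re.compile(r"EXAMPLE"),)


def redact(value):
    """Keep enough of a matched value to recognise it without echoing the whole secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, allowed=ALLOWED):
    """Return (line_number, kind, value) for each credential-looking token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in allowed):
            continue
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def staged_additions():
    """Lines added by the staged changes, i.e. what the commit would introduce."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main():
    """Exit non-zero (which blocks the commit) when anything is found."""
    findings = scan_text(staged_additions())
    for lineno, kind, value in findings:
        print(f"refusing commit: {kind} {redact(value)} in staged line {lineno}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample: a credentials file about to be committed (the key values are made up).
STAGED_SAMPLE = """[default]
region = eu-west-1
aws_access_key_id = AKIA0123456789ABCDEF
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
# docs placeholder, allow-listed: AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit and make it executable; scan_text can equally be pointed at a CI diff or a whole repository export. The allow-list is what keeps the hook usable: without it, AWS's own documentation placeholders would block every commit that quotes them.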

Disclosures of companies leaking data stored in the public cloud have increased over the last several years, although these often involve misconfigured (publicly accessible) buckets within AWS's S3 object storage service. AWS recently launched Amazon Macie, a machine learning-powered security service that discovers, classifies and protects sensitive data within S3. This service can be seen as complementary to the broader protection provided by GuardDuty.

Amazon GuardDuty is priced across two dimensions: the quantity of AWS CloudTrail Events analysed (per 1,000,000 events); and the volume of Amazon VPC Flow Logs and DNS Logs analysed (per GB).

Amazon GuardDuty is generally available across multiple regions, and further information about the service can be found on the service's product page.
