AWS – Setting up intrusion detection

An intrusion detection system (IDS) monitors a network, or specific resources on it, for policy violations and other signs that an attacker has gained a foothold. Unusual user activity, odd patterns in traffic flowing across the network, or changes to critical operating system files can all indicate an intrusion.

An IDS is often integrated with a Security Information and Event Management (SIEM) system, which collects the events the IDS reports and correlates them with other log sources for analysis.

Amazon GuardDuty is an AWS service that can act as your cloud IDS. It continuously analyzes AWS CloudTrail events, Amazon VPC Flow Logs and DNS query logs, combining threat intelligence feeds with machine learning-based anomaly detection to flag activity that could indicate a compromised instance or credential in your account. GuardDuty reads these data sources through its own streams, so you do not have to enable CloudTrail or VPC Flow Logs yourself for it to work.

How to do it…

This recipe walks you through the basics of setting up GuardDuty to monitor your resources. There really isn't much to it beyond enabling the service for your account. Note that GuardDuty is a regional service, so repeat the steps in every region you use, including the ones you think you don't use, since attackers favor unmonitored regions:

  1. Log in to your AWS account and go to the GuardDuty dashboard.
  2. Click Get Started, and then click Enable GuardDuty.
  3. Click Settings, and then click Generate Sample Findings. Sample findings are flagged as samples in their details, so any automation you build later can tell them apart from real ones.
  4. Go back to Findings and check out what typical findings might look like:

(Screenshot: GuardDuty Findings)
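The same procedure can be scripted, which is what you will want for more than a handful of accounts and regions. The following is an added example written for this recipe, not code from the original page or from AWS. It drives the GuardDuty API through boto3: it makes sure a detector exists and is enabled (the API equivalent of "Enable GuardDuty"), generates sample findings, and reads findings back at or above a severity threshold. The client object is passed in rather than created inside the functions, so the logic can be exercised against a fake; the finding-type name used in the live run and the severity bands are taken from the GuardDuty documentation.

```python
"""Enable Amazon GuardDuty, generate sample findings and read them back with boto3.

Added example for this recipe, not code from the original page or from AWS.
The GuardDuty client is passed in, so the logic can be exercised offline with a
fake; a live run uses boto3 and needs the guardduty:ListDetectors, GetDetector,
CreateDetector, UpdateDetector, CreateSampleFindings, ListFindings and
GetFindings permissions.
"""
import json
from typing import Any, Dict, List, Optional


def severity_label(score: float) -> str:
    """GuardDuty's documented bands: Low 1-3.9, Medium 4-6.9, High 7-8.9."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def ensure_detector(gd: Any) -> str:
    """Console 'Enable GuardDuty' equivalent: return this region's detector id,
    creating it or re-enabling it if needed (one detector per account per region)."""
    detector_ids: List[str] = gd.list_detectors().get("DetectorIds", [])
    if detector_ids:
        detector_id = detector_ids[0]
        if gd.get_detector(DetectorId=detector_id).get("Status") != "ENABLED":
            gd.update_detector(DetectorId=detector_id, Enable=True)
        return detector_id
    created = gd.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return created["DetectorId"]


def generate_sample_findings(gd: Any, detector_id: str,
                             finding_types: Optional[List[str]] = None) -> None:
    """Console 'Generate Sample Findings' equivalent. Without finding_types,
    GuardDuty creates one sample of every finding type it knows."""
    params: Dict[str, Any] = {"DetectorId": detector_id}
    if finding_types:
        params["FindingTypes"] = finding_types
    gd.create_sample_findings(**params)


def _is_sample(finding: Dict[str, Any]) -> bool:
    """Sample findings flag themselves in Service.AdditionalInfo, which the
    GetFindings API returns as a JSON string under 'Value'."""
    info = finding.get("Service", {}).get("AdditionalInfo", {})
    raw = info.get("Value")
    if isinstance(raw, str):
        try:
            return bool(json.loads(raw).get("sample", False))
        except ValueError:
            return False
    return bool(info.get("sample", info.get("Sample", False)))


def fetch_findings(gd: Any, detector_id: str, min_severity: int = 4) -> List[Dict[str, Any]]:
    """Return compact summaries of findings at or above min_severity, newest first."""
    criteria = {"Criterion": {"severity": {"Gte": min_severity}}}
    sort = {"AttributeName": "updatedAt", "OrderBy": "DESC"}
    finding_ids: List[str] = []
    token: Optional[str] = None
    while True:  # ListFindings is paginated; collect every id before fetching details
        kwargs: Dict[str, Any] = {"DetectorId": detector_id, "FindingCriteria": criteria,
                                  "SortCriteria": sort, "MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        page = gd.list_findings(**kwargs)
        finding_ids.extend(page.get("FindingIds", []))
        token = page.get("NextToken")
        if not token:
            break
    summaries: List[Dict[str, Any]] = []
    for start in range(0, len(finding_ids), 50):  # GetFindings accepts at most 50 ids per call
        chunk = finding_ids[start:start + 50]
        for f in gd.get_findings(DetectorId=detector_id, FindingIds=chunk)["Findings"]:
            summaries.append({
                "id": f["Id"],
                "type": f["Type"],
                "severity": f["Severity"],
                "label": severity_label(f["Severity"]),
                "resource": f["Resource"]["ResourceType"],
                "sample": _is_sample(f),
                "title": f.get("Title", ""),
            })
    return summaries


if __name__ == "__main__":
    import boto3  # only needed for a live run against your account

    client = boto3.client("guardduty")
    det = ensure_detector(client)
    generate_sample_findings(client, det, ["Recon:EC2/PortProbeUnprotectedPort"])
    for s in fetch_findings(client, det, min_severity=1):
        print(f'{s["label"]:6} {s["severity"]:<4} {s["type"]:45} {s["resource"]} sample={s["sample"]}')
```

Run it with credentials for the target account and region to get the same result as the console steps above; the `sample` flag in the summaries is what lets you filter the generated findings out again before feeding anything downstream.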

How it works…

GuardDuty consumes threat intelligence feeds from AWS and third-party security partners to stay current with IP addresses and domains known to be used by attackers, and applies anomaly detection to the log sources it monitors to flag behaviour that is unusual for your account. Each finding is published as an event to Amazon EventBridge (CloudWatch Events, at the time of writing), so you can route findings to an SNS topic to notify administrators, or to an AWS Lambda function to automate a response such as isolating an instance or disabling an access key.
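What such an automated response looks like in practice, as an added example written for this recipe (not code from the original page or from AWS): an EventBridge event pattern that matches only High findings, and a Lambda handler that triages each finding into a decision (isolate the instance, deactivate the access key, notify only, or ignore a sample finding). The event is constructed for the example in the shape EventBridge delivers GuardDuty findings, with the finding JSON under `detail`; the `publish` hook stands in for an SNS publish and is an assumption of this example, as is the location of the sample flag under `service.additionalInfo`.

```python
"""Triage GuardDuty findings delivered by EventBridge inside a Lambda function.

Added example for this recipe, not code from the original page or from AWS.
SAMPLE_EVENT is constructed to match the EventBridge envelope for a
"GuardDuty Finding" event (the finding JSON sits under "detail"). The publish
hook is injected so the handler runs offline; deployed, it would be an SNS
publish and the containment actions would call EC2/IAM.
"""
import json
from typing import Any, Callable, Dict, Optional

# Event pattern for the EventBridge rule: GuardDuty findings with severity >= 7 (High).
HIGH_SEVERITY_RULE: Dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def severity_label(score: float) -> str:
    """GuardDuty's documented bands: Low 1-3.9, Medium 4-6.9, High 7-8.9."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def is_sample(finding: Dict[str, Any]) -> bool:
    """Findings created by 'Generate Sample Findings' flag themselves under
    service.additionalInfo, either as a 'sample' key or as a JSON string under
    'value' depending on how the finding was retrieved. Never act on these."""
    info = finding.get("service", {}).get("additionalInfo", {})
    if "sample" in info:
        return bool(info["sample"])
    raw = info.get("value")
    if isinstance(raw, str):
        try:
            return bool(json.loads(raw).get("sample", False))
        except ValueError:
            pass
    return False


def triage(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Map a finding to a containment decision. Only confirmed High findings on a
    resource we know how to contain get an automated action; everything else is
    a notification for a human."""
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType", "Unknown")
    if rtype == "Instance":
        target = resource.get("instanceDetails", {}).get("instanceId", "?")
        containment = "isolate_instance"        # e.g. swap in a quarantine security group
    elif rtype == "AccessKey":
        details = resource.get("accessKeyDetails", {})
        target = f'{details.get("userName", "?")}/{details.get("accessKeyId", "?")}'
        containment = "deactivate_access_key"   # e.g. iam:UpdateAccessKey Status=Inactive
    else:
        target, containment = rtype, "manual_review"
    sample = is_sample(finding)
    if sample:
        action = "ignore_sample"
    elif severity >= 7.0 and containment != "manual_review":
        action = containment
    else:
        action = "notify"
    return {"finding_id": finding.get("id"), "type": finding.get("type"), "severity": severity,
            "label": severity_label(severity), "resource_type": rtype, "target": target,
            "sample": sample, "action": action}


def format_message(decision: Dict[str, Any], finding: Dict[str, Any]) -> str:
    """One-line summary suitable for an SNS subject/body or a chat webhook."""
    return (f'[{decision["label"]}] {decision["type"]} on {decision["resource_type"]} '
            f'{decision["target"]} (account {finding.get("accountId")}, {finding.get("region")}) '
            f'-> {decision["action"]}: {finding.get("title", "")}')


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   publish: Optional[Callable[[str], Any]] = None) -> Dict[str, Any]:
    """EventBridge entry point. Rejects anything that is not a GuardDuty finding so a
    misconfigured rule cannot trigger containment on unrelated events."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    decision = triage(event["detail"])
    (publish or print)(format_message(decision, event["detail"]))
    return decision


SAMPLE_EVENT: Dict[str, Any] = {  # constructed for this example, not a real capture
    "version": "0", "id": "cd2d702e-ab31-411b-9344-793ce56b1bc7",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "time": "2019-07-31T10:24:00Z", "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "5ab3c9a1e7f4d2b6c8e0f1a2b3c4d5e6",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
        "title": "EC2 instance i-0123456789abcdef0 is querying a domain name associated "
                 "with a known command and control server.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0", "instanceType": "t3.micro"}},
        "service": {"serviceName": "guardduty",
                    "action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "c2.example.net", "protocol": "UDP", "blocked": False}},
                    "additionalInfo": {"sample": False}, "count": 4},
        "createdAt": "2019-07-31T10:21:00.000Z", "updatedAt": "2019-07-31T10:23:00.000Z",
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The rule pattern and the handler enforce the same threshold twice on purpose: the pattern keeps low-value events from invoking the function at all, while the check in `triage` means a loosened rule cannot by itself start isolating instances. Wire the real containment (a quarantine security group, `iam:UpdateAccessKey`) behind the `action` value rather than inside `triage`, so the decision stays testable without AWS calls.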

GuardDuty also supports a multi-account setup: one administrator account (a delegated administrator chosen through AWS Organizations, or an account that invites the others) receives the findings of every member account, which makes setting up enterprise-wide monitoring quick and easy.

There’s more…

Here are some of the things that GuardDuty can detect:

  • EC2 instance compromise, such as an instance talking to a known command-and-control server or mining cryptocurrency
  • Account compromise, such as credentials issued to an EC2 instance being used from outside AWS
  • Connections from geographic locations that are not associated with routine use
  • Unusual API calls, or API calls from a principal that has never made them before
  • DNS queries that are not associated with normal account activity
  • Connections to external IP addresses that appear on threat intelligence lists of known bad actors
  • Brute-force login attempts, for example against SSH or RDP on an instance
  • Port scanning and probes against unprotected ports
