Open menu
-->

AWS GuardDuty Findings

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Medium (should be achieved)

Check for AWS GuardDuty findings and resolve them step by step to ensure that your AWS infrastructure is protected against security threats. Amazon GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, CloudTrail event logs and DNS logs for malicious or unauthorized behavior. When GuardDuty detects a suspicious or unexpected behavior in your AWS account, it generates a finding. A finding is a notification that contains information about a potential security threat identified by the GuardDuty service. The finding details includes data about the finding actor, the AWS resource(s) involved in the suspicious activity, the time when the activity occurred and so on. The GuardDuty findings are available within your Cloud Conformity account as result of Real-Time Threat Monitoring and Analysis (RTMA) integration with Amazon GuardDuty service. With RTMA - GuardDuty integration, the findings are highlighted on your Cloud Conformity dashboard and alert notifications are sent (based on the severity level) via established communication channels in real-time. The communication channels for sending finding alert notifications can be easily configured within your Cloud Conformity account. The list of supported communication channels are Email, SMS, Slack, JIRA, PagerDuty and ServiceNow.

With GuardDuty findings you can evaluate your AWS infrastructure (AWS accounts and resources, IAM user passwords, API keys, guest operating systems, applications, etc) in an automated way, without the heavy lifting of additional security hardware or software to deploy and maintain. Note: As example, this conformity rule will demonstrate how to analyze and solve a Recon:EC2/PortProbeUnprotectedPort type finding. This type of finding informs you that somewhere in your AWS environment an EC2 instance has an unprotected port that a potential attacker is probing. The unprotected port is port 22 (SSH) and the remediation consists of limiting exposure by allowing access only to IP addresses from a trusted network IP address space.

Audit

To check for existing Amazon GuardDuty findings within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Findings, click Current to access the Current findings page.

04 Click on the GuardDuty finding that you want to examine to expand the finding details panel.

05 Analyze the selected AWS GuardDuty finding by checking the following attributes:

  1. Type – a concise yet readable description of the potential security issue. For more information, see AWS GuardDuty finding types.
  2. Severity – a finding's assigned severity level of either High, Medium or Low.
  3. Account ID – the ID of the AWS account in which the activity took place that prompted the service to generate the finding.
  4. Resource ID – the ID of the AWS resource against which the activity took place that prompted the service to generate the finding.
  5. Threat list name – the name of the threat list that includes the IP address/domain name involved in the suspicious activity that prompted the AWS GuardDuty service to generate the finding.
  6. Action type – the finding activity type. This value can be one of the following: NETWORK_CONNECTION (when traffic was exchanged between the identified instance and the remote host), AWS_API_CALL (when an AWS API is invoked), PORT_PROBE (when a remote host probed the identified instance on multiple opened ports) or DNS_REQUEST (when the identified instance queried a domain name).
  7. Actor IP address/domain – the IP address or domain involved in the suspicious activity.
  8. Actor port – the port number involved in the activity that prompted AWS GuardDuty to generate the finding.
  9. Actor location – location information of the IP address involved in the activity that prompted the service to generate the finding.

06 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to check and analyze other Amazon GuardDuty findings available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-detectors command (OSX/Linux/UNIX) using custom query filters to list the ID of the Amazon GuardDuty detector, available in the selected region. A detector is an object that represents the AWS GuardDuty service. A detector must be created in order for GuardDuty to become operational:

aws guardduty list-detectors 
	--region us-east-1 
	--query 'DetectorIds'

02 The command output should return an array with the requested detector ID:

[
    "DetectorId": "aaabbbcccdddeeefff01234567890123"
]

03 Run list-findings command (OSX/Linux/UNIX) using custom query filters to list the IDs of the existing AWS GuardDuty findings, available in the selected region:

aws guardduty list-findings
	--region us-east-1
	--detector-id aaabbbcccdddeeefff01234567890123
	--query 'FindingIds'

04 The command output should return an array with the existing finding IDs:

[
    "bbbbccccddddeeee1234567890123456",
    "ccccddddeeeeffff1234567890123456",
    "ddddeeeeffffgggg1234567890123456"
]

05 Run get-findings command (OSX/Linux/UNIX) using the ID of the GuardDuty detector returned at step no. 2 and the ID of the finding that you want to examine as identifiers, to describe the selected Amazon GuardDuty finding:

aws guardduty get-findings
	--region us-east-1
	--detector-id aaabbbcccdddeeefff01234567890123
	--finding-ids bbbbccccddddeeee1234567890123456

06 The command output should return the metadata for selected GuardDuty finding:

{
    "Findings": [
        {
            "Title": "Unprotected port on EC2 instance i-012345678aabbccdd is being probed.",
            "Type": "Recon:EC2/PortProbeUnprotectedPort",
            "Region": "us-east-1",
            "Partition": "aws",
            "Arn": "arn:aws:guardduty:us-east-1:123456789012:detector/aaabbbcccdddeeefff01234567890123/finding/bbbbccccddddeeee1234567890123456",
            "UpdatedAt": "2017-12-12T19:18:55.329Z",
            "SchemaVersion": "2.0",
            "Severity": 2.0,
            "Id": "bbbbccccddddeeee1234567890123456",
            "CreatedAt": "2017-12-12T19:18:55.329Z",
            "AccountId": "123456789012",
 
            ...
 
            "Description": "EC2 instance has an unprotected port which is being probed by a known malicious host.",
            "Service": {
                "Count": 1,
                "Archived": false,
                "ServiceName": "guardduty",
                "EventFirstSeen": "2017-12-12T19:10:53Z",
                "ResourceRole": "TARGET",
                "EventLastSeen": "2017-12-12T19:11:46Z",
                "DetectorId": "aaabbbcccdddeeefff01234567890123",
                "Action": {
                    "ActionType": "PORT_PROBE"
                }
            },
 
            ...
            
            "Resource": {
                "ResourceType": "Instance",
                "InstanceDetails": {
                    "ProductCodes": [],
                    "AvailabilityZone": "us-east-1a",
                    "InstanceId": "i-012345678aabbccdd",
                    "InstanceState": "running",
                    "ImageId": "ami-abcd01234",
                    "InstanceType": "c4.large",
                }
            }
        }
    ]
}

07 Analyze the selected AWS GuardDuty finding metadata by checking the following attributes:

  1. "Title" – the title of the selected AWS GuardDuty finding.
  2. "Type" – the type of the finding (e.g. "Recon:EC2/PortProbeUnprotectedPort"). For more information, see AWS GuardDuty finding types.
  3. "Severity" – a finding's assigned severity level of either High, Medium or Low.
  4. "AccountId" – the ID of the AWS account in which the activity took place that prompted the service to generate the finding.
  5. "Resource" – the details about the AWS resource against which the activity took place that prompted the service to generate the finding.
  6. "Description" – a concise yet readable description of the potential security issue.
  7. "ActionType" – the finding activity type. This value can be one of the following: NETWORK_CONNECTION (when traffic was exchanged between the identified instance and the remote host), AWS_API_CALL (when an AWS API is invoked), PORT_PROBE (when a remote host probed the identified instance on multiple open ports) or DNS_REQUEST (when the identified instance queried a domain name).

08 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

09 Repeat steps no. 5 – 7 to check and analyze other Amazon GuardDuty findings available in the current region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the audit process for other regions.

Remediation / Resolution

To solve an Amazon GuardDuty finding, perform the following actions:" note="Note: As example, this section will provide step by step instructions on how to solve the audited GuardDuty finding (i.e. "unprotected port on EC2 instance i-012345678aabbccdd is being probed") by updating the inbound configuration of the security group associated with the compromised EC2 instance in order to restrict SSH access to specific (trusted) IP address or IP range.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group associated with the compromised EC2 instance, identified by the selected GuardDuty finding (see Audit section part I to identify the right EC2 resource).

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit inbound rules dialog box, change the traffic Source for the inbound rule that allows unrestricted access through TCP port 22 by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your machine (from your IP address).
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • A specific (trusted) IP address (IPv4) with the suffix set to /32, e.g. 192.168.100.54/32.
    • An IP address range (IPv4) in CIDR notation, for example 192.168.100.0/24.
    • The name or ID of another trusted security group available in the same AWS region.

07 Click Save to apply the changes. The SSH access is now restricted to the specific IP address/range or security group.

Using AWS CLI

01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule that allows unrestricted access through TCP port 22, from the security group associated with the compromised EC2 instance, identified by the selected GuardDuty finding (the command does not return an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name cc-staging-env-sg
	--protocol tcp
	--port 22
	--cidr 0.0.0.0/0

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed at the previous step with a different set of parameters in order to restrict SSH access to specific entities. To add custom inbound rules to the selected security group, use one of the following options (the command does not return an output):

  • Add an inbound rule that allows SSH access to a specific IP address (IPv4) via port 22:
    aws ec2 authorize-security-group-ingress
    	--region us-east-1
    	--group-name cc-staging-env-sg
    	--protocol tcp
    	--port 22
    	--cidr 192.168.100.54/32
    
  • Add an inbound rule that allows SSH access to a specific IP address range (IPv4) via port 22:
    aws ec2 authorize-security-group-ingress
    	--region us-east-1
    	--group-name cc-staging-env-sg
    	--protocol tcp
    	--port 22
    	--cidr 192.168.100.0/24
    
  • Add an inbound rule that allows SSH access to another (trusted) EC2 security group in the same AWS region via port 22:
    aws ec2 authorize-security-group-ingress
    	--region us-east-1
    	--group-name cc-staging-env-sg
    	--protocol tcp
    	--port 22
    	--source-group cc-new-staging-sg
    

The SSH access is now restricted to the specific IP address/range or security group.

References

Publication date Dec 14, 2017