AWS GuardDuty

With a few clicks in the AWS Management Console, Amazon GuardDuty can be enabled and customers can have a more intelligent and cost-effective option for threat detection in the AWS Cloud.


Amazon GuardDuty is a managed threat detection service which could intelligently protect the AWS accounts and workloads. It continuously monitors for malicious or unauthorized behaviors, such as API calls, that indicate a possible account compromise.

GuardDuty detects unexpected activities in AWS environment and generate notification called Findings which specifies the underlying security issue. GuardDuty collects its data from three log streams, VPC Flow Logs, DNS Logs and CloudTrail Logs and identifies suspected attackers through integrated threat intelligence feeds. When a potential threat is detected, the service delivers an alert to GuardDuty console and AWS CloudWatch events.

With Amazon GuardDuty, it can be enabled and customers can have a more intelligent and cost-effective option for threat detection in the AWS Cloud.


In this lab, you will build a threat list to AWS GuardDuty using your public ip address and an AWS web server. After setting up AWS GuardDuty and active your list. Log in your server and you will see GuardDuty detect it.

Step by Step

Create s3 bucket and store threat list into S3

Storing your threat-list in S3 bucket in order to let GuardDuty find your threat-list.

● Create a txt file and add your public IP in it in order to test your GuardDuty(You can check your ip via whatismyipaddress or you can try other ip. In your list, IP addresses must appear one per line.

● Create a bucket on S3 and upload threat-list you created.
Copy path of your threat list and GuardDuty will use this path to find your threat-list.

Active your GuardDuty

We will add a new threat list and connect with uploaded txt and GuardDuty will start detecting whether your account is dangerous or not.

● On the service menu, select GuardDuty.
● Choose Get started and enable GuardDuty.

● On the left panel, select lists and add a threat list.

● In Add a threat list,

  • For your List name, enter threatlist_yourname.
  • Paste the path (from your txt file) you copied before.
  • Drop down format menu and click Plaintext.

● Click I agree and add list, until you see green check.

● With Mac, log in to your server using ssh.
With Windows, log in to your server with putty.
● After a few minutes click Findings on the left panel.
● Now you can see how AWS web console access is detected by GuardDuty.

Subscribe Notifications

With AWS SNS Service, it will send all notifications to your email from GuardDuty’s findings.

● On service menu, select SNS
● Choose Create Topic, enter your Topic Name and Display Name as SNS-FromGuardDuty and create
● Select the topic you created and Subscribe to topic in Actions

  • Choose E-mail in protocol menu
  • Enter your email in Endpoint and click create

● You will receive verify email after few minutes and click Confirm Subscription

Create a role

IAM role connect Lambda and GuardDuty to let GuardDuty distinguish dangerous activity whether is in list or not

  1. On Service menu, select IAM
  2. On the left panel, choose roles and Create
  3. Choose AWS Service, lambda and click Next:Permission
  4. Search AWSLambdaBasicExecutionRole and select it.
  5. Click Next:Tag, Review, enter role name : GuardDuty-Finding-ToSNS-yourname and click create.
  6. Select the role you created and click Add Inline policy

> Note : 為你剛剛建立的 Topic ARN。

● Click Review policy,and Create

  • Name: GuardD uty-Finding-ToSNS-Policy

Use Lambda Function to Deliver Notification

You will receive notifications from GuardDuty.

● On Service menu, select Lambda.
● On the left panel choose Functions and Create Function
● Choose Author from scratch

  • Enter GuardDuty-To-SNS-yourname in Name
  • Select Run time with python 3.6
  • Select Role with Choose an existing role
  • Select Existing role with GuardDuty-finding-SNS-yourname (role you created)

● Input code

● In Environment variables

  • Enter Key with SNSTopicArn
  • Enter Value with : arn:aws:iam:: XXX19643XXXX:role/GuardDuty-finding-SNS(Your Topic ARN)

● Click Save

Connect GuardDuty and L ambda

When GuardDuty receive notifications from Lambda, AWS SNS Service will send the notification to your email

● On the Service menu, click Cloudwatch
● On the left panel click rule and Create role
● Click Event Pattern

  • Select Service Name with G uardDuty
  • Select Event Type with G uardDuty Finding
  • Click Add Target
  • Select Function with GuardDuty-To-SNS-yourname

● Click Configure details
● Configure rule details:

  • Name : GuardDuty-to-SNS-Rule
  • State : make sure enable d is checked
  • Click Create rule

● Log in your email, you are going to receive notifications

Open the email and you will see more details about this notification.


Finding Type : some examples of Threat purpose

  • UnauthorizedAccess : indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.
  • Recon : indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.

Severity Levels for GuardDuty Findings : Values 0 and 9.0 to 10.0 are currently reserved for future use.

  • Low : the value of severity parameter falls within the 0.1 to 3.9 range, indicates suspicious or malicious activity that was blocked before it compromised your resource.
  • Medium : the value of severity parameter falls within the 4.0 to 6.9 range,indicates suspicious activity, for example, a large amount of traffic being returned to a remote host that is hiding behind the Tor network, or activity that deviates from normally observed behavior.
  • High : the value of the severity parameter falls within the 7.0 to 8.9 range, indicates that the resource in question (an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.


We have configured AWS GuardDuty for threat detection and tested how it works. Now you can detect malicious behavior using AWS GuardDuty, test it through your IP. You can create your own list and observe the activities by yourself.

AWS GuardDuty is a managed service which does threat detection intelligently and collect different inputs and show how it acts and reported to you.

Security is now an important issue for everyone in the world, you should try it.


<< Reprinted from eCloudture Blog >>

2019-09-27T17:02:24+00:00 2019/09/27 |News, Security|