
Amazon GuardDuty for beginners

【Table of contents】

  1. What is Amazon GuardDuty?
  2. Who is Amazon GuardDuty recommended for?
  3. Conclusion
  • 1. What is Amazon GuardDuty?

    Amazon GuardDuty is a service that detects attacks against AWS environments and AWS accounts.
    Anyone who uses AWS can use it, and it is easy to adopt because there is no software to install.
    In addition, its inexpensive, usage-based billing lets you detect threats in your AWS environment at low cost.

    Here's a quick summary of Amazon GuardDuty's features.

    • A service that monitors the security status of your AWS environment and AWS accounts and notifies you of findings.
    • No complicated setup required. You only need to enable it in AWS.
    • Detects possible attacks from logs analyzed by machine learning.
    • Inexpensive billing system, so you can use it without hesitation.

    In other words, GuardDuty is a solution that detects attacks against both your AWS environment and the security of your AWS accounts.


    • a) Why do we need GuardDuty?

      With AWS, anyone can now build a public-facing server far more easily than in a traditional on-premises environment.
      On the other hand, that ease of use has made security issues unavoidable.

      In a cloud environment such as AWS, it is easy to expose your environment to the public, and there are certainly servers out there with security flaws.

      There is no problem if you configure security properly on the user side, but if you are a new user, or only use AWS casually for a test environment, your security settings may be weak and you may be vulnerable to attack.

      In fact, the number of attackers targeting environments built on AWS is on the rise, making users with poor security settings easy prey.

      That's where GuardDuty comes in: a threat detection solution from Amazon, the AWS provider itself, which leverages the vast amount of logs and threat information at its disposal.

      If you've never gotten around to verifying your security, or you set it up once and have left it untouched since, you'll benefit from the ease and reliability of GuardDuty.


    • b) What are the benefits of using GuardDuty?

      The benefits of Amazon GuardDuty are as follows:

      • Comprehensive threat identification
      • Increased security through automation
      • Enterprise scale and centralized management
      (Citation: https://aws.amazon.com/guardduty/)

      GuardDuty primarily analyzes network logs and account activity logs within AWS.

      The logs subject to GuardDuty's analysis amount to hundreds of billions of events across multiple AWS data sources, including AWS CloudTrail, Amazon VPC flow logs, and DNS logs.

      These logs are then analyzed by AWS's own machine learning to detect possible attacks, such as cryptocurrency mining, attacks on accounts and credentials, or communication with known C2 servers or malicious IP addresses.

      GuardDuty can also trigger automatic remediation actions by combining Amazon CloudWatch Events with AWS Lambda.

      GuardDuty by itself does not block attacks, but it can be used in conjunction with other AWS services to further enhance security.
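The CloudWatch Events and Lambda combination described above, as an added example that is not code from the original post or from AWS: a Lambda handler that triages an incoming GuardDuty finding event by severity and picks a follow-up action. The action names and the sample event are constructed for this example; a real deployment would replace them with calls to the AWS API.

```python
import json

def severity_label(severity):
    """Map GuardDuty's numeric severity to its Low / Medium / High bands."""
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"

def triage_finding(event):
    """Pull out what a responder needs and pick a (placeholder) follow-up action."""
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    instance = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    # Action names are placeholders; a real handler would call the AWS API here.
    if label == "HIGH" and instance:
        action = "isolate-instance"  # e.g. move it to a quarantine security group
    elif label in ("HIGH", "MEDIUM"):
        action = "notify-oncall"
    else:
        action = "log-only"
    return {
        "account": event["account"], "region": event["region"],
        "finding_id": detail["id"], "type": detail["type"],
        "severity": label, "instance_id": instance, "action": action,
    }

def lambda_handler(event, context):
    """Entry point invoked by a CloudWatch Events rule whose pattern matches
    source = aws.guardduty and detail-type = GuardDuty Finding."""
    decision = triage_finding(event)
    print(json.dumps(decision))  # ends up in the function's CloudWatch Logs
    return decision

# Constructed sample event (not a real finding) in the shape CloudWatch Events
# delivers, so the handler can be exercised offline.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111111111111", "region": "ap-northeast-1",
    "detail": {
        "id": "sample-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```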

      In addition, GuardDuty lets you centrally manage detection status across multiple AWS accounts. This is a great benefit for enterprise users who don't want to check every single AWS account one by one.


    • c) How much does GuardDuty cost?

      Amazon GuardDuty is billed monthly, based on the volume of logs analyzed.

      As of December 2019, the rates in Asia Pacific (Tokyo) are as follows:

      • VPC flow log and DNS log analysis
        • First 500 GB in a month: 1.18 USD or more per GB
        • Up to 2,000 GB in a month: 0.59 USD or more per GB
        • Over 2,500 GB in a month: 0.29 USD or more per GB
      • AWS CloudTrail event analysis: 4.72 USD per million events

      However, if you don't know how much log volume you will actually generate, and therefore how much it will cost, don't worry.
      GuardDuty has a 30-day free trial, so you can test it in action first. The trial also shows you the analyzed log volume and the estimated usage fee, so you can predict how much it will cost once it is actually put into operation.


    • d) How to use GuardDuty?

      To use Amazon GuardDuty, simply click the Activate button in the AWS console.

      There are no complicated steps.

      However, configuring VPC flow log output and creating a trail in AWS CloudTrail for log analysis must be done separately.

      Also, don't forget to configure notifications, multi-account management, and so on.


  • 2. Who is Amazon GuardDuty recommended for?

    Based on the above, Amazon GuardDuty is recommended for the following people:

    • People who are unsure about their AWS security measures
    • People who are concerned about response and protection after a detection
    • People who have taken security measures for AWS but want to know the actual detection status of threats
    • People who want to know their security detection status with as little effort as possible
    • People who want to know the detection status across multiple AWS accounts

    In other words, we recommend this solution to those who want to implement security measures easily and reliably in an AWS environment.


  • 3. Conclusion

    While AWS is easy to use, many people don't know what they need to do to maintain security.

    The advantage of GuardDuty is its inexpensive monthly billing combined with low setup and operating costs.

    There is also a free trial, so if you are considering adopting it, you may want to try it out in advance.