Tuesday 4 June 2024

Introduction to Amazon GuardDuty with Terraform

 


Amazon GuardDuty:
  • Intelligent threat detection service
  • Continuously monitors, profiles and analyses events across AWS accounts and resources for potential threats 
  • Exposes threats quickly using:
    • Anomaly detection
    • Machine learning (ML)
    • Behavioral modeling
    • Threat intelligence feeds from AWS and leading third parties
  • Helps protect AWS accounts, workloads, and data from threats

To protect your AWS accounts and resources, GuardDuty analyses tens of billions of events per minute across multiple AWS data sources, such as:
  • AWS CloudTrail event logs
  • Amazon Virtual Private Cloud (Amazon VPC) Flow Logs
  • DNS query logs
  • Amazon Simple Storage Service (Amazon S3) data plane events
  • Amazon Elastic Kubernetes Service (Amazon EKS) audit logs
  • Amazon Relational Database Service (Amazon RDS) login events 





Enabling Amazon GuardDuty via Terraform


To enable Amazon GuardDuty monitoring and feedback reporting we need to use the aws_guardduty_detector resource.

main.tf:

resource "aws_guardduty_detector" "this" {
  enable = true
}


$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_guardduty_detector.this will be created
  + resource "aws_guardduty_detector" "this" {
      + account_id                   = (known after apply)
      + arn                          = (known after apply)
      + enable                       = true
      + finding_publishing_frequency = (known after apply)
      + id                           = (known after apply)
      + tags_all                     = (known after apply)

      + datasources {
          + kubernetes {
              + audit_logs {
                  + enable = (known after apply)
                }
            }

          + malware_protection {
              + scan_ec2_instance_with_findings {
                  + ebs_volumes {
                      + enable = (known after apply)
                    }
                }
            }

          + s3_logs {
              + enable = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_guardduty_detector.this: Creating...
aws_guardduty_detector.this: Creation complete after 1s [id=e6c7f038a9682cf6ff6bb514c110a66f]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.


If a GuardDuty detector already exists for the current account (e.g. it was added manually in the AWS Console), terraform apply might error out:

aws_guardduty_detector.this: Creating...
│ Error: creating GuardDuty Detector: BadRequestException: The request is rejected because a detector already exists for the current account.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "6e9a9855-a801-4f98-ab5e-8c4461a307fe"
│   },
│   Message_: "The request is rejected because a detector already exists for the current account.",
│   Type: "InvalidInputException"
│ }
│ 
│   with aws_guardduty_detector.this,
│   on main.tf line 6, in resource "aws_guardduty_detector" "this":
│    6: resource "aws_guardduty_detector" "this" {

To fix this we can list all detectors for the given profile:

% aws guardduty list-detectors --profile my-profile
{
    "DetectorIds": [
        "81cc2fd56fb7a205e9bd39d16ecb1dd2"
    ]
}

...and we need to import this resource into the Terraform state. For Terraform versions before v1.5.0 this can only be done via the CLI command:

% terraform import aws_guardduty_detector.this 81cc2fd56fb7a205e9bd39d16ecb1dd2
Acquiring state lock. This may take a few moments...
...                          

aws_guardduty_detector.this: Importing from ID "81cc2fd56fb7a205e9bd39d16ecb1dd2"...
aws_guardduty_detector.this: Import prepared!
  Prepared aws_guardduty_detector for import
aws_guardduty_detector.this: Refreshing state... [id= 81cc2fd56fb7a205e9bd39d16ecb1dd2]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Releasing state lock. This may take a few moments...

The recommended way for Terraform v1.5.0+ is to use an import block. Note that the detector ID must be a quoted string:

import {
  to = aws_guardduty_detector.this
  id = "81cc2fd56fb7a205e9bd39d16ecb1dd2"
}


Once we've provisioned the resource, let's check in AWS Console which protection plans are now enabled:

S3 Protection




From AWS Console side info panel:
S3 protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets.

GuardDuty monitors CloudTrail management events involving your S3 resources, which include bucket-level API operations such as ListBuckets, DeleteBuckets, and PutBucketReplication. This capability is a core part of the service and cannot be disabled. S3 protection is an expansion of existing GuardDuty CloudTrail monitoring capability that allows CloudTrail data events, such as ListObjects, DeleteObject, and PutObject, to be monitored in addition to CloudTrail management events.

This feature is enabled by default for new accounts but can be optionally disabled or enabled at any time from this page. You can also enable S3 protection for all member accounts in your organization from this page. To disable S3 protection for a member account, use the Actions menu on the Accounts page.

GuardDuty highly recommends that you enable this feature to help ensure that your S3 resources are fully monitored.


EKS Protection





From AWS Console side info panel:
EKS Protection in Amazon GuardDuty provides threat detection coverage to help you protect Amazon Elastic Kubernetes Service (Amazon EKS) clusters within your AWS environment. EKS Protection includes configuration for EKS Audit Log Monitoring and EKS Runtime Monitoring.

EKS Audit Log Monitoring – Helps you detect potentially suspicious activities in EKS clusters within Amazon Elastic Kubernetes Service (Amazon EKS), using Kubernetes audit logs.
Kubernetes audit logs capture sequential actions within your Amazon EKS cluster, including activities from users, applications using the Kubernetes API, and the control plane.

EKS Runtime Monitoring – Provides runtime threat detection for Amazon EKS nodes and containers within your AWS environment.
With the support of an Amazon EKS add-on GuardDuty security agent, EKS Runtime Monitoring monitors and processes runtime events for your Amazon EKS clusters to identify potential security threats in your environment.

If you configure your accounts with EKS Audit Log Monitoring and EKS Runtime Monitoring together, you can achieve optimal EKS Protection both at the cluster control plane level and down to the individual pod or container operating system level.


Runtime Monitoring


Runtime Monitoring is still disabled. To enable it via Terraform we need to use the aws_guardduty_detector_feature resource.



From AWS Console side info panel:
Runtime Monitoring helps GuardDuty monitor and analyze the operating system-level events to help you detect potential threats in specific AWS workloads within your AWS environment. Runtime Monitoring was previously only available for Amazon Elastic Kubernetes Service (Amazon EKS) resources, but GuardDuty has now expanded the Runtime Monitoring feature to provide threat detection for the Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2) resources.

Presently, the Amazon EC2 instance support is available as a preview release and is subject to change.

The console support for EKS Runtime Monitoring is now available within Runtime Monitoring. To use the console support, you must migrate your existing EKS Runtime Monitoring configuration to Runtime Monitoring.
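
Added example (not from the original post): one way to pin the protection plans described on this page in code instead of relying on account defaults, including Runtime Monitoring with automated agent management for EKS, ECS Fargate and EC2. It goes beyond the single feature mentioned above and assumes the aws_guardduty_detector.this resource from main.tf; the resource labels plans and runtime_monitoring and the local guardduty_features are illustrative names.

```hcl
# Added example; lives next to the aws_guardduty_detector.this resource in main.tf.

locals {
  # Protection plans that need no additional configuration.
  # Declaring them explicitly means a plan switched off in the console
  # shows up as drift on the next terraform plan.
  guardduty_features = toset([
    "S3_DATA_EVENTS",         # S3 Protection
    "EKS_AUDIT_LOGS",         # EKS Audit Log Monitoring
    "EBS_MALWARE_PROTECTION", # Malware Protection for EC2
    "RDS_LOGIN_EVENTS",       # RDS Protection
    "LAMBDA_NETWORK_LOGS",    # Lambda Protection
  ])
}

resource "aws_guardduty_detector_feature" "plans" {
  for_each = local.guardduty_features

  detector_id = aws_guardduty_detector.this.id
  name        = each.key
  status      = "ENABLED"
}

# Runtime Monitoring covers EKS, ECS and EC2. Use RUNTIME_MONITORING rather
# than the older EKS_RUNTIME_MONITORING feature name; do not declare both.
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  # Let GuardDuty deploy and manage its security agent per workload type.
  additional_configuration {
    name   = "EKS_ADDON_MANAGEMENT"
    status = "ENABLED"
  }
  additional_configuration {
    name   = "ECS_FARGATE_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT" # needs a recent AWS provider version
    status = "ENABLED"
  }
}
```

Do not combine these resources with a datasources block on the detector for the same plans, as the two would manage the same settings and fight over them.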


Malware Protection for EC2




From AWS Console side info panel:
Malware Protection helps you detect the potential presence of malware in Amazon EC2 instances and container workloads in your account. It scans the Amazon EBS volumes attached to these Amazon EC2 instances or container workloads. Malware Protection offers two types of scan – GuardDuty-initiated malware scan and On-demand malware scan. 

GuardDuty-initiated malware scan 

Enable GuardDuty-initiated malware scan to initiate an agentless scan of the Amazon EBS volumes attached to the Amazon EC2 instances and container workloads, automatically whenever GuardDuty generates any of the Findings that invoke GuardDuty-initiated malware scan. If GuardDuty-initiated malware scan is enabled for the first time in your account, it is included in the 30-day free trial period.

If you want to skip certain resources from the automatic scanning process, you can add the tags associated with those Amazon EC2 resources to the exclusion list. If you want to ensure that certain resources are scanned, add the tags associated with those Amazon EC2 resources to the inclusion list. At any point in time, you can choose to follow either inclusion list or exclusion list.

Malware Protection also provides an option to retain the scanned snapshots of your Amazon EBS volumes. By default, the snapshots retention setting is turned off. If you want to retain the scanned snapshots in your AWS account, ensure to turn on this setting.

Both scan options and snapshots retention setting must be configured before the scan gets initiated.

On-demand malware scan

To initiate an on-demand malware scan on the Amazon EBS volumes attached to your Amazon EC2 instance, provide the Amazon Resource Name (ARN) associated with your Amazon EC2 instance. Initiating an on-demand malware scan doesn't require any configuration. If you're a delegated GuardDuty administrator account who is initiating an on-demand malware scan on behalf of one of the member accounts, ensure that the GuardDuty member account has GuardDuty activated. If you're initiating an On-demand malware scan and the Malware Protection service-linked role (SLR) is not available in your account, GuardDuty will create it automatically for your account.

Because On-demand malware scan is independent of GuardDuty-initiated malware scan, you can initiate an on-demand malware scan even when you have turned on GuardDuty-initiated malware scan. On-demand malware scan doesn't have a 30-day free trial period. For each on-demand malware scan, the usage cost applies to the total Amazon EBS volume scanned for each malware scan. For more information, see Amazon GuardDuty pricing. For information about the cost of creating the Amazon EBS volume snapshots and their retention, see Amazon EBS pricing.

RDS Protection




From AWS Console side info panel:
GuardDuty RDS Protection helps you protect Amazon Aurora databases in your account. Enable the RDS Protection feature to analyze and profile RDS login activity for potential access threats to your supported databases. RDS Protection doesn't require additional infrastructure; it is designed so as not to affect the performance of your database instances.

When you enable the RDS Protection feature, GuardDuty automatically starts to monitor login events for your databases directly from the Amazon Aurora service. When RDS Protection is not enabled, GuardDuty neither ingests RDS login activity nor detects anomalous or suspicious login behavior. You can enable or disable the RDS Protection feature for any account at any time.

Lambda Protection




From AWS Console side info panel:
Lambda Protection helps you identify potential security threats when your AWS Lambda functions get invoked. After you enable Lambda Protection, GuardDuty will start monitoring Lambda network activity logs associated with the Lambda function in your AWS account. When your Lambda function gets invoked and GuardDuty identifies suspicious network traffic that indicates the presence of a potentially malicious piece of code in your Lambda function, GuardDuty generates a finding.

Disabling GuardDuty with Terraform


resource "aws_guardduty_detector" "this" {
  enable = false
}

In the AWS Console we'll still be able to see past findings, but monitoring will be stopped and no new findings will be added.


