Getting Hands on with Amazon GuardDuty
This repository walks you through a scenario covering threat detection and remediation using Amazon GuardDuty; a managed threat detection service. The scenario simulates an attack that spans a few threat vectors, representing just a small sample of the threats that GuardDuty is able to detect.
In addition, you will look at how to view and analyze GuardDuty findings, how to send alerts based on the findings, and, finally, how to remediate findings.
The AWS CloudFormation template used for this scenario builds out the resources needed to simulate attacks and auto-remediate the GuardDuty findings using a combination of CloudWatch Event Rules and AWS Lambda Functions.
- Level: 300
- Duration: 1-2 hours
- Prerequisites: AWS Account, Admin IAM User, AWS CLI
- CSF Functions: Protect, Detect, Respond
- CAF Components: Preventative, Detective, Responsive
- AWS Services: Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail, AWS Lambda, Security Groups, Amazon SNS
Please use the us-west-2 (Oregon) region for this workshop.
This workshop is broken up into the three scenarios below:
We will detect and remediate a compromised host using Amazon GuardDuty, Amazon CloudWatch Event Rules and AWS Lambda.
We will identify a malicious host attempting to make API calls inside our AWS environment and remediate the host manually.
We will identity that credentials have been exfiltrated from a compromised host and identify the API calls taken from an external host using those credentials. In addition we will review the automated remediation taken through AWS Lambda.
We will identity a malicious host attempting to make S3 API calls inside our AWS environment and remediate the host manually.