GitHub Code
https://github.com/zghafari/guardduty
What is GuardDuty?
GuardDuty in a nutshell is a threat detection service that continuously monitors your AWS accounts and workloads for malicious or unauthorized behavior. It's sort of like having custom AWS Config rules set up, except Amazon takes care of it for you and it's fully managed.
What does it monitor?
- Backdoor
- Behavior
- CryptoCurrency
- PenTest
- Persistence
- Policy
- Recon
- ResourceConsumption
- Stealth
- Trojan
- UnauthorizedAccess
Technical Details of GuardDuty
GuardDuty works by creating what is called a "Detector". A detector is the object that represents the GuardDuty service in an account, and GuardDuty is not operational until one exists. To create the detector programmatically, run the CreateDetector API operation.
GuardDuty in a multi-account organization.
So we know that GuardDuty requires a detector in an account before it becomes operational, and that only one detector is allowed per account.
In a multi-account environment there will be one master account and multiple member accounts. Let's take a look, step by step, at the operations required to set this up in such an environment.
- Create detectors on all member accounts. This makes the GuardDuty service operational in each of them.
- Run the CreateMembers API operation on the master account. This registers the members in the account that will become the GuardDuty master. Two parameters must be supplied: detector-id and account-details. detector-id is the id of the master detector (the detector in the account you are running CreateMembers from); account-details is a list containing the account id and root email address of each member account.
- Run the InviteMembers API operation on the same master account to send an invitation to the member accounts. This also takes two parameters: the master detector-id and the account-ids of all the members you would like to invite to join the master.
- Finally, accept the invitation by running the AcceptInvitation API operation on each member account. You must specify the detector-id of the current member account, the master account-id and the invitation-id.
Terraform Modules
So we now know which API operations are called, which of them run on the master and which run on the member. Let's take a look at the Terraform resources available to us.
Master GuardDuty Module Structure
- Create Detector
- Create GuardDuty Member
- Note: You must manually accept member account invitations before GuardDuty will begin sending cross-account events. Terraform and CloudFormation do not offer an operation to accomplish this.
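The four-step enrolment above, together with the acceptance step that the note says Terraform and CloudFormation cannot perform, can be scripted. The block below is an added example and is not code from the original post or from the linked repository. Its master-side and member-side functions are written against the boto3 guardduty client's method names (list_detectors, create_detector, create_members, invite_members, list_invitations, accept_invitation); FakeGuardDuty, the account ids, the detector and invitation id formats and the e-mail addresses are constructed so the flow runs offline. For real accounts you would pass a boto3.client("guardduty") created from each account's credentials instead of a FakeGuardDuty.

```python
"""Multi-account GuardDuty enrolment: master side (CreateMembers, InviteMembers)
and member side (AcceptInvitation), with a constructed in-memory stand-in for
the boto3 guardduty client so the whole exchange runs offline."""
from typing import Dict, List, Optional


def ensure_detector(gd) -> str:
    """Return the account's single detector id, creating one if none exists."""
    existing = gd.list_detectors().get("DetectorIds", [])
    if existing:
        return existing[0]  # only one detector is allowed per account
    return gd.create_detector(Enable=True)["DetectorId"]


def enrol_members(master_gd, members: List[Dict[str, str]], message: str) -> Dict:
    """Master side: ensure a detector, CreateMembers, then InviteMembers.
    Accounts that CreateMembers rejects are reported back and not invited."""
    detector_id = ensure_detector(master_gd)
    created = master_gd.create_members(
        DetectorId=detector_id,
        AccountDetails=[{"AccountId": m["account_id"], "Email": m["email"]} for m in members],
    )
    rejected = sorted(u["AccountId"] for u in created.get("UnprocessedAccounts", []))
    to_invite = [m["account_id"] for m in members if m["account_id"] not in rejected]
    if to_invite:
        master_gd.invite_members(DetectorId=detector_id, AccountIds=to_invite, Message=message)
    return {"detector_id": detector_id, "invited": to_invite, "rejected": rejected}


def accept_from_master(member_gd, expected_master_id: str) -> Optional[str]:
    """Member side: ensure a detector, then AcceptInvitation, but only for an
    invitation that really comes from the account we expect to be our master.
    Returns the accepted invitation id, or None if nothing matching is pending."""
    detector_id = ensure_detector(member_gd)
    for inv in member_gd.list_invitations().get("Invitations", []):
        if inv["AccountId"] != expected_master_id:
            continue  # invitations from any other account are left untouched
        # MasterId is the parameter name used here; newer SDKs also accept AdministratorId
        member_gd.accept_invitation(
            DetectorId=detector_id, MasterId=expected_master_id, InvitationId=inv["InvitationId"]
        )
        return inv["InvitationId"]
    return None


class FakeGuardDuty:
    """Constructed stand-in for one account's boto3 guardduty client (not AWS code).
    `directory` is a shared dict (account id -> FakeGuardDuty) standing in for AWS."""

    def __init__(self, account_id: str, directory: Dict[str, "FakeGuardDuty"]):
        self.account_id = account_id
        self.directory = directory
        self.detectors: List[str] = []
        self.members: Dict[str, str] = {}  # member account id -> relationship status
        self.invitations: List[Dict] = []  # invitations this account has received
        self.master_id: Optional[str] = None
        directory[account_id] = self

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, Enable=True):
        if self.detectors:
            raise RuntimeError("only one detector per account")
        self.detectors.append(f"det-{self.account_id}")  # constructed id format
        return {"DetectorId": self.detectors[0]}

    def create_members(self, DetectorId, AccountDetails):
        unprocessed = []
        for detail in AccountDetails:
            if detail["AccountId"] in self.directory:
                self.members[detail["AccountId"]] = "Created"
            else:
                unprocessed.append({"AccountId": detail["AccountId"], "Result": "account not found"})
        return {"UnprocessedAccounts": unprocessed}

    def invite_members(self, DetectorId, AccountIds, Message="", DisableEmailNotification=False):
        for aid in AccountIds:
            self.members[aid] = "Invited"
            self.directory[aid].invitations.append(
                {"AccountId": self.account_id, "InvitationId": f"inv-{self.account_id}-{aid}",
                 "RelationshipStatus": "Invited"})
        return {"UnprocessedAccounts": []}

    def list_invitations(self):
        return {"Invitations": list(self.invitations)}

    def accept_invitation(self, DetectorId, MasterId, InvitationId):
        if not any(i["InvitationId"] == InvitationId for i in self.invitations):
            raise ValueError("no such invitation")
        self.master_id = MasterId
        self.directory[MasterId].members[self.account_id] = "Enabled"
        return {}


if __name__ == "__main__":
    aws = {}  # constructed: two accounts sharing one fake "AWS"
    master = FakeGuardDuty("111111111111", aws)
    member = FakeGuardDuty("222222222222", aws)
    print(enrol_members(master, [{"account_id": "222222222222", "email": "sec@example.com"}], "please accept"))
    print(accept_from_master(member, "111111111111"), master.members)
```

The member side deliberately checks the inviting account id before calling AcceptInvitation: an invitation from any account other than the one you administer is left pending rather than accepted, so a member never hands its findings to an unexpected master. The master side surfaces the UnprocessedAccounts list from CreateMembers so a typo in an account id is reported instead of silently producing an invitation that goes nowhere.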
Master GuardDuty Variables
variable "member_account_ids" {
  type = "list"
}

variable "member_account_emails" {
  type = "list"
}
Master GuardDuty Module Code
# The master account's single detector
resource "aws_guardduty_detector" "master" {
  enable = true
}

# One member entry per account id, paired with the email at the same index
resource "aws_guardduty_member" "prod_member" {
  count              = "${length(var.member_account_ids)}"
  detector_id        = "${aws_guardduty_detector.master.id}"
  account_id         = "${element(var.member_account_ids, count.index)}"
  email              = "${element(var.member_account_emails, count.index)}"
  invite             = true
  invitation_message = "GuardDuty Invite - Please accept this invitation if you are expecting it."
}
Member GuardDuty Module Structure
- Create Detector
Member GuardDuty Module Code
# The member account's single detector; the invitation is accepted outside Terraform
resource "aws_guardduty_detector" "member" {
  enable = true
}
Comments
Was someone testing the comment section? Anyway, I am curious about something here - I see that you created a detector for the master account, then you created member accounts, assigning each one of them the master's detector id (I'll assume the count is 1). Then you went ahead to create a detector for the member. So what happens to the member detector id since the guardduty_member has the master's detector id assigned to it, but then again a detector is created for the member...