Loading...
Loading...
This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.
npx skill4agent add mukul975/anthropic-cybersecurity-skills detecting-cloud-threats-with-guardduty# Enable GuardDuty as organization delegated administrator
aws guardduty create-detector \
--enable \
--finding-publishing-frequency FIFTEEN_MINUTES \
--data-sources '{
"S3Logs": {"Enable": true},
"Kubernetes": {"AuditLogs": {"Enable": true}},
"MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": true}}
}'
# Enable Runtime Monitoring for EC2 and ECS
aws guardduty update-detector \
--detector-id <detector-id> \
--features '[
{"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
"AdditionalConfiguration": [
{"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
{"Name": "EC2_AGENT_MANAGEMENT", "Status": "ENABLED"}
]}
]'
# Designate delegated admin for multi-account
aws guardduty enable-organization-admin-account \
--admin-account-id 111122223333# Auto-enable GuardDuty for all org members
aws guardduty update-organization-configuration \
--detector-id <detector-id> \
--auto-enable-organization-members ALL \
--features '[
{"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
{"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"},
{"Name": "RUNTIME_MONITORING", "AutoEnable": "ALL"}
]'
# Configure finding export to S3
aws guardduty create-publishing-destination \
--detector-id <detector-id> \
--destination-type S3 \
--destination-properties '{
"DestinationArn": "arn:aws:s3:::guardduty-findings-centralized",
"KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}'# EventBridge rule for high/critical GuardDuty findings
aws events put-rule \
--name GuardDutyHighSeverity \
--event-pattern '{
"source": ["aws.guardduty"],
"detail-type": ["GuardDuty Finding"],
"detail": {
"severity": [{"numeric": [">=", 7]}]
}
}'
# Target Lambda function for auto-remediation
aws events put-targets \
--rule GuardDutyHighSeverity \
--targets '[{
"Id": "AutoRemediateTarget",
"Arn": "arn:aws:lambda:us-east-1:123456789012:function/guardduty-auto-remediate"
}]'import boto3
def lambda_handler(event, context):
finding = event['detail']
finding_type = finding['type']
severity = finding['severity']
if finding_type.startswith('UnauthorizedAccess:EC2') and severity >= 7:
instance_id = finding['resource']['instanceDetails']['instanceId']
ec2 = boto3.client('ec2')
# Create isolation security group (no inbound/outbound rules)
vpc_id = finding['resource']['instanceDetails']['networkInterfaces'][0]['vpcId']
isolation_sg = ec2.create_security_group(
GroupName=f'isolation-{instance_id}',
Description='GuardDuty auto-isolation',
VpcId=vpc_id
)
# Replace all security groups with isolation group
ec2.modify_instance_attribute(
InstanceId=instance_id,
Groups=[isolation_sg['GroupId']]
)
# Tag instance for investigation
ec2.create_tags(
Resources=[instance_id],
Tags=[{'Key': 'SecurityStatus', 'Value': 'ISOLATED'},
{'Key': 'GuardDutyFinding', 'Value': finding_type}]
)
return {'status': 'isolated', 'instance': instance_id}# List critical attack sequence findings
aws guardduty list-findings \
--detector-id <detector-id> \
--finding-criteria '{
"Criterion": {
"severity": {"Gte": 9},
"type": {"Eq": ["AttackSequence:EC2/CompromisedInstanceGroup",
"AttackSequence:ECS/CompromisedCluster",
"AttackSequence:EKS/CompromisedCluster"]}
}
}'
# Get full finding details with attack sequence timeline
aws guardduty get-findings \
--detector-id <detector-id> \
--finding-ids <finding-id># Verify GuardDuty integration with Security Hub
aws securityhub get-enabled-standards
# Enable Amazon Security Lake with GuardDuty as a source
aws securitylake create-data-lake \
--configurations '[{
"region": "us-east-1",
"lifecycleConfiguration": {
"expiration": {"days": 365}
}
}]'| Term | Definition |
|---|---|
| Extended Threat Detection | GuardDuty capability that correlates multiple signals across time to detect multi-stage attacks, generating Critical-severity attack sequence findings |
| Runtime Monitoring | Protection plan that deploys a security agent to EC2 instances, ECS tasks, and EKS pods to detect runtime threats at the OS level |
| Finding Severity | Four-tier classification (Low, Medium, High, Critical) where Critical indicates confirmed multi-stage attacks requiring immediate response |
| Malware Protection | On-demand and automatic EBS volume scanning triggered by suspicious EC2 behavior to detect malware without agent installation |
| Delegated Administrator | Organization member account designated to manage GuardDuty across all accounts in an AWS Organization |
| Suppression Rule | Filter that automatically archives findings matching specific criteria to reduce noise from known benign activity |
| Threat Intelligence | IP reputation lists and domain threat feeds used by GuardDuty to identify communication with known malicious infrastructure |
GuardDuty Threat Detection Summary
====================================
Account: 123456789012 (production)
Region: us-east-1
Period: 2025-02-01 to 2025-02-23
CRITICAL FINDINGS (Immediate Action Required):
[CRIT-001] AttackSequence:EC2/CompromisedInstanceGroup
- Instances: i-0abc123def, i-0def456abc
- Attack Chain: Credential theft -> Persistence -> Crypto mining
- First Signal: 2025-02-15T08:23:00Z
- Duration: 4 hours across 3 stages
- Status: Auto-isolated via Lambda
HIGH FINDINGS:
[HIGH-001] UnauthorizedAccess:IAMUser/MaliciousIPCaller
- Principal: arn:aws:iam::123456789012:user/ci-deploy
- Source IP: 198.51.100.42 (Tor exit node)
- API Calls: 47 calls to ec2:RunInstances
- Status: Access key deactivated
[HIGH-002] CryptoCurrency:Runtime/BitcoinTool.B
- Resource: ECS Task arn:aws:ecs:us-east-1:123456789012:task/cluster/task-id
- Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v2.1
- Process: /tmp/.hidden/xmrig --pool stratum+tcp://pool.example.com:3333
- Status: Task stopped, image quarantined
STATISTICS:
Total Findings: 23
Critical: 1 | High: 3 | Medium: 8 | Low: 11
Auto-Remediated: 4
Pending Investigation: 2