Detecting Cloud Threats with GuardDuty
- When establishing continuous threat detection for new or existing AWS accounts
- When investigating GuardDuty findings related to compromised instances, credential abuse, or data exfiltration
- When building automated incident response playbooks triggered by GuardDuty findings
- When extending threat coverage to container workloads running on EKS, ECS, or Fargate
- When enabling malware scanning for EBS volumes attached to suspicious EC2 instances
Do not use for Azure or GCP threat detection (see securing-azure-with-microsoft-defender or auditing-gcp-security-posture), for static code analysis, or for compliance posture monitoring (see implementing-aws-security-hub).
- AWS account with GuardDuty administrative permissions (guardduty:*)
- AWS CloudTrail, VPC Flow Logs, and DNS query logs enabled (GuardDuty consumes these automatically)
- AWS Organizations configured if deploying GuardDuty across a multi-account estate
- EventBridge and Lambda configured for automated response workflows
Step 1: Enable GuardDuty and Protection Plans
Activate GuardDuty at the organization level using a delegated administrator account. Enable all protection plans including S3 Protection, EKS Audit Log Monitoring, Runtime Monitoring, Malware Protection, RDS Login Activity, and Lambda Network Activity Monitoring.
```bash
# Enable GuardDuty as organization delegated administrator
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --data-sources '{
    "S3Logs": {"Enable": true},
    "Kubernetes": {"AuditLogs": {"Enable": true}},
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": true}}
  }'

# Enable Runtime Monitoring for EC2 and ECS
aws guardduty update-detector \
  --detector-id <detector-id> \
  --features '[
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [
       {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
       {"Name": "EC2_AGENT_MANAGEMENT", "Status": "ENABLED"}
     ]}
  ]'

# Designate delegated admin for multi-account
aws guardduty enable-organization-admin-account \
  --admin-account-id 111122223333
```
Step 2: Configure Multi-Account Aggregation
Automatically enroll all organization member accounts and configure finding export to a centralized S3 bucket for retention and SIEM ingestion.
```bash
# Auto-enable GuardDuty for all org members
aws guardduty update-organization-configuration \
  --detector-id <detector-id> \
  --auto-enable-organization-members ALL \
  --features '[
    {"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
    {"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"},
    {"Name": "RUNTIME_MONITORING", "AutoEnable": "ALL"}
  ]'

# Configure finding export to S3
aws guardduty create-publishing-destination \
  --detector-id <detector-id> \
  --destination-type S3 \
  --destination-properties '{
    "DestinationArn": "arn:aws:s3:::guardduty-findings-centralized",
    "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/key-id"
  }'
```
Step 3: Interpret Finding Types and Severity Levels
GuardDuty classifies findings into four severity levels: Critical, High, Medium, and Low. Each finding type follows the format ThreatPurpose:ResourceType/ThreatName. Extended Threat Detection generates attack sequence findings that correlate multiple events across time.
Key finding categories:
- Recon: Port scanning, API enumeration (e.g., Recon:EC2/PortProbeUnprotectedPort)
- UnauthorizedAccess: Credential abuse, console logins from unusual locations
- CryptoCurrency: Mining activity detected on instances (e.g., CryptoCurrency:EC2/BitcoinTool.B)
- Impact: Resource hijacking, data destruction attempts
- AttackSequence: Multi-stage attacks correlating initial access through lateral movement to impact (Critical severity)
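A triage helper that applies the classification above, added here as an example rather than code from the original page: it splits the ThreatPurpose:ResourceType/ThreatName string, maps the numeric severity in an EventBridge event to GuardDuty's four labels, and routes High and Critical findings to a response playbook the way the Step 4 rule does. The playbook names and the sample event are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Numeric floors of GuardDuty's four severity labels (Critical 9.0-10.0,
# High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9), checked from highest to lowest.
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 1.0))

# Hypothetical playbook names keyed by the finding's ResourceType segment.
PLAYBOOKS = {
    "EC2": "isolate-instance",
    "IAMUser": "deactivate-access-key",
    "ECS": "stop-task-preserve-image",
    "EKS": "review-audit-log-and-revoke-token",
    "Runtime": "stop-workload-preserve-image",
}

# Constructed sample, in the shape EventBridge delivers a GuardDuty finding.
SAMPLE_EVENT = {
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc123def"}},
    }
}

@dataclass(frozen=True)
class Triage:
    threat_purpose: str
    resource_type: str
    threat_name: str
    severity_label: str
    playbook: str  # empty string means notify only, no automated action

def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatName' into its three segments."""
    purpose, sep, rest = finding_type.partition(":")
    resource_type, slash, threat_name = rest.partition("/")
    if not (sep and slash and purpose and resource_type and threat_name):
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return purpose, resource_type, threat_name

def severity_label(severity):
    """Map the numeric severity carried in the event to its label."""
    for label, floor in SEVERITY_BANDS:
        if float(severity) >= floor:
            return label
    return "Low"

def triage(event):
    """Pick a playbook; like the Step 4 EventBridge rule, only severity >= 7 acts."""
    detail = event["detail"]
    purpose, rtype, name = parse_finding_type(detail["type"])
    label = severity_label(detail["severity"])
    playbook = PLAYBOOKS.get(rtype, "manual-review") if label in ("High", "Critical") else ""
    return Triage(purpose, rtype, name, label, playbook)
```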
Step 4: Build Automated Response with EventBridge
Create EventBridge rules that route GuardDuty findings to Lambda functions for automated containment actions such as isolating compromised EC2 instances, revoking IAM credentials, or blocking malicious IP addresses.
```bash
# EventBridge rule for high/critical GuardDuty findings
aws events put-rule \
  --name GuardDutyHighSeverity \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
      "severity": [{"numeric": [">=", 7]}]
    }
  }'
```
```bash
# Target Lambda function for auto-remediation
aws events put-targets \
  --rule GuardDutyHighSeverity \
  --targets '[{
    "Id": "AutoRemediateTarget",
    "Arn": "arn:aws:lambda:us-east-1:123456789012:function/guardduty-auto-remediate"
  }]'
```

Auto-remediation Lambda example for isolating a compromised EC2 instance:

```python
import boto3


def lambda_handler(event, context):
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']
    # Only act on High/Critical EC2 unauthorized-access findings; anything
    # else is left for the analyst queue.
    if not (finding_type.startswith('UnauthorizedAccess:EC2') and severity >= 7):
        return {'status': 'no-action', 'type': finding_type, 'severity': severity}

    instance = finding['resource']['instanceDetails']
    instance_id = instance['instanceId']
    vpc_id = instance['networkInterfaces'][0]['vpcId']
    ec2 = boto3.client('ec2')

    # Create the isolation security group. A new group has no inbound rules
    # but carries a default allow-all IPv4 egress rule, so revoke that too.
    isolation_sg = ec2.create_security_group(
        GroupName=f'isolation-{instance_id}',
        Description='GuardDuty auto-isolation',
        VpcId=vpc_id
    )
    ec2.revoke_security_group_egress(
        GroupId=isolation_sg['GroupId'],
        IpPermissions=[{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
    )

    # Replace all of the instance's security groups with the isolation group
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolation_sg['GroupId']]
    )

    # Tag the instance so investigators can find it and see why it was isolated
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{'Key': 'SecurityStatus', 'Value': 'ISOLATED'},
              {'Key': 'GuardDutyFinding', 'Value': finding_type}]
    )
    return {'status': 'isolated', 'instance': instance_id}
```
Step 5: Investigate Extended Threat Detection Attack Sequences
Review Critical-severity attack sequence findings that correlate multiple signals across EC2, ECS, and EKS. These findings represent multi-stage attacks such as initial access through compromised credentials followed by persistence, lateral movement, and crypto mining.
```bash
# List critical attack sequence findings
aws guardduty list-findings \
  --detector-id <detector-id> \
  --finding-criteria '{
    "Criterion": {
      "severity": {"Gte": 9},
      "type": {"Eq": ["AttackSequence:EC2/CompromisedInstanceGroup",
                      "AttackSequence:ECS/CompromisedCluster",
                      "AttackSequence:EKS/CompromisedCluster"]}
    }
  }'

# Get full finding details with attack sequence timeline
aws guardduty get-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>
```
Step 6: Integrate with Security Hub and SIEM
Forward GuardDuty findings to AWS Security Hub for centralized aggregation and to external SIEM platforms via S3 export or Amazon Security Lake for long-term retention and cross-source correlation.
```bash
# Verify GuardDuty is subscribed as a findings provider in Security Hub
# (the GuardDuty product subscription ARN should appear in the output)
aws securityhub list-enabled-products-for-import

# Create the Security Lake data lake (the meta-store manager role is required)
aws securitylake create-data-lake \
  --meta-store-manager-role-arn arn:aws:iam::123456789012:role/<meta-store-manager-role> \
  --configurations '[{
    "region": "us-east-1",
    "lifecycleConfiguration": {
      "expiration": {"days": 365}
    }
  }]'

# GuardDuty findings reach Security Lake through the Security Hub findings source
aws securitylake create-aws-log-source \
  --sources '[{"regions": ["us-east-1"], "sourceName": "SH_FINDINGS"}]'
```
| Term | Definition |
|---|---|
| Extended Threat Detection | GuardDuty capability that correlates multiple signals across time to detect multi-stage attacks, generating Critical-severity attack sequence findings |
| Runtime Monitoring | Protection plan that deploys a security agent to EC2 instances, ECS tasks, and EKS pods to detect runtime threats at the OS level |
| Finding Severity | Four-tier classification (Low, Medium, High, Critical) where Critical indicates confirmed multi-stage attacks requiring immediate response |
| Malware Protection | On-demand and automatic EBS volume scanning triggered by suspicious EC2 behavior to detect malware without agent installation |
| Delegated Administrator | Organization member account designated to manage GuardDuty across all accounts in an AWS Organization |
| Suppression Rule | Filter that automatically archives findings matching specific criteria to reduce noise from known benign activity |
| Threat Intelligence | IP reputation lists and domain threat feeds used by GuardDuty to identify communication with known malicious infrastructure |
- Amazon GuardDuty: Core threat detection service analyzing CloudTrail, VPC Flow Logs, DNS logs, and runtime telemetry
- Amazon EventBridge: Serverless event bus for routing GuardDuty findings to automated response targets
- AWS Security Hub: Centralized security findings aggregation supporting automated remediation workflows
- Amazon Security Lake: OCSF-normalized data lake for long-term security log retention and cross-service correlation
- Amazon Detective: Graph-based investigation service that visualizes relationships between GuardDuty findings, resources, and API activity
Scenario: Cryptocurrency Mining Detected on ECS Cluster
Context: GuardDuty generates a CryptoCurrency:Runtime/BitcoinTool.B finding with High severity targeting an ECS Fargate task. Runtime Monitoring detected the execution of a mining binary within a container.
Approach:
- Review the finding details to identify the ECS cluster, task definition, and container image
- Stop the affected ECS task immediately and quarantine the container image in ECR
- Check CloudTrail for the ecs:RegisterTaskDefinition and ecs:RunTask calls to identify who deployed the malicious image
- Scan the Docker image with ECR enhanced scanning to identify the embedded mining binary
- Review IAM credentials used to push the image and revoke compromised access
- Update ECR image scanning policies to block images with known mining signatures
Pitfalls: Stopping the task without preserving the container image loses forensic evidence. Failing to trace back to the RegisterTaskDefinition API call misses the initial compromise vector.
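The trace-back step of the Approach above, as an added example that is not from the original page: it walks a batch of CloudTrail records (constructed inline in the shape of the parsed CloudTrailEvent JSON that `aws cloudtrail lookup-events` returns) to find the RegisterTaskDefinition call that introduced the mining image and every RunTask call that launched the resulting task definition. The image, principal and source IP reuse the values from the summary report; the task-definition ARN, cluster name and benign records are assumptions.

```python
# Constructed CloudTrail records (parsed CloudTrailEvent JSON). The image,
# ci-deploy principal and 198.51.100.42 come from the page's summary report;
# everything else (task-definition ARN, cluster, benign events) is made up.
IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v2.1"
TD_ARN = "arn:aws:ecs:us-east-1:123456789012:task-definition/app:7"
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-14T09:00:00Z", "eventName": "RegisterTaskDefinition",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/release-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"family": "app", "containerDefinitions": [
         {"name": "app", "image": IMAGE.replace("v2.1", "v2.0")}]},
     "responseElements": {"taskDefinition": {"taskDefinitionArn": TD_ARN.replace(":7", ":6")}}},
    {"eventTime": "2025-02-15T08:23:00Z", "eventName": "RegisterTaskDefinition",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.42",
     "requestParameters": {"family": "app", "containerDefinitions": [{"name": "app", "image": IMAGE}]},
     "responseElements": {"taskDefinition": {"taskDefinitionArn": TD_ARN}}},
    {"eventTime": "2025-02-15T08:25:00Z", "eventName": "RunTask",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.42",
     "requestParameters": {"cluster": "prod", "taskDefinition": "app:7"}},
    {"eventTime": "2025-02-15T10:00:00Z", "eventName": "DescribeTasks",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
     "sourceIPAddress": "203.0.113.20", "requestParameters": {"cluster": "prod"}},
]


def _caller(ev):
    return {"principal": ev["userIdentity"]["arn"], "source_ip": ev["sourceIPAddress"],
            "time": ev["eventTime"]}


def trace_image_deploy(image, events):
    """Find the RegisterTaskDefinition call that introduced `image` and every
    RunTask call that launched the resulting task definition."""
    trace = {"register": None, "run_tasks": []}
    for ev in events:
        if ev.get("eventName") != "RegisterTaskDefinition":
            continue
        containers = ev.get("requestParameters", {}).get("containerDefinitions", [])
        if any(c.get("image") == image for c in containers):
            td_arn = ev["responseElements"]["taskDefinition"]["taskDefinitionArn"]
            trace["register"] = dict(_caller(ev), task_definition=td_arn)
    if trace["register"] is None:
        return trace  # image not registered in this window: widen the CloudTrail query
    td_arn = trace["register"]["task_definition"]
    family_rev = td_arn.rsplit("/", 1)[-1]  # RunTask may name it as ARN or family:revision
    for ev in events:
        if ev.get("eventName") == "RunTask" and \
                ev.get("requestParameters", {}).get("taskDefinition") in (td_arn, family_rev):
            trace["run_tasks"].append(dict(_caller(ev), cluster=ev["requestParameters"].get("cluster")))
    return trace
```

With real data, feed the function the parsed `CloudTrailEvent` strings returned by `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RegisterTaskDefinition` (and the same for RunTask) over the window before the finding's first signal.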
GuardDuty Threat Detection Summary
====================================
Account: 123456789012 (production)
Region: us-east-1
Period: 2025-02-01 to 2025-02-23
CRITICAL FINDINGS (Immediate Action Required):
[CRIT-001] AttackSequence:EC2/CompromisedInstanceGroup
- Instances: i-0abc123def, i-0def456abc
- Attack Chain: Credential theft -> Persistence -> Crypto mining
- First Signal: 2025-02-15T08:23:00Z
- Duration: 4 hours across 3 stages
- Status: Auto-isolated via Lambda
HIGH FINDINGS:
[HIGH-001] UnauthorizedAccess:IAMUser/MaliciousIPCaller
- Principal: arn:aws:iam::123456789012:user/ci-deploy
- Source IP: 198.51.100.42 (Tor exit node)
- API Calls: 47 calls to ec2:RunInstances
- Status: Access key deactivated
[HIGH-002] CryptoCurrency:Runtime/BitcoinTool.B
- Resource: ECS Task arn:aws:ecs:us-east-1:123456789012:task/cluster/task-id
- Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v2.1
- Process: /tmp/.hidden/xmrig --pool stratum+tcp://pool.example.com:3333
- Status: Task stopped, image quarantined
STATISTICS:
Total Findings: 23
Critical: 1 | High: 3 | Medium: 8 | Low: 11
Auto-Remediated: 4
Pending Investigation: 2