AWS GuardDuty Flashcards
What is GuardDuty?
Threat detection: GD looks at data sources in your account and identifies whether there is a threat.
What is the structure of GuardDuty?
You have one account where GuardDuty is used, and you can then invite other accounts, such as accounts in your organization.
How does GuardDuty identify threats?
GuardDuty monitors:
- Route 53
- VPC Flow Logs
- CloudTrail
- AWS Accounts
What is a GuardDuty finding?
This is an item that is produced by GD when it detects a threat. We get a bunch of info like Severity, Region, Count, Threat Type, Affected Resource, Source info.
How do I receive events from GuardDuty?
CloudWatch Events; you can use CWE to trigger other resources such as SNS, Lambda, etc.
What are the sources GuardDuty is monitoring?
- Route 53
- VPC Flow Logs
- CloudTrail
- AWS Accounts
How can you get threat intelligence from other accounts in your organization?
With GuardDuty you can invite other accounts in your organization to join, and this account becomes the master account.
Can an AWS account be a member of multiple GuardDuty accounts?
No
What do you have to set up in GuardDuty to get GD started?
Service role permissions
I have several IPs that are showing up in GuardDuty as a threat; what can I do to stop this?
You can place the IPs on a threat list to have them excluded from GD findings.
I have known bad-actor IPs and I would like to know if these are seen on our AWS networks; how can I make this happen?
Add them to the threat list and these will be identified.
How many threat lists can you have per account?
You can have 6 threat lists per region per account.
How many trusted lists can you have per account?
You can have 1 per region per account.
Are GuardDuty findings real-time?
No
Can you manage multiple accounts with GuardDuty?
Yes, it is a bit different than other AWS services: you can ask other accounts to join.