GuardDuty Flashcards

1
Q

Basics

What is GuardDuty?

important

A

Continuous security monitoring service

2
Q

Basics

What is GuardDuty looking for?

important

A

Unexpected and unauthorized activity

3
Q

Basics

Analogy to help understand GuardDuty?

A

TSA scanning every person & bag, trained on what to look for, watching for unusual behavior

4
Q

Basics

How does GuardDuty figure out what expected behavior is?

important

A

It learns it on its own (the ML portion of the product)

5
Q

Basics

Two types of inputs to GuardDuty?

A

Your account/resource log files, Threat Intelligence Feeds

6
Q

Basics

5 sources of data for GuardDuty?

A

CloudWatch Logs, VPC Flow Logs, event logs, CloudTrail, DNS logs

7
Q

Basics

Example of something in a Threat Intelligence Feed?

A

Known malicious source IPs

8
Q

Basics

What is it looking for, what triggers it?

A

Anomalous behavior; the ML component looks for outliers

9
Q

Basics

What does it produce?

A

Security Findings: you remediate or accept them

10
Q

Basics

Multi-account with GuardDuty?

A

Yup, Master AWS account and Member AWS Accounts. One account can monitor multiple member accounts.

11
Q

Basics

GuardDuty cost structure?

A

Not free, charges for lots of things

12
Q

Basics

How does GuardDuty work with multiple accounts?

A

Master and Member accounts

13
Q

Findings

Example of bad EC2 behavior that will trigger GuardDuty?

A

One of your EC2 instances distributing malware

14
Q

Findings

How might GuardDuty think your account is compromised?

A

Unusual API calls, like weakening password strength requirements

15
Q

Findings

What resource changes might trigger GuardDuty?

A

Launching resources in a region you’ve never used before

16
Q

Findings

What can GuardDuty do once it creates a Finding?

important

A

Notify or kick-off event-driven protection/remediation

17
Q

Findings

How does GuardDuty notify or start event-driven stuff?

important

A

EventBridge

18
Q

Findings

Example of how GuardDuty can shut down an outside attacker?

A

Finding triggers on IP addr -> EventBridge -> Lambda -> add NACL

19
Q

Protecting AWS Services

How does GuardDuty protect EKS?

A

Ship EKS logs to CWLogs, ingest by GuardDuty

20
Q

Protecting AWS Services

How does GuardDuty protect Lambda functions?

A

Monitors network activity, even when not in a VPC

21
Q

Protecting AWS Services

How does GuardDuty protect EC2 instances?

A

Scans EBS volumes for malware

22
Q

Protecting AWS Services

How does GuardDuty protect RDS?

A

Watches for suspicious login behavior

23
Q

Protecting AWS Services

How does GuardDuty protect S3 buckets?

A

Finding if bucket becomes public, monitor object operations