GuardDuty Flashcards
Basics
What is GuardDuty?
important
Continuous security monitoring service
Basics
What is GuardDuty looking for?
important
Unexpected and unauthorized activity
Basics
Analogy to help understand GuardDuty?
TSA scanning every person & bag, trained on what to look for, watching for unusual behavior
Basics
How does GuardDuty figure out what expected behavior is?
important
It learns it on its own (the ML portion of the product)
Basics
Two types of inputs to GuardDuty?
Your account/resource logs files, Threat Intelligence Feeds
Basics
5 sources of data for GuardDuty?
CloudWatch Logs, VPC Flow Logs, event logs, CloudTrail, DNS logs
Basics
Example of something in a Threat Intelligence Feed?
Known malicious source IPs
Basics
What is it looking for, what triggers it?
Anomalous behavior; the ML component looks for outliers
Basics
What does it produce?
Security Findings: you remediate or accept them
Basics
Multi-account with GuardDuty?
Yup, Master AWS account and Member AWS Accounts. One account can monitor multiple member accounts.
Basics
GuardDuty cost structure?
Not free; it charges for many things
Basics
How does GuardDuty work with multiple accounts?
Master and Member accounts
Findings
Example of bad EC2 behavior that will trigger GuardDuty?
One of your EC2 instances distributing malware
Findings
How might GuardDuty think your account is compromised?
Unusual API calls, like weakening password strength requirements
Findings
What resource changes might trigger GuardDuty?
Launching resources in a region you’ve never used before