StackZone Feature: GuardDuty Advanced Notification

An extension of the GuardDuty Remediations feature

Ryan Ware

Last Update one year ago

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
This service is designed to scan the contents of your container workloads, S3 buckets and compute instance workloads, along with AWS accounts and users, for potential threats at scale.

GuardDuty Advanced Notifications, built by StackZone, is a core account feature that we can build for you inside your Security Account. Each Advanced Notification can be switched on or off depending on which ones you feel add value to your security posture.


To enable these and others, head over to the StackZone Console and, under Provisioning, go to Core Accounts. From here, choose the Security Account and select the GuardDuty subpage.


These Advanced Notifications are listed within the GuardDuty Remediations section.


IAM CloudTrail Logging Disabled Notification

This finding informs you that a CloudTrail trail within your AWS environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty.


IAM Password Policy Change Notification

The AWS account password policy was weakened on the listed account within your AWS environment. For example, it was deleted or updated to require fewer characters, to no longer require symbols and numbers, or to extend the password expiration period. This finding can also be triggered by an attempt to update or delete your AWS account password policy. The AWS account password policy defines the rules that govern what kinds of passwords can be set for your IAM users. A weaker password policy permits the creation of passwords that are easy to remember and potentially easier to guess, thereby creating a security risk.


Malicious IP Caller For S3 / IAM Notification

This finding informs you that an S3 API operation may have been invoked from an IP address that is associated with known malicious activity. The observed API is commonly associated with the discovery stage of an attack when an adversary is gathering information about your AWS environment. Examples include GetObjectAcl and ListObjects.


This finding also covers the scope of an API operation (for example, an attempt to launch an EC2 instance, create a new IAM user, or modify your AWS privileges) that was invoked from a known malicious IP address. This can indicate unauthorized access to AWS resources within your environment.


GuardDuty IAM Findings Notification

This notification can inform you of one of many grouped IAM findings through GuardDuty.


They can range from various IAM Anomalous Behaviour patterns picked up by GuardDuty, to potential unauthorized console access for an IAM User you have in your account, to potentially malicious IP calls logged against an IAM User.


A number of different findings can be outlined here if you are interested in the range of what AWS has to offer for IAM GuardDuty findings.


EC2 MetaData DNS Rebind Notification

This finding informs you that an EC2 instance in your AWS environment is querying a domain that resolves to the EC2 metadata IP address (169.254.169.254). A DNS query of this kind may indicate that the instance is a target of a DNS rebinding technique. This technique can be used to obtain metadata from an EC2 instance, including the IAM credentials associated with the instance.


DNS rebinding involves tricking an application running on the EC2 instance into loading return data from a URL, where the domain name in the URL resolves to the EC2 metadata IP address (169.254.169.254). This causes the application to access EC2 metadata and possibly make it available to the attacker.


It is possible to access EC2 metadata using DNS rebinding only if the EC2 instance is running a vulnerable application that allows injection of URLs, or if someone accesses the URL in a web browser running on the EC2 instance.
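
An application-side check that follows from the description above, as an added example (not StackZone or AWS code): before fetching a user-supplied URL, the application resolves the host once, rejects any answer that lands on 169.254.169.254 or the link-local range, and pins the address it will connect to. The names check_url, sample_resolver and SAMPLE_DNS are hypothetical, and the DNS answers are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed DNS answers for the demo (documentation-range addresses).
SAMPLE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "rebind.example.net": ["169.254.169.254"],
    "mixed.example.net": ["203.0.113.10", "169.254.169.254"],
}

def sample_resolver(host):
    """Hypothetical resolver backed by the constructed table above."""
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    """Resolve with the OS resolver; returns a sorted list of IP strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason, pinned_ip) for a user-supplied URL.

    The caller connects to pinned_ip rather than resolving the name again,
    so a second lookup cannot return a different (rebound) answer.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return (False, "unsupported URL", None)
    try:  # literal IP in the URL: no DNS lookup needed
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        return (False, "no address", None)
    for addr in addrs:  # every answer must be safe, not just the first
        # ::ffff:169.254.169.254 reaches the same endpoint as the IPv4 form
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if addr == METADATA_IP:
            return (False, "resolves to EC2 metadata address", None)
        if addr.version == 4 and addr in LINK_LOCAL:
            return (False, "resolves to link-local range", None)
    return (True, "ok", str(addrs[0]))
```
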


EC2 Traffic Unusual Notification

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host.


EC2 SpamBot Notification

This finding informs you that the listed EC2 instance in your AWS environment is communicating with a remote host on port 25. This behavior is unusual because this EC2 instance has no prior history of communications on port 25. Port 25 is traditionally used by mail servers for SMTP communications. This finding indicates your EC2 instance might be compromised for use in sending out spam.


EC2 Network Port Unusual Notification

This finding informs you that the listed EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port.


EC2 PortScan Notification

This finding informs you that the listed EC2 instance in your AWS environment is engaged in a possible port scan attack because it is trying to connect to multiple ports over a short period of time. The purpose of a port scan attack is to locate open ports to discover which services the machine is running and to identify its operating system.


EC2 Malicious IP Caller Notification

This finding informs you that an EC2 instance in your AWS environment is communicating with an IP address included on a threat list that you uploaded. In GuardDuty, a threat list consists of known malicious IP addresses. GuardDuty generates findings based on uploaded threat lists. The threat list used to generate this finding will be listed in the finding's details.


GuardDuty S3 Event Notification

This notification tells you that a GuardDuty S3 event has been detected in your account. It could be one of a few different findings, from Pentest findings to S3 policy changes, which include public access being granted to S3 buckets or the account Block Public Access setting being disabled.


There are also some findings relating to requests from malicious IP addresses, which GuardDuty can log.


F.A.Q.

Q: Why am I not receiving any email notifications?

A: Your GuardDuty Advanced Notifications are passed on to the SNS Topic "StackZone-Aggregate-Security-Notifications", which can be configured in your Core Accounts -> Security Shared Topic page. Here is a guide which shows you how to do this.


Q: Why do some emails come through from AWS with the subject title "None"?

A: This is a known issue and a limitation from AWS with how we construct these notifications.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check out our How It Works section with easy-to-follow videos, or just create your own StackZone account here.
