Amazon GuardDuty

Amazon GuardDuty Detector Suspended

This plugin ensures Amazon GuardDuty Detectors are not suspended for the region.

Risk Level: Low

Description

This plugin ensures Amazon GuardDuty Detectors are not suspended for the region. Suspended detectors stop generating new security findings. Enabling GuardDuty provides a detailed analysis of various AWS data sources and the potential security risks found in them. Unauthorized API calls from malicious IP addresses can also be monitored with GuardDuty. It is recommended to enable GuardDuty Detectors for all AWS accounts.

About the Service

Amazon GuardDuty: It provides intelligent threat detection for your AWS accounts. With continuous monitoring of your AWS account and workloads, it provides detailed findings of potential security threats along with remediation guidance.

Amazon GuardDuty threat detection can be broadly classified into account compromise, instance compromise, malicious reconnaissance, and bucket compromise. GuardDuty delivers more accurate findings by combining machine learning with threat intelligence lists of known malicious IPs and domains.

All the findings can be generated with just a few clicks by enabling the Amazon GuardDuty detector.

Impact

Amazon GuardDuty generates findings related to potential security threats. They range from unprotected ports and possible SSH brute-force attacks to API operations invoked from malicious IP addresses. Such findings are extremely important for securing the AWS infrastructure against the aforementioned threats.

By not enabling Amazon GuardDuty detectors, you might miss important high-severity threats, which may leave resources severely vulnerable. Suspended detectors do not generate new findings.

Steps to Reproduce

Using the AWS Console:

  1. Log In to your AWS Console.
  2. Open the Amazon GuardDuty Console. You can use this link (https://console.aws.amazon.com/guardduty) to navigate directly if already logged in.
  3. The Findings page is displayed. Click on Settings from the left panel.
  4. Move down to the Suspend GuardDuty section and check the first button. If it reads “Re-enable GuardDuty”, the detector is currently suspended and is not generating new security findings.
  5. Repeat steps 3 to 4 for all the AWS regions you want to investigate.

Steps for Remediation

Enable the suspended GuardDuty detectors for all regions with AWS resources.

  1. Log In to your AWS Console.
  2. Open the Amazon GuardDuty Console. You can use this link (https://console.aws.amazon.com/guardduty) to navigate directly if already logged in.
  3. The Findings page is displayed. Click on Settings from the left panel.
  4. Move down to the Suspend GuardDuty section and click on Re-enable GuardDuty to enable the detector so that it can generate new security findings.
  5. Repeat steps 3 to 4 for all the suspended GuardDuty detectors.
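The same check and remediation, scripted against the GuardDuty API instead of the console, as an added example that is not part of this plugin's documentation. It assumes boto3 is installed and AWS credentials are configured when run against a real account; `FakeGuardDuty` is a constructed stand-in so the logic can be exercised offline.

```python
from typing import Dict, List

# Real boto3 GuardDuty calls used below: list_detectors(),
# get_detector(DetectorId=...) whose "Status" is "ENABLED" or "DISABLED",
# and update_detector(DetectorId=..., Enable=True) to re-enable a detector.
# A "DISABLED" status is the suspended state the console shows as
# "Re-enable GuardDuty".

def check_region(client, region: str, remediate: bool = False) -> List[Dict]:
    """Evaluate every GuardDuty detector in one region.

    Returns one record per detector, or one NO_DETECTOR record when the
    region has none, each marked PASS (enabled) or FAIL. With remediate=True
    a suspended detector is re-enabled and re-read before reporting.
    """
    records = []
    detector_ids = client.list_detectors().get("DetectorIds", [])
    if not detector_ids:
        records.append({"region": region, "detector_id": None,
                        "status": "NO_DETECTOR", "result": "FAIL"})
    for det_id in detector_ids:
        status = client.get_detector(DetectorId=det_id)["Status"]
        if status == "DISABLED" and remediate:
            client.update_detector(DetectorId=det_id, Enable=True)
            status = client.get_detector(DetectorId=det_id)["Status"]
        records.append({"region": region, "detector_id": det_id,
                        "status": status,
                        "result": "PASS" if status == "ENABLED" else "FAIL"})
    return records

def check_all_regions(remediate: bool = False) -> List[Dict]:
    """Run check_region in every region where GuardDuty is offered."""
    import boto3  # imported here so the offline demo needs no boto3
    session = boto3.session.Session()
    records = []
    for region in session.get_available_regions("guardduty"):
        client = session.client("guardduty", region_name=region)
        records += check_region(client, region, remediate)
    return records

class FakeGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client (offline use only)."""
    def __init__(self, detectors: Dict[str, str]):
        self.detectors = dict(detectors)  # detector id -> status
    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}
    def get_detector(self, DetectorId):
        return {"DetectorId": DetectorId, "Status": self.detectors[DetectorId]}
    def update_detector(self, DetectorId, Enable):
        self.detectors[DetectorId] = "ENABLED" if Enable else "DISABLED"
```

Any FAIL record corresponds to a region where this plugin would flag a suspended (or missing) detector; `check_all_regions(remediate=True)` performs the console remediation steps above for every region at once.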