GuardDuty Flashcards

1
Q

What is GuardDuty?

A

Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Amazon GuardDuty is a security monitoring service that analyzes and processes data sources, such as AWS CloudTrail data events for Amazon S3 logs, CloudTrail management event logs, DNS logs, Amazon EBS volume data, Kubernetes audit logs, Amazon VPC flow logs, and RDS login activity.

2
Q

What are the possible data sources for GuardDuty?

A

AWS CloudTrail event logs
AWS CloudTrail management events
AWS CloudTrail data events for S3
Kubernetes audit logs
EKS control plane logs
VPC Flow Logs
DNS logs
Elastic Block Storage (EBS) volume
RDS login activity monitoring

3
Q

What are the different ways to access GuardDuty?

A

GuardDuty can be accessed through:
- the GuardDuty console
- the AWS Command Line Interface (CLI)
- the GuardDuty HTTPS API
- the AWS SDKs

4
Q

Can you add your own log sources to GuardDuty?

A

No.

5
Q

What is a Threat IP list?

A

A Threat IP list is a list of known malicious IP addresses. In addition to generating findings because of potentially suspicious activity, GuardDuty also generates findings based on these threat lists.

6
Q

What is a Trusted IP list?

A

A Trusted IP list is a list of trusted IP addresses for highly secure communication with your AWS environment. GuardDuty does not generate findings based on trusted IP lists.

7
Q

What are suppression rules?

A

Suppression rules allow you to define very specific combinations of attributes and suppress the findings that match them.

8
Q

How do you create suppression rules for member accounts?

A

Suppression rules defined in the GuardDuty administrator account apply to the GuardDuty member accounts. GuardDuty member accounts can’t modify suppression rules.

9
Q

What is a suppression rule?

A

A suppression rule is a set of criteria, consisting of a filter attribute paired with a value, used to filter findings by automatically archiving new findings that match the specified criteria.

10
Q

What are the benefits of suppression rules?

A

Suppression rules can be used to filter low-value findings, false positive findings, or threats you do not intend to act on, to make it easier to recognize the security threats with the most impact to your environment.

11
Q

How do you manage GuardDuty’s findings for member accounts?

A

You can invite other accounts to enable GuardDuty and become associated with your AWS account in GuardDuty. If your invitations are accepted, your account is designated as the GuardDuty administrator account, and the added accounts become your member accounts. You can then view and manage those accounts’ GuardDuty findings on their behalf.

12
Q

How many member accounts can you have in GuardDuty?

A

You can have up to 5,000 member accounts in GuardDuty.

13
Q

Can users of member accounts configure GuardDuty?

A

Users of member accounts can configure GuardDuty as well as view and manage GuardDuty findings in their account (either through the GuardDuty management console or GuardDuty API). Users of member accounts can’t view or manage findings in other members’ accounts.

14
Q

Can users of member accounts view or manage findings in other members’ accounts?

A

Users of member accounts can’t view or manage findings in other members’ accounts.

15
Q

Is it possible for an account to be a GuardDuty administrator and a member account at the same time?

A

An AWS account can’t be a GuardDuty administrator and member account at the same time. An AWS account can accept only one membership invitation. Accepting a membership invitation is optional.
