GuardDuty

Question 1

Basics

What is GuardDuty?

important

Answer 1

Continuous security monitoring service

Question 2

Basics

What is GuardDuty looking for?

important

Answer 2

Unexpected and unauthorized activity

Question 3

Basics

Analogy to help understand GuardDuty?

Answer 3

TSA scanning every person & bag, trained on what to look for, watching for unusual behavior

Question 4

Basics

How does GuardDuty figure out what expected behavior is?

important

Answer 4

It learns it on its own (the ML portion of the product)

Question 5

Basics

Two types of inputs to GuardDuty?

Answer 5

Your account/resource logs files, Threat Intelligence Feeds

Question 6

Basics

5 sources of data for GuardDuty?

Answer 6

CloudWatch Logs, Vpc Flow logs, event logs, CloudTrail, DNS logs

Question 7

Basics

Example of something in a Threat Intelligence Feed?

Answer 7

Known malicious source IPs

Question 8

Basics

What is it looking for, what triggers it?

Answer 8

Anomolous behavior, ML thing looks for outliers

Question 9

Basics

What does it produce?

Answer 9

Security Findings: you remediate or accept them

Question 10

Basics

Multi-account with GuardDuty?

Answer 10

Yup, Master AWS account and Member AWS Accounts. One account can monitor mulitple member accounts.

Question 11

Basics

GuardDuty cost structure?

Answer 11

Not free, charges for lots of things

Question 12

Basics

How does GuardDuty work with mulitple accounts?

Answer 12

Master and Member accounts

Question 13

Findings

Example of bad EC2 behavior that will trigger GuardDuty?

Answer 13

One of your EC2 instances distributing malware

Question 14

Findings

How might GuardDuty think your account is compromised?

Answer 14

Unusual API calls, like weakening password strength requirements

Question 15

Findings

What resource changes might triger GuardDuty?

Answer 15

Launching resources in a region you’ve never used before

Question 16

Findings

What can GuardDuty do once it creates a Finding?

important

Answer 16

Notify or kick-off event-driven protection/remediation

Question 17

Findings

How does GuardDuty notify or start event-driven stuff?

important

Answer 17

EventBridge

Question 18

Findings

Example of how GuardDuty can shut down an outside attacker?

Answer 18

Finding triggers on IP addr -> Event Bridge -> Lambda -> add NACL

Question 19

Protecting AWS Services

How does GuardDuty protect EKS?

Answer 19

Ship EKS logs to CWLogs, ingest by GuardDuty

Question 20

Protecting AWS Services

How does GuardDuty protect Lambda functions?

Answer 20

Monitors network activity, even when not in a VPC

Question 21

Protecting AWS Services

How does GuardDuty protect EC2 instances?

Answer 21

Scans EBS volumes for malware

Question 22

Protecting AWS Services

How does GuardDuty protect RDS?

Answer 22

Watches for suspicious login behavior

Question 23

Protecting AWS Services

How does GuardDuty protect S3 buckets?

Answer 23

Finding if bucket becomes public, monitor object operations