How to resolve Sprinto check for enabling AWS GuardDuty
Sprinto check: AWS GuardDuty should be enabled
Understanding GuardDuty
GuardDuty is a threat detection service that continuously monitors several AWS data sources, including AWS CloudTrail management events, AWS CloudTrail data events for Amazon S3, DNS logs, Amazon EKS audit logs, and Amazon VPC flow logs. It can also analyze Amazon EBS volume data for Malware Protection, a feature that must be enabled separately within GuardDuty.
Key Features of GuardDuty:
Data Sources:
AWS CloudTrail management events
AWS CloudTrail data events for Amazon S3
DNS logs
Amazon EKS audit logs
Amazon VPC flow logs
Amazon EBS volume data (with Malware Protection)
Security Findings:
GuardDuty generates security findings based on the analysis of the provided data sources.
It identifies potential threats, unauthorized activities, and unusual behaviors in your AWS environment.
Enabling GuardDuty:
When you enable GuardDuty, it immediately begins monitoring your environment and generating security findings. GuardDuty can be disabled at any time to stop processing the specified data sources.
Considerations:
GuardDuty is a regional service requiring configuration in each region you want to monitor.
It is recommended to enable GuardDuty in all supported AWS Regions for comprehensive threat detection.
Any user with administrator privileges can enable GuardDuty, but creating a dedicated IAM user, role, or group for GuardDuty management is a security best practice.
Service-Linked Role:
When GuardDuty is enabled for the first time in any region, it creates a service-linked role named AWSServiceRoleForAmazonGuardDuty.
This role includes the permissions and trust policy GuardDuty needs to consume and analyze events directly from AWS CloudTrail, VPC flow logs, and DNS logs.
Free Trial:
Upon enabling GuardDuty in a region for the first time, your AWS account is automatically enrolled in a 30-day GuardDuty free trial for that region.
Step-by-step guide
Ensure that you configure GuardDuty in all AWS Regions you wish to monitor to maximize its effectiveness.
Go to the AWS Management Console and log in to your AWS account.
In the AWS Management Console, search for and select GuardDuty from the search bar.
On the GuardDuty dashboard, click on the Get Started button to initiate the setup process.
Select the AWS region where you want to enable GuardDuty.
On the Enable GuardDuty page, choose Yes to enable GuardDuty for your account.
If you already have a GuardDuty detector, choose the existing one. Otherwise, create a new detector.
Review your settings and click Enable GuardDuty.
GuardDuty activation may take a few minutes. Once activated, GuardDuty will start analyzing events and providing findings.
After activation, explore GuardDuty findings in the GuardDuty console. GuardDuty will provide information on potential threats and recommended actions.
That's it! You have successfully enabled AWS GuardDuty for your AWS account. For any further assistance or to explore GuardDuty features, refer to the AWS GuardDuty documentation.
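Because GuardDuty is regional, it is easy to enable it in one region and miss another. The script below is an added example (not Sprinto's or AWS's own code) that uses boto3, which is assumed to be installed with credentials allowing guardduty:ListDetectors and guardduty:GetDetector, to report every region that has no enabled detector; the detector IDs used in its comments and tests are constructed.

```python
"""Added example: report which AWS Regions lack an enabled GuardDuty detector."""
from __future__ import annotations

ENABLED, DISABLED, MISSING, ERROR = "ENABLED", "DISABLED", "MISSING", "ERROR"


def evaluate_region(region: str, detector_status: dict[str, str]) -> dict:
    """Classify one region from a {detector_id: status} map built from GetDetector output."""
    if not detector_status:
        return {"region": region, "status": MISSING, "detectors": []}
    # A region passes when at least one of its detectors reports Status == "ENABLED".
    status = ENABLED if ENABLED in detector_status.values() else DISABLED
    return {"region": region, "status": status, "detectors": sorted(detector_status)}


def failing_regions(results: list[dict]) -> list[str]:
    """Regions that would keep the 'GuardDuty should be enabled' check from passing."""
    return [r["region"] for r in results if r["status"] != ENABLED]


def audit_guardduty(session=None, regions: list[str] | None = None) -> list[dict]:
    """Query every GuardDuty region (or the given subset) with boto3 and classify each."""
    import boto3  # imported here so the pure helpers above stay usable without boto3
    from botocore.exceptions import BotoCoreError, ClientError

    session = session or boto3.session.Session()
    results = []
    for region in regions or session.get_available_regions("guardduty"):
        client = session.client("guardduty", region_name=region)
        try:
            ids = client.list_detectors().get("DetectorIds", [])
            statuses = {d: client.get_detector(DetectorId=d)["Status"] for d in ids}
            results.append(evaluate_region(region, statuses))
        except (BotoCoreError, ClientError) as exc:
            # Usually an opt-in region not enabled for the account, or missing permissions.
            results.append({"region": region, "status": ERROR, "detectors": [],
                            "error": str(exc)})
    return results


if __name__ == "__main__":
    report = audit_guardduty()
    for row in report:
        print(f"{row['region']:<16} {row['status']:<9} {','.join(row['detectors']) or '-'}")
    bad = failing_regions(report)
    print("Regions needing attention: " + (", ".join(bad) if bad else "none"))
```

Regions reported as MISSING or DISABLED are the ones to enable through the console steps above; ERROR rows usually point at opt-in regions that are not active for the account and therefore cannot be monitored.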
Sprinto picks up the change on its next evaluation and sets the check status to “Passing.”
If you need any assistance with the check, please get in touch with Sprinto Support.