Amazon GuardDuty™ is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It was introduced at AWS re:Invent 2017, and allows you to get threat visibility at the click of a button.
It’s a great way to gain a level of threat awareness on your infrastructure, and see what is hitting it.
Alert Logic developed Cloud Insight Essentials to help you make better sense of the findings from Amazon GuardDuty and take action to stop and prevent similar attacks.
Cloud Insight Essentials basically takes the following approach:
- Centralize all GuardDuty findings
- Provide context on the type of finding, and the assets being attacked
- Provide short-term response guidance, and suggest long-term structural improvements, through a set of configuration best-practice checks on your infrastructure (you can extend these to vulnerability scans on the workloads running on your instances).
As an Amazon GuardDuty customer, you may choose either to have multiple individual GuardDuty accounts that you look at one by one, or to use a GuardDuty master account with member accounts to centralize all the findings of one region, as explained in this Amazon blog. This technique is not yet able to consolidate GuardDuty findings across regions, but Alert Logic Cloud Insight Essentials can help with that. Alert Logic can collect GuardDuty findings from many accounts, across multiple regions, and bring them together for central analysis, handling and reporting.
Here’s what we need from you to get you going:
- For each AWS account for which you want threat and exposure visibility, we’ll ask you to create a role with a set of permissions that lets us discover and continually monitor your environment. The role will also allow us to check your environment against a set of configuration best practices, and notify you when we identify issues that require your attention.
- For each region where you have accounts with GuardDuty enabled, we will ask you to deploy a GuardDuty collector using a CloudFormation template. This consists of a few Lambda functions that forward the GuardDuty CloudWatch events for that region to Alert Logic.
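To make the per-region collector step concrete, here is an added example (not Alert Logic’s CloudFormation template or Lambda code): a Python Lambda-style handler that accepts a GuardDuty finding delivered by a CloudWatch Events rule, tags it with the region and account taken from the event envelope, and hands the normalized record to an injected forwarding step. The envelope and `detail` layout follow the standard CloudWatch Events shape for GuardDuty findings; the sample event, all IDs in it, and the `forward` callable are constructed placeholders.

```python
"""Added example (not Alert Logic's collector): normalize a GuardDuty finding
received from CloudWatch Events into a region-tagged record for central collection.
The forwarding step is injected so the handler runs and is testable offline."""
import json
from typing import Any, Callable, Dict, List, Optional

# Constructed sample of a GuardDuty finding as delivered by CloudWatch Events.
# Account ID, detector ID, finding ID and instance ID are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2018-03-01T12:00:00Z",
    "region": "eu-west-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "eu-west-1",
        "id": "EXAMPLE-FINDING-ID",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance i-0example is being probed.",
        "createdAt": "2018-03-01T11:58:00Z",
        "updatedAt": "2018-03-01T11:59:00Z",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0example", "instanceType": "t2.micro"},
        },
        "service": {
            "serviceName": "guardduty",
            "detectorId": "EXAMPLE-DETECTOR-ID",
            "count": 3,
            "archived": False,
            "eventFirstSeen": "2018-03-01T11:50:00Z",
            "eventLastSeen": "2018-03-01T11:59:00Z",
        },
    },
}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to the Low/Medium/High bands GuardDuty documents."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def normalize_finding(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a flat, region-tagged record for a GuardDuty finding, or None for
    any other event. Region and account are read from the envelope so findings
    collected from many regions and accounts can be merged and filtered centrally."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    resource = detail.get("resource", {})
    instance = resource.get("instanceDetails") or {}
    service = detail.get("service", {})
    severity = float(detail.get("severity", 0))
    return {
        "finding_id": detail["id"],
        "account": event["account"],
        "region": event["region"],
        "type": detail["type"],
        "severity": severity,
        "severity_label": severity_label(severity),
        "resource_type": resource.get("resourceType"),
        "instance_id": instance.get("instanceId"),
        "count": service.get("count", 1),
        "first_seen": service.get("eventFirstSeen"),
        "last_seen": service.get("eventLastSeen"),
        "title": detail.get("title"),
    }


def make_handler(forward: Callable[[str], None]) -> Callable[[Dict[str, Any], Any], Dict[str, Any]]:
    """Build a Lambda entry point. `forward` is the hypothetical delivery step
    (for example an HTTPS POST to the collector), injected so tests can capture it."""
    def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
        record = normalize_finding(event)
        if record is None:
            return {"forwarded": False, "reason": "not a GuardDuty finding"}
        forward(json.dumps(record))
        return {"forwarded": True, "finding_id": record["finding_id"], "region": record["region"]}
    return handler


if __name__ == "__main__":
    sent: List[str] = []
    print(make_handler(sent.append)(SAMPLE_EVENT))
    print(sent[0])
```

The handler ignores anything that is not a GuardDuty finding, so a misconfigured rule that matches other events does not pollute the central store, and the region tag on every record is what makes the cross-region filtering described below possible.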
And that’s it. As soon as you’ve done that, we’ll start automatically discovering your accounts, across multiple regions, and show you what issues we find.
And we’ll give you a centralized view of all your GuardDuty findings, across regions, with the ability to filter by region.
And of course, you can use our reporting to analyze how attacks are distributed—for example an incident heatmap by time, region, account, or VPC in the Targeted Deployment explorer.