Amazon GuardDuty Monitoring

Updated Sep 27, 2023

Configure Amazon GuardDuty monitoring

Configure Amazon GuardDuty monitoring

Amazon GuardDuty® is a threat detection service that continuously monitors your AWS accounts and resources for unexpected and potentially malicious activity in your AWS environment. To integrate this service with Arctic Wolf® Cloud Detection and Response, configure Amazon GuardDuty to forward its findings to Arctic Wolf. Your Concierge Security® Team (CST) analyzes these findings, eliminates false positives, and provides guidance within the context of your security posture.

Note: GuardDuty is a chargeable service, based on the traffic and usage of your AWS account. We recommend reviewing the GuardDuty pricing documentation before enabling the service.

Requirements

An AWS user or Identity and Access Management (IAM) role with AdministratorAccess or an equivalent IAM policy.
Access to the AWS Management Console.

Before you begin

Previously, an Arctic Wolf CloudFormation stack was required for GuardDuty configuration. If you configured GuardDuty using that stack, you must remove the stack, as described in Deprecated stacks in Update AWS CloudFormation Stacks, and then follow the steps here to enable GuardDuty.
Confirm that your AWS account credentials are Healthy. See Provide AWS Credentials to Arctic Wolf.
Contact your CST to confirm that Arctic Wolf is receiving your CloudTrail events. See Configure AWS CloudTrail Event Monitoring.

Steps

Note: You must complete these steps in each region that you want to forward GuardDuty findings from.

Enable GuardDuty monitoring
Enable S3 protection
Enable EKS protection
Configure GuardDuty to write logs
Configure GuardDuty to export logs
Verify GuardDuty configuration

Step 1: Enable GuardDuty monitoring

If you have:

A single AWS account — Proceed to Enable GuardDuty monitoring for a single account.
Multiple AWS accounts that you manage with AWS Organizations — Proceed to Enable GuardDuty monitoring for multiple accounts with AWS Organizations.

Note: Arctic Wolf recommends using AWS Organizations and leveraging a delegated administrator account, since this configuration automatically enables GuardDuty for all member accounts.
Multiple AWS accounts and do not use AWS Organizations — Proceed to Enable GuardDuty monitoring for multiple account without AWS Organizations.

Enable GuardDuty monitoring for a single account

Review Supported AWS regions and identify the region that you want Arctic Wolf to monitor.
Sign in to the GuardDuty console.

The console opens to the Findings page if GuardDuty is enabled.
If the Findings page does not appear, complete these steps to enable GuardDuty in your preferred AWS region:
1. Click Get Started.
2. Click Enable GuardDuty.
Tip: See Enable GuardDuty in the AWS documentation for more information about enabling GuardDuty.
Proceed to Enable S3 Protection.

Enable GuardDuty monitoring for multiple accounts with AWS Organizations

If you use AWS Organizations:
- Without AWS Control Tower — Follow the three-step process to designate a delegated GuardDuty administrator account in Managing GuardDuty accounts with AWS Organizations.
- With AWS Control Tower — Follow the three-step process in Managing GuardDuty accounts with AWS Organizations to delegate your default audit account as the GuardDuty administrator in all regions of your Control Tower managed organization.
Sign in to the GuardDuty console with your delegated administrator account.
In the navigation menu, click Settings > Accounts.
If the Auto-enable is OFF option appears, select that option to automatically enable GuardDuty for new member accounts when they join your organization.
Proceed to Enable S3 Protection.

Enable GuardDuty monitoring for multiple account without AWS Organizations

For each account you want Arctic Wolf to monitor:

Sign in to the GuardDuty console.
If the Findings page does not appear:
1. Click Get Started.
2. Click Enable GuardDuty.
Proceed to Enable S3 Protection.

Step 2: Enable S3 protection

Sign in to the GuardDuty console.
In the navigation menu, click Settings > S3 Protection.
Confirm that S3 Protection is enabled for this account.

Step 3: Enable EKS protection

Enable Elastic Kubernetes Service (EKS) protection for the GuardDuty accounts that you want Arctic Wolf to monitor.

Tips:

See Kubernetes protection in GuardDuty in the Amazon documentation for more information about enabling EKS protection.
See EKS Best Practice Guides in the GitHub documentation for information about suggested EKS best practices in your organization.

If you have:

One account that Arctic Wolf is monitoring — Proceed to Enable EKS protection for a single account.
If you have multiple accounts that an administrator manages — Proceed to Enable EKS protection for multiple accounts.

Enable EKS protection for a single account

Sign in to the GuardDuty console.
In the navigation menu, click Settings > Kubernetes protection.
If you see a notice similar to "Kubernetes Audit Logs Monitoring is not enabled for this account," click Enable to enable EKS protection.
Proceed to Configure GuardDuty to write logs.

Enable EKS protection for multiple accounts

Note:

Only GuardDuty delegated administrator accounts can configure EKS in multi-account environments.
If you use AWS Organizations, this procedure automatically enables EKS protection for all new and existing accounts.

As an administrator, sign in to the GuardDuty console.
In the navigation menu, click Settings > Kubernetes protection.
To enable automatic EKS protection for new and existing member accounts, click Enable all.
Click Update Settings.
Proceed to Configure GuardDuty to write logs.

Step 4: Configure GuardDuty to write logs

Note: If you have already configured GuardDuty to export logs to a S3 bucket, then stop here and contact your CST for further instructions.

How you configure GuardDuty to export logs depends on whether or not you configured Cloudtrail event monitoring in Configure AWS Cloudtrail Event Monitoring with the same account you assigned as your delegated GuardDuty administrator in the previous steps.

To check if you used the same account or a different account for these configurations:

Compare the 12-digit Account ID value in the GuardDuty console to the AWS Account ID value on the Connected Accounts page in the Arctic Wolf Unified Portal.
If the account numbers:
- Match — Proceed to Write GuardDuty logs to the same account.
- Do not match — Proceed to Write GuardDuty logs to a different account.

Write GuardDuty logs to the same account

To write GuardDuty logs to a local Arctic Wolf S3 bucket that is in the same AWS account:

Note: Repeat these steps for every region where you have enabled GuardDuty monitoring.

Sign in to the GuardDuty console.
In the navigation menu, click Settings.
In the Findings export options setting, under S3 Bucket, click Configure now.
Click Existing bucket in your account.
Under Choose a bucket, select the bucket with a name similar to awn-logs-bucket-<account-id>-<region>, where <account-id> is the 12-digit ID number of your current AWS account and <region> is the region of the S3 bucket.
Leave the Log file prefix blank.
Under KMS Encryption, click Choose a key from your account.
Under Key Alias, select AWNKMSKey.
Click Save.
Proceed to Configure GuardDuty to export logs.

Write GuardDuty logs to a different account

If you:

Use AWS Control Tower — Proceed to Add the bucket policy for AWS Control Tower to add the necessary bucket policy to the awn-logs-bucket-<account-id>-<region> bucket.
Do not use AWS Control Tower — Proceed to Write GuardDuty logs

Step 1: Add the bucket policy for AWS Control Tower

For most environments, the base stack adds the permissions needed for the newly created log bucket. However, AWS Control Tower guardrails prevent the addition of the necessary policy.

Sign in to the AWS Management Console.
Open the Amazon S3 Console and select the awn-logs-bucket-<account-id>-<region> bucket, where <account-id> is your 12-digit AWS account number and <region> is the region of the bucket.
Click the Permissions tab.
In the Bucket policy section, click Edit.

Copy this policy and paste it into the Policy field, replacing <bucket-name> with the name of your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GuardDutyPutObject",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        },
        {
            "Sid": "GuardDutyGetBucketLocation",
            "Effect": "Allow",
            "Principal": {
                "Service": "guardduty.amazonaws.com"
            },
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::<bucket-name>"
        }
    ]
}

Click Save changes.
Proceed to Write GuardDuty Logs

Step 2: Write GuardDuty logs

To write GuardDuty logs to a different AWS account that Arctic Wolf already monitors, for example, if you use AWS Organizations or AWS Control Tower:

Sign in to the AWS account that Arctic Wolf already monitors in the Amazon Management Console, and then click Services > Key Management Service.
In the KMS console navigation menu, click Customer managed keys.
Copy the Key ID value for the AWNKMSKey key, for use in a later step.
From the Services menu, click S3.
In the Buckets list, select the account bucket name, similar to awn-logs-bucket-<account-id>-<region>, where the <account-id> is the 12-digit ID of the AWS account that Arctic Wolf already monitors and the <region> is the region of the S3 bucket.

Tip: This bucket was created when you created your Arctic Wolf CloudFormation stack in Configuring AWS CloudTrail Event Monitoring.
Click the Properties tab, and then copy the Amazon Resource Name (ARN) value, for use in a later step.
In the Services menu, click GuardDuty to open the GuardDuty console.
In the GuardDuty console navigation menu, click Settings.
In the Findings export options section, under S3 Bucket, click Configure now.
Click Existing bucket in another account.
Under Bucket ARN, enter the bucket ARN that you copied.
Under Key ARN, enter the AWNKMSKey Key ID value that you copied.
Click Save.
Repeat the above steps for any other region that you want to forward GuardDuty findings from.
Proceed to Configure GuardDuty to export logs.

Step 5: Configure GuardDuty to export logs

Tip: See Setting the frequency for exporting updated active findings in the Amazon documentation for more information about this process.

To ensure that Arctic Wolf can send alerts in a timely manner:

Sign in to the GuardDuty console.
In the navigation menu, click Settings.
In the Findings export options section, select Frequency for updated findings, and then select Update CWE and S3 every 15 minutes.
Click Save.

Step 6: Verify GuardDuty configuration

To verify that the GuardDuty configuration works, trigger sample GuardDuty findings to write in your account:

Sign in to the GuardDuty console.
In the navigation menu, click Settings.
On the Settings page, under Sample findings, click Generate sample findings.
In the navigation menu, click Findings.
The sample findings are displayed on the Current findings page with a "SAMPLE" prefix.
Contact your CST to confirm that Arctic Wolf received these sample findings.

Tip: If you have access to Raw Log Search in the Arctic Wolf Unified Portal, you can check Raw Log Search for these sample findings.

Next steps

Proceed to Configure AWS S3 Bucket Log Monitoring to send logs to Arctic Wolf.

For all AWS configuration options, see Configure AWS Account Monitoring.