Detecting Cloud Threats with GuardDuty
When to Use
适用场景
- When establishing continuous threat detection for new or existing AWS accounts
- When investigating GuardDuty findings related to compromised instances, credential abuse, or data exfiltration
- When building automated incident response playbooks triggered by GuardDuty findings
- When extending threat coverage to container workloads running on EKS, ECS, or Fargate
- When enabling malware scanning for EBS volumes attached to suspicious EC2 instances
Do not use for Azure or GCP threat detection (see securing-azure-with-microsoft-defender or auditing-gcp-security-posture), for static code analysis, or for compliance posture monitoring (see implementing-aws-security-hub).
Prerequisites
前提条件
- AWS account with GuardDuty administrative permissions (guardduty:*)
- AWS CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs: GuardDuty reads these foundational sources directly from the services, so you do not need to create a trail, turn on flow logging, or enable query logging for it to analyze them (S3 data events are covered separately by S3 Protection). Note that the DNS source only sees queries sent to the default VPC resolver; instances pointed at a third-party resolver are blind to it
- AWS Organizations configured if deploying GuardDuty across a multi-account estate
- EventBridge and Lambda configured for automated response workflows
Workflow
Step 1: Enable GuardDuty and Protection Plans
GuardDuty is regional: a detector has to exist in every region you want covered, and in an AWS Organization you manage them from the delegated administrator account. Enable all protection plans: S3 Protection, EKS Audit Log Monitoring, Runtime Monitoring, Malware Protection for EC2, RDS Protection (login activity), and Lambda Protection (network activity monitoring).
```bash
# Create the detector for this account and region with every protection plan on.
# --data-sources is deprecated; --features is the current parameter. The call
# fails if a detector already exists (one per account per region): check with
# `aws guardduty list-detectors` first and use update-detector instead.
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --features '[
    {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
    {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},
    {"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}
  ]'

# Enable Runtime Monitoring with GuardDuty-managed agents for EC2, ECS Fargate and EKS
aws guardduty update-detector \
  --detector-id <detector-id> \
  --features '[
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
     "AdditionalConfiguration": [
       {"Name": "EC2_AGENT_MANAGEMENT", "Status": "ENABLED"},
       {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
       {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}
     ]}
  ]'

# Designate the delegated administrator for multi-account management.
# Run this from the Organizations management account, in each region you use.
aws guardduty enable-organization-admin-account \
  --admin-account-id 111122223333
```
Step 2: Configure Multi-Account Aggregation
From the delegated administrator account, automatically enroll all organization member accounts (existing and future) and configure finding export to a centralized S3 bucket for retention and SIEM ingestion. Member accounts' findings are visible to the administrator's detector, so a single publishing destination configured there covers the whole organization.
```bash
# Auto-enable GuardDuty and the protection plans for current and future members.
# <detector-id> is the delegated administrator's detector in this region.
aws guardduty update-organization-configuration \
  --detector-id <detector-id> \
  --auto-enable-organization-members ALL \
  --features '[
    {"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL"},
    {"Name": "EKS_AUDIT_LOGS", "AutoEnable": "ALL"},
    {"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "ALL"},
    {"Name": "RUNTIME_MONITORING", "AutoEnable": "ALL",
     "AdditionalConfiguration": [
       {"Name": "EC2_AGENT_MANAGEMENT", "AutoEnable": "ALL"},
       {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "AutoEnable": "ALL"},
       {"Name": "EKS_ADDON_MANAGEMENT", "AutoEnable": "ALL"}
     ]}
  ]'

# Export findings (the administrator's and all members') to S3.
# The bucket policy must grant guardduty.amazonaws.com s3:GetBucketLocation and
# s3:PutObject, and the KMS key policy must grant it kms:GenerateDataKey,
# or this call is rejected.
aws guardduty create-publishing-destination \
  --detector-id <detector-id> \
  --destination-type S3 \
  --destination-properties '{
    "DestinationArn": "arn:aws:s3:::guardduty-findings-centralized",
    "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/key-id"
  }'
```
Step 3: Interpret Finding Types and Severity Levels
GuardDuty assigns every finding a numeric severity from 0.1 to 10.0 and reports it under four labels: Low (1.0-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). The numeric value is what EventBridge patterns and list-findings criteria filter on, so "High and above" means severity >= 7 and "Critical" means >= 9. Each finding type follows the format ThreatPurpose:ResourceType/ThreatName. Extended Threat Detection generates attack sequence findings that correlate multiple signals across time into a single Critical finding.
Key finding categories:
- Recon: Port scanning, API enumeration (e.g., Recon:EC2/PortProbeUnprotectedPort)
- UnauthorizedAccess: Credential abuse, console logins from unusual locations
- CryptoCurrency: Mining activity detected on instances (e.g., CryptoCurrency:EC2/BitcoinTool.B)
- Impact: Resource hijacking, data destruction attempts
- AttackSequence: Multi-stage attacks correlating initial access through lateral movement to impact (Critical severity)
Step 4: Build Automated Response with EventBridge
Create EventBridge rules that route GuardDuty findings to Lambda functions for automated containment actions such as isolating compromised EC2 instances, revoking IAM credentials, or blocking malicious IP addresses. Two properties of the event stream shape the design: in an Organization, member accounts' findings are also emitted on the delegated administrator's event bus, so the rules belong there; and EventBridge delivers a finding when it is first generated and again, at the publishing frequency, each time the same finding recurs, so remediation functions must be idempotent.
```bash
# Route High and Critical findings (numeric severity 7.0 and above) to the rule
aws events put-rule \
  --name GuardDutyHighSeverity \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": { "severity": [{"numeric": [">=", 7]}] }
  }'

# Allow EventBridge to invoke the function. Without this resource policy the
# target is configured but every invocation fails, visible only as the rule's
# FailedInvocations metric.
aws lambda add-permission \
  --function-name guardduty-auto-remediate \
  --statement-id GuardDutyHighSeverityInvoke \
  --action lambda:InvokeFunction \
  --principal events.amazonaws.com \
  --source-arn arn:aws:events:us-east-1:123456789012:rule/GuardDutyHighSeverity

# Target the auto-remediation Lambda function
aws events put-targets \
  --rule GuardDutyHighSeverity \
  --targets '[{ "Id": "AutoRemediateTarget", "Arn": "arn:aws:lambda:us-east-1:123456789012:function/guardduty-auto-remediate" }]'
```
Auto-remediation Lambda example for isolating a compromised EC2 instance:
```python
import boto3

ec2 = boto3.client('ec2')


def lambda_handler(event, context):
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']
    if not (finding_type.startswith('UnauthorizedAccess:EC2') and severity >= 7):
        return {'status': 'skipped', 'type': finding_type}

    details = finding['resource']['instanceDetails']
    instance_id = details['instanceId']
    vpc_id = details['networkInterfaces'][0]['vpcId']

    # EventBridge re-delivers the finding on every recurrence; do not isolate twice
    existing = ec2.describe_security_groups(Filters=[
        {'Name': 'group-name', 'Values': [f'isolation-{instance_id}']},
        {'Name': 'vpc-id', 'Values': [vpc_id]}
    ])['SecurityGroups']
    if existing:
        return {'status': 'already_isolated', 'instance': instance_id}

    # Create the isolation security group. A new group has no inbound rules but
    # is created with a default allow-all egress rule, which must be removed or
    # the instance can still beacon out and exfiltrate.
    isolation_sg = ec2.create_security_group(
        GroupName=f'isolation-{instance_id}',
        Description='GuardDuty auto-isolation',
        VpcId=vpc_id
    )['GroupId']
    ec2.revoke_security_group_egress(
        GroupId=isolation_sg,
        IpPermissions=[{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
    )

    # Replace the groups on every network interface; modify_instance_attribute
    # only changes the primary ENI and would leave secondary ENIs reachable.
    for eni in details['networkInterfaces']:
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni['networkInterfaceId'],
            Groups=[isolation_sg]
        )

    # Tag instance for investigation
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{'Key': 'SecurityStatus', 'Value': 'ISOLATED'},
              {'Key': 'GuardDutyFinding', 'Value': finding_type}]
    )
    return {'status': 'isolated', 'instance': instance_id}
```
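The handler above only covers one resource type. What a production responder needs is the triage in front of it: map the numeric severity to its label, split the finding type into ThreatPurpose:ResourceType/ThreatName, skip archived and recurring findings, and pick a containment action per resource type. The following is an added example (not code from this page or from AWS) that does that planning in pure Python and returns the boto3 calls to make, so the logic can be unit-tested and the Lambda only executes the plan; field names under "detail" are those of the GuardDuty finding JSON, and the sample event is constructed to match the HIGH-001 entry in the summary at the end of this page. EC2 isolation is left to the handler above; the access-key and role-session actions are new here.

```python
"""Plan containment for an EventBridge 'GuardDuty Finding' event.

Added example, not code from the original page. plan_action() decides, and
execute() runs the returned boto3 calls with injected clients.
"""
import json
from datetime import datetime, timezone

# GuardDuty's numeric severity (0.1-10.0) and its four labels
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity_label(score):
    return next(label for floor, label in SEVERITY_BANDS if float(score) >= floor)


def parse_finding_type(finding_type):
    """'ThreatPurpose:ResourceType/ThreatName' -> (purpose, resource, name)."""
    purpose, rest = finding_type.split(":", 1)
    resource, name = rest.split("/", 1)
    return purpose, resource, name


def revoke_sessions_policy(now):
    """Deny policy that invalidates role sessions issued before `now` (the
    document the console's "Revoke active sessions" attaches). Stolen temporary
    credentials cannot be deactivated like a user's access key; this cuts them off."""
    issued_before = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def plan_action(event, now=None):
    """Return {'action': ..., 'calls': [(client, method, kwargs), ...]} for one finding."""
    now = now or datetime.now(timezone.utc)
    f = event["detail"]
    service = f.get("service", {})
    purpose, _, _ = parse_finding_type(f["type"])
    plan = {"finding_id": f["id"], "type": f["type"],
            "severity": severity_label(f["severity"]), "calls": []}
    if service.get("archived"):            # archived by a suppression rule
        return {**plan, "action": "ignore"}
    if service.get("count", 1) > 1:        # EventBridge re-emits recurrences;
        return {**plan, "action": "already_handled"}  # contain only the first
    if plan["severity"] not in ("High", "Critical"):
        return {**plan, "action": "ticket"}
    if purpose == "AttackSequence":        # multi-resource: page a human
        return {**plan, "action": "escalate"}
    resource = f["resource"]
    if resource.get("resourceType") == "Instance":
        details = resource["instanceDetails"]   # isolation itself: handler above
        return {**plan, "action": "isolate_instance",
                "instance_id": details["instanceId"],
                "vpc_id": details["networkInterfaces"][0]["vpcId"]}
    if resource.get("resourceType") == "AccessKey":
        key = resource["accessKeyDetails"]
        if key.get("userType") == "IAMUser":
            plan["calls"].append(("iam", "update_access_key", {
                "UserName": key["userName"], "AccessKeyId": key["accessKeyId"],
                "Status": "Inactive"}))
            return {**plan, "action": "deactivate_access_key"}
        if key.get("userType") == "AssumedRole":
            # Resolve the role name from the principal ARN in CloudTrail, then
            # attach this document with iam.put_role_policy.
            return {**plan, "action": "revoke_role_sessions",
                    "principal_id": key["principalId"],
                    "policy_document": json.dumps(revoke_sessions_policy(now))}
    return {**plan, "action": "ticket"}


def execute(plan, clients):
    """Run the plan's calls with injected clients, e.g. {'iam': boto3.client('iam')}."""
    return [getattr(clients[name], method)(**kwargs)
            for name, method, kwargs in plan["calls"]]


# Constructed sample event (HIGH-001 in the summary at the end of the page)
SAMPLE_MALICIOUS_IP_CALLER = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "f0a1b2c3d4e5f60718293a4b5c6d7e8f",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
        "severity": 8, "accountId": "123456789012", "region": "us-east-1",
        "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "principalId": "AIDAEXAMPLEPRINCIPAL",
            "userName": "ci-deploy", "userType": "IAMUser"}},
        "service": {"count": 1, "archived": False},
    },
}
```

Deactivating rather than deleting the key keeps the credential available as evidence and lets you restore it if the finding turns out to be a false positive; the recurrence check is what stops the same finding, re-emitted at every publishing interval, from re-running containment against an already handled resource.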
Step 5: Investigate Extended Threat Detection Attack Sequences
Review Critical-severity attack sequence findings that correlate multiple signals across EC2, ECS, and EKS (and, for the IAM and S3 sequences, across credential use and bucket access). These findings represent multi-stage attacks such as initial access through compromised credentials followed by persistence, lateral movement, and crypto mining; each one carries the individual signals, their timestamps, the actors and the endpoints involved, so it is the starting point for the timeline rather than the individual findings it was built from.
```bash
# List critical attack sequence findings (returns finding IDs only)
aws guardduty list-findings \
  --detector-id <detector-id> \
  --finding-criteria '{
    "Criterion": {
      "severity": {"Gte": 9},
      "type": {"Eq": [
        "AttackSequence:EC2/CompromisedInstanceGroup",
        "AttackSequence:ECS/CompromisedCluster",
        "AttackSequence:EKS/CompromisedCluster"
      ]}
    }
  }'

# Pull the full finding; the correlated signals with their timestamps, plus the
# actors, endpoints and indicators, sit under service.detection.sequence
aws guardduty get-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>
```
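The get-findings output for a sequence is large; what the investigator wants from it first is the timeline the summary at the end of this page prints (first signal, duration, stages in order). The following is an added example (not code from this page or from AWS) that reduces a sequence finding to those fields and tallies findings by severity. It assumes the correlated signals are under service.detection.sequence.signals with type, name, firstSeenAt and lastSeenAt, as in the GetFindings Detection/Sequence structure; confirm those names against a real finding before relying on them. The sample finding is constructed.

```python
"""Summarise an Extended Threat Detection attack sequence finding.

Added example, not from the original page. Assumed field names: the finding's
correlated signals are read from service.detection.sequence.signals, each with
type, name, firstSeenAt and lastSeenAt; verify against a real finding.
"""
from datetime import datetime

SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity_label(score):
    return next(label for floor, label in SEVERITY_BANDS if float(score) >= floor)


def _ts(value):
    """Parse GuardDuty's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _stage(signal):
    """Name the stage a signal represents: the ThreatPurpose of a correlated
    finding, otherwise the log source (CLOUD_TRAIL, FLOW_LOGS, ...) that produced it."""
    if signal.get("type") == "FINDING" and ":" in signal.get("name", ""):
        return signal["name"].split(":", 1)[0]
    return signal.get("type", "UNKNOWN")


def summarize_sequence(finding):
    """Timeline of one AttackSequence finding: ordered stages, first signal,
    duration in hours and signal count, as the summary report prints them."""
    signals = finding["service"]["detection"]["sequence"]["signals"]
    ordered = sorted(signals, key=lambda s: _ts(s["firstSeenAt"]))
    stages = []
    for s in ordered:  # first occurrence of each stage, in time order
        stage = _stage(s)
        if stage not in stages:
            stages.append(stage)
    first = _ts(ordered[0]["firstSeenAt"])
    last = max(_ts(s["lastSeenAt"]) for s in signals)
    return {
        "id": finding["id"], "type": finding["type"],
        "severity": severity_label(finding["severity"]),
        "stages": stages,
        "first_signal": first.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "duration_hours": round((last - first).total_seconds() / 3600, 2),
        "signal_count": len(signals),
    }


def severity_counts(findings):
    """The STATISTICS block of the summary: findings per severity label."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[severity_label(f["severity"])] += 1
    return counts


def render_line(summary):
    """One report line in the summary's 'a -> b -> c' attack-chain style."""
    return (f"{summary['type']}: {' -> '.join(summary['stages'])} "
            f"(first {summary['first_signal']}, {summary['duration_hours']}h, "
            f"{summary['signal_count']} signals)")


# Constructed sample resembling CRIT-001 in the summary at the end of the page
SAMPLE_SEQUENCE = {
    "id": "c0ffee00c0ffee00c0ffee00c0ffee00",
    "type": "AttackSequence:EC2/CompromisedInstanceGroup",
    "severity": 9.5,
    "service": {"detection": {"sequence": {"signals": [
        {"type": "FINDING", "name": "CryptoCurrency:EC2/BitcoinTool.B",
         "firstSeenAt": "2025-02-15T11:40:00Z", "lastSeenAt": "2025-02-15T12:23:00Z"},
        {"type": "FINDING", "name": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
         "firstSeenAt": "2025-02-15T08:23:00Z", "lastSeenAt": "2025-02-15T08:40:00Z"},
        {"type": "FINDING", "name": "Persistence:IAMUser/UserPermissions",
         "firstSeenAt": "2025-02-15T09:05:00Z", "lastSeenAt": "2025-02-15T09:06:00Z"},
    ]}}},
}
```

Sorting by firstSeenAt rather than by position in the array matters: the signals are not guaranteed to arrive in attack order, and the stage list is the thing the on-call reads first.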
Step 6: Integrate with Security Hub and SIEM
Forward GuardDuty findings to AWS Security Hub for centralized aggregation, and to external SIEM platforms via the S3 export from Step 2 or Amazon Security Lake for long-term retention and cross-source correlation. Security Lake has no direct GuardDuty source: findings reach it through the Security Hub findings source (SH_FINDINGS), so Security Hub must be enabled first.
```bash
# Confirm GuardDuty is registered as a Security Hub finding provider
# (enabling Security Hub turns this integration on automatically)
aws securityhub list-enabled-products-for-import

# Enable it explicitly if the GuardDuty product ARN is missing from that list
aws securityhub enable-import-findings-for-product \
  --product-arn arn:aws:securityhub:us-east-1::product/aws/guardduty

# Create the Security Lake data lake (the meta store manager role is required)
aws securitylake create-data-lake \
  --meta-store-manager-role-arn <meta-store-manager-role-arn> \
  --configurations '[{ "region": "us-east-1", "lifecycleConfiguration": { "expiration": {"days": 365} } }]'

# GuardDuty findings enter Security Lake through the Security Hub findings source
aws securitylake create-aws-log-source \
  --sources '[{ "sourceName": "SH_FINDINGS", "sourceVersion": "2.0", "regions": ["us-east-1"], "accounts": ["123456789012"] }]'
```
Key Concepts
| Term | Definition |
|---|---|
| Extended Threat Detection | GuardDuty capability that correlates multiple signals across time to detect multi-stage attacks, generating Critical-severity attack sequence findings |
| Runtime Monitoring | Protection plan that runs the GuardDuty security agent on the host (installed on EC2 instances via Systems Manager, as an EKS add-on DaemonSet on cluster nodes, and as a sidecar container in ECS Fargate tasks) to detect runtime threats at the OS and process level |
| Finding Severity | Four-tier classification (Low, Medium, High, Critical) where Critical indicates confirmed multi-stage attacks requiring immediate response |
| Malware Protection | On-demand and automatic EBS volume scanning triggered by suspicious EC2 behavior to detect malware without agent installation |
| Delegated Administrator | Organization member account designated to manage GuardDuty across all accounts in an AWS Organization |
| Suppression Rule | Filter that automatically archives findings matching specific criteria to reduce noise from known benign activity |
| Threat Intelligence | IP reputation lists and domain threat feeds used by GuardDuty to identify communication with known malicious infrastructure |
Tools & Systems
- Amazon GuardDuty: Core threat detection service analyzing CloudTrail, VPC Flow Logs, DNS logs, and runtime telemetry
- Amazon EventBridge: Serverless event bus for routing GuardDuty findings to automated response targets
- AWS Security Hub: Centralized security findings aggregation supporting automated remediation workflows
- Amazon Security Lake: OCSF-normalized data lake for long-term security log retention and cross-service correlation
- Amazon Detective: Graph-based investigation service that visualizes relationships between GuardDuty findings, resources, and API activity
Common Scenarios
Scenario: Cryptocurrency Mining Detected on ECS Cluster
Context: GuardDuty generates a CryptoCurrency:Runtime/BitcoinTool.B finding with High severity targeting an ECS Fargate task. Runtime Monitoring observed a mining binary executing inside a container, so the evidence is in the running task and not necessarily in the image it was started from.
Approach:
- Review the finding details to identify the ECS cluster, task ARN, task definition revision and container image, and record the image digest rather than the tag (tags are mutable and can be re-pointed)
- Capture volatile evidence before stopping anything: on Fargate the task's ephemeral storage, where a dropped binary such as /tmp/.hidden/xmrig lives, disappears when the task stops, and the process and network details in the Runtime Monitoring finding may be all that survives
- Stop the affected task and block redeployment: deregister the task definition revision and restrict the ECR repository policy so the digest can no longer be pulled, keeping the image itself as evidence
- Check CloudTrail for the RegisterTaskDefinition, RunTask and UpdateService calls to identify who deployed the image and with which credentials
- Scan the image with ECR enhanced scanning and compare it with the expected build; a clean vulnerability scan does not clear it, because a miner started at runtime (through a compromised entrypoint or a payload fetched after start) is often not present in any layer
- Review the IAM credentials used to push the image and register the task definition, and revoke compromised access
- Gate deployments on scan results in the pipeline: ECR scanning reports findings but does not by itself block pulls or task launches
Pitfalls: Stopping a Fargate task destroys its ephemeral storage and the dropped binary with it; stopping before the process, network and image details are captured loses the forensic trail. Deleting the image tag instead of preserving the digest destroys evidence. Failing to trace back to the RegisterTaskDefinition call misses the initial compromise vector.
Output Format
GuardDuty Threat Detection Summary
====================================
Account: 123456789012 (production)
Region: us-east-1
Period: 2025-02-01 to 2025-02-23
CRITICAL FINDINGS (Immediate Action Required):
[CRIT-001] AttackSequence:EC2/CompromisedInstanceGroup
- Instances: i-0abc123def, i-0def456abc
- Attack Chain: Credential theft -> Persistence -> Crypto mining
- First Signal: 2025-02-15T08:23:00Z
- Duration: 4 hours across 3 stages
- Status: Auto-isolated via Lambda
HIGH FINDINGS:
[HIGH-001] UnauthorizedAccess:IAMUser/MaliciousIPCaller
- Principal: arn:aws:iam::123456789012:user/ci-deploy
- Source IP: 198.51.100.42 (Tor exit node)
- API Calls: 47 calls to ec2:RunInstances
- Status: Access key deactivated
[HIGH-002] CryptoCurrency:Runtime/BitcoinTool.B
- Resource: ECS Task arn:aws:ecs:us-east-1:123456789012:task/cluster/task-id
- Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v2.1
- Process: /tmp/.hidden/xmrig --pool stratum+tcp://pool.example.com:3333
- Status: Task stopped, image quarantined
STATISTICS:
Total Findings: 23
Critical: 1 | High: 3 | Medium: 8 | Low: 11
Auto-Remediated: 4
Pending Investigation: 2