GuardDuty needs to be configured separately in each region. Here are a few key points about GuardDuty's regional nature:
- GuardDuty performs monitoring and analysis of data within individual AWS regions. Findings are generated and remain within these regions.
- To monitor accounts and workloads across multiple regions, GuardDuty must be enabled separately in each region.
- Customers can aggregate findings from different regions by using services such as CloudWatch Events to forward findings to a centralized target, for example an S3 bucket.
- Most AWS regions support GuardDuty. Refer to the documentation for the latest list.
- It is recommended to enable GuardDuty in all supported regions for comprehensive coverage, even for regions not actively used. This allows monitoring of global services like IAM.
```sh
aws guardduty help | egrep 'delete|describe|get|list|invit'
ACCS='791232313887 534701031479'
SRC_DID='62afd68d165a3a35c84581f84319b5da'
```

Update KMS policy for Alias actr-log-landing-zone-s3-key.

```json
{
  "Sid": "Allow GuardDuty to encrypt findings",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "404063023013",
      "aws:SourceArn": "arn:aws:guardduty:us-east-1:404063023013:detector/d0c0dd2315a6bf6147b8eb446264fcff"
    }
  }
},
```

Update S3 Access Policy for ge-aero-central-bit-bucket.
```json
{
  "Sid": "GuardDutyKmsAccessy",
  "Effect": "Allow",
  "Action": [
    "kms:List*",
    "eks:Read*"
  ],
  "Resource": "arn:aws:guardduty:*:*:addon/*/aws-guardduty-agent/*"
},
```

```sh
aws guardduty list-detectors
aws guardduty list-filters --detector-id $SRC_DID
aws guardduty describe-malware-scans --detector-id $SRC_DID
aws guardduty describe-organization-configuration --detector-id $SRC_DID # err - Not Org Mgmt
aws guardduty get-invitations-count
aws guardduty get-members --detector-id $SRC_DID --account-ids $ACCS
aws guardduty list-invitations
aws guardduty list-members --detector-id $SRC_DID
aws guardduty list-organization-admin-accounts # err - Not Org Master
```

```sh
aws guardduty delete-invitations --account-ids
aws guardduty delete-members --account-ids
```

The request is rejected either because
- no such invitation exists, or
- the current account is still associated with the given master account, or
- the current account has not yet declined the invitation from the given master account

```sh
# From New Master
aws guardduty invite-members --account-ids

# From Target Account
DES_DID='destination_detector_id'
DES_ADMIN='destination_admin_id'
# accept
aws guardduty accept-administrator-invitation \
  --detector-id $DES_DID \
  --administrator-id $DES_ADMIN \
  --invitation-id <value>
# decline
aws guardduty decline-invitations \
  --account-ids <value>
```
Bucket: arn:aws:s3:::ge-aero-central-bit-bucket/guardduty
KMS: arn:aws:kms:us-east-1:404063023013:key/mrk-e93ded3c418545fe89e23009a6297da8

Bucket: arn:aws-us-gov:s3:::ge-gov-cloudtrail-bucket
KMS: arn:aws-us-gov:kms:us-gov-west-1:135950234967:key/22b36957-92f8-4727-bc0f-fda6e09354ff

```json
,
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": "arn:aws-us-gov:iam::135950234967:user/directs3/*"
    }
  }
}
```
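The two KMS key-policy statements in these notes are the safe shapes: the guardduty.amazonaws.com grant is pinned to one account and detector with aws:SourceAccount and aws:SourceArn, and the Principal "*" grant is narrowed by aws:PrincipalArn; the same grants without those conditions would let any account's detector, or any caller, use the key. As an added example, not part of these notes, a small Python checker that flags statements missing those conditions, run over a constructed sample policy (account IDs and detector ID are placeholders):

```python
import json

# Constructed sample key policy (not from the notes): statement 1 mirrors the
# pinned GuardDuty grant, statement 2 drops its conditions, statement 3 mirrors
# the Principal "*" grant narrowed by aws:PrincipalArn, statement 4 is wide open.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PinnedGuardDuty", "Effect": "Allow",
     "Principal": {"Service": "guardduty.amazonaws.com"},
     "Action": "kms:GenerateDataKey", "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111",
         "aws:SourceArn": "arn:aws:guardduty:us-east-1:111111111111:detector/EXAMPLEID"}}},
    {"Sid": "UnpinnedGuardDuty", "Effect": "Allow",
     "Principal": {"Service": "guardduty.amazonaws.com"},
     "Action": "kms:GenerateDataKey", "Resource": "*"},
    {"Sid": "NarrowedWildcard", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::111111111111:user/directs3/*"}}},
    {"Sid": "OpenWildcard", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*"},
]})

# Condition keys that tie a wildcard principal to a specific caller.
CALLER_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid"}
# Keys that pin a service principal to one account's detector (confused-deputy guard).
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def _condition_keys(stmt):
    """Every condition key in the statement, lower-cased (IAM matches them case-insensitively)."""
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}

def lint_key_policy(policy_json):
    """Return (Sid, problem) pairs for Allow statements broader than the pinned pattern."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal, keys = stmt.get("Sid", "<no Sid>"), stmt.get("Principal"), _condition_keys(stmt)
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if "guardduty.amazonaws.com" in ([services] if isinstance(services, str) else services):
            missing = sorted(SOURCE_KEYS - keys)
            if missing:
                findings.append((sid, "GuardDuty principal not pinned; missing " + ", ".join(missing)))
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and not keys & CALLER_KEYS:
            findings.append((sid, "wildcard principal with no caller-narrowing condition"))
    return findings

if __name__ == "__main__":
    print(*lint_key_policy(SAMPLE_POLICY), sep="\n")
```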