This article covers an overview about AWS Guard Duty and how to add a bucket policy. You can also learn how to export findings to a bucket and set up frequency to export updated active findings.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Use cases
- Improve security operations visibility Exporting findings
- Assist security analysts in investigations
- Identify files containing malware
- Route insightful information on security findings
Exporting findings
GuardDuty supports exporting active findings to CloudWatch Events and, optionally, to an Amazon S3 bucket. New Active findings that GuardDuty generates are automatically exported within about 5 minutes after the finding is generated. You can set the frequency for how often updates to Active findings are exported to CloudWatch Events. The frequency that you select applies to the exporting of new occurences of existing findings to CloudWatch Events, your S3 bucket (if configured), and Detective (if integrated). For more information on updates to existing findings see GuardDuty finding aggregation .
- Note the following about export settings for findings:
- Export settings are regional, which means you need to configure export options for each Region in which you're using GuardDuty. However, you can use the same bucket in a single Region as the export destination for each Region you use GuardDuty in.
- Archived findings, including new instances of suppressed findings, aren't exported. If you unarchive a finding, its status is updated to Active, and it will be exported at the next interval.
- If you enable findings export in a GuardDuty administrator account all findings from associated member accounts that are generated in the current Region are also exported to the same location that you configured for the administrator account.
- To configure settings for exporting Active findings to an Amazon S3 bucket you will need a KMS key that GuardDuty can use to encrypt findings, and an S3 bucket with permissions that allows GuardDuty to upload objects. Review this topic to learn how to configure findings export and frequency.
Permissions required to configure findings export
When you configure options for exporting findings, you select a bucket to store the findings in and a KMS key to use for data encryption. In addition to permissions to GuardDuty actions, you must also have permissions to the following actions to successfully configure options for exporting findings.
kms:ListAliases
s3:CreateBucket
s3:GetBucketLocation
s3:ListAllMyBuckets
s3:PutBucketAcl
s3:PutBucketPublicAccessBlock
s3:PutBucketPolicy
s3:PutObject
Note: If your policy explicitly denies putObjectAcl you will be unable to publish findings.
Granting GuardDuty permission to a KMS key
GuardDuty encrypts the findings data in your bucket by using an AWS KMS key. To successfully configure findings export, you must first give GuardDuty permission to use a KMS key. You grant the permissions by changing the key policy for the key you use.
If you plan to use a new key for GuardDuty findings, create a key before proceeding. If you are using a key in another account, you need to log in to the account that owns the key to apply the key policy. You also need the key ARN for a key from another account when you configure export settings.
To modify the key policy to allow GuardDuty to use the key:
- Open the AWS KMS console at https://console.aws.amazon.com/kms.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- Create a new key or choose an existing key that you plan to use for encrypting exported findings. The key must be in the same Region as the bucket, however, you can use this same bucket and key pair for each region you want to export findings from.
- Select your key then copy the key ARN from the General configuration panel.
- Under Key policy, choose Edit.
Tip: If Switch to policy view is displayed, choose that to display the key policy, and then choose Edit. - Add the following key policy granting GuardDuty access to your key. Replace the values in red to match your environment.
- Replace Region with the Region that the KMS key is in. Replace 111122223333 with the AWS account number of the source account that owns the GuardDuty detector. Replace KMSKeyId with the key ID of the key that you chose for encryption and replace SourceDetectorID with the source account's GuardDuty detector ID for the current Region.
- This statement allows GuardDuty to use only the key that you changed the policy for. When editing the key policy make sure your JSON syntax is valid, if you add the statement before the final statement you must add a comma after the closing bracket.
{
"Sid": "AllowGuardDutyKey",
"Effect": "Allow",
"Principal": {
"Service": "guardduty.amazonaws.com"
},
"Action": "kms:GenerateDataKey",
"Resource": "arn:aws:kms:Region:111122223333:key/KMSKeyId",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333",
"aws:SourceArn": "arn:aws:guardduty:Region:111122223333:detector/SourceDetectorID"
}
}
}
Note: If you're using GuardDuty in an manually-enabled Region, replace the value for the "Service" with the Regional endpoint for that Region. For example, if you're using GuardDuty in the Middle East (Bahrain) (me-south-1) Region, replace "Service": "guardduty.amazonaws.com" with "Service": "guardduty.me-south-1.amazonaws.com".
9. Choose Save.
10. (Optional) If you plan on using an existing bucket, copy the key ARN to a notepad for use in later steps. To locate the key ARN, see Finding the key ID and ARN.
Granting GuardDuty permissions to a bucket
When using a pre-existing bucket within your account, or in a different AWS account, you must grant GuardDuty permission to upload objects to that bucket. You grant these permissions by adding an S3 bucket policy. If you are using a pre-existing bucket, expand the following section for step-by-step instructions on adding a bucket policy.
To add a bucket policy that allows GuardDuty to upload objects your bucket
- Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- Choose the bucket you plan to use for exported findings.
- Choose Permissions, and then choose Bucket Policy.
- Copy the example policy and paste it into the Bucket policy editor.
- Replace the placeholder values in the example policy with the values appropriate for your environment.
- Replace myBucketName. Replace [optional prefix] with a folder location for your exported findings (GuardDuty will create this location during set up if it does not already exist). Replace Region with the Region that the KMS key is in. Replace 111122223333 with the AWS account number of the account where GuardDuty is set up. Replace KMSKeyId with the key ID of the key that you chose for encryption and replace SourceDetectorID with the source account's GuardDuty detector ID for the current Region.
The following example policy shows how to grant GuardDuty permission to send findings to your Amazon S3 bucket. If you change the path after you configure findings export, you must modify the policy to grant permission to the new location.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGuardDutygetBucketLocation",
"Effect": "Allow",
"Principal": {
"Service": "guardduty.amazonaws.com"
},
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::myBucketName",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333",
"aws:SourceArn": "arn:aws:guardduty:Region:111122223333:detector/SourceDetectorID"
}
}
},
{
"Sid": "AllowGuardDutyPutObject",
"Effect": "Allow",
"Principal": {
"Service": "guardduty.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333",
"aws:SourceArn": "arn:aws:guardduty:Region:111122223333:detector/SourceDetectorID"
}
}
},
{
"Sid": "DenyUnencryptedUploadsThis is optional",
"Effect": "Deny",
"Principal": {
"Service": "guardduty.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyIncorrectHeaderThis is optional",
"Effect": "Deny",
"Principal": {
"Service": "guardduty.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:Region:111122223333:key/KMSKeyId"
}
}
},
{
"Sid": "DenyNon-HTTPS",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myBucketName/[optional prefix]/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
Note: If you're using GuardDuty in an manually-enabled Region, replace the value for the service with the Regional endpoint for the Region. For example, if you're using GuardDuty in the Middle East (Bahrain) (me-south-1) Region, replace "Service": "guardduty.amazonaws.com" with "guardduty.me-south-1.amazonaws.com".
Exporting findings to a bucket with the Console
- When you configure findings export, you can choose an existing S3 bucket or have GuardDuty create a new bucket to store exported findings in. If you choose to use a new bucket, GuardDuty applies all necessary permissions to the created bucket. If you use an existing bucket, you must first update the bucket policy to allow GuardDuty to put findings into the bucket.
- You may also export findings to an existing bucket in another account.
- When choosing a new or existing bucket in your account, you can add a prefix. When configuring findings export GuardDuty creates a new folder in the S3 bucket for your findings. The prefix will prepend the default folder structure created by GuardDuty, which is /AWSLogs/111122223333/GuardDuty/Region.
Important: The KMS key and S3 bucket must be in the same Region.
Before completing these steps makes sure you have configured a KMS key and, if using an existing bucket, added a bucket policy to allow GuardDuty to create objects.
- New bucket in your account
- Existing bucket in your account
- Existing bucket in another account
To configure findings export using a new bucket
- Add a policy to the KMS key that GuardDuty will use to encrypt findings. For example policy, see Granting GuardDuty permission to a KMS key .
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- Choose Settings.
- On the Settings page, under S3 bucket in the Finding export options section, choose Configure now.
- Choose New bucket to create a new bucket to store exported findings.
- In the Name the bucket field, enter a name for the bucket. The name must be unique across all S3 buckets. Bucket names must start with a lowercase letter or a number.
- If you used an [optional prefix] in your bucket policy you must enter that prefix under Log file prefix, otherwise this is optional. When you enter a value, the example path below the field is updated to reflect the path to bucket location where your exported findings will be stored.
- Under KMS encryption, do one of the following:
- Select Choose key from your account.
- Then choose the key alias of the key that you changed the policy for from the Key alias list.
- Select Choose key from another account.
- Then enter the full ARN to the key that you changed the policy for.
Note: The key that you choose must be in the same Region as the bucket. To learn how to find the key ARN, see Finding the key ID and ARN.
- Choose Save.
Export access error
- After you configure finding export options, if GuardDuty is unable to export findings, an error message is displayed on the Settings page. This can happen when GuardDuty can no longer access the target resource, such as when the S3 bucket is deleted or the permissions to the bucket are changed. This can also happen when the KMS key used to encrypt data in the bucket becomes inaccessible.
- When exporting fails, GuardDuty sends a notification to the email associated with the account to let you know about the issue. If you don't resolve the issue, GuardDuty disables finding export in the account. You can update the configuration to restart finding export at any time.
- If you receive this error, review the information in this topic about how to enable and configure findings export. For example, review the key policy and confirm that the correct policy is applied to the KMS key that you chose for encryption.
Setting the frequency for exporting updated active findings
Configure the frequency for exporting updated Active findings as appropriate for your environment. By default, updated findings are exported every 6 hours. This means that any findings that are updated after the most recent export are included in the next export. If updated findings are exported every 6 hours and the export occurs at 12:00, any finding that you update after 12:00 is exported at 18:00.
To set the frequency,
- Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
- Choose Settings.
- In the Findings export options section, choose Frequency for updated findings. This sets the frequency for exporting updated Active findings to both CloudWatch Events and Amazon S3. You can choose from the following:
- Update CWE and S3 every 15 minutes
- Update CWE and S3 every 1 hour
- Update CWE and S3 every 6 hours (default)
- Choose Save.
Configuring a feed in Chronicle Instance
To configure a feed in Chronicle,
- From your Chronicle instance page, select Settings from the main menu at top left of your screen
2. Click on Feeds where you can find the data feeds that you have configured as well as the default feeds that Google provided.
3. From the Feeds page, click ADD NEW at top of the screen. The ADD FEED window appears.
4. In Set Properties tab, select SOURCE TYPE as Amazon S3 from the dropdown menu.
5. Select the Log Type as AWS GuardDuty from the dropdown menu.
6. Click Next.
7. In Input Parameters tab, paste the region, S3 URI, Access Key ID & Secret key that you copied from configuration tab of a storage bucket.
8. Click Next.
9. In the Finalize tab, click Submit.
GuardDuty logs will be ingested successfully
Comments
0 comments
Please sign in to leave a comment.