Demo: Integrating Amazon Detective with GuardDuty - Detect, Investigate, Act
As I promised you in my last article, I prepared a POC for Amazon Detective. In this demo, I try to show the capabilities of Amazon Detective and its integration with GuardDuty.
First of all, I have created a VPC with 2 Public and 2 Private Subnets with an IGW for public access and obtained a public IP for my resources. In addition, I have created an EC2 instance with Amazon Linux OS.
EC2 details are as below:
In addition, because we will be working with GuardDuty, we have to add the tag “GuardDutyManaged: true” to the instance.
Ok, let's review our scenario. I will implement the previous scenario with nmap.
Install nmap using this command:
After installation, run this command to confirm the installation:
You can do a simulation for port scanning with this command:
With this command, you will scan ports from 1-1000 on the related EC2 instance.
Ok, with this command we will create “an outbound port scan” from our EC2 instance. With that, a finding will appear in the GuardDuty findings list that shows all details about this finding.
You can find all details about this finding, which include the finding ID, type, severity, and instance details like public IP, hostname, private IP, scanned port sample, etc.
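The fields listed above are the ones an analyst reads first when a finding arrives. The following is an added example (not code from the original article or from AWS) that pulls them out of a finding dictionary such as the one returned by the GuardDuty GetFindings API. The sample finding is constructed for this example; its field names follow the GuardDuty finding layout as I understand it, so treat that layout as an assumption, and the IDs and addresses are placeholders.

```python
import json

# Constructed sample, shaped like a GuardDuty finding for an outbound port scan
# (field names follow the GetFindings response as I understand it; the values,
# IDs and addresses are made up for this example).
SAMPLE_FINDING = {
    "Id": "EXAMPLE-FINDING-ID-PLACEHOLDER",
    "Type": "Recon:EC2/Portscan",
    "Severity": 5,
    "Resource": {
        "ResourceType": "Instance",
        "InstanceDetails": {
            "InstanceId": "i-0example1234567890",
            "NetworkInterfaces": [
                {
                    "PrivateIpAddress": "10.0.1.25",
                    "PublicIp": "203.0.113.10",
                    "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com",
                }
            ],
        },
    },
    "Service": {
        "Action": {
            "ActionType": "NETWORK_CONNECTION",
            "NetworkConnectionAction": {
                "ConnectionDirection": "OUTBOUND",
                "Protocol": "TCP",
                "RemoteIpDetails": {
                    "IpAddressV4": "198.51.100.7",
                    "Country": {"CountryName": "Example Country"},
                    "Organization": {"Isp": "Example ISP"},
                },
            },
        },
        # GuardDuty stores the scanned-port sample as a JSON string here
        "AdditionalInfo": {
            "Type": "default",
            "Value": json.dumps({"portsScannedSample": [22, 80, 443, 3306]}),
        },
        "Count": 3,
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage_finding(finding):
    """Return the fields an analyst reads first.

    Every lookup is defensive: findings of other types omit some of
    these keys, and a triage helper must not crash on them.
    """
    details = finding.get("Resource", {}).get("InstanceDetails", {})
    nic = (details.get("NetworkInterfaces") or [{}])[0]
    service = finding.get("Service", {})
    conn = service.get("Action", {}).get("NetworkConnectionAction", {})
    remote = conn.get("RemoteIpDetails", {})

    # portsScannedSample lives inside a JSON string in AdditionalInfo.Value
    ports = []
    raw = service.get("AdditionalInfo", {}).get("Value")
    if raw:
        try:
            ports = json.loads(raw).get("portsScannedSample", [])
        except (ValueError, AttributeError):
            ports = []

    return {
        "finding_id": finding.get("Id"),
        "type": finding.get("Type"),
        "severity": finding.get("Severity"),
        "severity_label": severity_label(float(finding.get("Severity", 0))),
        "instance_id": details.get("InstanceId"),
        "public_ip": nic.get("PublicIp"),
        "hostname": nic.get("PublicDnsName"),
        "private_ip": nic.get("PrivateIpAddress"),
        "direction": conn.get("ConnectionDirection"),
        "remote_ip": remote.get("IpAddressV4"),
        "remote_country": remote.get("Country", {}).get("CountryName"),
        "remote_isp": remote.get("Organization", {}).get("Isp"),
        "ports_scanned_sample": sorted(ports),
        "occurrences": service.get("Count"),
    }


if __name__ == "__main__":
    for key, value in triage_finding(SAMPLE_FINDING).items():
        print(f"{key:>22}: {value}")
```

The same function works on the `Findings` list returned by `boto3`'s `guardduty.get_findings(...)`, which is where a real pipeline would feed it; the point of the defensive lookups is that a single helper can be run over findings of every type without special-casing each one.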
But if you want to investigate this finding and determine its root cause, it's better to use Amazon Detective. You can try Amazon Detective at no additional charge with a 30-day free trial. With the free trial, you get the full Amazon Detective feature set over the 30-day period. During the free trial, you can see projected costs for each account. If you're using AWS Organizations, you can also see the projected cost of all accounts. You can find all of the details and pricing at this link.
After enabling Amazon Detective, the integration with GuardDuty is established automatically. You can start to review the finding details and investigate the finding, starting from the GuardDuty finding page.
As you can see in the picture, you can investigate the finding's EC2 instance, AWS account, public IP address, and private IP address.
If you click on one of them, for example the finding ID, you will be taken to the Detective service.
As you can see, all the details around this finding are shown in the Detective service: the finding type, the port used, and which country or ISP used this EC2 instance are obvious.
After investigation, you can archive this finding for further investigation at another time. On the summary page, you can find all of the details about your account: active users, active resources like EC2, Kubernetes, etc.
You can find all details about successful or failed API calls by user, both SSO users and functional IAM users. For example, below, you can find details about the user name “emir”.
You can also see all of the details about the IP addresses that were used to connect as this user and all of the successful or failed API calls. Also, you can review details about the API method by service and the access key ID used for the connection.
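Detective builds that per-user view (successful versus failed calls, source IPs, access key IDs, services) from CloudTrail. As an added example, not the article's or AWS's code, here is the same summary computed directly over CloudTrail-style records, which is useful for checking Detective's output or for an account where Detective is not enabled yet. The five records are constructed for this example; the field names (`eventSource`, `userIdentity`, `sourceIPAddress`, `errorCode`) are the standard CloudTrail ones, while the user names, key IDs and addresses are placeholders.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records. Field names are CloudTrail's;
# user names, access key IDs, account ID and addresses are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "emir",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "emir",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "emir",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "emir",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminSSO/alice",
                      "accessKeyId": "ASIAEXAMPLEKEY000003"}},
]


def principal_name(identity):
    """IAM users carry userName; SSO/assumed-role sessions only carry an ARN,
    whose last path element is the session name."""
    if identity.get("userName"):
        return identity["userName"]
    arn = identity.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else "unknown"


def summarize_by_user(events):
    """Per principal: success/failure counts, source IPs, access keys and
    the services called. A present errorCode field marks a failed call."""
    summary = defaultdict(lambda: {
        "success": 0, "failure": 0,
        "source_ips": set(), "access_keys": set(), "services": Counter(),
    })
    for ev in events:
        ident = ev.get("userIdentity", {})
        entry = summary[principal_name(ident)]
        if ev.get("errorCode"):
            entry["failure"] += 1
        else:
            entry["success"] += 1
        entry["source_ips"].add(ev.get("sourceIPAddress"))
        if ident.get("accessKeyId"):
            entry["access_keys"].add(ident["accessKeyId"])
        entry["services"][ev.get("eventSource", "unknown")] += 1
    # Freeze sets into sorted lists so the result is stable and JSON-friendly
    return {
        user: {
            "success": e["success"],
            "failure": e["failure"],
            "source_ips": sorted(ip for ip in e["source_ips"] if ip),
            "access_keys": sorted(e["access_keys"]),
            "services": dict(e["services"]),
        }
        for user, e in summary.items()
    }


def failed_calls_from_new_ips(events):
    """(user, ip) pairs whose only activity is failures: an address a user
    never succeeded from, producing AccessDenied, is worth a closer look."""
    seen_ok, seen_fail = set(), set()
    for ev in events:
        key = (principal_name(ev.get("userIdentity", {})), ev.get("sourceIPAddress"))
        (seen_fail if ev.get("errorCode") else seen_ok).add(key)
    return sorted(seen_fail - seen_ok)


if __name__ == "__main__":
    for user, entry in summarize_by_user(SAMPLE_EVENTS).items():
        print(user, entry)
    print("failures from IPs with no successful history:",
          failed_calls_from_new_ips(SAMPLE_EVENTS))
```

`failed_calls_from_new_ips` is the kind of pivot the "New Behavior" view is for: the user "emir" has two denied IAM calls from an address that never appears in a successful call, which is the sort of detail to check against the geolocation view before deciding whether the key is being used from somewhere unexpected.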
Or, if you want to review details based on geolocation, you can review it from the New Behavior tab.
If you click on the EC2 instance on the summary page, you can see all of the details about the finding and the affected traffic on the EC2 instance: inbound and outbound traffic, local and remote ports, and inbound and outbound connections.
And the important part of the process will be reviewing all details about the IPs that requested a connection, which can be rejected or accepted based on your security design. You can query all of these logs with Security Lake, but first of all, you have to deploy an integration between them.
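The traffic view above is built from VPC Flow Logs, so the accept/reject picture per remote IP can also be reproduced from the raw records. The following added example (my code, not the article's or AWS's) parses flow log lines in the default version 2 format and summarizes, per remote address, the direction relative to the instance, the ACCEPT/REJECT counts and the local ports touched, which is what makes a scanning peer stand out as many REJECTs across many distinct ports. The six log lines, the private IP and the ENI/account IDs are constructed for this example.

```python
from collections import defaultdict

INSTANCE_PRIVATE_IP = "10.0.1.25"   # the instance under investigation (constructed)

# Constructed VPC Flow Log lines in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0example00000001 198.51.100.7 10.0.1.25 44120 22 6 8 640 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example00000001 198.51.100.7 10.0.1.25 44121 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example00000001 198.51.100.7 10.0.1.25 44122 445 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0example00000001 10.0.1.25 192.0.2.40 39440 80 6 12 3000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example00000001 10.0.1.25 192.0.2.40 39441 443 6 10 2900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0example00000001 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Yield one dict per usable record. NODATA/SKIPDATA rows carry no
    addresses and are dropped rather than mis-parsed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec


def summarize_remote_ips(text, local_ip):
    """Per remote IP: direction relative to the instance, ACCEPT/REJECT
    counts, local ports touched, and bytes moved."""
    summary = defaultdict(lambda: {"inbound": 0, "outbound": 0, "ACCEPT": 0,
                                   "REJECT": 0, "local_ports": set(), "bytes": 0})
    for rec in parse_flow_log(text):
        if rec["dstaddr"] == local_ip:
            remote, direction, local_port = rec["srcaddr"], "inbound", rec["dstport"]
        elif rec["srcaddr"] == local_ip:
            remote, direction, local_port = rec["dstaddr"], "outbound", rec["srcport"]
        else:
            continue  # record does not involve this instance
        entry = summary[remote]
        entry[direction] += 1
        entry[rec["action"]] = entry.get(rec["action"], 0) + 1
        entry["local_ports"].add(local_port)
        entry["bytes"] += rec["bytes"]
    return {ip: {**e, "local_ports": sorted(e["local_ports"])} for ip, e in summary.items()}


def rejected_sources(text, local_ip, min_rejects=2):
    """Remote IPs with at least min_rejects rejected inbound attempts:
    the candidates to check against the security group design."""
    s = summarize_remote_ips(text, local_ip)
    return sorted(ip for ip, e in s.items() if e["inbound"] and e["REJECT"] >= min_rejects)


if __name__ == "__main__":
    for ip, entry in summarize_remote_ips(SAMPLE_FLOW_LOG, INSTANCE_PRIVATE_IP).items():
        print(ip, entry)
    print("rejected sources:", rejected_sources(SAMPLE_FLOW_LOG, INSTANCE_PRIVATE_IP))
```

The same field list applies to flow logs delivered to S3 or CloudWatch Logs in the default format; a custom format needs `FIELDS` adjusted to match the order you configured, and the direction logic assumes a single local address, so for a multi-homed instance pass each ENI's private IP in turn.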
Key Takeaways:
As you can see, there are many features and facilities that you can use in Amazon Detective for your workload security. The most important advantage of this service is its integration with the other security tools like Security Lake, GuardDuty, and Security Hub, which can send findings to Amazon Detective, and it also ingests data from CloudTrail and VPC Flow Logs.