Overview
Set up AWS GuardDuty to enhance your cloud security posture by enabling threat detection and monitoring across your AWS environment. The plan moves through assessment, summary, configuration and validation phases: it starts by collecting the relevant inputs, then sets up the necessary GuardDuty components, and ends with validation to confirm that the setup is correct and working.
Execution Details
Phase 1: Assessment – Collect Inputs and Setup Environment
- List AWS Regions: Gather a list of all available AWS regions to understand where GuardDuty can be enabled.
- Select AWS Regions: From that list, select the regions in which GuardDuty will be enabled.
- Select Protection Plans: Present options such as MalwareProtection and EKSProtection, allowing you to specify which plans to activate.
- GuardDuty Findings Publishing Frequency: Choose the frequency of publishing GuardDuty findings, offering options like FIFTEEN_MINUTES and ONE_HOUR.
- Choose/Create S3 Bucket: Choose an existing S3 bucket, or plan to create a new one, for storing exported GuardDuty findings.
- Apply S3 Bucket Policy: Ensure the S3 bucket has the necessary permissions by generating and applying a bucket policy that allows GuardDuty to write findings to it.
- Select/Create KMS Key: Determine the encryption key for findings, whether by selecting an existing KMS key or creating a new one.
- Apply KMS Key Policy: Apply the necessary key policy so that GuardDuty can use the selected KMS key to encrypt exported findings.
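A worked example for the two policy steps above (added here; it is not part of the original plan or of any AWS tooling): it builds the S3 bucket policy and the KMS key-policy statement that GuardDuty needs to export findings. The account ID, bucket name, detector ARN and key ARN are constructed placeholders, and the function names are assumptions of this example.

```python
import json

GUARDDUTY = {"Service": "guardduty.amazonaws.com"}


def _source_condition(account_id, detector_arn):
    # Confused-deputy guard: only this account's detector(s) may use the grant.
    return {"StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": detector_arn}}


def guardduty_bucket_policy(bucket, account_id, detector_arn, kms_key_arn):
    arn, objects = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    src = _source_condition(account_id, detector_arn)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow",
         "Principal": GUARDDUTY, "Action": "s3:GetBucketLocation",
         "Resource": arn, "Condition": src},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow",
         "Principal": GUARDDUTY, "Action": "s3:PutObject",
         "Resource": objects, "Condition": src},
        # Findings must be written with SSE-KMS under exactly the chosen key...
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": GUARDDUTY,
         "Action": "s3:PutObject", "Resource": objects, "Condition": {
             "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": GUARDDUTY,
         "Action": "s3:PutObject", "Resource": objects, "Condition": {
             "StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        # ...and nobody may reach the bucket over plaintext HTTP.
        {"Sid": "DenyNonHttps", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def guardduty_kms_statement(account_id, detector_arn, kms_key_arn):
    # Append this statement to the key's existing policy rather than replacing
    # the policy outright, or you drop the key-administrator statement.
    return {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow",
            "Principal": GUARDDUTY, "Action": "kms:GenerateDataKey",
            "Resource": kms_key_arn,
            "Condition": _source_condition(account_id, detector_arn)}


if __name__ == "__main__":
    acct = "111122223333"  # constructed placeholder account
    det = f"arn:aws:guardduty:us-east-1:{acct}:detector/*"  # tighten once IDs exist
    key = f"arn:aws:kms:us-east-1:{acct}:key/PLACEHOLDER-KEY-ID"
    print(json.dumps(guardduty_bucket_policy("gd-findings-example", acct, det, key), indent=2))
    print(json.dumps(guardduty_kms_statement(acct, det, key), indent=2))
```

The wildcard detector ARN is what you need before Phase 3 creates the detectors; once their IDs are known, replace it with the specific detector ARN per region.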
Phase 2: Summary – Display Setup Plan
- Review GuardDuty Config Summary: Summarize your selections including chosen regions, protection plans, S3 bucket for findings, and encryption options, facilitating a final review.
Phase 3: Configuration – Enable and Configure GuardDuty
- Enable Detectors: Initialize GuardDuty detectors across selected AWS regions to start monitoring.
- Enable Protection Plans: Activate chosen protection plans, updating detectors in specified regions.
- Update Findings Publishing Frequency: Set the frequency at which detector findings are published based on your selection.
- Configure Publishing Destination: Link your configured S3 bucket and KMS key to the detector, enabling secure findings export.
Phase 4: Validation – Confirm Setup
- Validate GuardDuty Detectors: Verify that a detector is active in each selected region by confirming that each region returns a detector ID.
- Validate GuardDuty Findings: Ensure that findings are reported for each active detector, confirming that data ingestion is functioning correctly.
By the end of this plan, GuardDuty will be not only enabled but also properly configured to monitor and detect threats across the selected regions, with findings exported securely, giving your AWS environment effective protection.