How To Protect Your S3 Buckets With Amazon GuardDuty
Amazon recently launched its new threat detection service to protect customer’s AWS accounts, data, and other workloads stored in S3 buckets. The threat detection engine uses artificial intelligence, machine learning, anomaly detection, and integrated threat intelligence to identify and block threats.
Read on to learn more about GuardDuty and how it can help you secure your AWS account and other related data.
What Is Amazon GuardDuty?
Amazon GuardDuty is designed to monitor and thwart dangerous behavior that threatens your AWS accounts and workloads stored on Amazon S3. It monitors unusual API calls as well as any unauthorized deployments to help identify malicious activities like cryptocurrency mining, credential compromises, unauthorized data access, and communication with unverified command-and-control servers.
Any reconnaissance conducted by attackers can also be detected using Amazon GuardDuty. The threat detection service consistently analyzes multiple events across multiple AWS data sources. Moreover, these features are accompanied by robust integrated threat intelligence feeds like Proofpoint, AWS, and CrowdStrike to save time and effort.
Other than offering real-time protection, the GuardDuty threat detection service can assist with the following:
- The service makes it easy to enable continuous monitoring of AWS accounts, workloads, and data stored in Amazon S3 buckets
- It operates independently, thus there is no risk of performance and its availability won’t impact your workload
- It delivers detailed and actionable alerts that ensure it’s easily integrated with the existing event management and workflow system
- It’s extremely cost-effective given you just need to pay for the events analyzed. There are no upfront or hidden costs
- It delivers multi-account support and can be managed through a single administrator account, thus making it easy to integrate with other enterprise management systems
How Does It Work?
GuardDuty allows you to monitor all of your AWS accounts without the need to deploy or manage any additional software. With just a few clicks on the main console, you’ll be able to continuously monitor and analyze data access activities, accounts, and networks.
The threat detection system continuously analyzes the AWS CloudTrail and the Amazon Virtual Private Cloud Flow logs for any possible malicious activity. The three types of threats that it detects are:
- Attacker Reconnaissance: Includes failed login patterns, unusual API activity, or port scanning
- Compromised Sources: Covers crypto-jacking, unusual spikes, or temporary access to the Elastic Compute Cloud
- Compromised Accounts: Handles API calls from odd locations, attempts to disable Cloud Trail, and more
The admin can supply GuardDuty with their list of safe IP addresses, but unfortunately the service doesn’t support customized detection rules. The admin can respond to every GuardDuty finding with a thumbs-up or thumbs-down to share feedback for future detections. These findings will be delivered to the Management Console in a JSON format. This aids the admin with taking necessary defensive action against the threats.
How To Enable The S3 Protection?
You can manage all your accounts from a single account using the integration with AWS organizations.
- Enabling S3 Protection for AWS Accounts: If you’ve enabled GuardDuty for your AWS account and want to add threat detection for your S3 bucket, enable the S3 Protection option from the main console. To improve overall security, repeat this process for all regions enabled in your account. After a few minutes, you can start seeing new findings related to your S3 buckets. This grants you complete details on the source of the threat and the target action
- Enabling S3 Protection for AWS Organizations: For the management of multiple accounts, the threat detection system uses its integration with AWS Organizations that allows you to delegate an account to be the administrator. The delegated administrator can enable GuardDuty for all the accounts in the organization in a single click. To automatically include new accounts in the organization, you can set Auto-enable to ON
Overall, GuardDuty is a modern-day threat detection system that uses ML and AI along with behavior and anomaly monitoring to identify and remove threats in real-time. You can take advantage of the 30-day free trial to detect threat capabilities and decide if this threat detection service is the right fit for your enterprise.