Detect and alert on AWS account threats with our GuardDuty wrapper
By: Ian Ward
Today we open sourced a wrapper around Amazon Web Services’ new GuardDuty offering to help detect threats and compromise in AWS cloud accounts and EC2 instances. We worked with AWS to help test this new product and developed this wrapper in the process. At any given moment, Mapbox runs thousands of EC2 instances and tens of thousands of ECS containers. While we take several steps to secure our infrastructure and applications, the faster a threat or compromise across our fleet can be detected, the more likely we’ll be able to safeguard against it.
GuardDuty adds a massive level of visibility into threat detection on our AWS accounts and resources, delivering as a product what would otherwise have been a large internal engineering project that would be difficult to equal. Without our having to build any integration, GuardDuty continuously analyzes all of our CloudTrail, VPC Flow, and DNS query logs for threats and signs of intrusion. Logs are compared against threat intelligence feeds, using heuristics and machine learning to help pinpoint anything from a server being probed by a malicious IP, all the way to whether an EC2 instance is communicating with a known bad actor such as a DDoS command and control server, a bitcoin mining botnet, or similar.
Nearly three years ago we wrote Patrol, a security monitoring and detection framework for AWS which utilized our lightweight lambda creation and deployment framework called lambda-cfn. patrol-rules-guardduty is an addition to our Patrol ruleset and allows high risk GuardDuty findings to be sent to our 24/7/365 security operations on-call team via CloudWatch Events and PagerDuty.
- Check out the patrol-rules-guardduty source code
- Read more about Patrol
- Learn how we quickly create and deploy fully monitored lambda functions with lambda-cfn
AWS cloud intrusion detection with GuardDuty was originally published in Points of interest on Medium.