epomatti/aws-guardduty

AWS GuardDuty

Threat detection with AWS GuardDuty.

Events are sourced from RDS Aurora, S3 and EC2.

💡 GuardDuty will be enabled by Terraform:

```sh
terraform plan
terraform apply -auto-approve
```

The configuration will also provision IP sets in TXT format for:

  • Trusted IPs
  • Threat IPs

🟧 EC2 Malware Scan

Execute an on-demand malware scan on an instance:

```sh
aws guardduty start-malware-scan \
    --resource-arn 'arn:aws:ec2:us-east-2:000000000000:instance/i-00000000000000000'
```

🚨 Runtime Monitoring

The VPC endpoint com.amazonaws.us-east-2.guardduty-data will be created by Terraform. According to the GuardDuty service, there is no charge for these endpoints.
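The repository's Terraform is not shown on this page, so here is an added HCL sketch (not the project's own code) of the pieces the text describes: the detector, the two TXT IP lists (trusted addresses and threat addresses), Runtime Monitoring with GuardDuty managing the EC2 agent, and the guardduty-data interface endpoint. The bucket name in `var.list_bucket`, the `var.vpc_id` / `var.subnet_ids` variables and the `aws_security_group.guardduty_data` reference are assumptions.

```hcl
# Added example, not the repository's Terraform. Assumes the two TXT lists are
# already uploaded to the S3 bucket named in var.list_bucket, and that var.vpc_id,
# var.subnet_ids and aws_security_group.guardduty_data (allowing TCP/443 from the
# VPC CIDR) are defined elsewhere.
resource "aws_guardduty_detector" "this" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Trusted list (one IP or CIDR per line): traffic involving these addresses
# does not generate findings, so keep it to scanners and known infrastructure.
resource "aws_guardduty_ipset" "trusted" {
  detector_id = aws_guardduty_detector.this.id
  name        = "trusted-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.list_bucket}/trusted-ips.txt"
  activate    = true
}

# Threat list: any traffic involving these addresses raises a finding.
resource "aws_guardduty_threatintelset" "threat" {
  detector_id = aws_guardduty_detector.this.id
  name        = "threat-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.list_bucket}/threat-ips.txt"
  activate    = true
}

# Runtime Monitoring with GuardDuty managing the EC2 agent installation.
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

# Interface endpoint the runtime agent uses, so telemetry stays inside the VPC.
resource "aws_vpc_endpoint" "guardduty_data" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-east-2.guardduty-data"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.guardduty_data.id]
  private_dns_enabled = true
}
```

The trusted list suppresses findings for the listed addresses, so review it with the same care as the threat list.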

Let GuardDuty use automated agent configuration, or install the agent manually.

If SSM Default Host Management is enabled, the agent will be automatically installed.

Otherwise, install the agent manually via SSM:

```sh
aws ssm send-command \
    --document-name "AWS-ConfigureAWSPackage" \
    --instance-ids "i-00000000000000000" \
    --parameters '{"action":["Install"],"installationType":["Uninstall and reinstall"],"name":["AmazonGuardDuty-RuntimeMonitoringSsmPlugin"]}'
```

As of today, Ubuntu is not yet supported:

Although the support for Ubuntu is not available right now, it will be in the near future.

Installing on Ubuntu will trigger an error message like this:

```text
failed to find platform: no manifest found for platform: ubuntu, version 22.04, architecture arm64
```

Example of an Amazon Linux instance covered by GuardDuty: