This repository walks you through a scenario covering threat detection and remediation using Amazon GuardDuty.
TBD ...
- GuarddutyEnabledStack: enables the GuardDuty detector in the account.
- GuarddutyHandsOnStack: deploys the malicious and compromised instances and the supporting resources.
- AWS CDK – The stacks are written in TypeScript with the CDK and create every resource listed here.
- Amazon EC2 – Two malicious instances and two compromised instances are created.
- Amazon S3 – Logs and the data used for the compromised-bucket detection are stored in a Simple Storage Service (S3) bucket.
- Amazon DynamoDB – A sample table that plays the role of a compromised database.
- Amazon SNS – Topic used to notify the administrator.
- AWS Lambda – Function that processes each GuardDuty finding event and sends the response email to the administrator.
- Amazon EventBridge – Rule that matches GuardDuty finding events and invokes the Lambda function.
| Scenario | GuardDuty Finding |
|---|---|
| Compromised AWS IAM credentials | UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom |
| Compromised EC2 instance | UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom |
| Compromised S3 bucket | Stealth:S3/ServerAccessLoggingDisabled |
| IAM role credential exfiltration | (TBD) UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS |
| EKS findings remediation | (TBD) Policy:Kubernetes/AdminAccessToDefaultServiceAccount |
| EKS findings remediation | (TBD) Discovery:Kubernetes/SuccessfulAnonymousAccess |
| EKS findings remediation | (TBD) Policy:Kubernetes/AnonymousAccessGranted |
| EKS findings remediation | (TBD) Execution:Kubernetes/ExecInKubeSystemPod |
| EKS findings remediation | (TBD) PrivilegeEscalation:Kubernetes/PrivilegedContainer |
| EKS findings remediation | (TBD) Persistence:Kubernetes/ContainerWithSensitiveMount |
| EKS findings remediation | (TBD) Policy:Kubernetes/ExposedDashboard |
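The notification Lambda described above, as an added example that is not the repository's own code: it takes the EventBridge envelope of a GuardDuty finding, drops events that are not findings or fall below a severity threshold, identifies the affected resource, and looks up the manual remediation for the finding types in the scenario table. The field subset follows the GuardDuty finding schema; the remediation text, the function names (`buildNotification`, `makeHandler`) and the sample event are assumptions constructed for this example, and the SNS publish call is injected so the code runs offline.

```typescript
// Added example, not code from the repository. The finding fields below are a
// subset of the GuardDuty finding schema; the remediation table, function names
// and SAMPLE_EVENT are constructed for illustration.

interface AccessKeyDetails { accessKeyId: string; principalId: string; userName: string; userType: string }
interface InstanceDetails { instanceId: string }
interface S3BucketDetails { name: string }

interface GuardDutyFinding {
  id: string;
  type: string;
  severity: number; // 1-3.9 Low, 4-6.9 Medium, 7-8.9 High
  accountId: string;
  region: string;
  title: string;
  resource: {
    resourceType: string; // "AccessKey" | "Instance" | "S3Bucket"
    accessKeyDetails?: AccessKeyDetails;
    instanceDetails?: InstanceDetails;
    s3BucketDetails?: S3BucketDetails[];
  };
  service: {
    action?: { actionType: string; awsApiCallAction?: { api: string; remoteIpDetails?: { ipAddressV4: string } } };
    eventFirstSeen: string;
    eventLastSeen: string;
    count: number;
  };
}

// EventBridge envelope delivered to the Lambda (subset of fields).
interface FindingEvent { source: string; "detail-type": string; detail: GuardDutyFinding }

export interface Notification { subject: string; message: string }

// Hypothetical playbook: finding type -> the manual step the email asks for.
const REMEDIATION = new Map<string, string>([
  ["UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "Revoke all sessions issued before the finding and deactivate the access key."],
  ["Stealth:S3/ServerAccessLoggingDisabled",
    "Re-enable server access logging on the bucket and check CloudTrail for who disabled it."],
  ["UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "Revoke the instance role's sessions and rebuild the instance."],
]);

export function severityLabel(s: number): "Low" | "Medium" | "High" {
  return s < 4 ? "Low" : s < 7 ? "Medium" : "High";
}

// Name the affected resource from whichever detail block the finding carries.
export function affectedResource(f: GuardDutyFinding): string {
  const r = f.resource;
  if (r.accessKeyDetails) {
    return `${r.accessKeyDetails.userType} ${r.accessKeyDetails.userName} (key ${r.accessKeyDetails.accessKeyId})`;
  }
  if (r.instanceDetails) return `instance ${r.instanceDetails.instanceId}`;
  if (r.s3BucketDetails && r.s3BucketDetails.length > 0) {
    return `bucket ${r.s3BucketDetails.map((b) => b.name).join(", ")}`;
  }
  return r.resourceType;
}

// Returns null for non-finding events and for findings below minSeverity,
// so the caller publishes nothing in those cases.
export function buildNotification(event: FindingEvent, minSeverity = 4): Notification | null {
  if (event.source !== "aws.guardduty" || event["detail-type"] !== "GuardDuty Finding") return null;
  const f = event.detail;
  if (f.severity < minSeverity) return null;
  const call = f.service.action?.awsApiCallAction;
  const lines = [
    `Finding ${f.id} in account ${f.accountId}, region ${f.region}`,
    `Type: ${f.type} (${severityLabel(f.severity)}, severity ${f.severity})`,
    `Resource: ${affectedResource(f)}`,
    call ? `API ${call.api} called from ${call.remoteIpDetails?.ipAddressV4 ?? "unknown IP"}` : "No API call details",
    `Seen ${f.service.count} time(s) between ${f.service.eventFirstSeen} and ${f.service.eventLastSeen}`,
    `Action: ${REMEDIATION.get(f.type) ?? "Investigate; no playbook defined for this finding type."}`,
  ];
  return { subject: `[GuardDuty ${severityLabel(f.severity)}] ${f.title}`, message: lines.join("\n") };
}

// Lambda entry point with the SNS publish call injected (hypothetical wiring).
export function makeHandler(publish: (n: Notification) => void) {
  return (event: FindingEvent): Notification | null => {
    const n = buildNotification(event);
    if (n !== null) publish(n);
    return n;
  };
}

// Constructed sample event (not a real finding) in the shape EventBridge delivers.
export const SAMPLE_EVENT: FindingEvent = {
  source: "aws.guardduty",
  "detail-type": "GuardDuty Finding",
  detail: {
    id: "00000000000000000000000000000000",
    type: "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    severity: 5, accountId: "111122223333", region: "us-east-1",
    title: "API GetCallerIdentity was invoked from an IP address on a custom threat list.",
    resource: {
      resourceType: "AccessKey",
      accessKeyDetails: { accessKeyId: "AKIAEXAMPLE", principalId: "AIDAEXAMPLE", userName: "compromised-user", userType: "IAMUser" },
    },
    service: {
      action: { actionType: "AWS_API_CALL", awsApiCallAction: { api: "GetCallerIdentity", remoteIpDetails: { ipAddressV4: "198.51.100.10" } } },
      eventFirstSeen: "2024-01-01T00:00:00Z", eventLastSeen: "2024-01-01T00:05:00Z", count: 3,
    },
  },
};
```

In the deployed function the `publish` callback would wrap the SNS `Publish` call on the topic from the stack; the severity threshold keeps Low findings out of the administrator's inbox, and the `source`/`detail-type` check guards against the rule being widened to other event types later.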
Create your AWS account at http://aws.amazon.com by following the instructions on the site. Then create an IAM user with the permissions needed for the deployment and export its credentials as the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Install the AWS CDK CLI from npm:

```sh
$ npm i -g aws-cdk
```

The first time you deploy with the CDK in an account and region, bootstrap it:

```sh
$ cdk bootstrap aws://${your-account-id}/us-east-1
```

Install the project dependencies:

```sh
$ npm install
```
Edit the configuration file config.json. The email address receives the finding notifications, which ask the administrator to revoke the compromised sessions.

config.json:

```json
{
  "namePrefix": "GuardDuty-HandsOn",
  "email": "root@mail.com"
}
```
List the stacks:

```sh
$ cdk ls
GuarddutyEnabledStack
GuarddutyHandsOnStack
```

If the GuardDuty detector is already enabled in the account, deploy GuarddutyHandsOnStack directly:

```sh
$ cdk deploy GuarddutyHandsOnStack
```

Otherwise deploy all stacks:

```sh
$ cdk deploy --all
```
To build the project and run the tests:

```sh
$ npm run build && npm test
```