GuardDuty - Protection plans

Prerequisite

Make sure the EC2 instance has the SSM Management Role attached as its instance profile. For how to attach an instance profile to an EC2 instance, see https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#attach-instance-profile.

Amazon S3 protection in Amazon GuardDuty

  1. Visit the S3 Protection page under Protection plans in the GuardDuty console.

  2. Make sure that S3 Protection is enabled.

EKS Protection in Amazon GuardDuty

  1. Visit the EKS Protection page under Protection plans in the GuardDuty console.

  2. Make sure that EKS Audit Log Monitoring is enabled. Note: The console experience for GuardDuty EKS Runtime Monitoring is now managed as part of the new Runtime Monitoring feature.

Runtime Monitoring in Amazon GuardDuty

  1. Visit the Runtime Monitoring page under Protection plans in the GuardDuty console.

  2. Make sure that Runtime Monitoring is enabled, along with Automated agent configuration for each of Amazon EKS, AWS Fargate (ECS only), and Amazon EC2.

  3. On the Runtime Monitoring page, switch to the Runtime coverage tab. What are the “Coverage statistics”? While out of scope for this workshop, you can learn more about setting up Runtime Monitoring at https://docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html.

Note: If the EC2 Instance Coverage status is unhealthy and the Issue status is “No Agent Reporting” or something related to SSM, it may be because the SSM agent could not be installed on the EC2 instance. You can confirm this by checking /var/log/amzn-guardduty-agent on the instance (AL2, AL2023). Further reading: https://docs.aws.amazon.com/guardduty/latest/ug/gdu-assess-coverage-ec2.html#ec2-runtime-monitoring-coverage-issues-troubleshoot


Malware Protection for EC2 in Amazon GuardDuty

  1. Visit the Malware Protection page under Protection plans in the GuardDuty console.

  2. GuardDuty automatically initiates a malware scan after generating a finding indicative of malware in an EC2 instance or a container workload. Make sure that GuardDuty-initiated malware scan is enabled. Here are some EC2 malware scans; you can follow a scan through its Scan ID. The EICAR-Test file is a file used to check whether the threat detection function works. It is not a real virus.

  3. Scroll down and toggle Retain scanned snapshots when malware is detected on.

RDS Protection in Amazon GuardDuty

  1. Visit the RDS Protection page under Protection plans in the GuardDuty console.

  2. Make sure that RDS Login Activity Monitoring is enabled.

Lambda Protection in Amazon GuardDuty

  1. Visit the Lambda Protection page under Protection plans in the GuardDuty console.

  2. Make sure that Lambda Network Activity Monitoring is enabled.
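As an added check that is not part of this workshop's own materials: the script below reads a GuardDuty GetDetector response (for example the JSON printed by `aws guardduty get-detector --detector-id <your-detector-id>`) and lists which of the protection plans walked through on this page, including the Automated agent configuration under Runtime Monitoring, are still off. The feature names are the GuardDuty API names; the sample response is constructed, not captured from a real account.

```python
# GuardDuty GetDetector feature names mapped to the console labels used on this page.
REQUIRED_FEATURES = {
    "S3_DATA_EVENTS": "S3 Protection",
    "EKS_AUDIT_LOGS": "EKS Audit Log Monitoring",
    "RUNTIME_MONITORING": "Runtime Monitoring",
    "EBS_MALWARE_PROTECTION": "Malware Protection for EC2 (GuardDuty-initiated scans)",
    "RDS_LOGIN_EVENTS": "RDS Login Activity Monitoring",
    "LAMBDA_NETWORK_LOGS": "Lambda Network Activity Monitoring",
}
# Automated agent configuration under Runtime Monitoring, one per compute type.
RUNTIME_AGENT_CONFIGS = {
    "EKS_ADDON_MANAGEMENT": "Amazon EKS",
    "ECS_FARGATE_AGENT_MANAGEMENT": "AWS Fargate (ECS only)",
    "EC2_AGENT_MANAGEMENT": "Amazon EC2",
}


def find_gaps(detector):
    """Return human-readable gaps found in a GetDetector response (as a dict)."""
    gaps = []
    if detector.get("Status") != "ENABLED":
        gaps.append("GuardDuty detector is not ENABLED")
    features = {f["Name"]: f for f in detector.get("Features", [])}
    for name, label in REQUIRED_FEATURES.items():
        if features.get(name, {}).get("Status") != "ENABLED":
            gaps.append(f"{label} ({name}) is not enabled")
    # Agent settings are only meaningful once Runtime Monitoring itself is on.
    runtime = features.get("RUNTIME_MONITORING", {})
    if runtime.get("Status") == "ENABLED":
        extra = {c["Name"]: c["Status"] for c in runtime.get("AdditionalConfiguration", [])}
        for name, label in RUNTIME_AGENT_CONFIGS.items():
            if extra.get(name) != "ENABLED":
                gaps.append(f"Automated agent configuration for {label} ({name}) is not enabled")
    return gaps


# Constructed sample shaped like `aws guardduty get-detector` output (not from a real
# account): EC2 agent management and Lambda Protection are deliberately left off.
SAMPLE_DETECTOR = {"Status": "ENABLED", "Features": [
    {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
    {"Name": "RDS_LOGIN_EVENTS", "Status": "ENABLED"},
    {"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"},
    {"Name": "RUNTIME_MONITORING", "Status": "ENABLED", "AdditionalConfiguration": [
        {"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"},
        {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "Status": "ENABLED"},
        {"Name": "EC2_AGENT_MANAGEMENT", "Status": "DISABLED"},
    ]},
]}
```

Running `find_gaps` on the real response, and on each member account when GuardDuty is managed from a delegated administrator, gives the same answer as clicking through every Protection plans page.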