19 September 22

Using Amazon GuardDuty: CloudWatch Alerts

Posted by INE

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Purpose: An attacker who finds a misconfiguration or a leaked credential can use it to act inside your account, so you need a service that detects suspicious activity and a way to get that signal in front of a human quickly. In this article we look at how to use Amazon Simple Notification Service (SNS) with CloudWatch Events to generate email alerts from Amazon GuardDuty findings.

Technical difficulty:

|   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert

What is AWS GuardDuty Service?

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts, workloads, and data stored in Amazon S3 for malicious activity and provides detailed security findings for visibility and remediation.

gdca1.png

To identify and prioritize potential threats, the service uses machine learning, anomaly detection, and integrated threat intelligence. Threat intelligence combined with machine learning and behavior models helps in the detection of activity such as cryptocurrency mining, credential compromise, unauthorized and unusual data access, communication with known command-and-control servers, or API calls from known malicious IPs.

What are GuardDuty Findings?

A GuardDuty finding represents a potential security issue detected in your AWS environment. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity, and assigns it a severity: Low (1.0 to 3.9), Medium (4.0 to 6.9) or High (7.0 to 8.9). That severity is what the rule later in this article filters on.

What is AWS CloudWatch?

Amazon CloudWatch continuously monitors your Amazon Web Services (AWS) resources and the applications you run on AWS. CloudWatch can be used to collect and track metrics, which are variables that can be measured for your resources and applications.

gdca2.png

With CloudWatch, you can create alarms that watch metrics and send notifications or automatically make changes to the resources you are monitoring when a threshold is breached. You also get system-wide visibility into resource utilization, application performance, and operational health.

What is Amazon Simple Notification Service?

Amazon SNS is a managed service that allows publishers to deliver messages to subscribers. Publishers communicate with subscribers asynchronously by sending messages to a topic, which serves as a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages through any supported endpoint type, including Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).

How do SNS notifications help respond to attacks?

GuardDuty can detect potential threats against our account, but a finding that nobody reads does not shorten the time to respond. What if we had a system in place that emailed us every time GuardDuty raised a finding above a chosen severity? We can build exactly that with CloudWatch Events and SNS.

Create an SNS topic and subscribe an email address to it. Then create a CloudWatch Events rule that matches GuardDuty findings of the severities you care about and sends them to the topic; SNS delivers each matching finding to the subscribed address automatically.

Now, we will perform a lab and see it practically.

Lab Scenario

We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab Link: GuardDuty: CloudWatch Alerts

Objective

Set up GuardDuty to automatically send notifications via email of GuardDuty findings depending on their severity using Simple Notification Service (SNS) and CloudWatch.

Solution

Step 1: Click the lab link button to get access credentials. Log in to the AWS account with these credentials.

gdca4.png

Step 2: Enable GuardDuty from the console. Search for GuardDuty in the search bar and navigate to the GuardDuty dashboard.

gdca5.png

Step 3: AWS provides a 30-day free trial for the GuardDuty service. Click on Get Started to use this free trial.

gdca6.png

Step 4: To enable the GuardDuty service, click on the Enable GuardDuty button.

gdca7.png

There will not be any findings at first.

gdca8.png

Step 5: Create an SNS topic that will allow us to send notifications. Search for “SNS” in the search bar and navigate to “Simple Notification Service”.

gdca9.png

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. It enables you to send messages to users at scale via SMS, mobile push, and email.

Step 6: Set topic name as “GuardDuty_to_Email” and click on “Next step” button.

gdca10.png

An SNS topic is a logical access point that acts as a communication channel. A topic lets you group multiple endpoints, so adding a second recipient later is a matter of adding a subscription, not changing the rule.

Step 7: Select “Standard” as type and set name and display name as “GuardDuty_to_Email”.

gdca11.png

Click on  “Create topic”.

gdca12.png

Successfully created SNS topic.

gdca13.png

Step 8: Create an SNS subscription for your topic. Click on “Create subscription”.

gdca14.png

To receive messages published to a topic, you must subscribe an endpoint to the topic. Once the subscription is confirmed, the endpoint begins to receive messages published to that topic.

Step 9: Set protocol as email and provide an email address to get notifications.

gdca15.png

Click on “Create subscription”.

gdca16.png

Successfully created a subscription.

After subscribing to the endpoint, Amazon SNS will send a subscription confirmation message to the endpoint which is the provided email address.

gdca17.png

Step 10: Check the provided email account for a subscription confirmation email from no-reply@sns.amazonaws.com and click on “Confirm subscription”. Before clicking, check that the link points at an amazonaws.com host, and never confirm a subscription you did not create yourself: confirming lets the topic owner send mail to your address.

gdca18.png

This will navigate to the subscription confirmation page.

gdca19.png

Subscription confirmed successfully.

gdca20.png

Step 11: Create a CloudWatch Events rule to send events to the SNS topic. Search for “CloudWatch” in the search bar and navigate to the CloudWatch dashboard.

gdca21.png

Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events has since been folded into Amazon EventBridge; the same rule can be created from the EventBridge console, and the event pattern and input transformer below are unchanged. Here we are creating a custom response to GuardDuty findings with a CloudWatch Events rule.

Step 12:  Click on “Rules” under events from the navigation pane.

gdca22.png

Step 13:  Click on “Back to CloudWatch Events” button.

gdca23.png

Step 14:  Click on “Create rule”.

In order to receive notifications about GuardDuty findings through CloudWatch Events, you must create a CloudWatch Events rule that matches GuardDuty findings and add a target to it. When a finding is exported to CloudWatch Events and matches the rule's event pattern, CloudWatch Events sends it to the target specified in the rule.

gdca24.png

Step 15:  Choose “Event pattern” and set service name as “GuardDuty” and event type as “GuardDuty Finding”.

gdca25.png

Click on “Edit”.

gdca26.png

Step 16: Copy and paste the provided JSON event pattern and click on “Save”.

JSON code:

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [
      4, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9,
      5, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9,
      6, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9,
      7, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9,
      8, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
    ]
  }
}

The above pattern matches any finding with a Medium (4.0 to 6.9) or High (7.0 to 8.9) severity; Low findings (1.0 to 3.9) do not match and will not generate an email. Because the pattern is an exact-match list, every severity value you want must be listed; to alert on every finding regardless of severity, remove the "detail" block entirely.

gdca27.png
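Before deploying the rule it helps to know exactly which events the pattern admits and what the transformed message will look like. The following Python script is an added example, not part of the original walkthrough or of any AWS SDK: it re-implements the small subset of EventBridge pattern matching that this rule relies on (exact-match lists, nested objects and the numeric range operator, which expresses the enumerated severity list above in one line) together with the input transformer from Step 18, and runs them against a constructed GuardDuty finding event. The event shape, account ID, finding ID and description are constructed stand-ins, not a real capture.

```python
"""Offline check of the GuardDuty -> CloudWatch Events/EventBridge rule.

Added example, not the walkthrough's own code. Implements only the pattern
features this rule needs: exact-match lists, nested objects and `numeric`.
"""
import operator
from typing import Any

# Same filter as the enumerated severity list, written with EventBridge's
# numeric operator: Medium (4.0-6.9) and High (7.0-8.9) findings.
PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4, "<", 9]}]},
}

# Input Path from Step 18: names fields of the event for use in the template.
INPUT_PATHS = {
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description",
}

# Input Template from Step 18, as plain text; <name> refers to INPUT_PATHS.
INPUT_TEMPLATE = (
    "AWS <Account_ID> has a severity <severity> GuardDuty finding type "
    "<Finding_Type> in the <region> region.\n"
    "Finding Description:\n<Finding_description>.\n"
    "For more details open the GuardDuty console at "
    "https://console.aws.amazon.com/guardduty/home?region=<region>"
    "#/findings?search=id=<Finding_ID>"
)

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}


def _numeric_ok(spec: list, value: Any) -> bool:
    """`{"numeric": [">=", 4, "<", 9]}`: every (op, bound) pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def matches(event: dict, pattern: dict) -> bool:
    """EventBridge semantics: every key in the pattern must exist in the
    event; a list holds alternatives, any one of which may match."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(value, rule):
                return False
            continue
        if not any(_numeric_ok(alt["numeric"], value)
                   if isinstance(alt, dict) and "numeric" in alt
                   else value == alt for alt in rule):
            return False
    return True


def _lookup(event: dict, path: str) -> Any:
    """Resolve a simple `$.a.b` JSONPath against the event."""
    node: Any = event
    for part in path.lstrip("$").strip(".").split("."):
        node = node[part]
    return node


def render(event: dict, paths: dict = INPUT_PATHS,
           template: str = INPUT_TEMPLATE) -> str:
    """Apply the input transformer: extract each path, substitute <name>."""
    out = template
    for name, path in paths.items():
        out = out.replace(f"<{name}>", str(_lookup(event, path)))
    return out


def finding_event(severity: float,
                  finding_type: str = "Recon:EC2/PortProbeUnprotectedPort") -> dict:
    """Constructed GuardDuty finding event; only the fields the rule uses."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "account": "123456789012",
        "detail": {
            "accountId": "123456789012",
            "id": "00000000000000000000000000000000",
            "type": finding_type,
            "severity": severity,
            "description": "Constructed finding used to exercise the rule",
        },
    }


if __name__ == "__main__":
    for sev in (2, 4, 5.5, 8.9, 9):
        print(f"severity {sev}: "
              f"{'ALERT' if matches(finding_event(sev), PATTERN) else 'no match'}")
    print(render(finding_event(8)))
```

Running it shows that severities 4 through 8.9 alert while 2 and 9 do not, and prints the email body exactly as the transformer will build it. Against a real account the same check is available as `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`, which uses the service's own matcher rather than this approximation.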

Step 17:  Click on “Add target”.

gdca28.png

Step 18: Select “SNS topic” and choose topic “GuardDuty_to_Email”. Expand Configure input and then choose Input Transformer. Set Input Path and Input Template as the following and click on “Configure details”. The Input Path picks fields out of the finding event and gives them names; the Input Template uses those names in angle brackets to build the message body that SNS will email.

Input Path: 

{
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description"
}

Input Template: 

"AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type> in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details open the GuardDuty console at https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id=<Finding_ID>"

gdca29.png

Step 19: Now set the rule name as “guardduty_role” and description as “GuardDuty Rule” and make the state “Enabled”.

gdca30.png

Click on “Create rule”.

gdca31.png

Successfully created CloudWatch Events rule.

gdca32.png
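Steps 5 to 19 above are console clicks; the same pipeline is easier to review and reproduce as code. The script below is an added example, not the lab's material, written with boto3 (the AWS SDK for Python). It assumes credentials that can create SNS topics and EventBridge rules; the topic and rule names follow the walkthrough, the recipient address is a command-line placeholder, and the policy statement ID is my own. It also covers a step the console performs silently: granting events.amazonaws.com permission to publish to the topic, without which the rule fires but SNS rejects every delivery (visible as FailedInvocations on the rule's CloudWatch metrics).

```python
"""Provision the walkthrough's alert pipeline from code.

Added example, not the lab's own code. Creates the SNS topic, the email
subscription, the EventBridge rule with the input transformer, and the
topic policy that lets EventBridge publish. Requires boto3 and credentials
only when `provision` is actually called.
"""
import json
import sys

try:
    import boto3  # only needed when run against a real account
except ImportError:  # keeps the builder functions importable without boto3
    boto3 = None

TOPIC_NAME = "GuardDuty_to_Email"   # names from the walkthrough
RULE_NAME = "guardduty_role"
POLICY_SID = "AllowEventBridgePublish"  # my own statement ID

# Input Template from Step 18, verbatim: each line is a quoted string.
INPUT_TEMPLATE = "\n".join([
    '"AWS <Account_ID> has a severity <severity> GuardDuty finding type '
    '<Finding_Type> in the <region> region."',
    '"Finding Description:"',
    '"<Finding_description>. "',
    '"For more details open the GuardDuty console at '
    'https://console.aws.amazon.com/guardduty/home?region=<region>'
    '#/findings?search=id=<Finding_ID>"',
])


def event_pattern(min_sev: float = 4, max_sev_exclusive: float = 9) -> dict:
    """Medium and High findings by default; same filter as the walkthrough's
    enumerated list, using EventBridge's numeric operator."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_sev, "<", max_sev_exclusive]}]},
    }


def sns_target(topic_arn: str) -> dict:
    """Rule target: the SNS topic plus the walkthrough's input transformer."""
    return {
        "Id": "guardduty-to-sns",
        "Arn": topic_arn,
        "InputTransformer": {
            "InputPathsMap": {
                "severity": "$.detail.severity",
                "Account_ID": "$.detail.accountId",
                "Finding_ID": "$.detail.id",
                "Finding_Type": "$.detail.type",
                "region": "$.region",
                "Finding_description": "$.detail.description",
            },
            "InputTemplate": INPUT_TEMPLATE,
        },
    }


def with_eventbridge_publish(existing_policy: str, topic_arn: str, rule_arn: str) -> dict:
    """Add (or refresh) a statement letting EventBridge publish to the topic,
    scoped with aws:SourceArn to this rule so no other rule or account can
    use the permission. The existing statements (e.g. the owner default) stay."""
    policy = (json.loads(existing_policy) if existing_policy
              else {"Version": "2012-10-17", "Statement": []})
    policy["Statement"] = [s for s in policy["Statement"] if s.get("Sid") != POLICY_SID]
    policy["Statement"].append({
        "Sid": POLICY_SID,
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    })
    return policy


def provision(email: str, region: str = "us-east-1") -> str:
    """Create everything; returns the topic ARN. The subscription stays in
    PendingConfirmation until the recipient clicks the confirmation link."""
    session = boto3.Session(region_name=region)
    sns, events = session.client("sns"), session.client("events")
    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    rule_arn = events.put_rule(
        Name=RULE_NAME, Description="GuardDuty Rule", State="ENABLED",
        EventPattern=json.dumps(event_pattern()),
    )["RuleArn"]
    events.put_targets(Rule=RULE_NAME, Targets=[sns_target(topic_arn)])
    current = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"].get("Policy", "")
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(with_eventbridge_publish(current, topic_arn, rule_arn)),
    )
    return topic_arn


if __name__ == "__main__":
    if boto3 is None or len(sys.argv) != 2:
        sys.exit("usage: python guardduty_alerts.py <recipient-email> "
                 "(requires boto3 and AWS credentials)")
    print("topic:", provision(sys.argv[1]))
```

The builders (`event_pattern`, `sns_target`, `with_eventbridge_publish`) are pure and can be unit-tested offline; `provision` is the only part that talks to AWS. Once it has run and the email is confirmed, the test burst from Step 21 can be triggered from the CLI with `aws guardduty create-sample-findings --detector-id <detector-id>` (the ID comes from `aws guardduty list-detectors`) instead of clicking through Settings.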

Step 20:  Navigate back to GuardDuty dashboard and create sample findings to check the notifications. Click on “Settings”.

gdca33.png

Step 21: Click on the “Generate sample findings” button to generate sample findings.

You can generate sample findings with Amazon GuardDuty to help you visualize and understand the various finding types that GuardDuty can generate. When you generate sample findings, GuardDuty populates your current findings list with one sample finding for each supported finding type.

gdca34.png

Successfully created sample findings. The findings will be available in the findings dashboard, and every sample with a Medium or High severity will match the rule and trigger a notification, so expect a burst of emails rather than a single one.

gdca35.png

Step 22: Check the provided email account for the notification mails.

Note: GuardDuty exports a new finding to CloudWatch Events within 5 minutes of generating it, so the first emails arrive within a few minutes. Updates to an existing finding are exported on the finding export frequency set under Settings (15 minutes, 1 hour or the default 6 hours), so a recurring finding will not re-alert on every occurrence.

gdca36.png

The email will be based on the template format that we set earlier while configuring the CloudWatch Events rule.

gdca37.png

We have created an SNS topic and subscription, and configured a CloudWatch Events rule that sends a message to the SNS topic for each GuardDuty finding whose severity matches the rule's event pattern.

Conclusion

Congratulations! In this article, we learned how to set up GuardDuty to automatically send notifications via email of GuardDuty findings depending on their severity using Simple Notification Service (SNS) and CloudWatch.

Try out AWS GuardDuty hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!


© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.