Threat detection with AWS GuardDuty. Events are sourced from RDS Aurora, S3 and EC2.
Set the variables:
cp config/template.tfvars .auto.tfvars
Create the resources:
Tip: GuardDuty is enabled by the Terraform code itself (the detector is part of the plan), so nothing needs to be switched on in the console first. GuardDuty allows only one detector per account and Region; if one already exists, the apply fails and the existing detector has to be imported into the state instead.
terraform plan
terraform apply -auto-approve
Connect to the instance and check the initialization:
cloud-init status --wait
The configuration also provisions GuardDuty IP lists in TXT format (one IP address or CIDR range per line, uploaded to S3) for:
- Trusted IPs: GuardDuty does not generate findings for traffic involving these addresses, so keep the list to scanners and infrastructure you control. Only one trusted IP list can be active per account and Region.
- Threat IPs: a threat intelligence list; GuardDuty raises findings for traffic to or from any address on it.
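The detector, the protection plans for the sources named at the top of this page, and the two IP lists, written out as Terraform. This is an added example, not the project's own code: it assumes an existing S3 bucket named by var.list_bucket, and the list contents and resource names are placeholders.

```hcl
# Added example (not the project's own Terraform). Assumes var.list_bucket
# names an existing S3 bucket that the GuardDuty service-linked role can read.

resource "aws_guardduty_detector" "this" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Protection plans for the event sources: S3 data events, RDS login activity
# and GuardDuty-initiated malware scans of EBS volumes.
resource "aws_guardduty_detector_feature" "sources" {
  for_each = toset(["S3_DATA_EVENTS", "RDS_LOGIN_EVENTS", "EBS_MALWARE_PROTECTION"])

  detector_id = aws_guardduty_detector.this.id
  name        = each.value
  status      = "ENABLED"
}

# The lists themselves, TXT format: one IP address or CIDR per line.
# Addresses below are documentation ranges used as constructed sample data.
resource "aws_s3_object" "trusted" {
  bucket  = var.list_bucket
  key     = "guardduty/trusted.txt"
  content = <<-EOT
    203.0.113.0/24
    198.51.100.7
  EOT
}

resource "aws_s3_object" "threat" {
  bucket  = var.list_bucket
  key     = "guardduty/threat.txt"
  content = "192.0.2.0/24\n"
}

# Trusted IPs: findings involving these addresses are suppressed.
# Only one trusted IP list can be active per account and Region.
resource "aws_guardduty_ipset" "trusted" {
  detector_id = aws_guardduty_detector.this.id
  name        = "trusted-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.list_bucket}/${aws_s3_object.trusted.key}"
  activate    = true
}

# Threat IPs: traffic to or from these addresses raises a finding.
resource "aws_guardduty_threatintelset" "threat" {
  detector_id = aws_guardduty_detector.this.id
  name        = "threat-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.list_bucket}/${aws_s3_object.threat.key}"
  activate    = true
}
```

Changing an object in S3 does not by itself make GuardDuty re-read it; taint or update the corresponding list resource so the set is refreshed.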
Execute an on-demand scan on an instance:
aws guardduty start-malware-scan \
--resource-arn 'arn:aws:ec2:us-east-2:000000000000:instance/i-00000000000000000'
Before relying on scan results, check the supported operating systems and the other requirements (for example, GuardDuty must be able to use the KMS key of encrypted volumes). On-demand scans are billed separately from the detector.
The VPC endpoint com.amazonaws.us-east-2.guardduty-data will be created by Terraform; the runtime agent sends its telemetry through it, so the endpoint's security group only needs HTTPS (443) from inside the VPC. GuardDuty states that it does not charge for these endpoints.
Either let GuardDuty use automated agent configuration, or install the agent manually.
With automated agent configuration, GuardDuty installs the agent through SSM on every instance that is an SSM managed node; enabling SSM Default Host Management makes instances managed nodes without a per-instance profile. Instances tagged GuardDutyManaged=false are excluded.
Otherwise, install the agent manually with SSM (the instance must still be an SSM managed node and able to reach the endpoint):
aws ssm send-command \
--document-name "AWS-ConfigureAWSPackage" \
--instance-ids "i-00000000000000000" \
--parameters '{"action":["Install"],"installationType":["Uninstall and reinstall"],"name":["AmazonGuardDuty-RuntimeMonitoringSsmPlugin"]}'
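The Terraform side of the endpoint and of automated agent configuration, as an added example rather than the project's own code. It assumes the detector already exists in the Region (read through a data source) and that var.vpc_id, var.subnet_ids and var.vpc_cidr describe the VPC the instances run in; the security group name is a placeholder.

```hcl
# Added example (not the project's own Terraform). Assumes an existing
# detector plus var.vpc_id, var.subnet_ids and var.vpc_cidr for the VPC.

data "aws_guardduty_detector" "this" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Runtime Monitoring with GuardDuty-managed (SSM-based) agent installation.
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = data.aws_guardduty_detector.this.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"

  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

# The agent only talks HTTPS to the endpoint from inside the VPC.
resource "aws_security_group" "guardduty_data" {
  name        = "guardduty-data-endpoint"
  description = "Allow GuardDuty runtime agents to reach the guardduty-data endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "guardduty_data" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.guardduty-data"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.guardduty_data.id]
  private_dns_enabled = true

  # Endpoint policy: allow the service, but deny principals from any other
  # account so the endpoint cannot be used to ship data to a foreign detector.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "*"
        Resource  = "*"
      },
      {
        Effect    = "Deny"
        Principal = "*"
        Action    = "*"
        Resource  = "*"
        Condition = {
          StringNotEquals = {
            "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}
```

Private DNS must stay enabled: the agent resolves the regional guardduty-data hostname, and without it the traffic leaves through the public path (or fails in a VPC with no internet route). In an AWS Organizations setup, replace the aws:PrincipalAccount condition with aws:PrincipalOrgID.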
Example of an Amazon Linux instance covered by GuardDuty (coverage status per instance is shown under Runtime Monitoring in the console; an instance whose agent cannot reach the endpoint shows as unhealthy rather than covered):