https://github.com/epomatti/aws-guardduty
AWS GuardDuty demo with S3, RDS, EC2
- Host: GitHub
- URL: https://github.com/epomatti/aws-guardduty
- Owner: epomatti
- License: mit
- Created: 2023-08-14T01:40:58.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-07T20:33:25.000Z (about 1 year ago)
- Last Synced: 2025-01-17T18:34:46.869Z (5 months ago)
- Topics: aws, aws-guardduty, aws-security, guardduty, malware, rds, terraform
- Language: HCL
- Homepage:
- Size: 136 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# AWS GuardDuty
Threat detection with AWS GuardDuty. Events are sourced from RDS Aurora, S3 and EC2.
Set the variables:
```sh
cp config/template.tfvars .auto.tfvars
```

Create the resources:

> [!TIP]
> GuardDuty will be automatically enabled by Terraform

```sh
terraform plan
terraform apply -auto-approve
```

Connect to the instance and check the initialization:

```sh
cloud-init status --wait
```

The configuration will also provision IP sets in `TXT` format for:
- Trusted IPs
- Threat IPs

## 🟧 EC2 Malware Scan
Execute an on-demand scan on an instance:
```sh
aws guardduty start-malware-scan \
--resource-arn 'arn:aws:ec2:us-east-2:000000000000:instance/i-00000000000000000'
```
## 🚨 Runtime Monitoring
Check for the [supported systems and requirements][5].
The VPC endpoint `com.amazonaws.us-east-2.guardduty-data` will be created by Terraform. GuardDuty states that it does not charge for these endpoints.
Let GuardDuty use [automated][3] agent configuration, or install it manually.
If SSM Default Host Management is enabled, the agent will be automatically installed.
Otherwise, install the agent manually:
```sh
aws ssm send-command \
--document-name "AWS-ConfigureAWSPackage" \
--instance-ids "i-00000000000000000" \
--parameters '{"action":["Install"],"installationType":["Uninstall and reinstall"],"name":["AmazonGuardDuty-RuntimeMonitoringSsmPlugin"]}'
```

Example of an Amazon Linux instance covered by GuardDuty:
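The pieces the README walks through, written out as an added HCL example (not the repository's own Terraform): a detector with the S3, RDS and EBS malware data sources, Runtime Monitoring with automated agent management, and the trusted and threat IP lists in `TXT` format. The input variable `var.ip_lists_bucket` (an existing S3 bucket) and the list contents are assumptions made for the example.

```hcl
# Added example, not the repository's own Terraform. Assumed input:
# var.ip_lists_bucket, an existing S3 bucket that holds the two IP lists.
resource "aws_guardduty_detector" "main" {
  enable = true
}

# S3 data events and RDS login events cover the bucket and the Aurora cluster;
# EBS_MALWARE_PROTECTION turns on GuardDuty-initiated scans of EC2 volumes.
resource "aws_guardduty_detector_feature" "sources" {
  for_each    = toset(["S3_DATA_EVENTS", "RDS_LOGIN_EVENTS", "EBS_MALWARE_PROTECTION"])
  detector_id = aws_guardduty_detector.main.id
  name        = each.key
  status      = "ENABLED"
}

# Runtime Monitoring with automated agent management on SSM-managed instances.
resource "aws_guardduty_detector_feature" "runtime" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RUNTIME_MONITORING"
  status      = "ENABLED"
  additional_configuration {
    name   = "EC2_AGENT_MANAGEMENT"
    status = "ENABLED"
  }
}

# One IP or CIDR per line; constructed values from the RFC 5737 documentation ranges.
resource "aws_s3_object" "ip_lists" {
  for_each = { trusted = "203.0.113.10\n", threats = "198.51.100.0/24\n" }
  bucket   = var.ip_lists_bucket
  key      = "${each.key}-ips.txt"
  content  = each.value
}

# Trusted addresses are never flagged by GuardDuty.
resource "aws_guardduty_ipset" "trusted" {
  detector_id = aws_guardduty_detector.main.id
  name        = "trusted-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.ip_lists_bucket}/${aws_s3_object.ip_lists["trusted"].key}"
  activate    = true
}

# Threat addresses produce findings whenever they appear in monitored traffic.
resource "aws_guardduty_threatintelset" "threats" {
  detector_id = aws_guardduty_detector.main.id
  name        = "threat-ips"
  format      = "TXT"
  location    = "https://s3.amazonaws.com/${var.ip_lists_bucket}/${aws_s3_object.ip_lists["threats"].key}"
  activate    = true
}
```

The `RUNTIME_MONITORING` feature still needs the `guardduty-data` VPC endpoint described above for the agent to deliver telemetry.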
[1]: https://aws.amazon.com/guardduty/faqs/
[2]: https://docs.aws.amazon.com/guardduty/latest/ug/malware-protection.html
[3]: https://docs.aws.amazon.com/guardduty/latest/ug/how-runtime-monitoring-works-ec2.html#use-automated-agent-config-ec2
[4]: https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html#validating-architecture-req-ec2
[5]: https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html