AWS Loft Security Week – GuardDuty




This week was Security Week at the free AWS Loft SF. I went to the Threat Detection & Remediation (GuardDuty) day, since I use it.



GuardDuty aggregates logs from 3 sources (VPC Flow Logs, AWS CloudTrail event logs and DNS logs) and lets you filter the events you want.

GuardDuty is free for 30 days and will report on what future use will cost, so when you’re ready, just enable it. Since it monitors other AWS logs, there’s no impact on your other services or instances.

One of the filter methods is a lambda, which can call another lambda (chained lambdas).

If you create a separate “forensics account” in the same AZ, you can automatically do some sophisticated things:

  1. forward logs and events for analysis that is isolated from your production account
  2. have your lambda move (i.e. “quarantine”) a suspect host from your production account to the forensics account.
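
As an added example (not code from the Loft lecture, the lab, or AWS), here is the shape of the first lambda in such a chain: it receives a GuardDuty finding through a CloudWatch Events / EventBridge rule, checks the severity and resource type, and quarantines the affected EC2 instance in place by replacing its security groups with a pre-created deny-all group. The event layout follows the `GuardDuty Finding` event type (`detail.severity`, `detail.resource.resourceType`, `detail.resource.instanceDetails.instanceId`); the security group id, the severity threshold, the sample finding and the `RecordingEC2` test double are assumptions constructed for the example. The cross-account move to a forensics account described above is not implemented here; the handler returns a record of what it did so a second lambda can pick it up.

```python
"""Triage a GuardDuty finding and quarantine the affected EC2 instance.

Added example, not from the Loft lecture or lab. A Lambda handler that
takes an EventBridge-wrapped GuardDuty finding, decides whether it warrants
action, and isolates the instance by swapping its security groups for a
quarantine group. The EC2 client is injected so the logic runs offline.
"""
from __future__ import annotations

from typing import Any

# Assumption: a pre-created security group with no inbound or outbound rules.
QUARANTINE_SG_ID = "sg-PLACEHOLDER-quarantine"
# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
QUARANTINE_THRESHOLD = 7.0


def extract_finding(event: dict[str, Any]) -> dict[str, Any]:
    """Pull the fields we act on out of an EventBridge 'GuardDuty Finding' event."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    instance = resource.get("instanceDetails") or {}
    return {
        "finding_id": detail.get("id"),
        "type": detail.get("type"),
        "severity": float(detail.get("severity", 0.0)),
        "resource_type": resource.get("resourceType"),
        "instance_id": instance.get("instanceId"),
    }


def should_quarantine(finding: dict[str, Any], threshold: float = QUARANTINE_THRESHOLD) -> bool:
    """Only isolate EC2 instances, and only at or above the severity threshold."""
    return (
        finding["resource_type"] == "Instance"
        and finding["instance_id"] is not None
        and finding["severity"] >= threshold
    )


def quarantine_instance(ec2, instance_id: str, sg_id: str = QUARANTINE_SG_ID) -> dict[str, Any]:
    """Replace the instance's security groups with the quarantine group.

    ec2 is a boto3 EC2 client (or a test double exposing the same method);
    modify_instance_attribute(Groups=[...]) replaces the whole group set at once.
    """
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return {"instance_id": instance_id, "groups": [sg_id]}


def handler(event: dict[str, Any], context=None, ec2=None) -> dict[str, Any]:
    """Lambda entry point; returns a record for the next lambda in the chain."""
    finding = extract_finding(event)
    if not should_quarantine(finding):
        return {"action": "none", "finding": finding}
    if ec2 is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ec2 = boto2 = boto3.client("ec2")
    result = quarantine_instance(ec2, finding["instance_id"])
    return {"action": "quarantined", "finding": finding, **result}


# Constructed sample event, shaped like an EventBridge "GuardDuty Finding" event.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-finding-id",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


class RecordingEC2:
    """Minimal stand-in for boto3's EC2 client so the handler can run offline."""

    def __init__(self) -> None:
        self.calls: list[dict[str, Any]] = []

    def modify_instance_attribute(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    client = RecordingEC2()
    print(handler(SAMPLE_EVENT, ec2=client))
    print(client.calls)
```

In a real deployment the lambda's execution role needs only `ec2:ModifyInstanceAttribute` on the instances it may quarantine, and the quarantine group should exist before the rule is enabled; a finding below the threshold (for example a port-probe finding, which GuardDuty rates Low) passes through untouched, which is the place to add forwarding to the forensics account.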

The lecture “A Case Study on Insider Threat Detection” was mostly on GuardDuty. In my experience, Loft lecturers are excellent, and this was no exception.

Afterwards was a detailed 2-part lab where you create two hosts, have them interact, and view the events in GuardDuty. Bring a mouse to AWS labs, because you’ll be doing a lot of clicking around. 🙂

I noticed that most of the attendees and even the “Ask the Experts” were not familiar with newer AWS services and features, like GuardDuty and PrivateLink. Such is the rapid progress that AWS is making.

Gripes: The pasta salad was slightly crunchy (pasta was under-cooked by about 3 minutes) and there was no half-and-half for the coffee. Also, the previous Loft configuration with lectures upstairs and Ask the Experts downstairs made more sense, since putting them on the same floor causes noise interference problems.

AWS Pop-up Loft
1446 Market Street, San Francisco
Feb 20 – Feb 23 10:00AM – 4:00PM
(You should register the week in advance for AWS Loft events, but you can also register on-site with a photo id.)

AWS Forensics Marketplace Vendors
AWS Loft London: Incident Response and Forensics Slides
/r/aws: Is AWS GuardDuty an IDS/IPS?
