DEV Community

Cover image for Aws GuardDuty and S3 Malware Protection with GuardDuty
Orhan Kamo
Orhan Kamo

Posted on

Aws GuardDuty and S3 Malware Protection with GuardDuty

Guardduty is one of the must-have cybersecurity services among AWS services. Threat analysis, a suspicious login that did not exist before (for example, it can be a request from an unexpected country). It can perform discovery with threat intelligent to protect AWS accounts. It can analyze using mainly the following services and logs.
· CloudTrail Events Logs: unusal API callls, unauthorized deployments

· CloudTrail Managment Events: create VPC subnet, create trail

· CloudTrail S3 Data Events: get object, list object, delete object

· VPC Flow Logs: unusual internal traffic, unusual IP address

· DNS Logs: compromised EC2 instances sending encoded data within DNS queries
It also analyzes EKS Audit Logs, RDS and Aurora, EBS, Lambda, S3 Data Events.
In addition to blocking GuardDuty CryptoCurrency attacks, you can take automatic actions with EventBridge. Let's examine a sample event formation with the diagram below.

Image description

As can be seen above, we receive logs from the log sources on the left with GuardDuty and let's assume that a suspicious situation has occurred. GuardDuty sends this information with EventBridge and we can send a notification with SNS or take action automatically using Lambda.
First I create an S3 bucket.
Now let's do a scenario of using GuardDuty. In the scenario I will use an s3 bucket and try to load eicar here.

I created S3 bucket ( name testgaurd) and go to the guardDuty.

Image description
We do not need all-features. Click "GuardDuty Malware Protection for S3 only"

Image description

Browse S3 ad choose testguard bucket.

Image description

There is an important point here. We need to assign a role, otherwise we cannot access and enable GuardDuty S3 bucket because it is not authorised. For the permissions that should be here, we say View permission, copy the ones here and then add a role and policy on the IAM side with Create role and attached role on GuardDuty permission

Finally wecan upload Eicar ( malware file).

Image description

And GuardDuty detect malware file

Image description

Top comments (1)

Collapse
 
hellomichibye profile image
Michael Wittig

Great overview of AWS GuardDuty’s malware protection! For those exploring alternative solutions, our product bucketAV provides enhanced S3 malware scanning capabilities. Unlike GuardDuty, bucketAV offers customizable scanning options, real-time alerts, and comprehensive reporting designed specifically for S3 buckets. We’ve written a detailed comparison of bucketAV vs. GuardDuty for S3 here that dives deeper into the features we offer. This might be helpful for teams needing more flexibility and control over their S3 security.