Level: Fundamental | Duration: 00:30:00

Introduction to Amazon GuardDuty

Task 1: Sign in to AWS Management Console

  1. Click on the Open Console button; you will be redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as default. Never edit or remove the 12-digit Account ID present in the AWS Console; otherwise you cannot proceed with the lab.
  3. Copy your User Name and Password from the Lab Console into the IAM Username and Password fields in the AWS Console and click on the Sign in button.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.
Task 2: Enabling Amazon GuardDuty

  1. Make sure to choose the US East (N. Virginia) us-east-1 region in the AWS Management Console, using the region selector in the top right corner.
  2. Navigate to the Services menu at the top and click on GuardDuty in the Security, Identity and Compliance section.
  3. Click on Get started.
  4. Click on Enable GuardDuty. With one click, the service will be enabled.
  5. On the Findings page, you will see the message "You don't have any findings" because there is no malicious activity happening in your AWS account. Ignore such warnings wherever you see them.
Task 3: Exploring Amazon GuardDuty

  1. Click on Settings in the left panel.
  2. You will see a Detector ID. A detector is a resource that represents the GuardDuty service.
  3. Service roles: GuardDuty uses a service role to monitor your data sources on your behalf.
  4. Findings export options: Findings are automatically sent to CloudWatch Events. You can also export findings to an S3 bucket. New findings are exported within 5 minutes. No need to change anything here.
  5. Suspend GuardDuty: When you suspend GuardDuty, it stops monitoring your AWS environment and doesn't generate new findings. Your existing findings remain intact and aren't affected.
  6. Disable GuardDuty: When you disable GuardDuty, you not only stop GuardDuty from monitoring your AWS environment and generating new findings, you also lose your existing findings and your GuardDuty configuration. You can't recover the data later.
  7. Click on Lists below Settings.
  8. In the List Manager, you can add Trusted IP Lists and Threat IP Lists.
  9. Note: If the page is blank, refresh the webpage 2-3 times.
  10. Trusted IP Lists: Trusted IP lists consist of IP addresses that are whitelisted for secure communication with your AWS environment. GuardDuty does not generate findings for IP addresses that are included in trusted IP lists.
  11. Threat IP Lists: Threat lists consist of known malicious IP addresses. GuardDuty generates findings for IP addresses that are included in threat lists.
  12. Click on Accounts above Settings.
  13. You can invite other accounts to enable GuardDuty and become associated with your AWS account.
  14. When an invitation is accepted, your account is designated as the master GuardDuty account.
  15. The account that accepts the invitation becomes a member account associated with your master account.
  16. You can then view and manage the GuardDuty findings on behalf of the member account. In GuardDuty, a master account (per region) can have up to 1000 member accounts.
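The List Manager steps above describe two list types without showing how they act on a finding. The following is an added example (not part of the lab and not AWS code) that parses two lists in the plain-text format GuardDuty accepts (one IP address or CIDR per line) and classifies the remote IP of each constructed finding against them. The list contents, the findings, the `#` comment convention and the "check trusted before threat" ordering are all assumptions of this example; in a real account the lists are uploaded to S3 and activated from this Lists page or through the CreateIPSet and CreateThreatIntelSet APIs.

```python
"""Applying trusted and threat IP lists to findings' remote IP addresses.

Added example, not part of the lab and not AWS code. The two lists, the findings
and the 'trusted before threat' ordering are constructed for illustration.
"""
import ipaddress

# Constructed lists in GuardDuty's plain-text format: one IP address or CIDR per
# line. Treating '#' as a comment marker is this parser's convention, not GuardDuty's.
TRUSTED_LIST_TXT = """\
# corporate egress ranges (constructed, TEST-NET addresses)
203.0.113.0/24
198.51.100.7
"""

THREAT_LIST_TXT = """\
# known-bad sources (constructed, TEST-NET addresses)
192.0.2.0/24
198.51.100.200
"""

# Constructed findings using the Service.Action shapes real findings carry.
SAMPLE_FINDINGS = [
    {"Id": "f-101", "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                            "NetworkConnectionAction": {
                                "RemoteIpDetails": {"IpAddressV4": "203.0.113.45"}}}}},
    {"Id": "f-102", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
     "Service": {"Action": {"ActionType": "AWS_API_CALL",
                            "AwsApiCallAction": {
                                "Api": "GetCallerIdentity",
                                "RemoteIpDetails": {"IpAddressV4": "192.0.2.77"}}}}},
    {"Id": "f-103", "Type": "Recon:EC2/Portscan",
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                            "NetworkConnectionAction": {
                                "RemoteIpDetails": {"IpAddressV4": "198.51.100.9"}}}}},
    {"Id": "f-104", "Type": "Policy:IAMUser/RootCredentialUsage",
     "Service": {"Action": {"ActionType": "AWS_API_CALL",
                            "AwsApiCallAction": {"Api": "ListBuckets"}}}},
]


def parse_ip_list(text):
    """Parse a plain-text IP list into (networks, malformed_lines).

    Single addresses become /32 networks so every entry supports 'in' checks.
    Malformed lines are returned rather than silently dropped, so a bad upload
    is visible instead of quietly shrinking the list.
    """
    networks, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            malformed.append(line)
    return networks, malformed


def remote_ip_of(finding):
    """Return the remote IPv4 address from Service.Action, or None.

    Handles the NetworkConnectionAction and AwsApiCallAction shapes, which
    carry RemoteIpDetails directly.
    """
    action = finding.get("Service", {}).get("Action", {})
    for shape in ("NetworkConnectionAction", "AwsApiCallAction"):
        details = action.get(shape, {}).get("RemoteIpDetails")
        if details:
            return details.get("IpAddressV4")
    return None


def classify_ip(ip, trusted, threat):
    """Return 'trusted', 'threat' or 'unlisted' for one address.

    Trusted is checked first; this ordering is an assumption of the example.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in trusted):
        return "trusted"
    if any(addr in net for net in threat):
        return "threat"
    return "unlisted"


def triage_by_lists(findings, trusted_txt=TRUSTED_LIST_TXT, threat_txt=THREAT_LIST_TXT):
    """Map each finding ID to how its remote IP falls against the two lists."""
    trusted, _ = parse_ip_list(trusted_txt)
    threat, _ = parse_ip_list(threat_txt)
    result = {}
    for finding in findings:
        ip = remote_ip_of(finding)
        result[finding["Id"]] = classify_ip(ip, trusted, threat) if ip else "no-remote-ip"
    return result


if __name__ == "__main__":
    for fid, verdict in triage_by_lists(SAMPLE_FINDINGS).items():
        print(fid, verdict)
```

The "trusted" verdict corresponds to traffic GuardDuty would not raise a finding for, and "threat" to the case the Threat IP List is meant to surface; returning malformed lines from `parse_ip_list` matters because a list that silently loses entries weakens both behaviours without any visible error.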
Task 4: Generating Sample Findings

  1. Since there are no potential threats in our AWS account, let us generate some sample findings and learn about them.
  2. Navigate to Settings in the left panel, scroll down and click on Generate sample findings.
  3. To find your sample findings, go to Findings in the left panel.
  4. Wait until loading is complete. In the top-right corner, you should see several findings.
  5. You can use filter criteria to filter your findings.
  6. Click on one of the sample findings.
  7. You can see various parameters like severity, region, Account ID, Resource ID, Resource Affected, etc.
  8. Go through the sample to learn more about the different severities.
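The steps above point at the filter criteria and the severity, region, Account ID and Resource ID fields without showing what they look like outside the console. The following is an added example (not part of the lab and not AWS code) that applies console-style filters to a handful of constructed findings and buckets them into the severity bands AWS documents (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). The findings are made up; the account ID, instance IDs and access key ID are placeholders, while the field names and finding types are ones real GuardDuty findings use.

```python
"""Filtering and triaging GuardDuty-style findings by the fields the console shows.

Added example, not the lab's or AWS's code. The findings below are constructed
but use field names real findings carry (Id, Type, Severity, Region, AccountId,
Resource.ResourceType, ...). The IDs are placeholders.
"""
from collections import Counter

# Constructed findings shaped like the JSON behind the console's Findings page.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Region": "us-east-1", "AccountId": "123456789012", "UpdatedAt": "2024-01-01T10:00:00Z",
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "f-002", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Region": "us-east-1", "AccountId": "123456789012", "UpdatedAt": "2024-01-01T10:05:00Z",
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}}},
    {"Id": "f-003", "Type": "Trojan:EC2/DNSDataExfiltration", "Severity": 8.0,
     "Region": "us-east-1", "AccountId": "123456789012", "UpdatedAt": "2024-01-01T10:10:00Z",
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "f-004", "Type": "Policy:IAMUser/RootCredentialUsage", "Severity": 2.0,
     "Region": "us-west-2", "AccountId": "123456789012", "UpdatedAt": "2024-01-01T10:15:00Z",
     "Resource": {"ResourceType": "AccessKey",
                  "AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                       "UserName": "root", "UserType": "Root"}}},
    {"Id": "f-005", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Region": "us-east-1", "AccountId": "123456789012", "UpdatedAt": "2024-01-01T10:20:00Z",
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}}},
]


def severity_label(score):
    """Map the numeric Severity field to the band the console displays.

    Bands as documented by AWS: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9,
    Critical 9.0-10.0. Anything below 4.0 is treated as Low here.
    """
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def resource_id(finding):
    """Return the affected resource's identifier for the Instance and AccessKey shapes."""
    res = finding["Resource"]
    if res["ResourceType"] == "Instance":
        return res["InstanceDetails"]["InstanceId"]
    if res["ResourceType"] == "AccessKey":
        return res["AccessKeyDetails"]["AccessKeyId"]
    return None


def filter_findings(findings, min_severity=0.0, region=None, resource_type=None, type_prefix=None):
    """Apply console-style filter criteria; every criterion given must match."""
    kept = []
    for f in findings:
        if f["Severity"] < min_severity:
            continue
        if region and f["Region"] != region:
            continue
        if resource_type and f["Resource"]["ResourceType"] != resource_type:
            continue
        if type_prefix and not f["Type"].startswith(type_prefix):
            continue
        kept.append(f)
    return kept


def summarize(findings):
    """Count findings per severity band, e.g. {'High': 2, 'Medium': 1, 'Low': 2}."""
    return dict(Counter(severity_label(f["Severity"]) for f in findings))


def triage_order(findings):
    """Finding IDs in triage order: highest severity first, newest first within a band."""
    ranked = sorted(findings, key=lambda f: (f["Severity"], f["UpdatedAt"]), reverse=True)
    return [f["Id"] for f in ranked]


if __name__ == "__main__":
    print("by band:", summarize(SAMPLE_FINDINGS))
    for f in filter_findings(SAMPLE_FINDINGS, min_severity=7.0, region="us-east-1"):
        print(f["Id"], severity_label(f["Severity"]), f["Type"], resource_id(f))
    print("triage order:", triage_order(SAMPLE_FINDINGS))
```

The `type_prefix` filter mirrors how GuardDuty finding types are named (threat purpose, then resource, then the specific detection), so a prefix such as `UnauthorizedAccess:` selects a whole class of findings the way the console's Finding type filter does.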
Task 5: Validation of the Lab

  1. Once the lab steps are completed, click on the Validation button in the right-side panel.
  2. This will validate the resources in the AWS account and display whether you have completed this lab successfully or not.
Task 6: Disabling GuardDuty

  1. Go to Settings and click on Disable GuardDuty under Suspend GuardDuty to stop it.
  2. Click on Disable to confirm.
  3. You have successfully disabled GuardDuty.
  4. You have successfully used the AWS Management Console to enable Amazon GuardDuty.
  5. You have successfully explored the options of the Amazon GuardDuty service like Settings, Lists, and Accounts.
  6. You have generated some sample findings and reviewed them.
  7. Sign out of the AWS account.
  8. You have successfully completed the lab.
  9. Once you have completed the steps, click on End Lab from the lab console.