Case Study

Turbot Guardrails for Amazon GuardDuty

Turbot provides Guardrails for a number of AWS security, identity, and compliance products. Turbot has recently expanded its Guardrail policies for Amazon GuardDuty to help enterprises ensure that Amazon GuardDuty is set up and configured according to defined threat-detection policies, so that it continuously monitors for malicious or unauthorized behavior across AWS accounts and workloads.

Turbot Team
5 min. read - Aug 09, 2018

Turbot Guardrails provides point-and-click policy enforcement to set up and configure Amazon GuardDuty Master and Member account configurations.

Turbot Guardrails Enables GuardDuty at Scale:

  • Enable / Disable Amazon GuardDuty Master and Member accounts, explicitly preventing the Amazon GuardDuty service from being configured outside of the enterprise's Amazon GuardDuty Master Account.

  • When enabling the Amazon GuardDuty Master Account, additional Turbot Guardrails policies can be set to build trust between Master and Member Accounts. Turbot Guardrails simplifies automation of the Master account request and Member account acceptance, as well as deployment of Amazon GuardDuty Detectors in all specified regions. Many of our Enterprise customers will simply trust all of their AWS Accounts; within minutes Turbot Guardrails automates the complete setup and continues to enforce that new AWS accounts are added to the Amazon GuardDuty Master Account.

  • Turbot Guardrails can be set to enable / disable the specific regions in which GuardDuty Detectors, IP Sets, and Threat Sets are allowed to reside (if a resource is created outside of an approved region, Turbot Guardrails will suspend or delete it according to the Guardrail policy settings).

  • As part of the Turbot Guardrails Identity Engine, enterprises can easily assign Amazon GuardDuty roles and identity policies consistent with the other AWS IAM policies managed by Turbot. This includes Turbot Guardrails time-based identity policy management.

Auto Setup Amazon GuardDuty Sources:

Amazon GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS Logs to monitor for threats. Turbot's existing Guardrails for setting up CloudTrail, VPC Flow Logs, and AWS DNS Providers in DHCP Option Sets ensure that all of these data sources are continuously configured for all accounts and associated VPCs. Note: although Amazon GuardDuty does not require CloudTrail or VPC Flow Logs to be enabled in order to operate, it is best practice to enable these data sources so that you own and retain your own logs. Turbot Guardrails provides additional log management Guardrails to ensure logs are protected from being altered, and retention Guardrails to ensure appropriate rotation of logs in accordance with company policy.

Enforce Amazon GuardDuty IP and Threat Lists:

  • Enforce the specific IP Set and Threat Set file formats (txt, fire_eye, etc.) that are approved for the environment. Lists in unapproved file formats are auto-remediated according to policy.

  • Enforce specific IP Set and Threat Set lists to simplify management and control of approved lists. When setting IP and Threat Sets, Turbot Guardrails will automatically create list .txt files with specified CIDR ranges, store the .txt file in locked down logging buckets already managed by Turbot Guardrails as part of the enterprise's standard logging and retention policies, and associate the list to the Amazon GuardDuty Master account configurations.

Manage Findings and Remediation:

  • The Turbot Guardrails Cloud Configuration Management Database (CMDB) version-controls user activity and configuration changes across the enterprise's cloud environments, services, and operating systems. Turbot Guardrails has extended the Turbot Guardrails Cloud CMDB to include Amazon GuardDuty Detectors, IP Sets, and Threat Sets. This allows enterprises to view the current and prior state of their Amazon GuardDuty configurations, along with a cached, cross-account, full-text search of Amazon GuardDuty configurations.

  • Enable Amazon GuardDuty Findings to be stored in locked down logging buckets already managed by Turbot Guardrails as part of the enterprise's standard logging and retention policies.

  • As Amazon GuardDuty reports Findings, Turbot Guardrails will raise an alarm on each finding as part of Turbot Guardrails Controls reporting, while providing a feedback loop on how to remediate the finding with Turbot Guardrails, correcting the issue and preventing the finding from recurring.

Example:
EC2 instance has an unprotected port that is being probed by a known malicious host.
Turbot Guardrails Recommendation:
a. Set AWS > VPC > Security Group Rules Approved policy to Enforce: Delete unapproved Security Group Rules.
b. Remove '- Public' from (or do not include it in) the AWS > VPC > Security Group Rules Approved Ingress Restrict to Sources policy.

Contact us to learn more about Turbot Guardrails for Amazon GuardDuty or schedule a demo to see how Turbot Guardrails can automate Cloud Governance.