Pre-Deployment Considerations


AWS Account Information

This action will be described in a later step.


AWS Account Permissions (Policies)


AMP Permissions

To learn more about permissions in AMP, see Roles and Permissions.


Supported AWS GuardDuty Regions

  • Asia Pacific Northeast-1
  • Asia Pacific Northeast-2
  • Asia Pacific South-1
  • Asia Pacific Southeast-1
  • Asia Pacific Southeast-2
  • Canada Central-1
  • China North-1
  • Europe Central-1
  • Europe West-1
  • Europe West-2
  • South America East-1
  • US East-1
  • US East-2
  • US West-1
  • US West-2


Armor does not provide support for using AWS CloudFormation to set up AWS GuardDuty resources in AWS GovCloud (US).


Log Relay


Update Your AWS Permissions


According to AWS, "An IAM user is a resource in IAM that has associated credentials and permissions. An IAM user can represent a person or an application that uses its credentials to make AWS requests. This is typically referred to as a service account."


Option 1: For existing AWS service accounts

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group",
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*",
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
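As an added check that is not part of Armor's documentation, the following Python script lints a policy document of the shape above: it confirms that every statement is an Allow of read-only CloudWatch Logs actions scoped to the Armor_GuardDuty_Log_Group ARN (or its streams), and reports anything broader such as logs:* or Resource "*". The policy from this page is embedded so the check runs offline; the allowed-action list and the ARN prefix are taken from that policy.

```python
import fnmatch
import json

# The service-account policy shown above, embedded here so the check runs offline.
ARMOR_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery",
                   "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents"],
        "Resource": ["arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group",
                     "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*",
                     "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*:*"],
        "Effect": "Allow"
    }]
}""")

# Everything the forwarding account legitimately needs is read-only access to one log group.
LOG_GROUP_ARN = "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group"
ALLOWED_ACTIONS = ["logs:describe*", "logs:get*", "logs:list*", "logs:startquery",
                   "logs:stopquery", "logs:testmetricfilter", "logs:filterlogevents"]


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings describing where the policy differs from the expected grant.

    An empty list means every statement is an Allow of read-only Logs actions on the
    Armor_GuardDuty_Log_Group ARN or one of its streams."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect is {stmt.get('Effect')!r}, not the expected 'Allow'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grants by exclusion; use explicit lists")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; compare lower-cased with glob semantics.
            if not any(fnmatch.fnmatchcase(action.lower(), ok) for ok in ALLOWED_ACTIONS):
                findings.append(f"{where}: action {action!r} is outside the read-only Logs set")
        for res in _as_list(stmt.get("Resource", [])):
            if not (res == LOG_GROUP_ARN or res.startswith(LOG_GROUP_ARN + ":")):
                findings.append(f"{where}: resource {res!r} is not scoped to the Armor log group")
    return findings


if __name__ == "__main__":
    print(lint_policy(ARMOR_POLICY) or "policy is scoped as expected")
```

Run it against a policy exported from the IAM console (for example the output of aws iam get-policy-version) before attaching it to the service account.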


Option 2: For non-existing AWS service accounts

AWS is in the process of updating the screens in their AWS console. As a result, there are two versions of the AWS CloudFormation screen; however, this step is compatible with both views.

  1. Click the following link to create a service account in AWS:
  2. Click Next.
  3. Click Next.
  4. Click Next.
  5. At the bottom of the screen, mark the box to accept the terms, and then click Create stack or Create.


Retrieve Your AWS Credentials


In a later step, you will add this information to your Armor Management Portal (AMP) account.

  1. In your AWS console, access the IAM section.
  2. In the left-side window, click Users.


  3. Locate and select the service account.
  4. Click Security credentials.
  5. Click Create access key.
  6. In the window that appears, copy your Access key ID and Secret access key. You will enter these keys in AMP in a later step.

To learn more about your keys, especially how to create a key, please visit AWS's documentation site.


Create A Remote Log Source Type


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
  4. Click the plus ( + ) icon.
  5. Complete the missing fields:
  6. Enter your AWS information.
  7. Under AWS Regions, click Select All Regions.
  8. Click Save Log Source.



  9. In the window that appears, click the link to directly access your AWS account with Armor's CloudFormation stackset or stack template already imported.

    Multiple regions

    To collect and send logs from multiple regions, click this link. Afterwards, see Step 4.

    Armor and AWS recommend that you configure your account to send logs from all regions.

    https://console.aws.amazon.com/cloudformation/stacksets/home#/stacksets/new?stackSetName=guard-duty-forwarding&templateURL=https:%2F%2Fs3-us-west-2.amazonaws.com%2Flogs.armor.com%2Fguard-duty-forwarding%2Fsetup-guard-duty-forwarding.yml

    Single region

    To collect and send logs from a single region, click this link. Afterwards, see Step 5.

    https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=guard-duty-forwarding&templateURL=https:%2F%2Fs3-us-west-2.amazonaws.com%2Flogs.armor.com%2Fguard-duty-forwarding%2Fsetup-guard-duty-forwarding.yml



Configure the AWS GuardDuty CloudFormation StackSet Template for Multiple Regions


If you only want to send logs from one region, then see (Optional) Step 5: Configure the AWS GuardDuty CloudFormation Stack Template.

  1. In the AWS console, in Amazon S3 URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml
  2. Click Next.
  3. (Optional) In StackSet name, enter a descriptive name for the StackSet.
  4. (Optional) In Log Retention In Days, specify the number of days to maintain logs.
  5. Click Next.
  6. In Deploy stacks in accounts, enter the AWS account number for the AWS service account.
  7. Under Specify regions, under Available regions, click Add all.
  8. Click Next.
  9. Click Next.
  10. At the bottom of the screen, mark the box to accept the terms, and then click Create.
  11. Skip Step 5, and proceed to Step 6.


(Optional) Configure the AWS GuardDuty CloudFormation Stack Template for a Single Region


AWS is in the process of updating the screens in their AWS console. As a result, there are two versions of the AWS CloudFormation screen.

Review the following table to understand your particular view, and then review the appropriate option.

[Table: View / Sample Image, with a screenshot of the Old View and a screenshot of the New View]


Option 1: Old View

  1. In the AWS console, in the top menu, on the right side, select the desired region.


  2. In Specify an Amazon S3 template URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml


  3. Click Next.
  4. (Optional) In Stack name, enter a descriptive name for the stack.
    • This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  5. (Optional) In Log Retention In Days, specify the number of days to maintain logs.
    • By default, Armor has configured 3 days.


  6. Click Next.
  7. (Optional) If required by your organization, under Tags, add your organization's tags to the CloudFormation deployment.
  8. (Optional) If required by your organization, under Permissions, in the drop-down menu, select IAM role ARN, and then in the corresponding field, enter AWSCloudFormationStackSetExecutionRole.


  9. Click Next.
  10. At the bottom of the screen, mark the box to accept the terms, and then click Create.


Option 2: New View

  1. In the AWS console, in the top menu, on the right side, select the desired region for log collection.


  2. In Amazon S3 URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml


  3. Click Next.
  4. (Optional) In Stack name, enter a descriptive name.
    • This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  5. (Optional) In Number of days AWS GuardDuty Findings will be retained inside of AWS Log Group, specify the number of days to maintain logs.
    • By default, Armor has configured 3 days.
  6. Click Next.
  7. Click Next.
  8. At the bottom of the screen, mark the box to accept the terms, and then click Create stack.


Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management, and then select External Sources.
  3. Locate the newly created remote log source.
  4. Under Last Event, verify that recent activity took place.

  Alternatively, to search for the forwarded events:

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management, and then select Search.
  3. In the search field, enter your AWS account number surrounded by asterisk wildcards.

Troubleshooting

If you are having issues adding a remote collector to an AWS GuardDuty remote device, consider that:

  • You do not have proper permissions in AWS.
  • You entered the AWS account information for an incorrect AWS service account.
    • If you have multiple AWS accounts, especially child or organization accounts, you must verify that you added the service account information for the correct service account.


Edit a Stack


This section only applies to single stacks, not stack sets.


Benefits

Comprehensive threat identification

Amazon GuardDuty identifies threats by continuously monitoring the network activity, data access patterns, and account behavior within the AWS environment. GuardDuty comes integrated with up-to-date threat intelligence feeds from AWS, CrowdStrike, and Proofpoint. Threat intelligence coupled with machine learning and behavior models helps you detect activity such as cryptocurrency mining, credential compromise behavior, unauthorized and unusual data access, communication with known command-and-control servers, or API calls from known malicious IPs.

Strengthens security through automation

In addition to detecting threats, Amazon GuardDuty also makes it easy to automate how you respond to threats, reducing your remediation and recovery time. GuardDuty can perform automated remediation actions by leveraging Amazon CloudWatch events and AWS Lambda. GuardDuty security findings are informative and actionable for security operations. The findings include the affected resource's details and attacker information, such as IP address and geo-location.

Enterprise scale and central management

Amazon GuardDuty provides multi-account support using AWS Organizations, so you can enable GuardDuty across all of your existing and new accounts. Your security team can aggregate your organization's findings across accounts into a single GuardDuty administrator account for easier management. The aggregated findings are also available through CloudWatch Events, making it easy to integrate with an existing enterprise event management system.
