AWS guardduty documentation change
Summary
Restructured documentation with expanded attack sequence examples (including EKS cluster compromise), added guidance on enabling protection plans (S3, EKS, Runtime Monitoring), clarified suppression rule behavior, and updated console navigation instructions.
Security assessment
The changes enhance documentation about GuardDuty's Extended Threat Detection capabilities, including new attack scenario examples and guidance on enabling security-focused protection plans (S3 Protection, EKS Protection). While these updates improve security awareness and feature documentation, there is no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/guardduty/latest/ug/guardduty-extended-threat-detection.md b/guardduty/latest/ug/guardduty-extended-threat-detection.md index 6911af5f8..a2dda6a14 100644 --- a//guardduty/latest/ug/guardduty-extended-threat-detection.md +++ b//guardduty/latest/ug/guardduty-extended-threat-detection.md @@ -5 +5 @@ -Enable related protection plansAdditional resources +Attack sequence threat scenario examplesHow Extended Threat Detection worksEnabling protection plans to maximize threat detectionExtended Threat Detection in GuardDuty consoleUnderstanding and managing attack sequence findingsAdditional resources @@ -11 +11 @@ GuardDuty Extended Threat Detection automatically detects multi-stage attacks th -A single finding can encompass an entire attack sequence. For example, it might detect a scenario such as: +###### Topics @@ -13 +13 @@ A single finding can encompass an entire attack sequence. For example, it might - 1. A threat actor gaining unauthorized access to a compute workload. + * Attack sequence threat scenario examples @@ -15 +15 @@ A single finding can encompass an entire attack sequence. For example, it might - 2. The actor then performing a series of actions such as privilege escalation and establishing persistence. + * How it works @@ -17 +17 @@ A single finding can encompass an entire attack sequence. For example, it might - 3. Finally, the actor exfiltrating data from an Amazon S3 resource. + * Enabling protection plans to maximize threat detection @@ -18,0 +19 @@ A single finding can encompass an entire attack sequence. For example, it might + * Extended Threat Detection in GuardDuty console @@ -19,0 +21 @@ A single finding can encompass an entire attack sequence. For example, it might + * Understanding and managing attack sequence findings @@ -20,0 +23 @@ A single finding can encompass an entire attack sequence. For example, it might + * Additional resources @@ -22 +24,0 @@ A single finding can encompass an entire attack sequence. For example, it might -Extended Threat Detection covers threat scenarios that involve compromise related to AWS credentials misuse, and data compromise attempts in your AWS accounts. For more information, see [Attack sequence finding types](./guardduty-attack-sequence-finding-types.html). @@ -24 +25,0 @@ Extended Threat Detection covers threat scenarios that involve compromise relate -Because of the nature of these threat scenarios, GuardDuty considers all attack sequence finding types as **Critical**. @@ -26 +26,0 @@ Because of the nature of these threat scenarios, GuardDuty considers all attack -The following list provides key information about Extended Threat Detection. @@ -28 +28 @@ The following list provides key information about Extended Threat Detection. -**Enabled by default** +## Attack sequence threat scenario examples @@ -29,0 +30 @@ The following list provides key information about Extended Threat Detection. +Extended Threat Detection covers threat scenarios that involve compromise related to AWS credentials misuse, data compromise attempts in Amazon S3 buckets, and container and Kubernetes resource compromise in Amazon EKS clusters. A single finding can encompass an entire attack sequence. For example, the following list describes the scenarios that GuardDuty might detect: @@ -31 +32 @@ The following list provides key information about Extended Threat Detection. -When you enable Amazon GuardDuty in your account in a specific AWS Region, Extended Threat Detection is also enabled by default. There is no additional cost associated with the usage of Extended Threat Detection. By default, it correlates events across all [Foundational data sources](./guardduty_data-sources.html). However, when you enable more GuardDuty protection plans, such as S3 Protection, this will open additional types of attack sequence detections by widening the range of event sources. This will potentially help with a more comprehensive threat analysis and better detection of attack sequences. For more information, see Enable related protection plans. +**Example 1 - AWS credentials and Amazon S3 bucket data compromise** @@ -33 +33,0 @@ When you enable Amazon GuardDuty in your account in a specific AWS Region, Exten -**How Extended Threat Detection works?** @@ -34,0 +35,28 @@ When you enable Amazon GuardDuty in your account in a specific AWS Region, Exten + * A threat actor gaining unauthorized access to a compute workload. + + * The actor then performing a series of actions such as privilege escalation and establishing persistence. + + * Finally, the actor exfiltrating data from an Amazon S3 resource. + + + + +**Example 2 - Amazon EKS cluster compromise** + + + * A threat actor attempts to exploit a container application within an Amazon EKS cluster. + + * The actor uses that compromised container to obtain privileged service account tokens. + + * The actor then leverages these elevated privileges to access sensitive Kubernetes secrets or AWS resources through pod identities. + + + + +Because of the nature of the associated threat scenarios, GuardDuty considers all [Attack sequence finding types](./guardduty-attack-sequence-finding-types.html) as **Critical**. + +The following video provides a demonstration of how you can use Extended Threat Detection. + +## How it works + +When you enable Amazon GuardDuty in your account in a specific AWS Region, Extended Threat Detection is also enabled by default. There is no additional cost associated with the usage of Extended Threat Detection. By default, it correlates events across all [Foundational data sources](./guardduty_data-sources.html). However, when you enable more GuardDuty protection plans, such as S3 Protection, EKS Protection, and Runtime Monitoring, this will open additional types of attack sequence detections by widening the range of event sources. This will potentially help with a more comprehensive threat analysis and better detection of attack sequences. For more information, see Enabling protection plans to maximize threat detection. @@ -37,0 +66,4 @@ GuardDuty correlates multiple events, including API activities and GuardDuty fin +###### Note + +When correlating events for attack sequences, Extended Threat Detection doesn't consider archived findings, including those findings that are automatically archived because of [Suppression rules](./findings_suppression-rule.html). This behavior ensures that only active, relevant signals contribute to attack sequence detection. To ensure that you're not impacted by this, review existing suppression rules in your account. For more information, see [Using suppression rules with Extended Threat Detection](./findings_suppression-rule.html#using-suppression-rules-with-extended-threat-detection). + @@ -40 +72 @@ GuardDuty is also designed to identify potential in-progress or recent attack be -**Extended Threat Detection page in GuardDuty console** +## Enabling protection plans to maximize threat detection @@ -41,0 +74 @@ GuardDuty is also designed to identify potential in-progress or recent attack be +For any GuardDuty account in a Region, the Extended Threat Detection capability gets enabled automatically. By default, this capability takes into consideration the multiple events across all [Foundational data sources](./guardduty_data-sources.html). To benefit from this capability, you don't need to enable all the [use-case focused GuardDuty protection plans](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html#features-of-guardduty). For example, with foundational threat detection, GuardDuty can identify a potential attack sequence starting from IAM privilege discovery activity on Amazon S3 APIs, and detect subsequent S3 control plane alterations, such as changes that make bucket resource policy more permissive. @@ -43 +76 @@ GuardDuty is also designed to identify potential in-progress or recent attack be -By default, the Extended Threat Detection page in GuardDuty console displays the **Status** as **Enabled**. Use the following steps to access the Extended Threat Detection page in GuardDuty console: +Extended Threat Detection is designed in a way that if you enable more protection plans, it helps GuardDuty correlate more diverse signals across multiple data sources. This will potentially enhance the breadth of security signals for comprehensive threat analysis and coverage of attack sequences. To identify findings that could potentially be one of the multiple stages in an attack sequence, GuardDuty **recommends** enabling specific protection plans – S3 Protection, EKS Protection, and Runtime Monitoring (with EKS add-on). @@ -45 +78 @@ By default, the Extended Threat Detection page in GuardDuty console displays the - 1. You can open GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/). +###### Topics @@ -47 +80 @@ By default, the Extended Threat Detection page in GuardDuty console displays the - 2. In the left navigation pane, choose **Extended Threat Detection**. + * Detecting attack sequences in Amazon EKS clusters @@ -49 +82 @@ By default, the Extended Threat Detection page in GuardDuty console displays the -This page provides details about the threat scenarios that Extended Threat Detection covers. + * Detecting attack sequences in Amazon S3 buckets @@ -51 +83,0 @@ This page provides details about the threat scenarios that Extended Threat Detec - * If you **want to** enable S3 Protection in your account, then see [Enabling S3 Protection in multiple-account environments](./s3-multiaccount.html). @@ -53 +84,0 @@ This page provides details about the threat scenarios that Extended Threat Detec - * Otherwise, there is **no action** required in this page. @@ -55,0 +87 @@ This page provides details about the threat scenarios that Extended Threat Detec +### Detecting attack sequences in Amazon EKS clusters @@ -56,0 +89 @@ This page provides details about the threat scenarios that Extended Threat Detec +GuardDuty correlated multiple security signals across EKS audit logs, runtime behavior of processes, and AWS API activity to detect sophisticated attack patterns. To benefit from Extended Threat Detection for EKS, you must enable at least one of these features – EKS Protection or Runtime Monitoring (with EKS add-on). EKS Protection monitors control plane activities through audit logs, while Runtime Monitoring observes behaviors within containers. @@ -58 +91 @@ This page provides details about the threat scenarios that Extended Threat Detec -**Understanding and managing attack sequence findings** +For maximum coverage and comprehensive threat detection, GuardDuty recommends enabling both protection plans. Together, they create a complete view of your EKS clusters, enabling GuardDuty to detect complex attack patterns. For example, it can identify an anomalous deployment of a privileged container (detected with EKS Protection), followed by persistence attempts, crypto-mining, and reverse shell creation within that container (detected with Runtime Monitoring). GuardDuty represents these related events as a single, critical-severity finding, called [AttackSequence:EKS/CompromisedCluster](./guardduty-attack-sequence-finding-types.html#attack-sequence-eks-compromised-cluster). When you enable both the protection plans, the attack sequence finding covers the following threat scenarios: @@ -59,0 +93 @@ This page provides details about the threat scenarios that Extended Threat Detec + * Compromise of containers running vulnerable web applications @@ -61 +95 @@ This page provides details about the threat scenarios that Extended Threat Detec -Attack sequence findings are just like other GuardDuty findings in your account. You can view them on the **Findings** page in the GuardDuty console. For information about viewing findings, see [Findings page in GuardDuty console](./guardduty_working-with-findings.html). + * Unauthorized access through misconfigured credentials @@ -63 +97 @@ Attack sequence findings are just like other GuardDuty findings in your account. -Similar to other GuardDuty findings, attack sequence findings are also automatically sent to Amazon EventBridge. Based on your settings, attack sequence findings are also exported to a publishing destination (Amazon S3 bucket). To set a new publishing destination or update an existing one, see [Exporting generated findings to Amazon S3](./guardduty_exportfindings.html). + * Attempts to escalate privileges @@ -65 +99 @@ Similar to other GuardDuty findings, attack sequence findings are also automatic -The following video provides a demonstration of how you can use Extended Threat Detection. + * Suspicious API requests @@ -67 +101 @@ The following video provides a demonstration of how you can use Extended Threat -## Enable related protection plans + * Attempts to access data maliciously @@ -69 +102,0 @@ The following video provides a demonstration of how you can use Extended Threat -For any GuardDuty account in a Region, the Extended Threat Detection capability gets enabled automatically. By default, this capability takes into consideration the multiple events across all [Foundational data sources](./guardduty_data-sources.html). To benefit from this capability, you don't need to enable all the [use-case focused GuardDuty protection plans](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html#features-of-guardduty). @@ -71 +103,0 @@ For any GuardDuty account in a Region, the Extended Threat Detection capability -Extended Threat Detection is designed in a way that if you enable more protection plans, this will enhance the breadth of security signals for comprehensive threat analysis and coverage of attack sequences. GuardDuty recommends enabling GuardDuty S3 Protection in your account because of the following reasons: @@ -73 +104,0 @@ Extended Threat Detection is designed in a way that if you enable more protectio -**Benefit of enabling S3 Protection with Extended Threat Detection** @@ -74,0 +106 @@ Extended Threat Detection is designed in a way that if you enable more protectio +The following list provides details when these dedicated protection plans are enabled individually: @@ -76 +108 @@ Extended Threat Detection is designed in a way that if you enable more protectio -For GuardDuty to detect an attack sequence that potentially includes data compromise in your Amazon Simple Storage Service (Amazon S3) buckets, you must enable S3 Protection in your account. This helps GuardDuty correlate more diverse signals across multiple data sources. GuardDuty uses dedicated S3 Protection plan to identify findings that could potentially be one of the multiple stages in an attack sequence. For example, with GuardDuty foundational threat detection alone, GuardDuty can identify a potential attack sequence starting from IAM privilege discovery activity on Amazon S3 APIs, and detect subsequent S3 control plane alterations, such as changes that make bucket resource policy more permissive. When you enable S3 Protection, GuardDuty expands its threat detection scope. It also gains the ability to detect potential data exfiltration activities that may occur after S3 bucket access becomes more permissive. +**EKS Protection** @@ -78 +110,38 @@ For GuardDuty to detect an attack sequence that potentially includes data compro -If S3 Protection is not enabled, GuardDuty will not be able to generate individual [S3 Protection finding types](./guardduty_finding-types-s3.html). Therefore, GuardDuty will not be able to detect multi-stage attack sequences that involve associated findings. Therefore, GuardDuty will not be able to generate attack sequences associated to compromise of data. + +Enabling EKS Protection gives GuardDuty an ability to detect attack sequences involving Amazon EKS cluster control plane activities. This allows GuardDuty to correlate EKS audit logs and AWS API activity. For example, GuardDuty can detect an attack sequence where an actor attempts unauthorized access to cluster secrets, modifies Kubernetes role-based access control (RBAC) permissions, and creates privileged pods. For more information about enabling this protection plan, see [EKS Protection](./kubernetes-protection.html). + +**Runtime Monitoring for Amazon EKS** + + +Enabling Runtime Monitoring for Amazon EKS clusters gives GuardDuty an ability to enhance EKS attack sequence detection with container-level visibility. This helps GuardDuty detect potential malicious processes, suspicious runtime behaviors, and potential malware execution. For example, GuardDuty can detect an attack sequence where a container starts exhibiting suspicious behavior, such as cryptomining processes or establishing connections to known malicious endpoints. For more information about enabling this protection plan, see [Runtime Monitoring](./runtime-monitoring.html). + +If you don't enable EKS Protection or Runtime Monitoring, GuardDuty will not be able to generate individual [EKS Protection finding types](./guardduty-finding-types-eks-audit-logs.html) or [Runtime Monitoring finding types](./findings-runtime-monitoring.html). Therefore, GuardDuty will not be able to detect multi-stage attack sequences that involve associated findings. + +### Detecting attack sequences in Amazon S3 buckets + +Enabling S3 Protection gives GuardDuty an ability to detect attack sequences involving attempts to data compromise in your Amazon S3 buckets. Without S3 Protection, GuardDuty can detect when your S3 bucket resource policy becomes overly permissive. When you enable S3 Protection, GuardDuty gains the ability to detect potential data exfiltration activities that may occur after your S3 bucket becomes overly permissive. + +If S3 Protection is not enabled, GuardDuty will not be able to generate individual [S3 Protection finding types](./guardduty_finding-types-s3.html). Therefore, GuardDuty will not be able to detect multi-stage attack sequences that involve associated findings. For more information about enabling this protection plan, see [S3 Protection](./s3-protection.html). + +## Extended Threat Detection in GuardDuty console + +By default, the Extended Threat Detection page in GuardDuty console displays the **Status** as **Enabled**. With foundational threat detection, the status represents that GuardDuty can detect a potential attack sequence involving IAM privilege discovery activity on Amazon S3 APIs and detecting subsequent S3 control plane alterations. + +Use the following steps to access the Extended Threat Detection page in GuardDuty console: + + 1. You can open GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/). + + 2. In the left navigation pane, choose **Extended Threat Detection**. + +This page provides details about the threat scenarios that Extended Threat Detection covers. + + 3. On the **Extended Threat Detection** page, view the **Related protection plans** section. If you **want to** enable dedicated protection plans to enhance threat detection coverage in your account, select **Configure** option for that protection plan. + + + + +## Understanding and managing attack sequence findings + +Attack sequence findings are just like other GuardDuty findings in your account. You can view them on the **Findings** page in the GuardDuty console. For information about viewing findings, see [Findings page in GuardDuty console](./guardduty_working-with-findings.html). + +Similar to other GuardDuty findings, attack sequence findings are also automatically sent to Amazon EventBridge. Based on your settings, attack sequence findings are also exported to a publishing destination (Amazon S3 bucket). To set a new publishing destination or update an existing one, see [Exporting generated findings to Amazon S3](./guardduty_exportfindings.html).