Test GuardDuty findings in dedicated accounts
Use this document to run a tester script that generates GuardDuty findings against test resources that will be deployed in your AWS account. You can perform these steps when you want to understand and learn about certain GuardDuty finding types and how the finding details look for actual resources in your account. This experience is different from generating Sample findings. For more information about the experience of testing GuardDuty findings, see Considerations.
Contents
Considerations
Before you proceed, take the following considerations into account:
-
GuardDuty recommends deploying the tester in a dedicated non-production AWS account. This approach will ensure that you are able to properly identify GuardDuty findings generated by the tester. Additionally, the GuardDuty tester deploys a variety of resources which may require IAM permissions beyond what is allowed in other accounts. Using a dedicated account ensures that permissions can be properly scoped with a clear account boundary.
-
The tester script generates over 100 GuardDuty findings with different AWS resource combinations. Presently, this does't include all the GuardDuty finding types. For a list of finding types that you can generate with this tester script, see GuardDuty findings tester script can generate.
Note
The tester script generates only AttackSequence:S3/CompromisedData for Attack sequence finding types. To visualize and understand AttackSequence:IAM/CompromisedCredentials, you can generate Sample findings in your account.
-
For the GuardDuty tester to work as expected, GuardDuty needs to be enabled in the account where the tester resources are deployed. Depending on the tests that will run, the tester evaluates whether or not the appropriate GuardDuty protection plans are enabled. For any protection plan that is not enabled, GuardDuty will request permission to enable the necessary protection plans long enough for GuardDuty to perform the tests that will generate findings. Later, GuardDuty will disable the protection plan once the testing is complete.
- Enabling GuardDuty for the first time
-
When GuardDuty gets enabled in your dedicated account for the first time in a specific Region, your account will be automatically enrolled in a 30-day free trial.
GuardDuty offers optional protection plans. At the time of enabling GuardDuty, certain protection plans also get enabled and are included in the GuardDuty 30-day free trial. For more information, see Using GuardDuty 30-day free trial.
- GuardDuty is already enabled in your account prior to running the tester script
-
When GuardDuty is already enabled, then based on the parameters, the tester script will check the configuration status of certain protection plans and other account level settings that are required to generate the findings.
By running this tester script, certain protection plans may get enabled for the first time in your dedicated account in a Region. This will start the 30-day free trial for that protection plan. For information about free trial associated with each protection plan, see Using GuardDuty 30-day free trial.
-
As long as the GuardDuty tester infrastructure is deployed, you may occasionally receive UnauthorizedAccess:EC2/TorClient findings from the PenTest instance.
GuardDuty findings tester script can generate
Presently, the tester script generates following finding types that are related to Amazon EC2, Amazon EKS, Amazon S3, IAM, and EKS audit logs:
Step 1 - Prerequisites
To prepare your test environment, you will need the following items:
-
Git – Install git command line tool based on the operating system that you use. This is required to clone the
amazon-guardduty-tester
repository. -
AWS Command Line Interface – An open source tool that enables you to interact with AWS services by using commands in your command-line shell. For more information, see Get started with AWS CLI in the AWS Command Line Interface User Guide.
-
AWS Systems Manager – To initiate Session Manager sessions with your managed nodes by using AWS CLI you must install the Session Manager plugin on your local machine. For more information, see Install Session Manager plugin for AWS CLI in the AWS Systems Manager User Guide.
-
Node Package Manager (NPM) – Install NPM to install all the dependencies.
-
Docker – You must have Docker installed. For installation instructions, see the Docker website
. To verify that Docker has been installed, run the following command and confirm there is an output similar to the following output:
$ docker --version Docker version 19.03.1
-
Subscribe to Kali Linux
image in the AWS Marketplace.
Step 2 - Deploy AWS resources
This section provides a list of key concepts and the steps to deploy certain AWS resources in your dedicated account.
Concepts
The following list provides key concepts related to the commands that help you deploy the resources:
-
AWS Cloud Development Kit (AWS CDK) – CDK is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. CDK supports a couple of programming languages to define reusable cloud components known as constructs. You can compose these together into stacks and apps. Then, you can deploy your CDK applications to AWS CloudFormation to provision or update your resources. For more information, see What is the AWS CDK? in the AWS Cloud Development Kit (AWS CDK) Developer Guide.
-
Bootstrapping – It is the process of preparing your AWS environment for usage with AWS CDK. Before you deploy a CDK stack into an AWS environment, the environment must first be bootstrapped. This process of provisioning specific AWS resources in your environment that are used by AWS CDK is part of the steps that you will perform in the next section - Steps to deploy AWS resources.
For more information about how bootstrapping works, see Bootstrapping in the AWS Cloud Development Kit (AWS CDK) Developer Guide.
Steps to deploy AWS resources
Perform the following steps to start deploying the resources:
-
Set up your AWS CLI default account and Region unless the dedicated account Region variables are manually set in the
bin/cdk-gd-tester.ts
file. For more information, see Environments in the AWS Cloud Development Kit (AWS CDK) Developer Guide. -
Run the following commands to deploy the resources:
git clone https://github.com/awslabs/amazon-guardduty-tester && cd amazon-guardduty-tester npm install cdk bootstrap cdk deploy
The last command (
cdk deploy
) creates a AWS CloudFormation stack on your behalf. The name of this stack is GuardDutyTesterStack.As a part of this script, GuardDuty creates new resources to generate GuardDuty findings in your account. It also adds the following tag key:value pair to the Amazon EC2 instances:
CreatedBy
:GuardDuty Test Script
The Amazon EC2 instances also include the EC2 instances that host EKS nodes and ECS clusters.
Instance types
GuardDuty is designed to use cost-effective instance types that provide the minimum performance necessary to successfully carry out tests. Because of vCPU requirements, the Amazon EKS node group requires
t3.medium
, and because of increased network capacity required for DenialOfService finding tests, the driver node requiresm6i.large
. For all other tests, GuardDuty usest3.micro
instance type. For more information about instance types, see Available sizes in the Amazon EC2 Instances Types Guide.
Step 3 - Run tester scripts
This is a two-step process where you first need to start a session with test driver and then, run scripts to generate GuardDuty findings with specific resource combinations.
-
After your resources are deployed, save the Region code to a variable in your current terminal session. Use the following command and replace
us-east-1
with the Region code where you deployed the resources:$ REGION=
us-east-1
-
The tester script is available only through AWS Systems Manager (SSM). To start an interactive shell on the tester host instance, query the host InstanceId.
-
Use the following command to begin your session for the tester script:
aws ssm start-session --region $REGION --document-name AWS-StartInteractiveCommand --parameters command="cd /home/ssm-user/py_tester && bash -l" --target $(aws ec2 describe-instances --region $REGION --filters "Name=tag:Name,Values=Driver-GuardDutyTester" --query "Reservations[].Instances[?State.Name=='running'].InstanceId" --output text)
The tester script is a Python-based program that dynamically builds a bash script to generate findings based on your input. You have flexibility to generate findings based on one or more AWS resource types, GuardDuty protection plans, Threat Purposes (tactics), Foundational data sources, or GuardDuty findings tester script can generate.
Use the following command examples as reference, and run one or more commands to generate findings that you want to explore:
python3 guardduty_tester.py python3 guardduty_tester.py --
all
python3 guardduty_tester.py --s3
python3 guardduty_tester.py --tacticsdiscovery
python3 guardduty_tester.py --ec2
--eks
--tacticsbackdoor
policy
execution
python3 guardduty_tester.py --eks
--runtime
only python3 guardduty_tester.py --ec2
--runtime
only --tacticsimpact
python3 guardduty_tester.py --log-sourcedns
vpc-flowlogs
python3 guardduty_tester.py --finding 'CryptoCurrency:EC2/BitcoinTool.B!DNS
'
For more information about valid parameters, you can run the following help command:
python3 guardduty_tester.py --help
Choose a preferred method to view the generated findings in your account.
Step 4 - Clean up AWS test resources
The account-level settings and other configuration status updates made during Step 3 - Run tester scripts return to the original state when the tester script concludes.
After you have run the tester script, you can choose to clean up the AWS test resources. You can choose to do this by using one of the following methods:
-
Run the following command:
cdk destroy
-
Delete the AWS CloudFormation stack with the name GuardDutyTesterStack. For information about steps, see Deleting a stack on the AWS CloudFormation console.
Troubleshooting common issues
GuardDuty has identified common issues and recommends troubleshooting steps:
-
Cloud assembly schema version mismatch
– Update AWS CDK CLI to a version compatible with the required cloud assembly version, or to the latest available version. For more information, see AWS CDK CLI compatibility. -
Docker permission denied
– Add the dedicated account user to the docker or docker-users so that the dedicated account can run the commands. For more information about steps, see Daemon socket option. -
Your requested instance type is not supported in your requested Availability Zone
– Some Availability zones don't support particular instance types. To identify which availability zones support your preferred instance type and reattempt to deploy AWS resources, perform the following steps:-
Choose a preferred method to determine which Availability zones support your instance type:
-
Attempt deploying the AWS resources again and specify an Availability zone that supports your preferred instance type.
To re-attempt deploying AWS resources
-
Set up the default Region in the
bin/cdk-gd-tester.ts
file. -
To specify the Availability zone, open the
amazon-guardduty-tester/lib/common/network/vpc.ts
file. -
In this file, replace
maxAzs: 2,
withavailabilityZones: ['
where you must specify the Availability zones for your instance type.us-east-1a
', 'us-east-1c
'], -
Continue with the remaining steps under Steps to deploy AWS resources.
-
-