Hands-On Demo: Enhancing AWS Security with Amazon GuardDuty Using AWS CLI and Boto3

In this hands-on demo, we’ll explore Amazon GuardDuty using the AWS Command Line Interface (CLI) and Boto3, the AWS SDK for Python. GuardDuty is a powerful threat detection service provided by AWS, offering continuous monitoring of your AWS accounts and workloads for malicious activity. It delivers detailed security findings, enhancing your cloud security posture.

Prerequisites

Before you begin, ensure you have the AWS CLI and Boto3 installed and configured with credentials for an IAM identity that is allowed to call the GuardDuty actions used below (the AWS managed policy AmazonGuardDutyFullAccess covers the demo; scope it down to the specific guardduty: actions for anything beyond a lab account). The threat-list task additionally needs s3:GetObject and s3:PutObject on the bucket that holds the list. Additionally, make sure you have Python installed on your system.

Task 1: Enable Amazon GuardDuty

Let’s start by enabling Amazon GuardDuty using the AWS CLI. GuardDuty is a regional service, so the command below enables it in one region only; repeat it for every region you want monitored. An account can have at most one detector per region, and every later call needs its ID, so capture the ID that create-detector returns in a shell variable. If a detector already exists in the region the call fails with a BadRequestException; in that case look the ID up with aws guardduty list-detectors instead.

     # Enable GuardDuty in the US East (N. Virginia) region and keep the detector ID
     detector_id=$(aws guardduty create-detector --enable --region us-east-1 \
         --query DetectorId --output text)
     echo "$detector_id"

Task 2: Explore Amazon GuardDuty with Boto3

Now, let’s use Boto3 to read the detector’s settings, its administrator (formerly "master") account relationship, and the IP lists attached to it. Note that get_detector requires a detector ID, so we discover it with list_detectors first.

import boto3

# Initialize the GuardDuty client (uses the region from your CLI/Boto3 configuration)
gd_client = boto3.client('guardduty')

# An account has at most one detector per region; discover its ID first
detector_ids = gd_client.list_detectors()['DetectorIds']
if not detector_ids:
    raise SystemExit("GuardDuty is not enabled in this region")
detector_id = detector_ids[0]

# Get detector settings
detector_response = gd_client.get_detector(DetectorId=detector_id)
print(f"Detector ID: {detector_id}")
print(f"Status: {detector_response['Status']}, "
      f"finding publishing frequency: {detector_response['FindingPublishingFrequency']}")

# Get the administrator account, if this account is a member of another account.
# get_master_account still works but is deprecated in favour of get_administrator_account.
admin = gd_client.get_administrator_account(DetectorId=detector_id).get('Administrator', {})
if admin.get('AccountId'):
    print(f"Administrator Account ID: {admin['AccountId']} ({admin.get('RelationshipStatus')})")
else:
    print("This account is not a GuardDuty member of another account")

# List trusted IP lists (traffic from these addresses never generates findings)
trusted_ip_sets_response = gd_client.list_ip_sets(DetectorId=detector_id)
for ip_set_id in trusted_ip_sets_response['IpSetIds']:
    ip_set = gd_client.get_ip_set(DetectorId=detector_id, IpSetId=ip_set_id)
    print(f"Trusted IP Set ID: {ip_set_id}, name: {ip_set['Name']}, status: {ip_set['Status']}")

# List threat lists (traffic involving these addresses generates findings)
threat_ip_sets_response = gd_client.list_threat_intel_sets(DetectorId=detector_id)
for threat_set_id in threat_ip_sets_response['ThreatIntelSetIds']:
    threat_set = gd_client.get_threat_intel_set(DetectorId=detector_id, ThreatIntelSetId=threat_set_id)
    print(f"Threat IP Set ID: {threat_set_id}, name: {threat_set['Name']}, status: {threat_set['Status']}")

Add member accounts:

Bringing other accounts under this account’s GuardDuty administration is a two-step invitation flow: create_members registers the account IDs (with their root e-mail addresses) against the administrator’s detector, and invite_members then sends the invitation, which each member must accept before its findings flow to the administrator. Accounts that belong to the same AWS Organization as a delegated GuardDuty administrator are associated directly by create_members and need no invitation.

import boto3

# Create a GuardDuty client in the administrator account and find its detector
client = boto3.client('guardduty')
detector_id = client.list_detectors()['DetectorIds'][0]

# Accounts to invite. The e-mail address is required by the invitation flow
# (placeholder values; replace with the root e-mail of each account).
account_details = [
    {'AccountId': '123456789012', 'Email': 'security@example.com'},
    {'AccountId': '987654321098', 'Email': 'security2@example.com'},
]

# Step 1: register the accounts as (pending) members of this detector
create_response = client.create_members(
    DetectorId=detector_id,
    AccountDetails=account_details,
)

# Step 2: send the invitations (not needed for AWS Organizations members)
invite_response = client.invite_members(
    DetectorId=detector_id,
    AccountIds=[a['AccountId'] for a in account_details],
    DisableEmailNotification=True,
    Message='Please accept the GuardDuty invitation from the security account',
)

# Any account that could not be processed is reported here with a reason
for resp in (create_response, invite_response):
    for unprocessed in resp['UnprocessedAccounts']:
        print(f"{unprocessed['AccountId']}: {unprocessed['Result']}")

Add IP to Threat Lists:

GuardDuty does not store the addresses of a threat list itself. The list is a file in an S3 bucket (in TXT format one IPv4 or IPv6 address or CIDR range per line; STIX and several vendor CSV formats are also accepted) that GuardDuty reads when the set is created, activated or updated. Adding an IP address therefore means rewriting that S3 object and then calling update_threat_intel_set so that GuardDuty re-reads it. In Boto3 the calls involved are create_threat_intel_set (once, to register the list) and update_threat_intel_set (after every change to the file). Both take the detector ID; the update also takes the threat intel set ID that create_threat_intel_set returned, not the set’s name. Two caveats: the bucket must be readable by the GuardDuty service-linked role (bucket policy, plus the key policy if the bucket uses a customer-managed KMS key), and in a multi-account setup only the administrator account can manage lists, which then apply to every member account. Traffic that matches a custom list produces findings whose type ends in .Custom, for example UnauthorizedAccess:EC2/MaliciousIPCaller.Custom. Here’s a step-by-step guide:

  1. Initialize the Boto3 clients: before you can interact with GuardDuty (and the bucket holding the list) you need a client for each service.
    
    import boto3
    
    # Initialize the GuardDuty and S3 clients
    gd_client = boto3.client('guardduty')
    s3 = boto3.client('s3')
    
  2. Create a Threat Intel Set: upload the list file and register it with GuardDuty. If the Threat Intel Set already exists, skip this step and look its ID up with list_threat_intel_sets.
    
    # Define the Threat Intel Set name, format and S3 location (replace with your own)
    bucket = 'your-threat-list-bucket'
    key = 'guardduty/MyThreatIntelSet.txt'
    threat_intel_set_name = "MyThreatIntelSet"
    threat_intel_set_format = "TXT"
    
    # Upload the initial list: one IP address or CIDR range per line
    s3.put_object(Bucket=bucket, Key=key, Body="198.51.100.23\n203.0.113.0/24\n")
    
    # Create and activate the Threat Intel Set; keep the returned ID for later updates
    create_response = gd_client.create_threat_intel_set(
        DetectorId='your_detector_id',
        Name=threat_intel_set_name,
        Format=threat_intel_set_format,
        Location=f"s3://{bucket}/{key}",
        Activate=True
    )
    threat_intel_set_id = create_response['ThreatIntelSetId']
    
  3. Add an IP address to the Threat Intel Set: append the address to the file, upload it again, and call update_threat_intel_set with the set’s ID so that GuardDuty picks up the change. Replace 'your_detector_id' and 'YourIPAddress' with your actual values.
    
    # Define the IP address to add to the Threat Intel Set
    ip_address = "YourIPAddress"
    
    # Fetch the current list, append the address if it is not already there, and write it back
    current = s3.get_object(Bucket=bucket, Key=key)['Body'].read().decode()
    if ip_address not in current.split():
        s3.put_object(Bucket=bucket, Key=key, Body=current.rstrip("\n") + f"\n{ip_address}\n")
    
    # Tell GuardDuty to re-read the file. Location is the S3 URI; the ID is the one
    # returned by create_threat_intel_set (or from list_threat_intel_sets).
    gd_client.update_threat_intel_set(
        DetectorId='your_detector_id',
        ThreatIntelSetId=threat_intel_set_id,
        Name=threat_intel_set_name,
        Location=f"s3://{bucket}/{key}",
        Activate=True
    )
    

Remember to replace 'your_detector_id', 'YourIPAddress' and the bucket and key with your actual values, and ensure that both your identity and the GuardDuty service-linked role have the necessary permissions on the bucket.
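A list that contains a malformed entry is rejected as a whole when GuardDuty reads it, and a private address that slipped in from an internal log is silently useless, so it pays to validate and normalise the file before uploading rather than after an activation error. The following added example (not code from the original post) does that: it parses the TXT format, refuses private/loopback/link-local ranges, collapses duplicates and entries already covered by a wider CIDR, and only then pushes the file and asks GuardDuty to re-read it. The bucket, key, detector ID and threat intel set ID are placeholders you supply; the sample list content is constructed, and only push_threat_list needs AWS credentials.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: what an existing TXT threat list object might contain.
# It carries a duplicate on purpose so the merge has something to clean up.
SAMPLE_LIST = "198.51.100.23\n203.0.113.0/24\n198.51.100.23\n"

# Ranges that can never be the remote end of the internet traffic GuardDuty
# inspects; an entry inside one of them is almost always a copy-paste mistake.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


class ThreatListError(ValueError):
    """An entry is not a valid IP/CIDR or is not worth listing."""


def parse_threat_list(text: str) -> List[Network]:
    """Parse TXT content (one IP address or CIDR range per line) into networks.

    Blank lines are skipped. Anything else must parse as an address or range,
    otherwise GuardDuty would reject the whole list at creation/update time.
    """
    networks: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ThreatListError(f"line {lineno}: {entry!r} is not an IP address or CIDR") from exc
        if any(net.overlaps(bad) for bad in UNROUTABLE):
            raise ThreatListError(f"line {lineno}: {entry!r} is a private/loopback/link-local range")
        networks.append(net)
    return networks


def format_threat_list(networks: Iterable[Network]) -> str:
    """Render networks back to TXT format: sorted, deduplicated, entries covered
    by a wider range dropped (adjacent siblings are merged), hosts without /32 or /128."""
    lines = []
    for version in (4, 6):
        same_family = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(same_family):
            lines.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return "".join(line + "\n" for line in lines)


def merge_entries(existing_text: str, new_entries: Iterable[str]) -> str:
    """Return the updated list text with new_entries validated and added."""
    combined = existing_text + "".join(entry + "\n" for entry in new_entries)
    return format_threat_list(parse_threat_list(combined))


def push_threat_list(text: str, bucket: str, key: str, detector_id: str,
                     threat_intel_set_id: str) -> None:
    """Upload the list and make GuardDuty re-read it (the only AWS-touching step).

    boto3 is imported here so the validation functions above run offline.
    """
    import boto3
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=text.encode())
    boto3.client("guardduty").update_threat_intel_set(
        DetectorId=detector_id,
        ThreatIntelSetId=threat_intel_set_id,
        Location=f"s3://{bucket}/{key}",
        Activate=True,
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the second new entry is
    # already covered by 203.0.113.0/24 and is dropped.
    updated = merge_entries(SAMPLE_LIST, ["198.51.100.24", "203.0.113.77"])
    print(updated, end="")
    # Placeholders: fill in and uncomment to apply the list to your detector.
    # push_threat_list(updated, "your-threat-list-bucket", "guardduty/MyThreatIntelSet.txt",
    #                  "your_detector_id", "your_threat_intel_set_id")
```

Because the merge rewrites the whole object, concurrent editors will overwrite each other; if several people maintain the list, keep it in version control and let a single pipeline run push_threat_list.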

Task 3: Generate Sample Findings

Let’s use the AWS CLI to generate sample findings in GuardDuty. Without --finding-types the command creates one sample of every finding type; pass a list to limit it, for example --finding-types "Recon:EC2/PortProbeUnprotectedPort". Sample findings are marked [SAMPLE] in their title so they are not mistaken for real activity.

     # Look up the detector ID (if you did not keep it from Task 1) and generate sample findings
     detector_id=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
     aws guardduty create-sample-findings --detector-id "$detector_id"

Task 4: View Sample Findings

We’ll use Boto3 to retrieve and view the generated sample findings. list_findings returns only IDs, a page at a time, and get_findings accepts at most 50 IDs per call, so we page through the IDs and fetch details in batches rather than one call per finding.

# Page through finding IDs, then fetch details in batches of up to 50 (the get_findings limit)
paginator = gd_client.get_paginator('list_findings')
for page in paginator.paginate(DetectorId=detector_id):
    finding_ids = page['FindingIds']
    for start in range(0, len(finding_ids), 50):
        details = gd_client.get_findings(DetectorId=detector_id, FindingIds=finding_ids[start:start + 50])
        for finding in details['Findings']:
            print(f"Finding ID: {finding['Id']}, Type: {finding['Type']}, Severity: {finding['Severity']}")
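Printing every finding is fine for a demo, but in practice the value of fetching findings programmatically is triage: dropping archived ones, bucketing by the severity bands GuardDuty documents (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 and above), and seeing which types dominate. The following added example (not code from the original post) does this on a constructed set of findings that mirror the parts of the get_findings response it uses; the finding type names are real GuardDuty types but the severities and counts are made up. Only fetch_findings talks to AWS, and it assumes a detector ID you supply.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed findings: the subset of the get_findings shape used below
# (Id, Type, Severity, Service.Archived, Service.Count, Resource.ResourceType).
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Service": {"Archived": False, "Count": 12}, "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-002", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0, "Service": {"Archived": False, "Count": 1},
     "Resource": {"ResourceType": "AccessKey"}},
    {"Id": "f-003", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.5,
     "Service": {"Archived": False, "Count": 4}, "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-004", "Type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "Severity": 5.0,
     "Service": {"Archived": False, "Count": 2}, "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-005", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Service": {"Archived": True, "Count": 3}, "Resource": {"ResourceType": "Instance"}},
]

# Severity bands as documented for GuardDuty, checked from the highest floor down
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 1.0))


def severity_label(score: float) -> str:
    """Map a numeric GuardDuty severity to its documented band."""
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Unknown"  # GuardDuty does not emit scores below 1.0; kept for robustness


def triage(findings: Iterable[dict], include_archived: bool = False) -> Dict[str, List[dict]]:
    """Group findings by band, most severe first within each band; archived ones are
    skipped unless asked for, since archiving is how analysts mark a finding as handled."""
    buckets: Dict[str, List[dict]] = defaultdict(list)
    for finding in findings:
        if finding.get("Service", {}).get("Archived") and not include_archived:
            continue
        buckets[severity_label(finding["Severity"])].append(finding)
    for band in buckets:
        buckets[band].sort(key=lambda f: (-f["Severity"], f["Id"]))
    return dict(buckets)


def type_counts(findings: Iterable[dict]) -> Counter:
    """Occurrences per finding type. Service.Count is how many events GuardDuty
    aggregated into one finding, so summing it reflects actual activity volume."""
    counts: Counter = Counter()
    for finding in findings:
        counts[finding["Type"]] += finding.get("Service", {}).get("Count", 1)
    return counts


def fetch_findings(detector_id: str, min_severity: int = 4) -> List[dict]:
    """Pull unarchived findings at or above min_severity from GuardDuty, highest first.

    boto3 is imported here so the triage functions above run offline.
    """
    import boto3
    gd = boto3.client("guardduty")
    criteria = {"Criterion": {
        "severity": {"Gte": min_severity},
        "service.archived": {"Eq": ["false"]},
    }}
    sort = {"AttributeName": "severity", "OrderBy": "DESC"}
    findings: List[dict] = []
    for page in gd.get_paginator("list_findings").paginate(
            DetectorId=detector_id, FindingCriteria=criteria, SortCriteria=sort):
        ids = page["FindingIds"]
        for start in range(0, len(ids), 50):  # get_findings accepts at most 50 IDs
            findings.extend(gd.get_findings(DetectorId=detector_id,
                                            FindingIds=ids[start:start + 50])["Findings"])
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed findings; swap in
    # triage(fetch_findings("your_detector_id")) against a real detector.
    for band, items in triage(SAMPLE_FINDINGS).items():
        print(f"{band}: {[f['Id'] for f in items]}")
    for finding_type, count in type_counts(SAMPLE_FINDINGS).most_common():
        print(f"{count:>4}  {finding_type}")
```

Filtering server-side with FindingCriteria keeps the number of get_findings calls small on a busy account; the local triage then only has to order what came back.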

Task 5: Disable GuardDuty

Finally, let’s disable GuardDuty using the AWS CLI. Deleting the detector is destructive: it removes the detector together with all of its findings, trusted IP lists, threat lists and member associations in that region, so it is only appropriate for cleaning up a demo account. To pause monitoring while keeping the findings for later review, disable the detector instead with aws guardduty update-detector --detector-id "$detector_id" --no-enable.

     # Disable GuardDuty by deleting the detector (demo clean-up; destroys all findings in this region)
     aws guardduty delete-detector --detector-id "$detector_id"

Congratulations! You’ve successfully explored Amazon GuardDuty using the AWS CLI and Boto3. GuardDuty’s continuous monitoring, detailed security findings, and integration with AWS services make it a valuable tool for enhancing the security of your AWS environment. This hands-on experience demonstrates how to interact with GuardDuty programmatically, enabling you to automate security operations and responses.
