Trusted IP Lists and Threat Lists in Amazon GuardDuty

Overview

Amazon GuardDuty enhances security monitoring by analyzing VPC Flow Logs, CloudTrail event logs, and DNS logs. It allows you to customize monitoring by:

Trusted IP Lists: Excludes known safe IPs from generating alerts.
Threat Lists: Generates alerts for known malicious IPs.

Key Features:

Scope:
- Lists only affect VPC Flow Logs and CloudTrail findings (not DNS findings).
- They apply to traffic targeting public IPs.
- If an IP exists on both lists, the trusted IP list takes precedence.
Trusted IP List:
- Up to 2,000 IPs or CIDR ranges per list.
- Only one trusted IP list is allowed per AWS account per Region.
Threat List:
- Supports up to 250,000 IPs or CIDR ranges.
- Allows up to six threat lists per AWS account per Region.

Management of Lists in Multi-Account Environments:

Only administrator accounts can manage trusted and threat lists.
The lists are inherited by member accounts managed by the administrator.

Supported Formats:

Plaintext (TXT): Simple IP or CIDR entries.
STIX: Structured XML-based threat intelligence format.
CSV Formats: Compatible with vendors like Open Threat Exchange, FireEye, and Proofpoint.
Size Limit: Each list can be up to 35MB.

Permissions and Encryption:

IAM Permissions:
- Roles managing lists require permissions beyond the AmazonGuardDutyFullAccess policy.
- Permissions include actions like iam:PutRolePolicy and kms:Decrypt.
Encryption Support:
- Supports SSE-AES256 and SSE-KMS encryption for lists.
- The GuardDuty service role must have decryption permissions for KMS-encrypted lists.

Adding and Managing Lists:

Adding a List (API/CLI Example):

aws guardduty create-ip-set --detector-id <detector-id> \
--name "TrustedIPs" --format "Plaintext" --location <S3-path> --activate

Updating Lists: Use UpdateIPSet or UpdateThreatIntelSet commands to modify lists. Example:

aws guardduty update-ip-set --detector-id <detector-id> \
--name "TrustedIPs" --ip-set-id <ip-set-id> --activate

Deactivating or Deleting Lists: Deactivate a list using the --no-activate flag:

aws guardduty update-ip-set --detector-id <detector-id> \
--ip-set-id <ip-set-id> --no-activate

Usage Notes:

After creating or updating a list, GuardDuty may take up to 15 minutes to sync.
Lists are managed through either the console or API/CLI.

PreviousLambda Protection Enablement NextRemediation Recommendations

Last updated 1 year ago

hashtagOverview

hashtagKey Features:

hashtagManagement of Lists in Multi-Account Environments:

hashtagSupported Formats:

hashtagPermissions and Encryption:

hashtagAdding and Managing Lists:

hashtagUsage Notes: