Trusted IP Lists and Threat Lists in Amazon GuardDuty

Overview

Amazon GuardDuty generates findings by analyzing VPC Flow Logs, CloudTrail event logs, and DNS logs. Two kinds of custom list tune how it treats the IP addresses it sees in that data:

  1. Trusted IP Lists: IP addresses you consider safe. GuardDuty does not generate findings for traffic involving them.

  2. Threat Lists: known malicious IP addresses. GuardDuty generates findings for traffic involving them.

Key Features:

  • Scope:

    • Lists affect findings derived from VPC Flow Logs and CloudTrail only; DNS-based findings ignore them.

    • They apply only to traffic involving publicly routable IP addresses, so private or otherwise non-routable entries never match anything.

    • If an IP appears on both a trusted IP list and a threat list, the trusted IP list takes precedence and no finding is generated for it.

  • Trusted IP List:

    • Up to 2,000 IPs or CIDR ranges per list.

    • Only one trusted IP list is allowed per AWS account per Region.

  • Threat List:

    • Supports up to 250,000 IPs or CIDR ranges.

    • Allows up to six threat lists per AWS account per Region.

Management of Lists in Multi-Account Environments:

  • In a multi-account setup, only the GuardDuty administrator account can add and manage trusted IP lists and threat lists; member accounts cannot upload lists of their own.

  • Lists uploaded by the administrator account are applied to GuardDuty in every member account it manages.

Supported Formats:

  • Plaintext (TXT): one IP address or CIDR range per line.

  • STIX: Structured Threat Information Expression, an XML-based threat intelligence format.

  • CSV formats: the feed layouts used by Open Threat Exchange (OTX), FireEye iSIGHT, and Proofpoint ET Intelligence, plus AlienVault. In the API and CLI the format is selected with --format and one of TXT, STIX, OTX_CSV, FIRE_EYE, PROOF_POINT, or ALIEN_VAULT.

  • Size limit: each list file can be at most 35 MB.

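The limits and scope rules above are easy to violate silently: an oversized list fails to load, private ranges never match, and any threat entry that overlaps the trusted list is ignored because the trusted list wins. The script below is an added example (not AWS or GuardDuty code) that checks a plaintext (TXT) list against those documented constraints before it is uploaded to S3. The sample lists, the `NON_ROUTABLE` set used to approximate "not publicly routable", and the decision to skip blank lines are this example's own assumptions; RFC 5737 documentation ranges are deliberately left out of `NON_ROUTABLE` so they can stand in for public addresses in the samples.

```python
"""Pre-upload validator for GuardDuty trusted IP lists and threat lists (TXT format).

Added example for this page, not AWS-provided code. It applies the constraints the
page documents (2,000 trusted / 250,000 threat entries per list, 35 MB per file,
lists only matter for publicly routable addresses, trusted list wins on overlap)
to a list before it is registered with create-ip-set or create-threat-intel-set.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = {"trusted": 2_000, "threat": 250_000}
MAX_LIST_BYTES = 35 * 1024 * 1024  # 35 MB limit per list file

# Assumption of this example: address space that can never be "publicly routable"
# traffic and therefore never matches a GuardDuty list. RFC 5737 documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are intentionally absent
# so they can play the role of public addresses in the constructed samples.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample lists in plaintext format: one IP or CIDR per line.
SAMPLE_TRUSTED_TXT = "203.0.113.0/24\n198.51.100.7\n10.0.0.0/8\n"
SAMPLE_THREAT_TXT = "192.0.2.15\n203.0.113.44\n198.51.100.0/24\nnot-an-ip\n"


@dataclass
class ListReport:
    kind: str                                  # "trusted" or "threat"
    networks: list = field(default_factory=list)
    errors: list = field(default_factory=list)    # would make GuardDuty reject the list
    warnings: list = field(default_factory=list)  # entries that load but can never match

    @property
    def ok(self) -> bool:
        return not self.errors


def is_routable(net) -> bool:
    """True unless the network lies inside one of the NON_ROUTABLE blocks of its IP version."""
    return not any(net.subnet_of(r) for r in NON_ROUTABLE if r.version == net.version)


def validate_list(text: str, kind: str) -> ListReport:
    """Validate one TXT list body; kind is 'trusted' or 'threat'."""
    report = ListReport(kind)
    if len(text.encode("utf-8")) > MAX_LIST_BYTES:
        report.errors.append("file exceeds the 35 MB limit per list")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # this validator tolerates blank lines (example assumption)
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IPs become /32 or /128
        except ValueError:
            report.errors.append(f"line {lineno}: {line!r} is not an IP address or CIDR range")
            continue
        if not is_routable(net):
            report.warnings.append(f"line {lineno}: {net} is not publicly routable and will never match")
        report.networks.append(net)
    if len(report.networks) > MAX_ENTRIES[kind]:
        report.errors.append(
            f"{len(report.networks)} entries exceeds the {MAX_ENTRIES[kind]} limit for a {kind} list")
    return report


def shadowed_threat_entries(trusted: ListReport, threat: ListReport) -> list:
    """Threat-list entries that overlap the trusted list; the trusted list wins, so they never alert."""
    return [t for t in threat.networks
            if any(t.version == s.version and t.overlaps(s) for s in trusted.networks)]


if __name__ == "__main__":
    trusted = validate_list(SAMPLE_TRUSTED_TXT, "trusted")
    threat = validate_list(SAMPLE_THREAT_TXT, "threat")
    for rep in (trusted, threat):
        print(f"{rep.kind}: {len(rep.networks)} entries, ok={rep.ok}")
        for msg in rep.errors + rep.warnings:
            print("   ", msg)
    for net in shadowed_threat_entries(trusted, threat):
        print(f"threat entry {net} is shadowed by the trusted list and will not produce findings")
```

Run it against real list files by reading them into `validate_list` in place of the samples; a non-empty `errors` list means the upload will not load, and every shadowed threat entry is one you believed was being alerted on but is not.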
Permissions and Encryption:

  • IAM Permissions:

    • A principal that adds or manages lists needs permissions beyond the AmazonGuardDutyFullAccess managed policy, because GuardDuty updates the inline policy of its service-linked role so the service can read the list object from S3.

    • The additional actions are iam:PutRolePolicy and iam:DeleteRolePolicy on the GuardDuty service-linked role; for a KMS-encrypted list, the key must also allow kms:Decrypt.

  • Encryption Support:

    • List objects may be stored with SSE-S3 (AES256) or SSE-KMS server-side encryption.

    • For SSE-KMS, the key policy must grant the GuardDuty service-linked role kms:Decrypt; otherwise GuardDuty cannot read the list and it never takes effect.

Adding and Managing Lists:

Adding a trusted IP list (CLI example). The --format value must be one of the names listed under Supported Formats, so a plaintext list is TXT, not "Plaintext":

aws guardduty create-ip-set --detector-id <detector-id> \
--name "TrustedIPs" --format TXT --location <S3-path> --activate

A threat list is created the same way with create-threat-intel-set.

Updating Lists: use the UpdateIPSet (trusted IP list) or UpdateThreatIntelSet (threat list) API, or the update-ip-set and update-threat-intel-set CLI commands. Pass --location to point the set at a new S3 object; the example below only re-activates an existing set. Example:

aws guardduty update-ip-set --detector-id <detector-id> \
--name "TrustedIPs" --ip-set-id <ip-set-id> --activate

Deactivating or Deleting Lists: deactivate a list with the --no-activate flag. GuardDuty keeps the set but stops applying it; to remove it entirely, use delete-ip-set or delete-threat-intel-set.

aws guardduty update-ip-set --detector-id <detector-id> \
--ip-set-id <ip-set-id> --no-activate

Usage Notes:

  • After you create, update, activate, or deactivate a list, allow up to 15 minutes for GuardDuty to apply the change.

  • Lists can be managed from the console or through the API/CLI; either way the list file itself lives in S3, and GuardDuty reads it from the --location registered on the set.


Last updated 8 months ago