Amazon GuardDuty Adds Three New Threat Detections

Posted on: Oct 16, 2019

Amazon GuardDuty introduces three new threat detections. Two of the detections are related to Amazon S3, and the third to potential EC2 instance metadata exfiltration via DNS rebinding.  

The first S3-related detection, Policy:IAMUser/S3BlockPublicAccessDisabled, informs you that S3 Block Public Access was disabled for an S3 bucket in your AWS account (or accounts, if configured in a multi-account configuration). S3 Block Public Access filters the policies or ACLs applied to a bucket to prevent inadvertent exposure of data. This detection may be an indicator of a misconfiguration or of malicious activity. A finding of this type does not mean that the bucket or its objects are shared publicly, but you should audit the policies and ACLs applied to the bucket to confirm that appropriate permissions are in place.

The second S3-related detection, Stealth:IAMUser/S3ServerAccessLoggingDisabled, informs you that Amazon S3 server access logging was disabled for a bucket where it was previously enabled. Disabling server access logging may be an indicator of a misconfiguration or of malicious activity and should be investigated. The severity of both of these findings is low.
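The audit step recommended above (confirm the Block Public Access flags, the bucket policy, the ACL grants and the logging state after either S3 finding) is shown here as an added example; it is not AWS or GuardDuty code. It works on dictionaries in the shape the S3 API returns from get_public_access_block, get_bucket_policy, get_bucket_acl and get_bucket_logging, and the sample bucket configuration is constructed inline so the script runs offline.

```python
"""Post-finding audit for an S3 bucket (added example, not AWS code)."""
import json

# Group URIs S3 uses for anonymous / any-authenticated-user ACL grants.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four flags that make up S3 Block Public Access.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_access_block_gaps(config: dict) -> list:
    """Return the Block Public Access flags that are not set to True."""
    return [k for k in BLOCK_KEYS if not config.get(k, False)]


def policy_public_statements(policy_json: str) -> list:
    """Return Sids of Allow statements granted to everyone with no Condition."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if everyone and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def acl_public_grants(grants: list) -> list:
    """Return (grantee URI, permission) pairs given to the public groups."""
    return [
        (g["Grantee"].get("URI"), g["Permission"])
        for g in grants
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    ]


def logging_enabled(get_bucket_logging_response: dict) -> bool:
    """get_bucket_logging returns a LoggingEnabled key only when logging is on."""
    return "LoggingEnabled" in get_bucket_logging_response


def triage_bucket(pab: dict, policy_json: str, grants: list, logging_resp: dict) -> dict:
    """Combine the checks into the verdict an analyst wants after either finding."""
    gaps = public_access_block_gaps(pab)
    pub_stmts = policy_public_statements(policy_json)
    pub_grants = acl_public_grants(grants)
    # A disabled flag alone exposes nothing: data is reachable anonymously only
    # when a public policy exists and RestrictPublicBuckets is off, or a public
    # ACL grant exists and IgnorePublicAcls is off.
    exposed = (bool(pub_stmts) and "RestrictPublicBuckets" in gaps) or (
        bool(pub_grants) and "IgnorePublicAcls" in gaps
    )
    return {
        "block_public_access_gaps": gaps,
        "public_policy_statements": pub_stmts,
        "public_acl_grants": pub_grants,
        "server_access_logging": logging_enabled(logging_resp),
        "publicly_readable": exposed,
    }


# Constructed sample: a bucket whose Block Public Access was partly disabled
# and whose policy contains an anonymous read statement. Account id and bucket
# name are placeholders.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TrustedRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                  "Permission": "FULL_CONTROL"}]
SAMPLE_LOGGING = {}  # no LoggingEnabled key: server access logging is off

if __name__ == "__main__":
    print(json.dumps(triage_bucket(SAMPLE_PAB, SAMPLE_POLICY,
                                   SAMPLE_GRANTS, SAMPLE_LOGGING), indent=2))
```

In a live investigation the four inputs come straight from the boto3 calls named in the lead-in; the verdict separates "a protective flag was turned off" (always worth restoring) from "objects are actually reachable anonymously" (worth an immediate containment step), which is the distinction the finding description above draws.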

The third new threat detection, UnauthorizedAccess:EC2/MetaDataDNSRebind, informs you that an EC2 instance in your AWS environment is querying a domain that resolves to the EC2 instance metadata IP address. A DNS query of this kind may indicate an attempt at DNS rebinding to obtain metadata from the EC2 instance, including the IAM credentials associated with the instance. DNS rebinding relies on either a vulnerability in an application running on the EC2 instance or a human user opening the URL in a web browser running on the instance. The severity of this finding is high.
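The condition this finding describes (a name queried from an instance resolving to the metadata service address) can be checked in your own DNS telemetry as well. The following is an added example, not GuardDuty's implementation: it scans query records shaped like Route 53 Resolver query logs (the field names query_name, answers[].Rdata and srcids.instance are assumed from that format), treats the well-known IMDS endpoints 169.254.169.254 and fd00:ec2::254 as the indicator, and reports whether a name first resolved to a routable address and then flipped to IMDS, which is the rebinding sequence. The log lines are constructed.

```python
"""Detect DNS answers that point an instance at IMDS (added example)."""
import ipaddress
import json

# Endpoints of the EC2 instance metadata service (IPv4 and IPv6).
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed resolver query records, one JSON object per line. Names use
# reserved example domains; addresses use documentation ranges.
SAMPLE_LOG = """
{"query_name": "cdn.example-vendor.com.", "query_type": "A", "answers": [{"Rdata": "203.0.113.10", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0000example0001"}}
{"query_name": "login.rebind-test.example.", "query_type": "A", "answers": [{"Rdata": "198.51.100.7", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0000example0001"}}
{"query_name": "login.rebind-test.example.", "query_type": "A", "answers": [{"Rdata": "169.254.169.254", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.1.23", "srcids": {"instance": "i-0000example0001"}}
{"query_name": "ipv6.rebind-test.example.", "query_type": "AAAA", "answers": [{"Rdata": "fd00:ec2::254", "Type": "AAAA", "Class": "IN"}], "srcaddr": "10.0.1.40", "srcids": {"instance": "i-0000example0002"}}
{"query_name": "internal.corp.example.", "query_type": "A", "answers": [{"Rdata": "10.0.2.5", "Type": "A", "Class": "IN"}], "srcaddr": "10.0.1.40", "srcids": {"instance": "i-0000example0002"}}
"""


def _is_imds(rdata: str) -> bool:
    """True when an answer's Rdata is an IMDS endpoint address."""
    try:
        return ipaddress.ip_address(rdata) in IMDS_ADDRESSES
    except ValueError:  # CNAME/TXT targets are not addresses
        return False


def detect_metadata_rebind(log_text: str) -> list:
    """Return one alert per query whose answer resolves to IMDS.

    Earlier non-IMDS answers are remembered per name so an alert can say
    whether the name flipped from a routable address to IMDS (the rebinding
    sequence) or pointed at IMDS from its first appearance in the log.
    """
    history = {}  # query_name -> set of earlier non-IMDS answers
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        name = rec["query_name"]
        rdatas = [a["Rdata"] for a in rec.get("answers", [])]
        imds_hits = [r for r in rdatas if _is_imds(r)]
        if imds_hits:
            alerts.append({
                "instance": rec.get("srcids", {}).get("instance"),
                "query_name": name,
                "resolved_to": imds_hits,
                "rebind_sequence": bool(history.get(name)),
                "earlier_answers": sorted(history.get(name, ())),
                "severity": "HIGH",
            })
        else:
            history.setdefault(name, set()).update(rdatas)
    return alerts


if __name__ == "__main__":
    for alert in detect_metadata_rebind(SAMPLE_LOG):
        print(json.dumps(alert))
```

Any hit is worth the same response the finding calls for: identify what process or browser session on the instance issued the query, and treat the instance role's credentials as potentially exposed. Names that resolved to IMDS from the outset are also flagged, since an attacker does not need the flip to have been captured in the log window.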

These new findings are available today in all Regions in which Amazon GuardDuty is available. You don’t need to take any action to start using these new finding types.  

Available globally, Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts and access keys. GuardDuty identifies unusual or unauthorized activity, like cryptocurrency mining or infrastructure deployments in a region that has never been used. Powered by threat intelligence and machine learning, GuardDuty is continuously evolving to help you protect your AWS environment. 

You can enable your 30-day free trial of Amazon GuardDuty with a single click in the AWS Management Console. Please see the AWS Regions page for all the regions where GuardDuty is available. To learn more, see Amazon GuardDuty Findings, and to start your 30-day free trial, see Amazon GuardDuty Free Trial.