How do I set up a trusted IP address list for GuardDuty?

Last updated: 2020-02-03

I want to set up a trusted IP address list for Amazon GuardDuty.

Short Description

You can configure GuardDuty to use your own custom trusted IP list containing the IP addresses that you allow to communicate securely with your AWS infrastructure and applications. For more information, see Working with Trusted IP Lists and Threat Lists.

Resolution

Follow these instructions to create and upload a trusted IP list, verify permissions, and add it to GuardDuty.

Create a trusted IP list

Follow the instructions to create a new trusted IP list and save it as a file. Then, follow the instructions to upload the file to an Amazon Simple Storage Service (Amazon S3) bucket.

Note: The trusted IP list file must be in TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, or FIRE_EYE format.

Check IAM identity permissions

Be sure that your AWS Identity and Access Management (IAM) identity has permissions to work with trusted IP lists and GuardDuty similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "guardduty:*IPSet*",
                "guardduty:List*",
                "guardduty:Get*"
            ],
            "Resource": "*"
        }
    ]
}

Be sure that your IAM identity has PutRolePolicy and DeleteRolePolicy permissions for the GuardDuty service-linked role AWSServiceRoleForAmazonGuardDuty, as in the following policy (replace the example account ID 123456789123 with your own):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::123456789123:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
        }
    ]
}

For more information, see Editing IAM Policies.

Add and activate a trusted IP list in GuardDuty

  1. Open the GuardDuty console.
  2. In the navigation pane, choose Lists.
  3. Choose Add a trusted IP list.
  4. For List name, enter a name that is meaningful to you.
  5. For Location, enter the location for your S3 bucket. For example, https://s3.amazonaws.com/bucket-name/file.txt.
  6. Choose the Format dropdown menu, and then choose your list's file type.
  7. Select the I agree check box, and then choose Add list.
  8. In Trusted IP lists, choose Active for your trusted IP list name.

Note: It can take up to 5 minutes for the list to activate.
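Because every entry on a trusted IP list stops GuardDuty from generating findings for that address, it is worth checking the file before you upload it to Amazon S3 and activate it. The following Python script is an added example (not AWS code): it validates a list in the TXT format named above (one IP address or CIDR range per line), rejects unparseable lines and duplicates, warns about very broad or overlapping ranges that would suppress findings for more than intended, and assembles the parameters for the GuardDuty CreateIPSet API call that the console steps perform. The sample list, the prefix-length thresholds, and the bucket and detector values are constructed for the example.

```python
"""Validate a GuardDuty trusted IP list (TXT format) before uploading it.

Added example, not AWS code. Assumes the TXT format from the article: one
IP address or CIDR range per line. Thresholds and sample data are this
example's own choices.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample list, as an operator might save it in trusted-ips.txt.
SAMPLE_LIST = """\
203.0.113.10
198.51.100.0/24
203.0.113.10
10.0.0.0/8
0.0.0.0/0
not-an-ip
"""

# Trusted entries suppress findings for matching IPs, so a broad range
# silently blinds detection. Warn on prefixes shorter than these (assumed
# thresholds, not an AWS rule).
MIN_PREFIX_V4 = 16
MIN_PREFIX_V6 = 48


def parse_trusted_list(text: str) -> Tuple[List[ipaddress._BaseNetwork], List[str], List[str]]:
    """Return (accepted networks, errors that block upload, warnings to review)."""
    networks: List[ipaddress._BaseNetwork] = []
    errors: List[str] = []
    warnings: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. 203.0.113.10 -> /32
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: '{line}' is not an IP address or CIDR range")
            continue
        if net in seen:
            errors.append(f"line {lineno}: duplicate entry {net}")
            continue
        seen.add(net)
        min_prefix = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < min_prefix:
            warnings.append(f"line {lineno}: {net} is broader than /{min_prefix} and would suppress findings for a large range")
        # Overlaps are legal but usually a sign that the list is wider than intended.
        for earlier in networks:
            if earlier.version == net.version and (earlier.subnet_of(net) or net.subnet_of(earlier)):
                warnings.append(f"line {lineno}: {net} overlaps earlier entry {earlier}")
        networks.append(net)
    return networks, errors, warnings


def is_upload_ready(text: str) -> bool:
    """True only when the list parses cleanly (warnings still need a human look)."""
    _, errors, _ = parse_trusted_list(text)
    return not errors


def create_ip_set_request(detector_id: str, name: str, bucket: str, key: str) -> Dict[str, object]:
    """Build the keyword arguments for boto3's guardduty.create_ip_set().

    These are the same values the console asks for: list name, S3 location,
    format, and activation. Pass the result as **kwargs to create_ip_set.
    """
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Format": "TXT",
        "Location": f"https://s3.amazonaws.com/{bucket}/{key}",
        "Activate": True,
    }


if __name__ == "__main__":
    nets, errs, warns = parse_trusted_list(SAMPLE_LIST)
    print(f"{len(nets)} entries accepted")
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
    if is_upload_ready(SAMPLE_LIST):
        # Placeholder detector ID and bucket; replace with your own values.
        print(create_ip_set_request("EXAMPLE-DETECTOR-ID", "corp-egress", "bucket-name", "file.txt"))
    else:
        print("Fix the errors above before uploading the list.")
```

Run it against your own file by replacing SAMPLE_LIST with the file's contents; the sample deliberately contains a duplicate, an unparseable line, and two over-broad ranges so that each check fires once. When the list is clean, the dictionary returned by create_ip_set_request can be passed straight to boto3's create_ip_set; after a later edit to the file, the same validation applies before you reactivate the list with UpdateIPSet.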

If you change a trusted IP list in GuardDuty, you must update and then reactivate the list. For instructions, see Updating Trusted IP Lists and Threat Lists.