Version: Latest

AWS GuardDuty

AWS GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior across your AWS accounts using ML-based analysis.

Overview

GuardDuty provides:

Threat Detection: ML-based analysis of CloudTrail, VPC Flow Logs, and DNS logs
Threat Intelligence: Integration with AWS and partner threat intelligence feeds
Real-time Alerts: Notifications through CloudWatch Events and SNS
Multi-account Support: Centralized management across your organization
Protection Features: S3, EKS, Lambda, Malware, and Runtime monitoring

Supported Protection Features

Feature	Description
S3 Protection	Monitors S3 data events for suspicious activities
EKS Audit Log Monitoring	Analyzes Kubernetes audit logs from EKS clusters
Malware Protection	Scans EBS volumes for malware
Lambda Protection	Monitors Lambda function network activity
Runtime Monitoring	Runtime threat detection for EC2, ECS, and EKS with automatic agent management

Architecture

Deployment

GuardDuty uses a 3-step delegated administrator deployment model.

Prerequisites

Enable GuardDuty trusted access in AWS Organizations by adding guardduty.amazonaws.com to aws_service_access_principals in your account component

Or enable via AWS CLI:

aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com

Step 1: Deploy to Delegated Administrator Account

# core-ue1-security
components:
  terraform:
    aws-guardduty/delegated-administrator:
      metadata:
        component: guardduty
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1

atmos terraform apply aws-guardduty/delegated-administrator -s core-ue1-security

Step 2: Deploy to Organization Management Account

Root Access Required:

This step requires root account access (such as with the managers profile).

# core-ue1-root
components:
  terraform:
    aws-guardduty/root:
      metadata:
        component: guardduty
      backend:
        s3:
          role_arn: null
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1
        privileged: true

atmos terraform apply aws-guardduty/root -s core-ue1-root

Step 3: Deploy Organization Settings

# core-ue1-security
components:
  terraform:
    aws-guardduty/org-settings:
      metadata:
        component: guardduty
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1
        admin_delegated: true
        # Protection features
        s3_protection_enabled: true
        kubernetes_audit_logs_enabled: true
        malware_protection_scan_ec2_ebs_volumes_enabled: true
        lambda_network_logs_enabled: true
        # Runtime Monitoring
        runtime_monitoring_enabled: true
        runtime_monitoring_additional_config:
          eks_addon_management_enabled: true
          ecs_fargate_agent_management_enabled: true
          ec2_agent_management_enabled: true

atmos terraform apply aws-guardduty/org-settings -s core-ue1-security

Multi-Region Deployment

Repeat all 3 steps for each region:

# us-east-1
atmos terraform apply aws-guardduty/delegated-administrator -s core-ue1-security
atmos terraform apply aws-guardduty/root -s core-ue1-root
atmos terraform apply aws-guardduty/org-settings -s core-ue1-security

# us-west-2
atmos terraform apply aws-guardduty/delegated-administrator -s core-uw2-security
atmos terraform apply aws-guardduty/root -s core-uw2-root
atmos terraform apply aws-guardduty/org-settings -s core-uw2-security

Enable SNS notifications for GuardDuty findings:

components:
  terraform:
    aws-guardduty/delegated-administrator:
      vars:
        enabled: true
        create_sns_topic: true
        cloudwatch_enabled: true

This creates:

KMS key with permissions for EventBridge, SNS, and SQS
Encrypted SNS topic for findings
SQS queue subscribed to the SNS topic
CloudWatch Event Rules to route findings

Key Variables

Variable	Description	Default
`admin_delegated`	Set to `true` after delegation is complete	`false`
`auto_enable_organization_members`	Auto-enroll members (`ALL`, `NEW`, `NONE`)	`NEW`
`s3_protection_enabled`	Enable S3 data event monitoring	`true`
`kubernetes_audit_logs_enabled`	Enable EKS audit log monitoring	`false`
`malware_protection_scan_ec2_ebs_volumes_enabled`	Enable EBS malware scanning	`false`
`lambda_network_logs_enabled`	Enable Lambda network monitoring	`false`
`runtime_monitoring_enabled`	Enable runtime monitoring	`false`

AWS GuardDuty

Overview

Supported Protection Features

Architecture

Deployment

Prerequisites

Step 1: Deploy to Delegated Administrator Account

Step 2: Deploy to Organization Management Account

Step 3: Deploy Organization Settings

Multi-Region Deployment

Key Variables

See Also

References

Overview​

Supported Protection Features​

Architecture​

Deployment​

Prerequisites​

Step 1: Deploy to Delegated Administrator Account​

Step 2: Deploy to Organization Management Account​

Step 3: Deploy Organization Settings​

Multi-Region Deployment​

SNS Notifications​

Key Variables​

See Also​

References​

Overview

Supported Protection Features

Architecture

Deployment

Prerequisites

Step 1: Deploy to Delegated Administrator Account

Step 2: Deploy to Organization Management Account

Step 3: Deploy Organization Settings

Multi-Region Deployment

SNS Notifications

Key Variables

See Also

References